Terminal device authentication method, apparatus and system
Technical field
The application belongs to the field of communication information processing, and in particular relates to a terminal device authentication method, apparatus and system.
Background art
With the development of the mobile Internet and the Internet of Things, terminal devices including wearable devices (such as smart bracelets and smart watches) are becoming more and more common and are increasingly the development trend for future smart mobile products. A wearable device often holds many kinds of sensitive information, such as the user's account, identity, communications and property; if the wearable device is attacked by malicious phishing, terminal spoofing, information interception and the like and its authority is obtained, the user will suffer immeasurable loss. The security authentication of wearable devices has therefore attracted more and more attention. Security application products based on wearable devices are also beginning to appear; their solutions mainly consist of the wearable device performing authorization authentication of a smart terminal (such as a smart mobile phone or smart appliance) based on a feature code of the smart terminal or of a third-party application.
However, the feature code used in existing wearable-device authorization authentication solutions is usually a single, constant feature code, and the authentication process is generally one-way authentication over channels of relatively low security level such as WIFI or Bluetooth. The authorization authentication methods of the prior art easily allow the feature code to be intercepted or leaked, or allow a forged smart terminal to deceive the wearable device and obtain its authority. The authorization authentication methods for wearable devices in the prior art therefore still carry a considerable security risk.
Summary of the invention
The purpose of the application is to provide a terminal device authentication method, apparatus and system that can provide two-way authentication in the authorization process for terminal devices including wearable devices, and thereby improve the security of terminal device authorization authentication.
The terminal device authentication method, apparatus and system provided by the application are realized as follows.
A terminal device authentication method, the method comprising:
a first terminal sends an authorization opening request message generated by encrypting a generated first key and a first device identifier of the first terminal with a stored preset key;
a second terminal obtains the authorization opening request message, decrypts it with a stored preset key, and judges, according to the result of the decryption, whether to open device authorization;
when the result of the decryption is success, the second terminal sends an authorization opening result message generated by encrypting a second device identifier of the second terminal with the first key obtained by the decryption;
the first terminal obtains the authorization opening result message and decrypts it with the first key; if the decryption succeeds, the first terminal opens device authorization.
A terminal device authentication method, the method comprising:
a first terminal sends an authorization request message generated by encrypting a generated second key and a first device identifier of the first terminal with a stored first key;
a second terminal obtains the authorization request message and decrypts it with a stored first key; when the decryption succeeds, the second terminal judges whether it has stored a first authorized device identifier corresponding to the first device identifier obtained by the decryption;
when the judgment result is yes, the second terminal authorizes the first terminal based on the first device identifier, and sends an authorization result message generated by encrypting a second device identifier of the second terminal with the second key obtained by the decryption;
the first terminal obtains the authorization result message and decrypts it with the second key; when the decryption succeeds, the first terminal judges whether it has stored a second authorized device identifier corresponding to the second device identifier obtained by the decryption, and determines, based on the judgment result, whether to authorize the second terminal.
A terminal device authentication method, the method comprising:
a first terminal sends an authorization request message generated by encrypting a generated second key and a first device identifier of the first terminal with a stored first key;
the first terminal obtains an authorization result message sent by a second terminal and decrypts it with the second key;
when the decryption succeeds, the first terminal judges whether it has stored a second authorized device identifier corresponding to the second device identifier obtained by the decryption, and determines, based on the judgment result, whether to authorize the second terminal.
A terminal device authentication method, the method comprising:
a second terminal obtains an authorization request message sent by a first terminal and decrypts it with a stored first key;
when the decryption succeeds, the second terminal judges whether it has stored a first authorized device identifier corresponding to the first device identifier obtained by the decryption;
when the judgment result is yes, the second terminal authorizes the first terminal based on the first device identifier, and sends an authorization result message generated by encrypting a second device identifier of the second terminal with the second key obtained by the decryption.
A terminal device authentication apparatus, the apparatus comprising:
a first storage unit, for storing a generated first key and an obtained second authorized device identifier of a second terminal;
a first encryption unit, for generating a second key, and encrypting the second key and an obtained first device identifier with the first key to generate an authorization request message;
a first communication module, for sending the authorization request message, and also for receiving an authorization result message sent by the second terminal;
a first decryption judging unit, for decrypting the authorization result message with the second key and, when the decryption succeeds, judging whether the first storage unit has stored a second authorized device identifier corresponding to the second device identifier obtained by the decryption;
a first authorization module, for determining, based on the judgment result of the first decryption judging unit, whether to authorize the second terminal.
A terminal device authentication apparatus, the apparatus comprising:
a second communication module, for receiving an authorization request message sent by a first terminal and for sending an authorization result message;
a second storage unit, for storing an obtained first authorized device identifier of the first terminal and a first key;
a second decryption judging unit, for decrypting the authorization request message with the stored first key and, when the decryption succeeds, judging whether the second storage unit has stored a first authorized device identifier corresponding to the first device identifier;
a second authorization module, for determining, based on the judgment result of the second decryption judging unit, whether to authorize the first terminal corresponding to the first device identifier;
a second encryption unit, for encrypting a second device identifier of the second terminal with the second key to generate the authorization result message when the judgment result of the second decryption judging unit is yes.
A terminal device authentication system, the system comprising:
a first terminal, for sending an authorization request message generated by encrypting a generated second key and a first device identifier of the first terminal with a stored first key; also for obtaining an authorization result message sent by a second terminal and decrypting it with the second key; and also for judging, when the decryption succeeds, whether it has stored a second authorized device identifier corresponding to the second device identifier obtained by the decryption, and determining, based on the judgment result, whether to authorize the second terminal;
a second terminal, for obtaining the authorization request message sent by the first terminal and decrypting it with a stored first key; also for judging, when the decryption succeeds, whether it has stored a first authorized device identifier corresponding to the first device identifier obtained by the decryption; and also for authorizing the first terminal based on the first device identifier when the judgment result is yes, and sending an authorization result message generated by encrypting a second device identifier of the second terminal with the second key obtained by the decryption.
The terminal device authentication method, apparatus and system provided by the application can secure both the opening of device authorization and the authentication of device authorization among multiple terminals. The first terminal can encrypt an authentication key and its device identifier with a pre-stored preset key to form an authorization opening request message, so that only a second terminal that has the same preset key stored can decrypt it, completing one side of the authorization opening authentication. The second terminal can then encrypt its own device identifier with the authentication key obtained by the decryption, and the first terminal decrypts it; only when this decryption succeeds does the first terminal open authorization authentication, completing the two-way authentication of the terminal device authorization opening request. Further, after authorization has been opened and the device identifier of the authorized device has been obtained, the terminal device authentication method provided by the application can be used for authorization authentication of authorities such as applications or devices on the terminal device. During device authorization, two-way authentication between the multiple terminals is still used, and the device identifier and the authentication key are added to the two-way authentication message interaction; the authentication key used in the embodiments can also be updated dynamically. This can greatly improve the authorization authentication of terminal devices such as wearable devices and improve the security of terminal device authorization authentication.
Description of the drawings
In order to explain the technical solutions in the embodiments of the application or in the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only some of the embodiments recorded in the application; those of ordinary skill in the art can also obtain other drawings from these drawings without creative effort.
Fig. 1 is a method flow diagram of an embodiment of a terminal device authentication method of the application;
Fig. 2 is a method flow diagram of an embodiment of a terminal device authentication method of the application;
Fig. 3 is a flow diagram of another embodiment of a terminal device authentication method of the application;
Fig. 4 is a flow diagram of another embodiment of a terminal device authentication method of the application;
Fig. 5 is a module structure diagram of an embodiment of a terminal device authentication apparatus of the application;
Fig. 6 is a module structure diagram of another embodiment of a terminal device authentication apparatus of the application;
Fig. 7 is a module structure diagram of another embodiment of a terminal device authentication apparatus of the application;
Fig. 8 is a module structure diagram of an embodiment of a terminal device authentication apparatus of the application;
Fig. 9 is a module structure diagram of another embodiment of a terminal device authentication apparatus of the application;
Fig. 10 is a module structure diagram of another embodiment of a terminal device authentication apparatus of the application.
Detailed description of the invention
In order that those skilled in the art may better understand the technical solutions in the application, the technical solutions in the embodiments of the application are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the application. All other embodiments obtained by those of ordinary skill in the art based on the embodiments in the application without creative effort shall fall within the scope of protection of the application.
The terminal described in the application may include, but is not limited to, a terminal device that is a wearable device. The authorization authentication of the terminal device may take place in an application scenario in which the user-side terminal device is connected to the Internet by a connection such as Wi-Fi or a cellular mobile network and performs authorization authentication with a server-side terminal device, or in an application scenario in which it is connected to another smart terminal by means including, but not limited to, the Bluetooth transmission protocol, NFC near-field communication or a wired connection and performs authorization authentication with it. Below, the method and apparatus of the application are described in detail by taking the authorization authentication between a wearable terminal device and a smart mobile phone as an example. The wearable device described in the application includes, but is not limited to, wearable items such as watches, glasses, shoes, hats, clothing and jewelry equipped with a smart processing chip.
Before authorization authentication is carried out between terminal devices, it can first be verified whether the terminal device requesting authorization authentication is trustworthy, and only after the verification passes is authorization authentication opened for the terminal device requesting authorization. By using the preliminary authentication method of the application, which checks whether authorization authentication should be opened for a terminal device, authorization authentication by illegal terminal devices can be effectively reduced, and authorization authentication communication between a wearable device or other terminal device and an illegal terminal is blocked at an early stage. Fig. 1 is a method flow diagram of an embodiment of the terminal device authentication method of the application. As shown in Fig. 1, the method may include:
S1: the first terminal sends an authorization opening request message generated by encrypting a generated first key and the first device identifier of the first terminal with a stored preset key.
The first terminal encrypts the generated first key key1 and the first device identifier of the first terminal with the stored preset key key0, forms the authorization opening request message MSG_A1, and sends the authorization opening request message MSG_A1.
The first terminal may be the smart mobile phone described above, or may be another mobile smart terminal in other application scenarios. In this embodiment the terminal device that sends the authorization opening request message MSG_A1 may be taken as the first terminal, and the terminal device that receives the authorization opening request message MSG_A1 may be taken as the second terminal; for example, in this embodiment the smart mobile phone may serve as the first terminal and the wearable device as the second terminal. Of course, in the above embodiment the first terminal that performs authorization authentication with a second terminal such as a wearable device may also be a dedicated server, a smart terminal management apparatus or the like.
The preset key key0 may be stored in advance in the first terminal. The preset key may be an initialization key set at the factory, or a key agreed in advance with the second terminal that may be used for opening device authorization or for device authorization authentication.
The first terminal may generate the first key key1, which may be used for authorization authentication with a second terminal including the wearable device. The first terminal may generate the first key key1 by an application in the terminal or by a preset key generation algorithm, and the first key key1 may be a key in a conventional data form such as digits, characters or symbols.
The preset key key0 may then be used to encrypt the generated first key key1 and the first device identifier app_divice_id of the first terminal, forming the authorization opening request message MSG_A1 of the first terminal. The first device identifier app_divice_id of the first terminal may be unique identification information identifying the first terminal device, for example the IMEI or MAC of the smart mobile phone, or another device identification string.
After the authorization opening request message MSG_A1 has been formed, the first terminal may send it. The specific sending method may include broadcasting the authorization opening request message MSG_A1 over WIFI or Bluetooth, and may of course also include other communication methods using a dedicated channel or network.
The first terminal can thus encrypt the generated first key and the first device identifier of the first terminal with the stored preset key to form the authorization opening request message MSG_A1, and send it by broadcast, point-to-point or similar means.
S2: the second terminal obtains the authorization opening request message, decrypts it with the stored preset key, and can judge, according to the result of the decryption, whether to open device authorization.
The second terminal can obtain the authorization opening request message MSG_A1 sent by the first terminal and decrypt the obtained authorization opening request message MSG_A1 with the stored preset key key0; the second terminal then judges, according to the result of the decryption, whether to open device authorization.
The second terminal can receive, and thereby obtain, the authorization opening message sent by the first terminal by broadcast or in point-to-point form. The second terminal also has the preset key key0 stored in advance; for example, a wearable device such as a smart bracelet or smart watch stores a preset key key0 set at the factory. The preset key in the second terminal may be identical to the preset key stored in the first terminal such as the smart mobile phone, so that the corresponding information encryption or decryption can be completed; in other embodiments it may also be a key that matches the first terminal's key. In practical applications, the preset key of the wearable device acting as the second terminal may generally be the authentication key set at the factory, and the preset key of the first terminal may be obtained by the first terminal through an application downloaded from a dedicated server or from the service provider, or may of course also be a key set by default in advance.
The second terminal described in the application may include, but is not limited to, wearable devices such as watches, glasses, shoes, hats, clothing, jewelry, bracelets and pendants equipped with a smart processing chip.
After obtaining the authorization opening request message MSG_A1, the second terminal may decrypt it with the stored preset key key0. If the authorization opening request message MSG_A1 obtained by the second terminal is a message encrypted with the same preset key key0, the second terminal can decrypt it successfully with its own preset key key0. If the authorization opening request message obtained by the second terminal was sent by an illegal terminal device using forgery, terminal device spoofing or the like, and was not encrypted with the preset key key0, the second terminal cannot decrypt it successfully, and device authorization authentication is not opened for it. The second terminal device can thus judge, from whether the obtained authorization opening request message decrypts successfully, whether the terminal device corresponding to that message is legitimate; if it is legitimate, device authorization is opened for it and it is allowed to carry out authorization authentication; otherwise it can be regarded as an illegal terminal device, and its authorization request can be refused, shielded or otherwise handled.
The second terminal can thus obtain the authorization opening request message MSG_A1, decrypt it, and judge according to the decryption result whether to open device authorization, that is, whether to allow authorization authentication with the device that sent the obtained authorization opening request message MSG_A1.
S3: when the result of the decryption is success, the second terminal sends an authorization opening result message generated by encrypting the second device identifier of the second terminal with the first key obtained by the decryption.
When the result of the decryption is success, the second terminal can open device authorization; the second terminal encrypts the second device identifier auth_divice_id of the second terminal with the first key key1 obtained by the decryption, forms the authorization opening result message MSG_B1, and sends the authorization opening result message MSG_B1. If the second terminal successfully decrypts the obtained authorization opening request message MSG_A1 with its own stored preset key key0, the second terminal device can open the device authorization service and allow the information interaction of authorization authentication with other terminal devices.
In a preferred embodiment of the application, for one-to-many or many-to-many terminal device application scenarios, an authentication method that distinguishes different terminal devices based on device identifiers is provided. Specifically, when the result of the decryption is success, the second terminal opening device authorization may include:
when the result of the decryption is success, the second terminal opens device authorization for the first terminal based on the first device identifier obtained by the decryption.
When the second terminal successfully decrypts the authorization opening request message MSG_A1 of the first terminal, it can obtain the first device identifier of the first terminal device and store it in a local application file. When opening device authorization, the second terminal can then be configured, according to the first device identifier obtained from this successful decryption, to open the device authorization authentication service for the terminal device corresponding to that first device identifier, allowing the second terminal and this first terminal to carry out the message interaction of authorization authentication. While device authorization is opened for the first terminal, the second terminal may still obtain authorization opening request messages MSG_A1 of other terminal devices, but it does not open device authorization for terminal devices whose authorization request messages do not decrypt successfully, nor for terminal devices whose device identifiers the second terminal has not decrypted or recorded.
After the successful decryption described above, the second terminal can complete the authentication of the first terminal's authorization opening request, and can further perform registration authentication of the first terminal, which can be used for the first terminal to register with and be identified by the second terminal and to open authorization authentication, completing the registration of the first terminal with the second terminal, the opening of device authorization authentication and the like. The second terminal in this embodiment can encrypt the second device identifier auth_divice_id of the second terminal with the first key key1 obtained by decrypting the authorization opening request message MSG_A1, forming the authorization opening result message MSG_B1. The second terminal can likewise send the authorization opening result message MSG_B1 by broadcast over WIFI or Bluetooth, or by another point-to-point communication method. Most second terminals that are wearable devices, such as smart bracelets, can be provided with a module for a short-range network, a mobile communication network or a proprietary data communication network, which can realize information communication between the first terminal and the second terminal and complete the information interaction.
When the decryption succeeds, the second terminal can thus encrypt the second device identifier with the obtained first key and feed the authorization opening result message back to the first terminal.
S4: first terminal obtains mandate and opens results messages, is decrypted with described first key;If successful decryption, the most open-minded
Device authorization.
Described first terminal can receive the mandate of the described second terminal transmission of acquisition and open message, and such as smart mobile phone passes through bluetooth
Scanning acquires the wearable device Authorization result message by Bluetooth broadcast.Described second terminal can utilize described generation
The mandate that first key key1 docking results take is opened results messages MSG_B1 and is decrypted.If successful decryption, the most permissible
Represent that the second terminal unit sending described Authorization result message is reliable, the relevant information of described second terminal can be registered,
Second device identification auth_divice_id of the such as second terminal unit, it is possible to open device authorization, is used for and wearable device
Carry out the interacting message of authorization identifying, complete the certification that the device authorization of the second terminal is opened.
In preferred embodiment, at successful decryption described in described first terminal, open device authorization and may include that described first
During terminal unit successful decryption, the described second device identification auth_divice_id obtained based on described deciphering is whole to described second
End opens device authorization.
When deciphering the second authorization terminal deciphering message MSG_B1 success of wearable device such as the first terminal of smart mobile phone, permissible
Obtain the device identification of described wearable device, can smart mobile phone side registration storage can with the device identification of wearable device,
The first described key key1 can also be stored simultaneously.So, smart mobile phone can obtain and store the equipment mark of wearable device
Knowing, only device identification to described storage can open device authorization, open device authorization to strengthen be that point-to-point type is opened by open
Logical device authorization, can effectively stop illegal wearable device to open device authorization authentication service, improve terminal unit two-way authentication
Safety.
After the above-mentioned message interaction process opening authorization identifying, described first terminal such as smart mobile phone can obtain and store
There is the second device identification auth_divice_id of the second terminal such as Intelligent bracelet etc., it is possible to the first of the described generation that storage generates
Key key1;Described second terminal can also store the device identification of described first terminal such as smart mobile phone equally
App_divice_id and described first key key1, completes described first terminal and the second terminal opens the two-way authentication of device authorization.
Compared with the traditional one-way authorization of a wearable device by a smartphone or server, the embodiments of the present application first perform mutual authentication for opening device authorization before the authorization authentication itself, which substantially improves the security of terminal device authorization.
After the first terminal and the second terminal have mutually opened the device authorization service, device authorization authentication can be carried out. Fig. 2 is a flow diagram of an embodiment of the terminal device authentication method described herein. As shown in Fig. 2, the authorization authentication performed after the first terminal and the second terminal have opened the authorization function may include:
S1': the first terminal sends an authorization request message generated by encrypting, with the stored first key, a generated second key and the first device identification of the first terminal.
The first terminal encrypts the generated second key key2 and its first device identification app_divice_id with the stored first key key1 to form the authorization request message MSG_A2, and sends MSG_A2. The first terminal may generate the second key key2 with an application running on it; the generated key2 may be an authentication key that is random or produced by a predefined algorithm, in the same way as the first key key1 generated when the first terminal opened device authorization, which is not repeated here. As described above, the first terminal generated and stored the first key key1 when opening device authorization; here it uses that first key to encrypt the generated second key key2 and its first device identification app_divice_id, forming the authorization request message MSG_A2 for the second terminal (for example a wearable device), and may send MSG_A2 over a short-range connection such as WIFI, Bluetooth or infrared, point-to-point, or another private communication mode, for the second terminal to receive and process.
S2': the second terminal obtains the authorization request message and decrypts it with the stored first key; if decryption succeeds, it determines whether a first authorised device identification corresponding to the decrypted first device identification is stored.
The second terminal obtains the authorization request message MSG_A2 and decrypts it with the stored first key key1. On successful decryption it compares the decrypted first device identification app_divice_id with the stored first authorised device identification Pre_app_divice_id, to determine whether a first authorised device identification Pre_app_divice_id corresponding to app_divice_id exists. The second terminal may be a wearable device, including but not limited to watches, glasses, shoes, hats, clothing, jewellery, bracelets or pendants fitted with an intelligent processing chip.
In this embodiment, the second terminal (a wearable device) authenticates the first terminal (a smartphone). As described above, the second terminal obtained the first key key1 sent by the first terminal while device authorization was being opened; it now receives the authorization request message MSG_A2 sent by the first terminal and decrypts it with key1. If decryption fails, the second terminal treats device authorization of the first terminal as failed.
If decryption succeeds, the first device identification app_divice_id obtained by decrypting MSG_A2 is compared with the device identification obtained and stored when the device authorization service was opened, to determine whether the two match. The second terminal obtained the first device identification of the first terminal when device authorization was opened; the first device identification stored by the second terminal is here called the first authorised device identification Pre_app_divice_id and marks a trusted terminal device. In one-to-many or many-to-many scenarios the second terminal may store several first authorised device identifications, each corresponding to one first terminal device. The second terminal compares app_divice_id with the stored Pre_app_divice_id entries to determine whether a first authorised device identification Pre_app_divice_id corresponding to app_divice_id is stored.
If the result is no, then even though MSG_A2 was decrypted successfully, the second terminal may refuse to authorize the first terminal corresponding to the first device identification app_divice_id in the message; that is, authorization authentication of the first terminal by the second terminal fails.
S3': if the result is yes, the second terminal authorizes the first terminal based on the first device identification, and sends an authorization result message generated by encrypting the second device identification of the second terminal with the second key obtained from the decryption.
When the result is yes, the second terminal authorizes the first terminal based on the first device identification app_divice_id; it encrypts its second device identification auth_divice_id with the decrypted second key key2 to form the authorization result message MSG_B2, and sends MSG_B2.
Specifically, the second terminal may mark the first terminal by the obtained first device identification app_divice_id and authorize it. In the embodiments of the present application, after the second terminal has authenticated the first terminal, the first terminal must also authenticate the second terminal in the reverse direction, which improves the security and reliability of authorization authentication between the smartphone and the wearable device. The second terminal therefore encrypts its second device identification auth_divice_id with the decrypted second key key2 to form the authorization result message MSG_B2 that is fed back to the first terminal. The second terminal then sends MSG_B2; the transport can follow the message interaction modes between the first terminal and the second terminal described in the other embodiments of this application and is not repeated here.
S4': the first terminal obtains the authorization result message and decrypts it with the second key; if decryption succeeds, it determines whether a second authorised device identification corresponding to the decrypted second device identification is stored, and decides based on that result whether to authorize the second terminal.
The first terminal obtains the authorization result message MSG_B2 and decrypts it with the second key key2. On successful decryption it compares the decrypted second device identification auth_divice_id with the stored second authorised device identification Pre_auth_divice_id, to determine whether a second authorised device identification Pre_auth_divice_id corresponding to auth_divice_id exists, and decides based on that result whether to authorize the second terminal.
The first terminal may receive the authorization result message MSG_B2 over WIFI, Bluetooth or the like and decrypt it with the generated second key key2. If decryption succeeds, the decrypted second device identification auth_divice_id is compared with the device identification obtained and stored when the device authorization service was opened, to determine whether the two match. The first terminal obtained and stored the second device identification of the second terminal when device authorization was opened; that stored second device identification is here called the second authorised device identification Pre_auth_divice_id and marks a trusted terminal device. In one-to-many or many-to-many scenarios the first terminal may store several second authorised device identifications, each corresponding to one second terminal device, for example the second authorised device identifications of a smart bracelet and a smart watch. The first terminal compares auth_divice_id with Pre_auth_divice_id to determine whether a second authorised device identification Pre_auth_divice_id corresponding to auth_divice_id is stored.
Based on this result, the first terminal decides whether to authorize the second terminal. If the result is yes, the first terminal authorizes the second terminal. For example, if the smartphone finds that the second device identification of the smart bracelet it obtained is identical to the second authorised device identification of the smart bracelet stored when authorization was opened, the smartphone authorizes the smart bracelet based on that second device identification and completes the authorization authentication of the bracelet; the first terminal can then perform the corresponding authorized operations for the second terminal. If the obtained second terminal device identification does not correspond to any stored second authorised device identification, authorization of the second terminal fails.
The terminal device authentication method provided by this application can first authenticate the request to open device authorization before terminal device authentication, excluding in advance any terminal device that does not meet the requirements for opening device authorization, so that an illegitimate terminal cannot demand that device authorization be opened. During device authorization authentication, and in particular between the wearable-device client and the intelligent-terminal server side, the authorization authentication uses mutual authentication based on the preset key and the generated first key and second key. Compared with the traditional one-way authentication of a wearable device by the server side, this greatly improves the security and reliability of authentication between devices and effectively prevents the wearable device from being subjected to malicious phishing, terminal spoofing and the like.
The verification feature code generally used by the prior art during authorization authentication is fixed; once the feature code is stolen, an attacker can use it to obtain the terminal device's privileges, so security and reliability are poor. The terminal device authentication method described herein also provides a preferred embodiment in which the terminal devices performing mutual authorization authentication change the authentication key on every authorization authentication; such a dynamically updated authentication key substantially improves the security of terminal device authorization. Fig. 3 is a flow diagram of another embodiment of the terminal device authentication method of this application. As shown in Fig. 3, the method may further include:
S5': when the second terminal determines that a first authorised device identification Pre_app_divice_id corresponding to the first device identification app_divice_id is stored, it replaces the first key key1 with the second key key2; when the first terminal determines that a second authorised device identification Pre_auth_divice_id corresponding to the decrypted second device identification auth_divice_id is stored, it replaces the first key key1 with the second key key2.
In this preferred embodiment, for every new authorization authentication the first terminal generates a new second authentication key; once that authentication completes, the first terminal and the second terminal each replace the current first authentication key with the new second authentication key, which becomes the updated first key. The terminal device authentication method of this preferred embodiment therefore updates the authentication key dynamically, improving the security of terminal device authorization.
Conventional terminal device verification, in particular between an intelligent terminal (smartphone, tablet, etc.) and a wearable device (smart bracelet, smart watch, etc.), mostly uses WIFI or Bluetooth communication. Such short-range transmission has a relatively low channel security level among modern communication technologies: messages are easily intercepted in transit, and the transmitted information is easily stolen or forged. In another preferred embodiment of the terminal device authentication method described herein, additional information can be added to the content transmitted by the terminal devices to ensure that received information is reliable, further improving the security and reliability of transmission.
Fig. 4 is a flow diagram of another embodiment of the terminal device authentication method described herein. As shown in Fig. 4, the method may further include:
S6': the authorization request message sent by the first terminal additionally carries additional information, generated according to a predefined rule, encrypted with the first key;
the authorization result message returned by the second terminal carries that additional information encrypted with the second key;
correspondingly, on successfully decrypting the authorization result message, the first terminal also determines whether the decrypted additional information is identical to the additional information sent in the authorization request message, and decides according to that result whether to authorize the second terminal.
The added additional information may include, but is not limited to, a challenge code (challenge: a random string that can be used when encrypting the message so that no plaintext is transmitted over the communication link), a digest (of the user's login account, session id, etc.) and the like. This embodiment adds verification information such as a challenge code or digest to the transmitted information; the transmitted message can be encrypted, and an attacker is effectively prevented from resending a packet that the terminal device has already received in order to deceive the system, which improves the correctness of the wearable device's authorization authentication.
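As an added illustration (example code written for this page, not code from the patent or any product), the following Python simulates the exchanges of steps S1' to S6', and the opening phase described earlier in the same shape: the first terminal sends a fresh key and its identifier under the current key, the second terminal checks the identifier against its stored Pre_app_divice_id entries and answers with its own identifier under the fresh key, the first terminal checks that identifier against Pre_auth_divice_id, and both sides rotate to the fresh key as in S5'. A challenge code is carried as the S6' additional information and must come back unchanged. The patent fixes no cipher, so "encryption" here is a constructed encrypt-then-MAC scheme built from HMAC-SHA256, under which "decryption failure" means the authentication tag does not verify; the JSON field layout, the names Terminal, seal, unseal, run_exchange and the identifiers phone-0001 and band-0001 are assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets

def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one shared key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a stream cipher."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def seal(key: bytes, fields: dict) -> bytes:
    """Encrypt-then-MAC a JSON body; output is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    plaintext = json.dumps(fields, sort_keys=True).encode()
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, message: bytes):
    """Decoded fields, or None on a wrong key or altered message (the S2'/S4' failure branch)."""
    if key is None or len(message) < 16 + 32:
        return None
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = message[:16], message[16:-32], message[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return json.loads(_xor(ct, _keystream(enc_key, nonce, len(ct))))

class Terminal:
    """Either side; device_id is app_divice_id on the smartphone, auth_divice_id on the wearable."""
    def __init__(self, device_id: str, preset_key: bytes):
        self.device_id = device_id
        self.preset_key = preset_key   # shared before device authorization is opened
        self.key = None                # key1 once opened; S5' rotates it to key2
        self.trusted_ids = set()       # Pre_app_divice_id / Pre_auth_divice_id entries
        self._pending = None           # (fresh key, challenge) while a request is outstanding

    def build_request(self, opening: bool) -> bytes:
        """Opening request (under the preset key) or MSG_A2 (under key1)."""
        fresh_key = secrets.token_bytes(32)   # key1 when opening, key2 afterwards
        challenge = secrets.token_hex(16)     # S6' additional information
        self._pending = (fresh_key, challenge)
        body = {"key": fresh_key.hex(), "id": self.device_id, "challenge": challenge}
        return seal(self.preset_key if opening else self.key, body)

    def handle_request(self, msg: bytes, opening: bool):
        """Second-terminal side: returns MSG_B1/MSG_B2, or None when it refuses."""
        body = unseal(self.preset_key if opening else self.key, msg)
        if body is None:
            return None                            # decryption failed
        if opening:
            self.trusted_ids.add(body.get("id"))   # register app_divice_id
        elif body.get("id") not in self.trusted_ids:
            return None                            # S2': identifier not registered
        fresh_key = bytes.fromhex(body["key"])
        self.key = fresh_key                       # store key1, or S5': key2 replaces key1
        return seal(fresh_key, {"id": self.device_id, "challenge": body.get("challenge")})

    def handle_result(self, msg: bytes, opening: bool) -> bool:
        """First-terminal side: the S4' check of MSG_B2 (or of MSG_B1 when opening)."""
        if self._pending is None:
            return False
        fresh_key, challenge = self._pending
        self._pending = None
        body = unseal(fresh_key, msg)
        if body is None or body.get("challenge") != challenge:
            return False                           # decryption failed or S6' mismatch
        if opening:
            self.trusted_ids.add(body.get("id"))   # register auth_divice_id
        elif body.get("id") not in self.trusted_ids:
            return False                           # S4': identifier not registered
        self.key = fresh_key                       # store key1, or S5': key2 replaces key1
        return True

def run_exchange(first: Terminal, second: Terminal, opening: bool) -> bool:
    """One request/result round trip; True only when both sides accept."""
    msg_a = first.build_request(opening)
    msg_b = second.handle_request(msg_a, opening)
    return msg_b is not None and first.handle_result(msg_b, opening)

def demo():
    preset = secrets.token_bytes(32)        # constructed preset key, shared out of band
    phone = Terminal("phone-0001", preset)  # first terminal
    band = Terminal("band-0001", preset)    # second terminal
    opened = run_exchange(phone, band, opening=True)
    authorized = run_exchange(phone, band, opening=False)
    return opened, authorized, phone.key == band.key
```

run_exchange(phone, band, opening=True) performs the opening round under the preset key; a second call with opening=False performs the authorization round under key1, and after each round both sides hold the same key. Two consequences are worth checking against the text: a replay of an earlier MSG_A2 is refused because S5' has already moved the second terminal to key2, and a MSG_B2 that is lost or rejected after the second terminal has rotated leaves the two sides holding different keys, so a deployment that follows S5' needs a resynchronisation path, which the patent text does not describe.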
Based on the terminal device authentication method described herein, this application provides a terminal device authentication apparatus. Fig. 5 is a schematic of the module structure of the terminal device authentication apparatus described herein. As shown in Fig. 5, the apparatus may include:
a first storage unit 101, for storing the generated first key and the obtained second authorised device identification of the second terminal;
a first encryption unit 102, for generating a second key and encrypting the second key and the obtained first device identification with the first key to generate an authorization request message;
a first communication module 103, for sending the authorization request message and for receiving the authorization result message sent by the second terminal. In concrete implementations the communication module may include a WIFI module or a short-range Bluetooth or infrared module, and may also include 2G/3G/4G and higher-version mobile communication network modules and wired communication modules;
a first decryption judging unit 104, for decrypting the authorization result message with the second key and, on successful decryption, determining whether the first storage unit 101 stores a second authorised device identification corresponding to the decrypted second device identification;
a first authorization module 105, for deciding, based on the result of the first decryption judging unit 104, whether to authorize the second terminal.
The terminal device authentication apparatus of this embodiment may be used in terminal devices that authenticate with a wearable device, such as smartphones, tablets or dedicated servers, and can perform device authorization authentication of the wearable device effectively and securely, improving the security of device authorization authentication.
In another preferred embodiment of the terminal device authentication apparatus described herein, the first key stored by the storage unit 101 may also be updated dynamically, with a key update in every device authorization authentication, which substantially improves the security and reliability of device authorization authentication. Fig. 6 is a schematic of the module structure of another embodiment of the terminal device authentication apparatus described herein. As shown in Fig. 6, the apparatus of this preferred embodiment may further include:
a first key update module 106, for replacing the first key stored in the first storage unit 101 with the second key generated by the first encryption unit 102 when the result of the first decryption judging unit 104 is yes.
To keep the authentication keys at both ends of the authorization authentication updated in step, the first key update module 106 of this embodiment replaces the first key stored in the first storage unit 101 with the second key generated by the first encryption unit 102 when the first decryption judging unit 104 determines that the first storage unit 101 stores a second authorised device identification corresponding to the decrypted second device identification. If that result is yes, the second terminal that received the authorization request message has passed authorization authentication and has likewise updated its stored authentication key (the first key) to the second key, so both terminals use consistent keys for encryption and decryption in the next authorization authentication.
In another embodiment of this application, to further strengthen the security of information transmitted over the terminal communication channel during authorization authentication, Fig. 7 shows the module structure of another embodiment of the terminal device authentication apparatus described herein. As shown in Fig. 7, the apparatus may further include:
an additional information module 107, for adding to the authorization request message additional information, generated according to a predefined rule, encrypted with the first key;
correspondingly, on successfully decrypting the authorization result message, the first decryption judging unit 104 also determines whether the decrypted additional information is identical to the additional information added to the authorization request message, and the first authorization module 105 decides whether to authorize the second terminal according to that result.
In an embodiment of the terminal device authentication apparatus described herein, the second terminal may be a wearable device, including but not limited to watches, glasses, shoes, hats, clothing, jewellery, bracelets or pendants fitted with an intelligent processing chip.
The terminal device authentication apparatus described above may be used in terminal devices that authenticate with a wearable device, such as smartphones, tablets or dedicated servers. Correspondingly, this application also provides an apparatus that may be used in the terminal device of a wearable device such as a smart watch or smart bracelet, for authorization authentication with terminal devices such as smartphones and servers. Fig. 8 is a schematic of the module structure of an embodiment of this terminal device authentication apparatus. As shown in Fig. 8, the apparatus may include:
a second communication module 201, for receiving the authorization request message sent by the first terminal and for sending the authorization result message;
a second storage unit 202, for storing the obtained first authorised device identification and first key of the first terminal;
a second decryption judging unit 203, for decrypting the authorization request message with the stored first key and, on successful decryption, determining whether the second storage unit 202 stores a first authorised device identification corresponding to the first device identification;
a second authorization module 204, for deciding, based on the result of the second decryption judging unit 203, whether to authorize the first terminal corresponding to the first device identification;
a second encryption unit 205, for encrypting the second device identification of the second terminal with the second key to generate the authorization result message when the result of the second decryption judging unit 203 is yes.
The terminal device authentication apparatus provided by this embodiment can, in a wearable device terminal, authenticate terminal devices such as smartphones that request authorization, completing mutual authorization authentication between terminal devices. In this embodiment the authorization request message is decrypted with the first key obtained when the request to open authorization was made, yielding the first device identification; this is compared with the stored first authorised device identification to determine whether the first terminal requesting authorization is legitimate, and whether to authorize the first terminal is decided according to the result. The wearable device terminal can thus effectively authenticate, in the reverse direction, the intelligent terminal, server or the like that requests authorization authentication, improving the security of terminal device authorization.
In a preferred embodiment, the terminal device authentication apparatus for a wearable device described above can also update the authentication key dynamically, improving the security and reliability of terminal device authorization. Fig. 9 is a schematic of the module structure of another embodiment of the terminal device authentication apparatus described herein. As shown in Fig. 9, the apparatus may further include:
a second key update module 206, for replacing the first key stored in the second storage unit 201 with the decrypted second key when the second decryption judging unit 203 determines that the second storage unit 202 stores a first authorised device identification corresponding to the decrypted first device identification.
As described above, after the second terminal decrypts successfully, the stored first key can be replaced with the second key obtained by decrypting the authorization request message, achieving dynamic updating of the authentication key in terminal device authorization and improving the security and reliability of the verification process.
Fig. 10 is a schematic of the module structure of another embodiment of the terminal device authentication apparatus described herein. As shown in Fig. 10, in another preferred embodiment the apparatus may further include:
an additional information processing module 207, for adding to the authorization result message the decrypted additional information encrypted with the decrypted second key.
Adding additional information to the messages transmitted during terminal device authorization prevents forged messages and further strengthens the security of information transmitted over the terminal communication channel during authorization authentication.
Based on the terminal device authentication apparatuses described herein, for wearable devices on one side and smartphones, tablets and servers on the other, this application provides a terminal device authentication system, which may include:
a first terminal, for sending an authorization request message generated by encrypting a generated second key and the first device identification of the first terminal with the stored first key; for obtaining the authorization result message sent by the second terminal and decrypting it with the second key; and, on successful decryption, for determining whether a second authorised device identification corresponding to the decrypted second device identification is stored and deciding based on that result whether to authorize the second terminal;
a second terminal, for obtaining the authorization request message sent by the first terminal and decrypting it with the stored first key; on successful decryption, for determining whether a first authorised device identification corresponding to the decrypted first device identification is stored; and, when the result is yes, for authorizing the first terminal based on the first device identification and sending an authorization result message generated by encrypting the second device identification of the second terminal with the decrypted second key.
A preferred embodiment of the above terminal device authentication system may further include:
means for the first terminal to replace the first key with the second key when it determines that a second authorised device identification corresponding to the decrypted second device identification is stored;
means for the second terminal to replace the first key with the second key when it determines that a first authorised device identification corresponding to the first device identification is stored.
The terminal device authentication system of the above embodiments achieves mutual authorization authentication between terminal devices and improves the security of device authorization; the authentication key used in the preferred embodiment is updated dynamically, which further improves the security and reliability of device authorization authentication.
This application also provides a terminal device authentication system that can authenticate the opening of device authorization before authorization authentication, ensuring that the terminal device requesting authorization authentication is permitted to perform it. The terminal device authentication system provided by this application may therefore include:
a first terminal, for sending an authorization opening request message generated by encrypting a generated first key and the first device identification of the first terminal with the stored preset key; for obtaining the authorization opening result message sent by the second terminal and decrypting it with the first key; and, if decryption succeeds, for opening device authorization;
a second terminal, for obtaining the authorization opening request message sent by the first terminal, decrypting it with the stored preset key and determining from the result of the decryption whether to open device authorization; and, when decryption succeeds, for sending an authorization opening result message generated by encrypting the second device identification of the second terminal with the decrypted first key.
In a preferred embodiment, the terminal device authentication system may further include at least one of the following:
A device for the first terminal to open device authorization to the second terminal, when the decryption succeeds, based on the second device identifier obtained by the decryption;
A device for the second terminal to open device authorization to the first terminal, when the result of the decryption is success, based on the first device identifier obtained by the decryption.
In the terminal device authentication system described above, the second terminal may include, but is not limited to, a wearable device such as a watch, glasses, shoes, hat, clothing, jewelry, bracelet or pendant fitted with an intelligent processing chip.
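As an added illustration (not code from the patent or its applicant), the two-message authorization-opening exchange described above, written in Python. The preset key, the device identifiers and the stdlib-only encrypt-then-MAC wrapper are constructed for this example; the wrapper stands in for whatever cipher an implementation would use, and its tag check is what makes "decryption succeeds" a meaningful test, so a request from a terminal without the preset key, or one modified in transit, leaves both terminals with authorization closed.

```python
import hashlib, hmac, os

def _keystream(key, nonce, n):
    # SHA-256 in counter mode; constructed for this example, not the patent's cipher
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    # encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    # returns None when the tag does not verify: wrong key or tampered message
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# constructed sample values: preset key shared at pairing time, device identifiers
PRESET_KEY = hashlib.sha256(b"constructed pairing secret").digest()
FIRST_ID, SECOND_ID = b"phone-0001", b"watch-0001"

def first_terminal_request(preset_key, first_id):
    # first terminal: fresh first key, encrypted under the preset key together with its ID
    first_key = os.urandom(32)
    return first_key, seal(preset_key, first_key + first_id)

def second_terminal_handle(preset_key, request, second_id):
    # second terminal: decrypt with the preset key; only on success authorize the
    # decrypted first ID and answer with its own ID encrypted under the first key
    pt = unseal(preset_key, request)
    if pt is None:
        return None, None
    first_key, first_id = pt[:32], pt[32:]
    return first_id, seal(first_key, second_id)

def first_terminal_finish(first_key, result):
    # first terminal: authorizes the second ID only if the result decrypts under first key
    return unseal(first_key, result)

def run_handshake(second_preset_key, tamper=False):
    # returns (ID authorized by the second terminal, ID authorized by the first terminal)
    first_key, request = first_terminal_request(PRESET_KEY, FIRST_ID)
    if tamper:  # simulate an on-path modification of one ciphertext byte
        request = request[:20] + bytes([request[20] ^ 1]) + request[21:]
    authorized_first, result = second_terminal_handle(second_preset_key, request, SECOND_ID)
    if result is None:
        return None, None
    return authorized_first, first_terminal_finish(first_key, result)
```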
The terminal device authentication method, apparatus and system provided by the application can achieve two-way authentication of device-authorization opening and of device authorization between multiple terminals, which greatly improves the security of terminal device authentication compared with the one-way authentication of terminal devices, especially wearable devices, in the prior art.
Although the description of the application mentions information exchange based on message transmission over a mobile communication network, WIFI, Bluetooth and the like, the application is not limited to the case of a fully standard data transmission protocol. A transmission mechanism obtained by slightly modifying one of these protocols can also carry out the schemes of the above embodiments of the application. Of course, even if the above general or standard protocols are not used and a proprietary protocol is used instead, as long as it satisfies the information exchange and the information judgment and feedback mechanism of the above embodiments of the application, the same application can still be realized; this is not repeated here.
The units or modules illustrated in the above embodiments may specifically be realized by a computer chip or an entity, or by a product having a certain function. For convenience of description, the above apparatus is described by dividing it into various modules by function. Of course, when implementing the application the functions of the modules may be realized in the same or in multiple pieces of software and/or hardware, and a module realizing one function may also be realized by a combination of multiple sub-modules or sub-units.
Those skilled in the art also know that, in addition to realizing the controller in the form of pure computer-readable program code, it is entirely possible, by logically programming the method steps, to make the controller realize the same functions in the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may therefore be regarded as a hardware component, and the devices included within it for realizing the various functions may also be regarded as structures within the hardware component. Or even, the devices for realizing the various functions may be regarded as structures that are both software modules implementing the method and hardware components.
The application may be described in the general context of computer-executable instructions, such as program modules. Generally, program modules include routines, programs, objects, components, data structures, classes and the like that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments, in which tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in local and remote computer storage media, including storage devices.
From the above description of the embodiments, those skilled in the art can clearly understand that the application can be realized by software plus the necessary general hardware platform. Based on such understanding, the technical solution of the application, or in other words the part that contributes to the prior art, can be embodied in the form of a software product; this computer software product can be stored in a storage medium, such as ROM/RAM, a magnetic disk, an optical disc, an intelligent chip and the like, and includes a number of instructions for causing a computer device (which may be a personal computer, a mobile terminal, a server, a wearable device, a network device or the like) to perform the method described in the embodiments, or in some part of the embodiments, of the application.
The embodiments in this specification are described in a progressive manner; the same or similar parts of the embodiments may be referred to one another, and each embodiment emphasizes its differences from the other embodiments. The application can be used in numerous general-purpose or special-purpose computer system environments or configurations, or in terminals including an intelligent processing chip. For example: personal computers, server computers, handheld or portable devices, laptop devices, multiprocessor systems, microprocessor-based systems, programmable electronic devices, network PCs, minicomputers, mainframe computers, wearable devices and the like, and distributed computing environments including any of the above systems or devices.
Although the application has been depicted by way of embodiments, those of ordinary skill in the art will appreciate that the application has many variations and changes without departing from the spirit of the application, and it is intended that the appended claims include these variations and changes without departing from the spirit of the application.