CN108990060B - Certificate distribution system and method of base station equipment - Google Patents
Certificate distribution system and method of base station equipment Download PDFInfo
- Publication number
- CN108990060B CN108990060B CN201710414247.1A CN201710414247A CN108990060B CN 108990060 B CN108990060 B CN 108990060B CN 201710414247 A CN201710414247 A CN 201710414247A CN 108990060 B CN108990060 B CN 108990060B
- Authority
- CN
- China
- Prior art keywords
- certificate
- base station
- application request
- equipment
- serial number
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The invention discloses a certificate distribution method of base station equipment, which comprises the following steps: the method comprises the steps that a certificate distribution server receives a certificate application request of base station equipment, legality verification is conducted on the certificate application request on the basis of a root certificate, and when the certificate application request passes the verification, the certificate distribution server sends the certificate application request to a first authentication server; wherein the root certificate is stored in the certificate distribution server; and when receiving the certificate application request, the first authentication server generates a trusted device certificate, and issues the trusted device certificate to the base station device through the certificate distribution server, wherein the trusted device certificate is used for identifying the legality of the base station device at an operator authentication authority. The invention also discloses a certificate distribution system of the base station equipment.
Description
Technical Field
The present invention relates to communications technologies, and in particular, to a certificate distribution system and method for a base station device.
Background
The data shows that the indoor distribution system accounts for 20% of the total base station number, and the 20% indoor coverage brings 80% of data traffic for the operator, so in order to increase the user viscosity, the operator takes the fourth generation mobile communication (4G) deep coverage as the primary task to be faced by the 4G deployment.
Although the small base station effectively solves the problem of indoor deep coverage and improves user experience as an implementation mode of indoor coverage, the deployment position of the small base station is not credible, and more security threats are inevitably brought. An attacker can tamper with the equipment configuration through a local interface or a remote control mode, steal authentication information stored by the equipment, even forge the equipment to trick user access, or attack a core network. Therefore, the small base station needs to simultaneously ensure local security, air interface security, access core network security, transmission security and operation and maintenance security.
At present, there are various security authentication methods for small cell devices, where there are certificate authentications in common use, and the authentication method is as follows: the method comprises the steps that a device certificate is signed for small base station equipment (including a security gateway) and used for identifying the legal identity of the small base station equipment; when the small base station requests to access the security gateway, carrying out validity authentication through the certificate; after the authentication is passed, an Internet Protocol Security (IPSec) secure transmission channel is established to ensure the transmission Security.
In the certificate authentication process, in order to verify the validity of the certificate of the small base station device applying for access, the security gateway needs to configure a root certificate chain of the certificate of the small base station device in advance in the security gateway, and the root certificate chain of the security gateway needs to be configured in advance in the small base station device. If the security gateway needs to support access to the small cell devices of multiple vendors, root Certificate chains of Certificate Authorities (CAs) of all small cell device vendors need to be configured in the security gateway, and the root Certificate chains of the corresponding security gateway are configured in the small cell devices, thereby causing a problem of complex Certificate configuration of device certificates.
Disclosure of Invention
In view of the foregoing technical problems, embodiments of the present invention are intended to provide a certificate distribution system and method for a base station device, so as to effectively solve the problem of complicated certificate configuration for each device manufacturer.
The technical scheme of the embodiment of the invention is realized as follows:
an embodiment of the present invention provides a certificate distribution system for a base station device, including:
the certificate distribution server is used for receiving a certificate application request of the base station equipment, carrying out validity verification on the certificate application request based on a root certificate, and sending the certificate application request to the first authentication server when the certificate application request passes the verification; wherein the root certificate is stored in the certificate distribution server;
the first authentication server is configured to generate a trusted device certificate when receiving the certificate application request, and issue the trusted device certificate to the base station device through the certificate distribution server, where the trusted device certificate is used to identify the validity of the base station device at an operator authentication authority.
In the above scheme, the certificate application request carries a preset certificate, an equipment serial number, a public key and a signature value;
the certificate distribution server is further used for analyzing the signature value in the preset certificate by using the public key in the root certificate to obtain a first abstract; performing hash operation on the equipment serial number and the public key in the preset certificate to obtain a second abstract;
the certificate distribution server is further configured to, when the first digest is consistent with the second digest, use the public key of the preset certificate to analyze the signature value in the certificate application request, so as to obtain a third digest; and carrying out Hash operation on the equipment serial number and the public key in the certificate application request to obtain a fourth abstract.
In the foregoing scheme, the certificate distribution server is specifically configured to: and when the third abstract is consistent with the fourth abstract, checking whether the equipment serial number in the certificate application request is in an equipment serial number list with validity authenticated by an equipment manufacturer certification authority.
In the above scheme, the method further comprises: the second authentication server is used for issuing the certificate of the base station equipment and sending the issued certificate to the base station equipment as the preset certificate, wherein the preset certificate represents the legality of the base station equipment in the equipment manufacturer certificate authority;
the second authentication server is further configured to send a root certificate of an equipment provider and a serial number of a base station device having legitimacy in the equipment provider certificate authority to the certificate distribution server.
In the foregoing solution, the first authentication server is specifically configured to: performing hash calculation on the equipment serial number and the public key in the certificate application request, and performing digital signature on a calculation result to obtain a second signature value;
and generating a trusted device certificate according to the public key and the device serial number in the certificate application request and the second signature value.
In the above scheme, the certificate distribution server is further configured to store the received root certificate and the serial number of the base station device to form an authorization device white list, where the authorization device white list is used to verify validity of the preset certificate and the device serial number sent by the base station device.
The embodiment of the invention also provides a certificate distribution method of the base station equipment, which comprises the following steps:
the method comprises the steps that a certificate distribution server receives a certificate application request of base station equipment, legality verification is conducted on the certificate application request on the basis of a root certificate, and when the certificate application request passes the verification, the certificate distribution server sends the certificate application request to a first authentication server; wherein the root certificate is stored in the certificate distribution server;
and when receiving the certificate application request, the first authentication server generates a trusted device certificate, and issues the trusted device certificate to the base station device through the certificate distribution server, wherein the trusted device certificate is used for identifying the legality of the base station device at an operator authentication authority.
In the above scheme, the certificate application request carries a preset certificate, an equipment serial number, a public key and a signature value;
before the validity verification is performed on the certificate application request based on the root certificate, the method further includes:
the certificate distribution server analyzes the signature value in the preset certificate by using the public key in the root certificate to obtain a first abstract; performing hash operation on the equipment serial number and the public key in the preset certificate to obtain a second abstract;
when the first abstract and the second abstract are consistent, the certificate distribution server uses the public key of the preset certificate to analyze the signature value in the certificate application request to obtain a third abstract; and carrying out Hash operation on the equipment serial number and the public key in the certificate application request to obtain a fourth abstract.
In the foregoing solution, the verifying the validity of the certificate application request based on the root certificate includes:
when the third digest is identical to the fourth digest, the certificate distribution server checks whether the device serial number in the certificate application request is in a list of device serial numbers authenticated by a device manufacturer certification authority and having validity.
In the foregoing solution, before the sending the certificate application request to the certificate distribution server, the method further includes:
the second authentication server signs a certificate of the base station equipment and issues the signed certificate as the preset certificate to the base station equipment, wherein the preset certificate represents the legality of the base station equipment in the equipment manufacturer certificate authority;
the second authentication server transmits a root certificate of an equipment provider and a serial number of a base station device having legitimacy in the equipment provider certificate authority to the certificate distribution server.
In the foregoing solution, the generating a trusted device certificate includes: the first authentication server performs hash calculation on the equipment serial number and the public key in the certificate application request, and performs digital signature on the calculation result to obtain a second signature value;
and the first authentication server generates a trusted device certificate according to the public key and the device serial number in the certificate application request and the second signature value.
In the above scheme, the method further comprises: and the certificate distribution server stores the received root certificate and the serial number of the base station equipment to form an authorization equipment white list, wherein the authorization equipment white list is used for verifying the validity of the preset certificate and the equipment serial number sent by the base station equipment.
The certificate distribution system and method for the base station equipment provided by the embodiment of the invention can generate a certificate application request after the base station equipment is installed and started, and send the certificate application request to a first authentication server, namely an operator CA (certificate Authority), through the certificate distribution server, and the first authentication server signs an authentic equipment certificate to the base station equipment after receiving the request. Therefore, the embodiment of the invention has the following beneficial effects: the method and the device realize the online distribution and automatic configuration of the certificate of the base station equipment, and effectively solve the problems of complex configuration, large workload and easy error.
Drawings
Fig. 1 is a schematic structural diagram of a certificate distribution system of a base station device according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of another certificate distribution system of a base station device according to an embodiment of the present invention;
fig. 3 is a schematic flowchart illustrating an implementation flow of a certificate distribution method for a base station device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, aspects and advantages of the present invention more apparent, the present invention will be described in detail in the following alternative embodiments of the present invention with reference to the accompanying drawings, which are a part of the embodiments of the present invention, but not all of them. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The embodiment of the present invention discloses a structure of a certificate distribution system of a base station device, as shown in fig. 1, the certificate distribution system of the present embodiment includes: a certificate distribution server 101, a first authentication server 102, a second authentication server 103, and a base station apparatus 104; wherein the content of the first and second substances,
the certificate distribution server 101 is configured to receive a certificate application request of a base station device, perform validity verification on the certificate application request based on a root certificate, and send the certificate application request to a first authentication server when the certificate application request passes the verification; wherein the root certificate is stored in the certificate distribution server. The certificate distribution server 101 may be a server having the above-described functions.
Here, the certificate distribution server 101 has the following modules: the system comprises an equipment white list management module, a certificate application request visa module and a certificate application processing module; the device white list processing module: the system is responsible for receiving and storing an authorized equipment serial number list and a second authentication server root certificate which are synchronized by a second authentication server (namely, a device manufacturer CA), and generating an equipment white list; a certificate application request authentication module: the system is in charge of an online automatic certificate application request, and a certificate signing request is initiated to a first authentication server only after the certificate passes the certification; certificate application processing module: and the authentication server is responsible for forwarding the certificate application request of the small base station equipment to the first authentication server.
The first authentication server 102 is configured to generate a trusted device certificate when receiving the certificate application request, and issue the trusted device certificate to the base station device through the certificate distribution server, where the trusted device certificate is used to identify the validity of the base station device at an operator certification authority.
Here, the first authentication server 102 has a trusted device certificate issuing module, which is configured to generate a trusted device certificate when receiving the certificate application request, and issue the trusted device certificate to the base station device through the certificate distribution server.
Here, the first authentication server 102 may also be an operator CA, a server or a system having a function of issuing a trusted device certificate, and the embodiment of the present invention is not limited in particular.
A base station device 104 configured to: 1) generating a new public key and private key pair, and generating a certificate application request carrying information such as an equipment serial number, a public key and a preset certificate; 2) performing digital signature on the certificate application request by using a private key to obtain a signature value; 3) the signature value is encapsulated to the certificate application request, and the encapsulated request is sent to the certificate distribution server 101.
Here, the base station apparatus 104 is a small base station apparatus or a micro base station apparatus, and the base station apparatus has advantages of: the integration level is high, strong adaptability, quick construction and convenient maintenance. In addition, the main application scenarios of the base station device include but are not limited to: 1) in a building, the dead angle coverage of a cell and the family coverage are realized; 2) the tunnel is arranged inside the tunnel, and the coverage can be flexibly realized; 3) the Internet of things is used for covering the sensor to the control equipment; 4) and (4) traffic, which utilizes the bandwidth advantage of fourth generation mobile communication (4G) to realize high-definition monitoring.
Here, the base station apparatus 104 has the following modules: the device comprises an equipment certificate safety storage module and a certificate application processing module, wherein: the equipment certificate safety storage module is a trusted environment and is used for safely storing the private key and the standby certificate preset by the second authentication server; and the certificate application processing module is responsible for generating a certificate application request, sending the request to the certificate distribution server, and replacing a pre-preset equipment certificate with a trusted equipment certificate issued by an operator CA after receiving the trusted equipment certificate issued by the first authentication server.
In an optional embodiment of the present invention, the certificate application request carries a preset certificate, an equipment serial number, a public key, and a signature value;
the certificate distribution server 101 is further configured to analyze a signature value in the preset certificate by using a public key in the root certificate to obtain a first digest; performing hash operation on the equipment serial number and the public key in the preset certificate to obtain a second abstract;
the certificate distribution server 101 is further configured to, when the first digest is consistent with the second digest, analyze the signature value in the certificate application request by using the public key of the preset certificate to obtain a third digest; and carrying out Hash operation on the equipment serial number and the public key in the certificate application request to obtain a fourth abstract.
Therefore, after receiving the certificate application request sent by the base station device 104, the certificate distribution server 101 uses the public key of the root certificate synchronized by the first authentication server to analyze the signature value in the preset certificate, so as to obtain a first digest; in addition, Hash calculation is carried out according to the equipment serial number and the public key in the preset certificate to obtain a second abstract, and the first abstract and the second abstract are compared to obtain the validity of the preset certificate.
In addition, when the first digest is identical to the second digest, the certificate distribution server 101 uses the public key of the preset certificate to analyze the signature value in the certificate application request, so as to obtain a third digest; in addition, the hash operation is carried out on the equipment string number and the public key in the certificate application request to obtain a fourth abstract, and the third abstract and the fourth abstract are compared to obtain the validity of the equipment string number and the public key in the certificate application request.
In an optional embodiment of the present invention, the certificate distribution server 101 is specifically configured to: and when the third abstract is consistent with the fourth abstract, checking whether the equipment serial number in the certificate application request is in an equipment serial number list with validity authenticated by an equipment manufacturer certification authority.
After finishing the validity of the preset certificate and the device serial number and the public key in the certificate application request, the certificate distribution server 101 checks whether the device serial number in the certificate application request is in a device serial number list, where the device serial number list is: the device vendor certification authority sends a list of device serial numbers with legitimacy to the certificate distribution server 101. When this checking step is completed, the verification of the certificate application request is finally completed, at which point the certificate application request is sent to the first authentication server 102.
In an optional embodiment of the present invention, the second authentication server 103 is configured to issue a certificate of the base station device 104, and issue the issued certificate as the preset certificate to the base station device 104, where the preset certificate indicates the validity of the base station device in the device manufacturer certificate authority;
the second authentication server 103 is further configured to send a root certificate of the device vendor and a serial number of a base station device having validity in the device vendor certificate authority to the certificate distribution server 101.
Here, the second authentication server 103 is a server or a system having a function of issuing a digital certificate of the temporary base station apparatus, and belongs to a server of an equipment vendor, and in the embodiment of the present invention, the second authentication server 103 may be referred to as an equipment vendor CA.
Before the base station device 104 leaves a factory or in a development stage, the second authentication server 103 issues a device certificate to the base station device 104, and issues the issued certificate as the preset certificate to a device certificate security storage module of the base station device in an online manner; alternatively, the device certificate that is preset to the base station device 104 is stored in the device certificate security storage module as the preset certificate in a manual storage manner.
In an optional embodiment of the present invention, the first authentication server 102 is specifically configured to: performing hash calculation on the equipment serial number and the public key in the certificate application request, and performing digital signature on a calculation result to obtain a second signature value;
and generating a trusted device certificate according to the public key and the device serial number in the certificate application request and the second signature value.
After receiving a certificate application request sent by the certificate distribution server 101, the first authentication server 102 performs hash calculation on the equipment serial number and the public key in the certificate application request, and performs digital signature on a calculation result to obtain a second signature value; and generating a trusted device certificate according to the public key and the device serial number in the certificate application request and the second signature value.
In an optional embodiment of the present invention, the certificate distribution server 101 is further configured to store the received root certificate and the serial number of the base station device to form an authorization device white list, where the authorization device white list is used to verify validity of the preset certificate and the device serial number sent by the base station device.
The certificate distribution server 101 receives the root certificate and the serial number of the base station device synchronized by the second authentication server 103, and stores the received information in the device white list processing module, which generates a device black and white list according to the root certificate and the serial number, so as to verify the certificate application request sent by the base station device 104 after activation.
The embodiment of the invention discloses a certificate distribution method of base station equipment, which comprises the following steps of:
step 201: the certificate distribution server receives a certificate application request of the base station equipment.
Specifically, before the certificate distribution server receives a certificate application request of the base station equipment, the base station equipment generates a new public key and private key pair after installation and activation, and generates a certificate application request carrying the public key, a serial number of the base station equipment and a preset certificate; the base station equipment uses the private key to digitally sign the certificate application request to obtain a signature value, packages the signature value into the certificate application request, and then sends the packaged certificate application request to a certificate distribution server. As a receiving side, the certificate distribution server receives a certificate application request sent by the base station device.
Step 202: and the certificate distribution server performs validity verification on the certificate application request based on the root certificate.
Here, the root certificate is generated by the device authority CA and synchronized to the certificate distribution server, and the certificate distribution server stores it. That is, the certificate distribution server has stored the root certificate before receiving the certificate application request.
For example, based on security considerations, before sending the certificate application request to the first authentication server, the certificate distribution server performs validity verification on the certificate application request based on the root certificate, and verifies whether the request is valid, for example, whether the request is from a base station device authorized by a device manufacturer certification authority.
Specifically, before the validity verification is performed on the certificate application request based on the root certificate, the method further includes: the certificate distribution server analyzes the signature value in the preset certificate by using the public key in the root certificate to obtain a first abstract; and carrying out Hash operation on the equipment serial number and the public key in the preset certificate to obtain a second abstract, and comparing the first abstract with the second abstract so as to obtain the validity of the preset certificate.
In addition, when the first abstract and the second abstract are consistent, the preset certificate is legal, and at this time, the certificate distribution server uses the public key of the preset certificate to analyze the signature value in the certificate application request to obtain a third abstract aiming at the equipment serial number and the public key in the preset certificate; in addition, the hash operation is carried out on the equipment string number and the public key in the certificate application request to obtain a fourth abstract, and the third abstract and the fourth abstract are compared to obtain the validity of the equipment string number and the public key in the certificate application request.
In an optional embodiment of the present invention, the verifying the validity of the certificate application request based on the root certificate includes: when the third digest is identical to the fourth digest, the certificate distribution server checks whether the device serial number in the certificate application request is in a list of device serial numbers authenticated by a device manufacturer certification authority and having validity.
For example, when the third digest is consistent with the fourth digest, it is indicated that the preset certificate is a legal certificate issued by an equipment provider, and the equipment serial number and the public key in the certificate application request come from a base station equipment having a legal certificate, at this time, it is continuously verified whether the equipment serial number is in an equipment serial number list, if so, it is indicated that the request is a legal request, at this time, the certificate distribution server forwards the request to an operator CA; if not, the request is an illegal request and is not forwarded.
Step 203: when the certificate application request is verified to be legal, the certificate distribution server forwards the certificate application request to the first authentication server.
Because the certificate distribution server does not have the function or the authority of issuing the trusted device certificate, after the certificate application request is verified, the request is sent to the operator CA with the trusted certificate issuance, so that the trusted device certificate issuance is completed.
Step 204: when the certificate application request is verified to be legal, the certificate distribution server does not forward the certificate application request.
Step 205: and when receiving the certificate application request, the first authentication server generates a trusted device certificate and issues the trusted device certificate to the base station device through the certificate distribution server.
Here, the trusted device certificate is used to identify the validity of the base station device at an operator certification authority.
Specifically, the generating the trusted device certificate includes: the first authentication server performs hash calculation on the equipment serial number and the public key in the certificate application request, and performs digital signature on the calculation result to obtain a second signature value;
and the first authentication server generates a trusted device certificate according to the public key and the device serial number in the certificate application request and the second signature value.
For example, after receiving a certificate application request forwarded by a certificate distribution server, an operator CA correspondingly parses the request to obtain a device serial number and a public key in the request, then performs hash operation on the device serial number and the public key, and encrypts an operation result by using a private key of the operator CA, thereby implementing digital signature to obtain a signature value. And the operator CA generates a trusted device certificate aiming at the base station device according to the signature value and the device serial number and the public key acquired from the certificate application request.
In an optional embodiment of the present invention, before sending the certificate application request to the certificate distribution server, the method further includes: the second authentication server signs a certificate of the base station equipment and issues the signed certificate as the preset certificate to the base station equipment, wherein the preset certificate represents the legality of the base station equipment in the equipment manufacturer certificate authority;
the second authentication server transmits a root certificate of an equipment provider and a serial number of a base station device having legitimacy in the equipment provider certificate authority to the certificate distribution server.
Specifically, before the base station device is installed and activated, the device provider CA issues a certificate for proving validity to the base station device, and the certificate is preset in the base station device in a networking manner or a manual storage manner. Further, the operator CA transmits the root certificate and the serial number of the base station device to the certificate distribution server to form a device white list from the root certificate and the serial number of the base station device.
In an alternative embodiment of the invention, the method further comprises: and the certificate distribution server stores the received root certificate and the serial number of the base station equipment to form an authorization equipment white list, wherein the authorization equipment white list is used for verifying the validity of the preset certificate and the equipment serial number sent by the base station equipment.
According to the technical scheme of the embodiment of the invention, before the base station equipment is installed, the certificate authorized by the equipment manufacturer is preset in the base station equipment; in addition, the certificate distribution server also obtains a root certificate of the device manufacturer and a serial number for the base station device, thereby forming a device white list. After the base station equipment is installed and started, a certificate application request is generated and sent to a first authentication server (namely an operator CA) through a certificate distribution server, and after receiving the request, the first authentication server issues a trusted equipment certificate to the base station equipment. Therefore, the embodiment of the invention has the following beneficial effects: 1) the method realizes the online distribution and automatic configuration of the certificate of the base station equipment, and effectively solves the problems of complex configuration, large workload and easy error; 2) the certificate system of the base station equipment applies to the CA of an operator, so that the problem that the equipment operator has private access to the base station can be effectively solved; 3) the CA of the device manufacturer is adopted to issue a preset certificate to temporarily identify the legal identity of the device, and the legitimacy verification is carried out on the certificate application request through the digital signature and device white list technology, so that the certificate application request can be ensured to be initiated by the legal device, the integrity of the request information is ensured, and the risk that the certificate request is maliciously tampered or counterfeited is effectively solved.
The embodiment of the invention also discloses another certificate distribution method of the base station equipment, and as shown in fig. 3, the certificate distribution method comprises the following steps:
step 301: and issuing a device certificate.
And the equipment manufacturer issues a certificate authorized and authenticated by the equipment manufacturer according to the corresponding information of the base station equipment.
Step 302: a device certificate is preset.
And presetting the issued device certificate into a trusted environment of the base station device, such as a device certificate security storage module.
Step 303: a secure storage device certificate and a private key.
The base station device securely stores a preset certificate and a private key belonging to the base station device itself.
Step 304: synchronizing a list of authorized device serial numbers and a root certificate.
The device merchant CA synchronizes its root certificate and the device serial number for which the certificate is preset to the certificate distribution server.
Step 305: a list of device serial numbers and a root certificate are stored.
The certificate distribution server stores the equipment serial number list and the root certificate of the equipment merchant CA to generate an equipment white list for subsequent online certificate application request authentication.
Step 306: a new public-private key pair is generated.
The base station device generates a new public key and private key when the base station device is activated after installation.
Step 307: a certificate application request is generated.
The base station equipment generates a certificate application request carrying an equipment serial number, a public key and a preset certificate.
Step 308: the certificate application request is digitally signed using the device certificate.
Step 309: a certificate application request (carrying the device serial number, public key, pre-set certificate, and signature value).
The base station equipment obtains a signature value after digitally signing the certificate application request, packages the signature value into the certificate application request, and sends the request to the certificate distribution server, wherein the certificate application request carries an equipment serial number, a public key, a preset certificate and the signature value.
Step 310: the validity of the preset certificate is verified using the device merchant CA root certificate.
Step 311: and if the preset certificate passes the verification, verifying the signature value.
Step 312: if the signature value is verified, it is checked whether the device serial number is in the list of authorized device serial numbers.
Step 313: and forwarding the certificate application request after the certificate application request passes the verification.
Step 314: and issuing the trusted device certificate according to the serial number and the public key in the certificate application request.
Step 315: and returning the trusted device certificate to the certificate distribution server.
The operator CA sends the issued trusted device certificate to the certificate distribution server.
Step 316: and returning the trusted device certificate to the base station device.
The certificate distribution server transmits the received trusted device certificate to the base station device.
Step 317: the trusted device certificate and the private key are stored.
After receiving the trusted device certificate, the base station device stores the trusted device certificate so as to perform access authentication on the base station device by using the certificate, and in addition, the private key is also stored.
Through the technical scheme of the embodiment of the invention, the following beneficial effects can be achieved: 1) the problems of complex configuration, large workload and easy error are effectively solved by the online distribution and automatic configuration of the certificate of the base station equipment; 2) the certificate system of the base station equipment applies to the CA of an operator, so that the problem that the equipment operator has private access to the base station can be effectively solved; 3) the CA of the device manufacturer is adopted to issue a preset certificate to temporarily identify the legal identity of the device, and the legitimacy verification is carried out on the certificate application request through the digital signature and device white list technology, so that the certificate application request can be ensured to be initiated by the legal device, the integrity of the request information is ensured, and the risk that the certificate request is maliciously tampered or counterfeited is effectively solved.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, and improvement made within the spirit and scope of the present invention are included in the protection scope of the present invention.
Claims (12)
1. A certificate distribution system of a base station apparatus, characterized by comprising:
the certificate distribution server is used for receiving a certificate application request of the base station equipment, verifying the legitimacy of a preset certificate in the certificate application request based on a root certificate, verifying the legitimacy of an equipment serial number, a signature value and a public key in the certificate application request by using the preset certificate when the certificate application request passes the verification, checking whether the equipment serial number is in a preset equipment serial number list when the certificate application request passes the verification, and if the equipment serial number passes the verification, sending the certificate application request to the first authentication server; wherein the root certificate is stored in the certificate distribution server; wherein the preset certificate indicates the validity of the base station device;
the first authentication server is configured to generate a trusted device certificate when receiving the certificate application request, and issue the trusted device certificate to the base station device through the certificate distribution server, where the trusted device certificate is used to identify the validity of the base station device at an operator authentication authority.
2. The system of claim 1,
the certificate distribution server is further used for analyzing the signature value in the preset certificate by using the public key in the root certificate to obtain a first abstract; performing hash operation on the equipment serial number and the public key in the preset certificate to obtain a second abstract;
the certificate distribution server is further configured to, when the first digest is consistent with the second digest, use the public key of the preset certificate to analyze the signature value in the certificate application request, so as to obtain a third digest; and carrying out Hash operation on the equipment serial number and the public key in the certificate application request to obtain a fourth abstract.
3. The system of claim 2,
the certificate distribution server is specifically configured to: and when the third abstract is consistent with the fourth abstract, checking whether the equipment serial number in the certificate application request is in an equipment serial number list with validity authenticated by an equipment manufacturer certification authority.
4. The system of claim 2, further comprising:
the second authentication server is used for issuing the certificate of the base station equipment and sending the issued certificate to the base station equipment as the preset certificate;
the second authentication server is further configured to send a root certificate of an equipment provider and a serial number of a base station device having legitimacy in the equipment provider certificate authority to the certificate distribution server.
5. The system of claim 2, wherein the first authentication server is specifically configured to:
performing hash calculation on the equipment serial number and the public key in the certificate application request, and performing digital signature on a calculation result to obtain a second signature value;
and generating a trusted device certificate according to the public key and the device serial number in the certificate application request and the second signature value.
6. The system of claim 3,
the certificate distribution server is further configured to store the received root certificate and the serial number of the base station device to form an authorization device white list, where the authorization device white list is used to verify validity of the preset certificate and the device serial number sent by the base station device.
7. A certificate distribution method of a base station apparatus, the method comprising:
the certificate distribution server receives a certificate application request of base station equipment, legality verification is carried out on a preset certificate in the certificate application request on the basis of a root certificate, when the certificate application request passes the verification, the preset certificate is used for verifying the legality of an equipment serial number, a signature value and a public key in the certificate application request, when the certificate application request passes the verification, whether the equipment serial number is in a preset equipment serial number list or not is checked, and if the equipment serial number passes the verification, the certificate application request is sent to a first authentication server; wherein the root certificate is stored in the certificate distribution server; wherein the preset certificate indicates the validity of the base station device;
and when receiving the certificate application request, the first authentication server generates a trusted device certificate, and issues the trusted device certificate to the base station device through the certificate distribution server, wherein the trusted device certificate is used for identifying the legality of the base station device at an operator authentication authority.
8. The method of claim 7,
before the validity verification is performed on the certificate application request based on the root certificate, the method further includes:
the certificate distribution server analyzes the signature value in the preset certificate by using the public key in the root certificate to obtain a first abstract; performing hash operation on the equipment serial number and the public key in the preset certificate to obtain a second abstract;
when the first abstract and the second abstract are consistent, the certificate distribution server uses the public key of the preset certificate to analyze the signature value in the certificate application request to obtain a third abstract; and carrying out Hash operation on the equipment serial number and the public key in the certificate application request to obtain a fourth abstract.
9. The method of claim 8, wherein the validating the certificate application request based on the root certificate comprises:
when the third digest is identical to the fourth digest, the certificate distribution server checks whether the device serial number in the certificate application request is in a list of device serial numbers authenticated by a device manufacturer certification authority and having validity.
10. The method of claim 8, wherein prior to sending the certificate application request to the certificate distribution server, the method further comprises:
the second authentication server signs the certificate of the base station equipment and issues the signed certificate as the preset certificate to the base station equipment;
the second authentication server transmits a root certificate of an equipment provider and a serial number of a base station device having legitimacy in the equipment provider certificate authority to the certificate distribution server.
11. The method of claim 7, wherein the generating a trusted device certificate comprises:
the first authentication server performs hash calculation on the equipment serial number and the public key in the certificate application request, and performs digital signature on the calculation result to obtain a second signature value;
and the first authentication server generates a trusted device certificate according to the public key and the device serial number in the certificate application request and the second signature value.
12. The method of claim 8, further comprising:
and the certificate distribution server stores the received root certificate and the serial number of the base station equipment to form an authorization equipment white list, wherein the authorization equipment white list is used for verifying the validity of the preset certificate and the equipment serial number sent by the base station equipment.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710414247.1A CN108990060B (en) | 2017-06-05 | 2017-06-05 | Certificate distribution system and method of base station equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710414247.1A CN108990060B (en) | 2017-06-05 | 2017-06-05 | Certificate distribution system and method of base station equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN108990060A CN108990060A (en) | 2018-12-11 |
| CN108990060B true CN108990060B (en) | 2021-02-02 |
Family
ID=64501880
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201710414247.1A Active CN108990060B (en) | 2017-06-05 | 2017-06-05 | Certificate distribution system and method of base station equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN108990060B (en) |
Families Citing this family (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110113339A (en) * | 2019-05-08 | 2019-08-09 | 北京百度网讯科技有限公司 | Elevator information display terminal letter of identity acquisition methods and device |
| CN111143888B (en) * | 2019-12-25 | 2021-08-10 | 北京深思数盾科技股份有限公司 | Certificate signing and issuing method and system |
| CN114268953B (en) * | 2020-09-14 | 2023-08-15 | 中国移动通信集团重庆有限公司 | Base station authentication method, query node, system and equipment |
| CN115567920A (en) * | 2021-06-30 | 2023-01-03 | 华为技术有限公司 | Authentication method and device |
| US11838428B2 (en) * | 2021-12-20 | 2023-12-05 | Nokia Technologies Oy | Certificate-based local UE authentication |
| CN115037480A (en) * | 2022-06-07 | 2022-09-09 | 抖音视界(北京)有限公司 | Method, device, equipment and storage medium for equipment authentication and verification |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102026192A (en) * | 2009-09-21 | 2011-04-20 | 中兴通讯股份有限公司 | Mobile backhaul network certificate distributing method and system |
| CN102088699A (en) * | 2009-12-08 | 2011-06-08 | 中兴通讯股份有限公司 | Trust list-based system and method |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| ATE461594T1 (en) * | 2005-10-13 | 2010-04-15 | Mitsubishi Electric Corp | METHOD FOR CONNECTING A BASE STATION TO A WIRELESS TELECOMMUNICATIONS NETWORK |
| US8627064B2 (en) * | 2011-03-24 | 2014-01-07 | Alcatel Lucent | Flexible system and method to manage digital certificates in a wireless network |
| EP2907287B1 (en) * | 2012-10-15 | 2016-06-29 | Nokia Solutions and Networks Oy | Network authentication |
| CN103560889B (en) * | 2013-11-05 | 2017-01-18 | 江苏先安科技有限公司 | Precision identity authentication method between X509 digital certificate and certificate application |
-
2017
- 2017-06-05 CN CN201710414247.1A patent/CN108990060B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102026192A (en) * | 2009-09-21 | 2011-04-20 | 中兴通讯股份有限公司 | Mobile backhaul network certificate distributing method and system |
| CN102088699A (en) * | 2009-12-08 | 2011-06-08 | 中兴通讯股份有限公司 | Trust list-based system and method |
Also Published As
| Publication number | Publication date |
|---|---|
| CN108990060A (en) | 2018-12-11 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108990060B (en) | Certificate distribution system and method of base station equipment | |
| CN108390851B (en) | Safe remote control system and method for industrial equipment | |
| CN110769393B (en) | Identity authentication system and method for vehicle-road cooperation | |
| US10680832B2 (en) | Computer apparatus for transmitting a certificate to a device in an installation | |
| CN103067402B (en) | The generation method and system of digital certificate | |
| CN102905260B (en) | Safety and certification system for data transmission of mobile terminal | |
| Haidar et al. | On the performance evaluation of vehicular PKI protocol for V2X communications security | |
| CN103533403B (en) | What a kind of device certificate towards smart cloud TV terminal activated realizes method | |
| US10075439B1 (en) | Programmable format for securely configuring remote devices | |
| CN101841525A (en) | Secure access method, system and client | |
| CN104753881A (en) | WebService security certification access control method based on software digital certificate and timestamp | |
| CN103079200A (en) | Wireless access authentication method, system and wireless router | |
| KR102065138B1 (en) | Method and system for providing security for establishing initial contact between mobile device and device | |
| CN103532713A (en) | Sensor authentication and sharing key generating method, sensor authentication and sharing key generating system and sensor | |
| CN103078742A (en) | Generation method and system of digital certificate | |
| CN104219055A (en) | NFC (near field communication)-based point-to-point trusted authentication method | |
| CN112383557B (en) | Safety access gateway and industrial equipment communication management method | |
| CN111435390A (en) | Safety protection method for operation and maintenance tool of power distribution terminal | |
| CN111541660B (en) | Identity authentication method for remote vehicle control | |
| CN108234119B (en) | Digital certificate management method and platform | |
| CN110445782B (en) | Multimedia safe broadcast control system and method | |
| CN114339680B (en) | V2X system and safety authentication method | |
| CN115051813A (en) | New energy platform control instruction protection method and system | |
| CN113609213B (en) | Method, system, device and storage medium for synchronizing device keys | |
| CN111435389A (en) | Power distribution terminal operation and maintenance tool safety protection system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |