CN112866236A - Internet of things identity authentication system based on simplified digital certificate - Google Patents


Info

Publication number
CN112866236A
Application number
CN202110052317.XA
Authority
CN (China)
Prior art keywords
certificate, signature, internet, things, terminal
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted, active
Other languages
Chinese (zh)
Other versions
CN112866236B (granted publication)
Inventors
杨家全, 冯勇, 李响, 李踔, 王禹, 李浩涛, 罗恩博, 栾思平
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Electric Power Research Institute of Yunnan Power Grid Co Ltd
Original Assignee
Electric Power Research Institute of Yunnan Power Grid Co Ltd
Events
Application CN202110052317.XA filed by Electric Power Research Institute of Yunnan Power Grid Co Ltd; priority to CN202110052317.XA; publication of CN112866236A; application granted; publication of CN112866236B; legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y 30/00 IoT infrastructure
    • G16Y 30/10 Security thereof
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application provides an Internet of Things identity authentication system based on simplified digital certificates. The system comprises an Internet of Things terminal device, an application server and a certificate management center. The certificate management center is configured to issue a terminal certificate, a server certificate and an issuer certificate. The terminal device is configured to send an authentication request that contains a terminal random number sequence. The application server is configured to respond to the request by generating a server random number sequence and signing the terminal random number sequence together with the server random number sequence to obtain a first signature value. The terminal device is further configured to authenticate the application server by means of the first signature value, the server certificate and the issuer certificate and, if this succeeds, to sign the terminal random number sequence and the server random number sequence to obtain a second signature value. The application server is further configured to authenticate the terminal device by means of the second signature value, the terminal certificate and the issuer certificate. The system simplifies the authentication procedure and reduces latency.

Description

Internet of things identity authentication system based on simplified digital certificate
Technical Field
The application relates to the field of Internet of Things security, and in particular to an Internet of Things identity authentication system based on a simplified digital certificate.
Background
The Internet of Things connects any object to a network through information sensing devices according to an agreed protocol. The objects exchange information and communicate over a transmission medium in order to realise functions such as intelligent identification, positioning, tracking and supervision; the architecture comprises a perception layer, a network transmission layer and an application layer. In practice, before communication can be established, identity authentication between an Internet of Things terminal device and an application server is required.
A common authentication method uses digital certificates. Current digital certificates generally follow the international X.509 v3 standard; a standard X.509 certificate contains version information, a serial number, the signature algorithm, the issuer, the validity period, the holder's public key, an issuer unique identifier, a holder unique identifier, extensions, and the issuer's signature over the certificate. During authentication, the content of the digital certificate is checked in several stages involving the Internet of Things terminal, the application server and the certificate issuer.
However, such a certificate contains a good deal of information that is redundant for authentication. This redundant information occupies a large amount of storage space on the terminal device during authentication, and the multi-stage authentication procedure adds considerable latency at the terminal. Such an authentication method is therefore poorly suited to Internet of Things terminal devices.
Disclosure of Invention
The application provides an Internet of Things identity authentication system based on simplified digital certificates, with the aim of solving the problem that the conventional authentication method is not suited to Internet of Things terminal devices.
The Internet of Things authentication system based on simplified digital certificates provided by the application comprises an Internet of Things terminal device, an application server and a certificate management center;
the certificate management center is configured to issue a terminal certificate for the terminal device, a server certificate for the application server, and an issuer certificate for itself; the terminal certificate, the server certificate and the issuer certificate are simplified digital certificates;
the terminal device is configured to send an authentication request to the application server, the authentication request containing a terminal random number sequence;
the application server is configured to respond to the authentication request by generating a server random number sequence, signing the terminal random number sequence and the server random number sequence with its own signature private key to obtain a first signature value, and sending the first signature value and the server certificate to the terminal device;
the terminal device is further configured to authenticate the identity of the application server by means of the first signature value, the server certificate and the issuer certificate and, if the authentication succeeds, to sign the terminal random number sequence and the server random number sequence with its own signature private key to obtain a second signature value and send the second signature value and the terminal certificate to the application server;
the application server is further configured to authenticate the identity of the terminal device by means of the second signature value, the terminal certificate and the issuer certificate and, if the authentication succeeds, to send a notification message to the terminal device informing it that authentication has succeeded.
Optionally, the system further includes a hardware cryptographic module. The terminal device is further configured to store the terminal certificate and the issuer certificate, together with its own identity signature and signature private key; the application server is further configured to store the server certificate and the issuer certificate; and the hardware cryptographic module is configured to store the identity signature and the signature private key of the application server.
Optionally, the simplified digital certificate includes an issuer unique identifier, a holder unique identifier, a holder signature public key, an encryption public key, a validity period, a signature algorithm, and the issuer's signature over the certificate.
Optionally, the terminal device is further configured to verify the validity period of the server certificate. If the validity period is in force, the validity period check passes and the terminal performs a digital signature verification operation on the issuer's signature contained in the server certificate, using the signature public key in the issuer certificate and the signature algorithm specified in the server certificate. If the validity period has not yet begun or has expired, the validity period check fails and identity authentication of the application server fails.
Optionally, the terminal device is further configured so that, if the verification of the issuer's signature indicates that the signature of the server certificate is valid, the server certificate passes verification and the terminal performs a digital signature verification operation on the first signature value using the signature public key in the server certificate and the signature algorithm specified in the server certificate; if the verification indicates that the signature of the server certificate is invalid, verification of the server certificate fails and identity authentication of the application server fails.
Optionally, the terminal device is further configured so that, if the verification of the first signature value indicates that it is valid, the first signature value passes verification and identity authentication of the application server succeeds; if the verification indicates that the first signature value is invalid, verification of the first signature value fails and identity authentication of the application server fails.
Optionally, the application server is further configured to verify the validity period of the terminal certificate. If the validity period is in force, the validity period check passes and the server performs a digital signature verification operation on the issuer's signature contained in the terminal certificate, using the signature public key in the issuer certificate and the signature algorithm specified in the terminal certificate. If the validity period has not yet begun or has expired, the validity period check fails and identity authentication of the terminal device fails.
Optionally, the application server is further configured so that, if the verification of the issuer's signature indicates that the signature of the terminal certificate is valid, the terminal certificate passes verification and the server queries the status of the terminal certificate from the certificate management center; if the verification indicates that the signature of the terminal certificate is invalid, verification of the terminal certificate fails and identity authentication of the terminal device fails.
Optionally, the application server is further configured so that, if the queried status of the terminal certificate is valid, the server performs a digital signature verification operation on the second signature value using the signature public key in the terminal certificate and the signature algorithm specified in the terminal certificate; if the queried status of the terminal certificate is revoked, identity authentication of the terminal device fails.
Optionally, the application server is further configured so that, if the verification of the second signature value indicates that it is valid, the second signature value passes verification and identity authentication of the terminal device succeeds; if the verification indicates that the second signature value is invalid, verification of the second signature value fails and identity authentication of the terminal device fails.
In the technical solution described above, the Internet of Things identity authentication system based on simplified digital certificates comprises the terminal device, the application server and the certificate management center. The certificate management center issues a terminal certificate, a server certificate and an issuer certificate. The terminal device sends an authentication request containing a terminal random number sequence. The application server responds by generating a server random number sequence and signing the terminal random number sequence together with the server random number sequence to obtain a first signature value. The terminal device authenticates the application server by means of the first signature value, the server certificate and the issuer certificate and, if this succeeds, signs the terminal random number sequence and the server random number sequence to obtain a second signature value. The application server authenticates the terminal device by means of the second signature value, the terminal certificate and the issuer certificate. The system simplifies the authentication procedure and reduces latency.
Drawings
In order to explain the technical solution of the present application more clearly, the drawings needed for the embodiments are briefly described below. Other drawings can be derived from them by a person skilled in the art without inventive effort.
Fig. 1 is a schematic structural diagram of the Internet of Things identity authentication system based on a simplified digital certificate according to the present application;
Fig. 2 is a schematic diagram of the identity authentication of the application server according to the present application;
Fig. 3 is a schematic diagram of the identity authentication of the Internet of Things terminal device.
Detailed Description
Reference will now be made in detail to embodiments, examples of which are illustrated in the accompanying drawings. Where the following description refers to the drawings, like numerals in different drawings denote the same or similar elements unless otherwise indicated. The embodiments described below do not represent all embodiments consistent with the present application; they are merely examples of systems and methods consistent with certain aspects of the application as recited in the claims.
Referring to Fig. 1, a schematic structural diagram of an Internet of Things identity authentication system based on a simplified digital certificate is shown. As can be seen from Fig. 1, the system comprises an Internet of Things terminal device, an application server and a certificate management center. The certificate management center is configured to issue a terminal certificate Cert_T for the terminal device, a server certificate Cert_S for the application server, and an issuer certificate for itself; the terminal certificate Cert_T, the server certificate Cert_S and the issuer certificate are simplified digital certificates.
In practice, the terminal device is a device that connects the sensing layer and the transmission layer of the Internet of Things, collecting data and transmitting it to the network layer. It performs data acquisition, preliminary processing, encryption and transmission. To improve the security of the Internet of Things, identity authentication is required before data exchange or other interaction between the terminal device and the application server. The certificate management center issues digital certificates to the terminal device and to the application server, and mutual identity authentication between the two is achieved by means of these certificates.
Further, the simplified digital certificate may include an issuer unique identifier, a holder unique identifier, a holder signature public key, an encryption public key, a validity period, a signature algorithm, and the issuer's signature over the certificate. The issuer unique identifier identifies the certificate management center. The holder unique identifier identifies the party to which the certificate is issued; in the embodiments of the application the holders are the terminal device and the application server. The validity period is the time span during which the certificate is valid: the certificate is valid only within this period, and is otherwise either not yet valid or expired. In particular, the simplified digital certificate can be described in a format based on ASN.1 (Abstract Syntax Notation One), which describes data formats for representing, encoding, transmitting and decoding data:
Certificate ::= SEQUENCE {
    issuerUniqueID  BIT STRING,
    subjectUniqueID BIT STRING,
    signPublicKey   BIT STRING,
    encPublicKey    BIT STRING,
    notBeforeTime   GeneralizedTime,
    notAfterTime    GeneralizedTime,
    signAlgorithm   OBJECT IDENTIFIER,
    signatureValue  BIT STRING }
Here issuerUniqueID is the issuer unique identifier; subjectUniqueID is the holder unique identifier; signPublicKey is the holder's signature public key; encPublicKey is the encryption public key; notBeforeTime and notAfterTime together define the validity period; signAlgorithm identifies the signature algorithm; and signatureValue is the issuer's signature over the certificate.
In practice, the simplified digital certificate is better suited to the Internet of Things and avoids excessive use of storage space. Identity authentication that relies on the simplified certificate avoids large latency and consumes little computing capacity. Moreover, since the simplified certificate carries both a holder signature public key and an encryption public key, a two-key system is realised within a single certificate.
With continued reference to Fig. 1, the terminal device is configured to send an authentication request to the application server, the request containing a terminal random number sequence R_T.
In practice, the authentication request may also contain a device identifier DevID. The authentication request establishes contact between the terminal device and the application server.
The application server may be configured to respond to the authentication request by generating a server random number sequence R_S, signing the terminal random number sequence R_T and the server random number sequence R_S with its own signature private key to obtain a first signature value, and sending the first signature value and the server certificate Cert_S to the terminal device.
In this embodiment, the application server may be further configured to check, on receiving the authentication request, whether the device identifier DevID complies with a predetermined identification rule, and to generate the server random number sequence R_S only if it does. The first signature value may be the signature over the combined sequence formed from the terminal random number sequence R_T and the server random number sequence R_S.
The terminal device then authenticates the application server, specifically by verifying the first signature value and the server certificate Cert_S.
The terminal device may be further configured to authenticate the identity of the application server by means of the first signature value, the server certificate Cert_S and the issuer certificate and, if the authentication succeeds, to sign the terminal random number sequence and the server random number sequence with its own signature private key to obtain a second signature value, and to send the second signature value and the terminal certificate Cert_T to the application server.
In this embodiment, the second signature value may likewise be the signature over the combined sequence formed from the terminal random number sequence R_T and the server random number sequence R_S.
Fig. 2 is a schematic diagram of the identity authentication of the application server according to the present application. As can be seen from Fig. 2:
The terminal device is further configured to verify the validity period of the server certificate Cert_S. If the validity period is in force, the validity period check passes and the terminal performs a digital signature verification operation on the issuer's signature contained in the server certificate Cert_S, using the signature public key in the issuer certificate and the signature algorithm specified in the server certificate Cert_S. If the validity period has not yet begun or has expired, the validity period check fails and identity authentication of the application server fails.
In this embodiment, a server certificate Cert_S within its validity period can be said to be in force; a server certificate Cert_S outside its validity period is either expired or not yet in force. With an expired or not-yet-valid server certificate Cert_S, the application server cannot pass identity authentication by the terminal device, that is, identity authentication of the application server fails.
The terminal device is further configured so that, if the verification of the issuer's signature indicates that the signature of the server certificate Cert_S is valid, the server certificate Cert_S passes verification and the terminal performs a digital signature verification operation on the first signature value using the signature public key in the server certificate Cert_S and the signature algorithm specified in the server certificate Cert_S; if the verification indicates that the signature of the server certificate is invalid, verification of the server certificate Cert_S fails and identity authentication of the application server fails.
In this embodiment, digital signature verification means verifying a digital signature over data or a message using the signature public key corresponding to the signature private key, the public key being the one stored in the digital certificate. The result of the operation shows whether the digital signature was generated with the signature private key corresponding to the certificate. The server certificate Cert_S contains the issuer's signature over the certificate, that is, the certificate management center's signature over the server certificate Cert_S.
The terminal device may be further configured so that, if the verification of the first signature value indicates that it is valid, the first signature value passes verification and identity authentication of the application server succeeds; if the verification indicates that the first signature value is invalid, verification of the first signature value fails and identity authentication of the application server fails.
In the technical solution of the application, once the terminal device has successfully authenticated the application server, the application server in turn authenticates the terminal device.
The application server may be further configured to authenticate the identity of the terminal device by means of the second signature value, the terminal certificate Cert_T and the issuer certificate and, if the authentication succeeds, to send a notification message to the terminal device informing it that authentication has succeeded.
Referring to Fig. 3, a schematic diagram of the identity authentication of the terminal device is shown. As can be seen from Fig. 3:
The application server is further configured to verify the validity period of the terminal certificate Cert_T. If the validity period is in force, the validity period check passes and the server performs a digital signature verification operation on the issuer's signature contained in the terminal certificate Cert_T, using the signature public key in the issuer certificate and the signature algorithm specified in the terminal certificate. If the validity period has not yet begun or has expired, the validity period check fails and identity authentication of the terminal device fails.
In this embodiment, a terminal certificate Cert_T within its validity period can be said to be in force; a terminal certificate Cert_T outside its validity period is either expired or not yet in force. With an expired or not-yet-valid terminal certificate Cert_T, the terminal device cannot pass identity authentication by the application server, that is, identity authentication of the terminal device fails.
The application server may be further configured so that, if the verification of the issuer's signature indicates that the signature of the terminal certificate is valid, the terminal certificate Cert_T passes verification and the server queries the status of the terminal certificate Cert_T from the certificate management center; if the verification indicates that the signature of the terminal certificate is invalid, verification of the terminal certificate Cert_T fails and identity authentication of the terminal device fails.
In this embodiment, the terminal certificate Cert_T contains the issuer's signature over the certificate, that is, the certificate management center's signature over the terminal certificate Cert_T.
The application server is further configured so that, if the queried status of the terminal certificate Cert_T is valid, the server performs a digital signature verification operation on the second signature value using the signature public key in the terminal certificate Cert_T and the signature algorithm specified in the terminal certificate; if the queried status of the terminal certificate Cert_T is revoked, identity authentication of the terminal device fails.
In this embodiment, the terminal certificate may have been revoked: when the terminal device has performed an illegal operation, the certificate management center may be configured to revoke the terminal certificate Cert_T and record the status of the terminal certificate Cert_T. The application server may be configured to query the certificate management center for the status of the terminal certificate Cert_T. A revoked terminal certificate Cert_T cannot pass verification by the application server, that is, the terminal device cannot pass identity authentication.
The application server is further configured so that, if the verification of the second signature value indicates that it is valid, the second signature value passes verification and identity authentication of the terminal device succeeds; if the verification indicates that the second signature value is invalid, verification of the second signature value fails and identity authentication of the terminal device fails.
In the technical scheme of this application, the system may further comprise a hardware cryptographic module. The Internet of Things terminal device is further configured to store the terminal certificate Cert_T and the issuer certificate, and to store its own identity signature and signature private key. The application server is further configured to store the server certificate Cert_S and the issuer certificate. The hardware cryptographic module is configured to store the identity signature and the signature private key of the application server.
In practical application, because the identity signature and the signature private key of the application server are kept in the hardware cryptographic module, the signature private key is not exposed, so compromise of the private key belonging to the server certificate Cert_S does not arise. On that premise the Internet of Things terminal device is relieved of verifying the state of the server certificate, which simplifies the steps and improves the efficiency of identity authentication. This argument assumes that private-key compromise is the only event that would require revoking the server certificate.
According to the technical scheme, this application provides an Internet of Things identity authentication system based on simplified digital certificates. The system comprises the Internet of Things terminal device, an application server and a certificate management center. The certificate management center is configured to issue a terminal certificate for the Internet of Things terminal device, a server certificate for the application server, and an issuer certificate for itself; the terminal certificate, the server certificate and the issuer certificate are simplified digital certificates. The Internet of Things terminal device is configured to send an authentication request containing a terminal random number sequence to the application server. The application server is configured to respond to the authentication request by generating a server random number sequence, signing the terminal random number sequence and the server random number sequence with its own signature private key to obtain a first signature value, and sending the first signature value and the server certificate to the Internet of Things terminal device. The Internet of Things terminal device is further configured to authenticate the identity of the application server through the first signature value, the server certificate and the issuer certificate and, if that authentication succeeds, to sign the terminal random number sequence and the server random number sequence with its own signature private key to obtain a second signature value and send the second signature value and the terminal certificate to the application server. The application server is further configured to authenticate the identity of the Internet of Things terminal device through the second signature value, the terminal certificate and the issuer certificate
and, if that authentication succeeds, to send a notification message to the Internet of Things terminal device notifying it that authentication succeeded. The scheme adopts a single-layer certificate issuing system, so no complex certificate chain verification is needed, and the Internet of Things terminal device does not need to query or verify the state of the server certificate, which simplifies the authentication process and reduces communication delay.
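The handshake summarised above, written out as an added example in Go. This is not code from the patent or its applicant: the patent does not fix a signature algorithm, a byte layout for the simplified certificate, a nonce length or an interface to the certificate management center, so Ed25519, the length-prefixed field encoding in tbs, 32-byte nonces and the isRevoked callback standing in for the status query are all assumptions made here. The one-issuer check (VerifyCert) is shared by both sides; the terminal side omits the revocation query and the server side performs it, as the description specifies.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Cert carries the six fields of the simplified certificate listed in claim 3; the
// byte layout and the choice of Ed25519 are assumptions made for this example.
type Cert struct {
	IssuerID  string            // issuer unique identifier
	SigPub    ed25519.PublicKey // holder signature public key
	EncPub    []byte            // holder encryption public key (unused by the handshake)
	NotBefore int64             // validity period, Unix seconds
	NotAfter  int64
	SigAlg    string // signature algorithm; "Ed25519" here
	IssuerSig []byte // issuer's signature over all fields above
}

// tbs is the to-be-signed encoding: every field except IssuerSig, length-prefixed.
func (c *Cert) tbs() []byte {
	var b bytes.Buffer
	for _, f := range [][]byte{[]byte(c.IssuerID), c.SigPub, c.EncPub, []byte(c.SigAlg)} {
		binary.Write(&b, binary.BigEndian, uint16(len(f)))
		b.Write(f)
	}
	binary.Write(&b, binary.BigEndian, c.NotBefore)
	binary.Write(&b, binary.BigEndian, c.NotAfter)
	return b.Bytes()
}

// Issue is the certificate management center signing a holder key. Passing the CA's own
// key yields the issuer certificate. The holder key doubles as EncPub only for brevity.
func Issue(caKey ed25519.PrivateKey, caID string, holder ed25519.PublicKey, nb, na int64) Cert {
	c := Cert{IssuerID: caID, SigPub: holder, EncPub: holder, NotBefore: nb, NotAfter: na, SigAlg: "Ed25519"}
	c.IssuerSig = ed25519.Sign(caKey, c.tbs())
	return c
}

// VerifyCert is the check of claims 4 and 7: validity period first, then the issuer's
// signature against the public key in the single issuer certificate. No chain walk.
func VerifyCert(c, issuer *Cert, now int64) error {
	if now < c.NotBefore || now > c.NotAfter {
		return errors.New("certificate outside its validity period")
	}
	if c.SigAlg != "Ed25519" || c.IssuerID != issuer.IssuerID {
		return errors.New("unsupported signature algorithm or unexpected issuer")
	}
	if !ed25519.Verify(issuer.SigPub, c.tbs(), c.IssuerSig) {
		return errors.New("issuer signature on certificate is invalid")
	}
	return nil
}

// challenge is what both sides sign: terminal nonce || server nonce.
func challenge(nT, nS []byte) []byte { return append(append([]byte{}, nT...), nS...) }

// ServerRespond answers the request with a fresh server nonce and the first signature value.
func ServerRespond(serverKey ed25519.PrivateKey, nT []byte) (nS, sig1 []byte) {
	nS = make([]byte, 32)
	rand.Read(nS)
	return nS, ed25519.Sign(serverKey, challenge(nT, nS))
}

// TerminalVerifyServer is claims 4 to 6; the server certificate's revocation state is not queried.
func TerminalVerifyServer(serverCert, issuer *Cert, nT, nS, sig1 []byte, now int64) error {
	if err := VerifyCert(serverCert, issuer, now); err != nil {
		return err
	}
	if !ed25519.Verify(serverCert.SigPub, challenge(nT, nS), sig1) {
		return errors.New("first signature value is invalid")
	}
	return nil
}

// TerminalRespond produces the second signature value over the same two nonces.
func TerminalRespond(termKey ed25519.PrivateKey, nT, nS []byte) []byte {
	return ed25519.Sign(termKey, challenge(nT, nS))
}

// ServerVerifyTerminal is claims 7 to 10; the query to the certificate management
// center for the terminal certificate's state is modelled by the isRevoked callback.
func ServerVerifyTerminal(termCert, issuer *Cert, nT, nS, sig2 []byte, now int64, isRevoked func(*Cert) bool) error {
	if err := VerifyCert(termCert, issuer, now); err != nil {
		return err
	}
	if isRevoked(termCert) {
		return errors.New("terminal certificate is revoked")
	}
	if !ed25519.Verify(termCert.SigPub, challenge(nT, nS), sig2) {
		return errors.New("second signature value is invalid")
	}
	return nil
}
```

Call order for one authentication: the terminal draws nT; the server calls ServerRespond and sends nS, sig1 and its certificate; the terminal calls TerminalVerifyServer and, on success, TerminalRespond; the server calls ServerVerifyTerminal and sends the notification only if it returns nil. Because both signatures cover nT || nS, a captured sig1 or sig2 is useless against a later run with fresh nonces, and a certificate issued by a key other than the one in the issuer certificate fails in VerifyCert regardless of the issuer identifier it claims. The isRevoked query is the only online dependency in the exchange; everything else is checked locally.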
The embodiments provided in this application are only a few examples of its general concept and do not limit its scope. Any other embodiment that a person skilled in the art derives from the scheme of this application without inventive effort falls within its scope of protection.

Claims (10)

1. An internet of things identity authentication system based on a simplified digital certificate is characterized by comprising: the system comprises the Internet of things terminal equipment, an application server and a certificate management center;
the certificate management center is configured to: issue a terminal certificate for the Internet of Things terminal device; issue a server certificate for the application server; and issue an issuer certificate for itself; the terminal certificate, the server certificate and the issuer certificate are simplified digital certificates;
the internet of things terminal device is configured to: sending an authentication request to the application server, wherein the authentication request comprises a terminal random number sequence;
the application server is configured to: responding to the authentication request, generating a server random number sequence, and signing the terminal random number sequence and the server random number sequence by using a self signature private key to obtain a first signature value; sending the first signature value and the server certificate to the terminal equipment of the Internet of things;
the internet of things terminal device is further configured to: authenticating the identity of the application server through the first signature value, the server certificate and the issuer certificate, if the identity authentication of the application server is successful, signing the terminal random number sequence and the server random number sequence by using a self signature private key to obtain a second signature value, and sending the second signature value and the terminal certificate to the application server;
the application server is further configured to: authenticate the identity of the Internet of Things terminal device through the second signature value, the terminal certificate and the issuer certificate, and if the identity authentication of the Internet of Things terminal device is successful, send a notification message to the Internet of Things terminal device to notify it that its authentication was successful.
2. The Internet of Things identity authentication system based on the simplified digital certificate as claimed in claim 1, further comprising a hardware cryptographic module, wherein the Internet of Things terminal device is further configured to: store the terminal certificate and the issuer certificate; and store its own identity signature and signature private key; the application server is further configured to: store the server certificate and the issuer certificate; and the hardware cryptographic module is configured to: store the identity signature and the signature private key of the application server.
3. The internet of things identity authentication system based on the simplified digital certificate as claimed in claim 1, wherein the simplified digital certificate comprises an issuer unique identifier, a holder signature public key, an encryption public key, a validity period, a signature algorithm and an issuer signature on the certificate.
4. The Internet of Things identity authentication system based on the simplified digital certificate as claimed in claim 1, wherein the Internet of Things terminal device is further configured to: verify the validity period of the server certificate; if the validity period is in a valid state, the validity period passes verification, and a digital signature verification operation is performed on the issuer's signature on the certificate in the server certificate using the signature public key in the issuer certificate and the signature algorithm specified in the server certificate; if the validity period is in a not-yet-valid or expired state, the validity period verification fails and the identity authentication of the application server fails.
5. The internet of things identity authentication system based on the simplified digital certificate as claimed in claim 4, wherein the internet of things terminal device is further configured to: if the digital signature verification operation result of the signature of the certificate by the issuer indicates that the signature of the server certificate is valid, the server certificate passes the verification, and the digital signature verification operation is performed on the first signature value by using a signature public key in the server certificate and a signature algorithm specified in the server certificate; and if the digital signature verification operation result of the signature of the certificate by the issuer indicates that the signature of the server certificate is invalid, the server certificate verification fails, and the identity authentication of the application server fails.
6. The internet of things identity authentication system based on the simplified digital certificate as claimed in claim 5, wherein the internet of things terminal device is further configured to: if the digital signature verification operation result of the first signature value shows that the first signature value is valid, the first signature value passes verification, and the identity authentication of the application server is successful; and if the digital signature verification operation result of the first signature value indicates that the first signature value is invalid, the first signature value fails to be verified, and the identity authentication of the application server fails.
7. The Internet of Things identity authentication system based on the simplified digital certificate as claimed in claim 1, wherein the application server is further configured to: verify the validity period of the terminal certificate; if the validity period is in a valid state, the validity period passes verification, and a digital signature verification operation is performed on the issuer's signature on the certificate in the terminal certificate using the signature public key in the issuer certificate and the signature algorithm specified in the terminal certificate; if the validity period is in a not-yet-valid or expired state, the validity period verification fails and the identity authentication of the Internet of Things terminal device fails.
8. The internet of things identity authentication system based on the simplified digital certificate as claimed in claim 7, wherein the application server is further configured to: if the digital signature verification operation result of the signature of the certificate by the issuer indicates that the signature of the terminal certificate is valid, the terminal certificate passes verification, and the state of the terminal certificate is inquired from the certificate management center; if the digital signature verification operation result of the signature of the certificate by the issuer indicates that the signature of the terminal certificate is invalid, the terminal certificate verification fails, and the identity authentication of the terminal equipment of the internet of things fails.
9. The Internet of Things identity authentication system based on the simplified digital certificate as claimed in claim 8, wherein the application server is further configured to: if the queried state of the terminal certificate is valid, perform a digital signature verification operation on the second signature value using the signature public key in the terminal certificate and the signature algorithm specified by the terminal certificate; and if the queried state of the terminal certificate is revoked, the identity authentication of the Internet of Things terminal device fails.
10. The internet of things identity authentication system based on the simplified digital certificate as claimed in claim 9, wherein the application server is further configured to: if the digital signature verification operation result of the second signature value indicates that the second signature value is valid, the second signature value passes verification, and the identity authentication of the terminal equipment of the Internet of things is successful; and if the digital signature verification operation result of the second signature value indicates that the second signature value is invalid, the verification of the second signature value fails, and the identity authentication of the terminal equipment of the Internet of things fails.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110052317.XA CN112866236B (en) 2021-01-15 2021-01-15 Internet of things identity authentication system based on simplified digital certificate

Publications (2)

Publication Number Publication Date
CN112866236A true CN112866236A (en) 2021-05-28
CN112866236B CN112866236B (en) 2023-03-31

Family

ID=76005786

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105871867A (en) * 2016-04-27 2016-08-17 Tencent Technology (Shenzhen) Co., Ltd. Identity authentication method, system and equipment
US20180181739A1 (en) * 2015-08-27 2018-06-28 Alibaba Group Holding Limited Identity authentication using biometrics
CN110879879A (en) * 2018-09-05 2020-03-13 Aisino Corporation Internet of things identity authentication method and device, electronic equipment, system and storage medium
CN111083131A (en) * 2019-12-10 2020-04-28 NARI Group Co., Ltd. Lightweight identity authentication method for power Internet of things sensing terminal
CN112187808A (en) * 2020-09-30 2021-01-05 Xu Lingkui Electronic traffic authentication platform and authentication method
CN112202721A (en) * 2020-09-08 2021-01-08 Liaoning Fengwo New Energy Co., Ltd. Intelligent safety system of power enterprise internet of things terminal

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Liao Huimin, "A survey of information security in the ubiquitous power Internet of Things" (泛在电力物联网信息安全综述), Electric Power Information and Communication Technology (电力信息与通信技术) *
Pu Zhiqiang, "A hybrid authentication method based on AAA certificates and identity signatures" (一种基于AAA证书和身份签名的混合认证方法), Journal of Sichuan Normal University (Natural Science Edition) (四川师范大学学报(自然科学版)) *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114640467A (en) * 2022-03-15 2022-06-17 Weiwei (Shenzhen) Network Technology Co., Ltd. Service-based digital certificate query method and system
CN114666155A (en) * 2022-04-08 2022-06-24 Shenzhen Orvibo Technology Co., Ltd. Equipment access method, system and device, Internet of things equipment and gateway equipment
CN114666155B (en) * 2022-04-08 2024-04-16 Shenzhen Orvibo Technology Co., Ltd. Equipment access method, system, device, Internet of things equipment and gateway equipment
CN114710289A (en) * 2022-06-02 2022-07-05 Quexin Information Co., Ltd. Internet of things terminal secure registration and access method and system

Similar Documents

Publication Publication Date Title
CN112953727B (en) Internet of things-oriented equipment anonymous identity authentication method and system
CN112866236B (en) Internet of things identity authentication system based on simplified digital certificate
CN1777096B (en) Password protection method and device
US6535980B1 (en) Keyless encryption of messages using challenge response
US7020778B1 (en) Method for issuing an electronic identity
KR100962399B1 (en) Method for providing anonymous public key infrastructure and method for providing service using the same
CN111262692B (en) Key distribution system and method based on block chain
EP2472772B1 (en) Method and system for entity public key acquiring, certificate validation and authentication by introducing an online credible third party
US10742426B2 (en) Public key infrastructure and method of distribution
WO2008009183A1 (en) Password remotely authentication method based on the intelligent card and an intelligent card, a server and system thereof
CN107454077A (en) A kind of single-point logging method based on IKI ID authentications
WO2014069985A1 (en) System and method for identity-based entity authentication for client-server communications
He et al. An accountable, privacy-preserving, and efficient authentication framework for wireless access networks
CN115102695A (en) Vehicle networking certificate authentication method based on block chain
WO2004032416A1 (en) Public key cryptography and a framework therefor
EP2359525B1 (en) Method for enabling limitation of service access
Yang et al. Blockchain-based conditional privacy-preserving authentication protocol with implicit certificates for vehicular edge computing
CN114710289B (en) Internet of things terminal security registration and access method and system
Ding et al. Equipping smart devices with public key signatures
CN114301612A (en) Information processing method, communication apparatus, and encryption apparatus
KR101256114B1 (en) Message authentication code test method and system of many mac testserver
CN109088732A (en) A kind of CA certificate implementation method based on mobile terminal
JP4071474B2 (en) Expiration confirmation device and method
Zhou et al. An efficient public-key framework
CN114826620B (en) Safe method and system for binding intelligent door lock and intelligent door lock

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant