CN115208702B - Internet of things equipment authentication and key agreement method - Google Patents

Internet of things equipment authentication and key agreement method Download PDF

Info

Publication number
CN115208702B
CN115208702B CN202211125240.5A CN202211125240A CN115208702B CN 115208702 B CN115208702 B CN 115208702B CN 202211125240 A CN202211125240 A CN 202211125240A CN 115208702 B CN115208702 B CN 115208702B
Authority
CN
China
Prior art keywords
authentication
visitor
central server
key
random number
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202211125240.5A
Other languages
Chinese (zh)
Other versions
CN115208702A (en
Inventor
肖勇才
杨浩
徐建
刘旷也
章玲玲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Corp of China SGCC
Electric Power Research Institute of State Grid Jiangxi Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
Electric Power Research Institute of State Grid Jiangxi Electric Power Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by State Grid Corp of China SGCC, Electric Power Research Institute of State Grid Jiangxi Electric Power Co Ltd filed Critical State Grid Corp of China SGCC
Priority to CN202211125240.5A priority Critical patent/CN115208702B/en
Publication of CN115208702A publication Critical patent/CN115208702A/en
Application granted granted Critical
Publication of CN115208702B publication Critical patent/CN115208702B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07CTIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00Individual registration on entry or exit
    • G07C9/00174Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
    • G07C9/00309Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07CTIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00Individual registration on entry or exit
    • G07C9/00174Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
    • G07C9/00571Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated by interacting with a central unit
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07CTIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00Individual registration on entry or exit
    • G07C9/00174Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
    • G07C9/00896Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys specially adapted for particular uses
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3273Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Lock And Its Accessories (AREA)

Abstract

The invention relates to the technical field of communication, in particular to an Internet of things equipment authentication and key agreement method. The method is used for identity authentication and key exchange between the visitor terminal and the central server; the method comprises the steps that a preset central server contains encrypted visitor registration information and an access time period which are filled in advance, the registration information contains equipment information of a visitor terminal and identity information of a visitor, and a shared root key is arranged between the visitor terminal and the central server; the authentication token is calculated by introducing random numbers generated by both communication parties, the random numbers used for generating the authentication token are encrypted and protected in the transmission process, and the registration information of the visitor is dynamically encrypted, so that different keys used in each communication process are ensured, and the risk of key leakage in the channel transmission process is effectively prevented; and the double-layer authentication of the identity information and the visitor terminal is adopted, so that the safety risk caused by the loss or leakage of one party of the identity information or the visitor terminal can be effectively prevented.

Description

Internet of things equipment authentication and key agreement method
Technical Field
The invention relates to the technical field of communication, in particular to an Internet of things equipment authentication and key agreement method.
Background
With the popularization of the internet of things and intelligent devices, the internet of things communication technology and the interactive application of the intelligent devices are more and more common, for example, remote interaction and control of mobile phones, computers and intelligent household appliances are realized. The identity authentication mechanism is an important tool for ensuring the effectiveness of communication, and accordingly, the safety of the identity authentication mechanism and the communication safety of the internet of things are issues which need to be considered. For example, some of the existing identity authentication mechanisms of the intelligent access control system can provide a temporary password or a temporary access control card to a temporary cleaner or a maintenance worker in an authorized manner. However, the safety of the simple temporary digital password and the temporary access control card still needs to be improved, a unit door and an entrance door need to be opened in some residential houses, a courtyard door and an entrance door may need to be opened in a single residential house, the password is inconvenient to transmit if different passwords are arranged, the use is troublesome, the safety is insufficient if the same password is set, the password is easy to leak or be cracked, the temporary password is effective within a certain range of time, and the risk caused by the spreading of the password cannot be completely avoided.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides a method for equipment authentication and key agreement of the Internet of things, so as to improve the safety of identity authentication.
In order to achieve the purpose, the technical scheme adopted by the invention is as follows.
An Internet of things equipment authentication and key agreement method is used for identity authentication and key exchange between a visitor terminal and a central server; the method comprises the steps that pre-filled encrypted visitor registration information and an access time period are contained in a preset center server, the registration information comprises equipment information IDa of a visitor terminal stored in a local visitor terminal and identity information IDb of a visitor, and a shared root secret key K is arranged between the visitor terminal and the center server; the authentication process steps of the method comprise:
step (1), after receiving an identity information authentication request signal of a visitor through intelligent door lock equipment M1, a central server checks whether the identity information IDb of the visitor conforms to identity information prestored in the central server, if so, an authentication flow is started, and if not, authentication is terminated;
step (2), the central server judges whether the current time point is within a preset access time period, if so, the next authentication is carried out, and if not, the authentication is terminated;
step (3), the central server generates a random number Rs, calculates an authentication key K1= KDF (IDa, rs, K) by using a key derivation algorithm, and then calculates an authentication token AUTNs = E by using a symmetric cryptographic algorithm K1 (Rs | | IDa), and a random number Rs, an authentication key K1 and an authentication token AUTNs are sent to the visitor terminal;
step (4), after the visitor terminal receives the information sent by the central server, the authentication token AUTNs is subjected to inverse operation decryption by using the authentication key K1 to obtain a random number Rs 'and decrypted equipment information IDa' of the visitor terminal, then whether the random number Rs 'is consistent with the random number Rs is compared, whether the decrypted equipment information IDa' of the visitor terminal is consistent with equipment information IDa of the visitor terminal stored in the visitor terminal is compared, if so, the central server successfully authenticates the identity, the next authentication is carried out, and if not, the authentication is failed and the authentication is terminated;
and (5) the visitor terminal generates a random number Ra, calculates an authentication key K2= KDF (IDa, ra, K) by using a key derivation algorithm, and then calculates an authentication token AUTNa = E by using a symmetric cryptographic algorithm K2 (Ra | | Rs') sending the random number Ra, the authentication key K2 and the authentication token AUTNa to the central server;
step (6), after receiving the authentication token AUTNa sent by the visitor terminal, the central server uses the authentication key K2 to execute inverse operation to decrypt the authentication token AUTNa to obtain a random number Ra 'and a random number Rs', compares whether the random number Ra 'is consistent with the random number Ra and simultaneously compares whether the random number Rs' is consistent with the Rs, if yes, the identity authentication of the visitor terminal is successful, and if not, the authentication is failed;
step (7), if the authentication in the step (6) is successful, the central server sends a signal of successful authentication to the intelligent door lock device M1, namely the intelligent door lock device M1 is opened; if the authentication in the step (6) fails, the authentication is terminated, namely the intelligent door lock device M1 is not opened;
step (8), when the intelligent door lock device M2 needs to be opened, repeating the step (1) to the step (6), and if the authentication in the step (6) fails, terminating the authentication; if the authentication in the step (6) is successful, the central server generates a temporary random field Rc as a temporary password, calculates a communication key Kc = KDF (K, ra', rc) by using a key derivation algorithm, and then sends the communication key Kc to the guest terminal;
step (9), the visitor terminal decrypts the communication key Kc by using the root key K to obtain a decrypted temporary password Rc'; the visitor transmits the decrypted temporary password Rc 'to the central server through the intelligent door lock device M2, and the central server compares whether the decrypted temporary password Rc' is consistent with the temporary random field Rc or not; if the two are consistent, the authentication is successful, and the central server sends a signal of successful authentication to the intelligent door lock device M2 (namely the intelligent door lock device M2 is opened); if the comparison is inconsistent, the authentication fails, and the authentication is terminated (i.e., the intelligent door lock device M2 is not unlocked).
KDF (X1, X2, X3) is a key derivation algorithm, and X1/X2/X3 is an algorithm input parameter; e () is a symmetric cryptographic algorithm, E K1 /E K2 For symmetric cryptographic algorithms using K1/K2 keys, | | is a character connection symbol.
Further, in step (3), before calculating the authentication key K1, the dynamic ID information IDat may be generated according to the device information IDa of the guest terminal stored locally at the guest terminal, the random number Rs, and the current time node, the authentication key K1= KDF (IDat, rs, K) may be calculated by using a key derivation algorithm, and then the authentication token AUTNs = E may be calculated by using a symmetric cryptographic algorithm K1 (Rs | | | IDat); in step (4), the authentication token AUTNs is decrypted by inverse operation using the authentication key K1 to obtain the random number Rs ' and the binary string IDat ', and at this time, the binary string IDat ' is converted into the string IDa ' (i.e., the decrypted device information IDa ' of the guest terminal) by inverse operation, and then the random number Rs ' and the random number Rs are compared to determine whether they are consistent, and at the same time, the decrypted device information IDa ' of the guest terminal and the device information IDa of the guest terminal stored locally at the guest terminal are compared to determine whether they are consistent.
Further, the dynamic ID information IDat is generated in such a manner that the time node + the device information IDa of the guest terminal locally stored in the guest terminal + the random number Ra is combined and converted into a binary string by short division.
The identity information IDb of the visitor comprises one or more of fingerprint information, pupil information and temporary access card information; visitor's terminal means cell-phone, intelligent bracelet or intelligent wrist-watch etc..
The invention has the beneficial effects that:
(1) The invention calculates the authentication key and the authentication token by introducing the random numbers generated by both communication parties, and the random numbers used for generating the authentication key and the authentication token are encrypted and protected in the transmission process, thereby effectively preventing the risk of key leakage in the channel transmission process and improving the safety of the communication key.
(2) The two communication parties negotiate to generate a secret key each time of authentication, and the equipment information of the visitor terminal is dynamically encrypted, so that the secret keys used in each communication process are different; and the temporary password is generated by adopting double-layer authentication of the identity information and the visitor terminal, so that the safety risk caused by the loss or leakage of one party of the identity information or the visitor terminal can be effectively prevented.
(3) The method can be used for a residential access control system with a unit door and an entrance door or a courtyard door and an entrance door, is convenient for temporary cleaning personnel, maintenance workers or temporary visitors to enter and exit the access control system, has high safety and provides convenience for residents.
Drawings
Fig. 1 is an authentication flow chart of an identity authentication and key agreement method in an embodiment of the present invention.
Detailed Description
In order that the above objects, features and advantages of the present invention can be more clearly understood, a more particular description of the invention will be rendered by reference to the appended drawings. In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, however, the present invention may be practiced in other ways than those specifically described herein, and thus the present invention is not limited to the specific embodiments disclosed below.
Fig. 1 shows an internet of things device authentication and key agreement method, which is used for identity authentication and key exchange between a guest terminal and a central server; in this embodiment, the method is applied to an access control system including a courtyard door, an entrance door, and two intelligent door locks (a device M1 and a device M2); the method comprises the steps that pre-filled encrypted visitor registration information and an access time period are contained in a preset center server, the registration information comprises equipment information IDa of a visitor terminal stored in a local visitor terminal and identity information IDb of a visitor, and a shared root secret key K is arranged between the visitor terminal and the center server; the authentication process steps of the method comprise:
step (1), the central server receives a signal of identity information IDb of a visitor through the intelligent door lock device M1, then the authentication request of the visitor is received, whether the identity information IDb of the visitor is consistent with identity information prestored by the central server is firstly checked, if so, an authentication flow is started, and if not, the authentication is terminated; in this embodiment, the identity information IDb of the visitor is fingerprint information;
step (2), the central server judges whether the current time point is within a preset access time period, if so, the next authentication is carried out, and if not, the authentication is terminated;
and (3) the central server generates a random number Rs, generates dynamic ID information IDat according to the equipment information IDa, the random number Rs and the current time node of the visitor terminal stored in the local visitor terminal, calculates an authentication key K1= KDF (IDat, rs and K) by using a key derivation algorithm, and calculates an authentication token AUTNs = E by using a symmetric cryptographic algorithm K1 (Rs | | IDat), and a random number Rs, an authentication key K1 and an authentication token AUTNs are sent to the visitor terminal; the dynamic ID information IDat is generated by combining a time node, equipment information IDa of a local visitor terminal stored in the visitor terminal and a random number Ra and then converting the combination into a binary character string by short division;
step (4), after the visitor terminal receives the information sent by the central server, the authentication token AUTNs is subjected to inverse operation decryption by using an authentication key K1 to obtain a random number Rs 'and a binary character string IDat', the binary character string IDat 'is converted into a decimal character string, namely decrypted equipment information IDa' of the visitor terminal through inverse operation, then whether the random number Rs 'is consistent with the random number Rs is compared, whether the decrypted equipment information IDa' of the visitor terminal is consistent with the equipment information IDa of the visitor terminal stored in the visitor terminal, if so, the central server successfully authenticates the identity, the next authentication is carried out, and if one of the random number Rs is inconsistent, the authentication fails, and the authentication is terminated;
and (5) the visitor terminal generates a random number Ra, calculates an authentication key K2= KDF (IDa, ra, K) by using a key derivation algorithm, and then calculates an authentication token AUTNa = E by using a symmetric cryptographic algorithm K2 (Ra | | Rs') sending the random number Ra, the authentication key K2 and the authentication token AUTNa to the central server;
step (6), after receiving the authentication token AUTNa sent by the visitor terminal, the central server uses the authentication key K2 to execute inverse operation to decrypt the authentication token AUTNa to obtain a random number Ra 'and a random number Rs', compares whether the random number Ra 'is consistent with the random number Ra, compares whether the random number Rs' is consistent with the random number Rs, if so, the identity authentication of the visitor terminal is successful, and if one of the random number Ra is inconsistent with the random number Rs, the authentication is failed;
step (7), if the authentication in the step (6) is successful, the central server sends a signal of successful authentication to the intelligent door lock device M1 (namely, the intelligent door lock device M1 is opened); if the authentication in the step (6) fails, the authentication is terminated (namely, the intelligent door lock device M1 is not opened);
step (8), when the intelligent door lock device M2 needs to be opened, repeating the step (1) to the step (6), and if the authentication in the step (6) fails, terminating the authentication; if the authentication in the step (6) is successful, the central server generates a temporary random field Rc as a temporary password, calculates a communication key Kc = KDF (K, ra', rc) by using a key derivation algorithm, and then sends the communication key Kc to the visitor terminal;
step (9), the visitor terminal decrypts the communication key Kc by using the root key K to obtain a decrypted temporary password Rc'; the visitor transmits the decrypted temporary password Rc 'to the central server through the intelligent door lock device M2, and the central server compares whether the decrypted temporary password Rc' is consistent with the temporary random field Rc or not; if the two are consistent, the authentication is successful, and the central server sends a signal of successful authentication to the intelligent door lock device M2 (namely the intelligent door lock device M2 is opened); if the comparison is inconsistent, the authentication fails, and the authentication is terminated (i.e., the intelligent door lock device M2 is not unlocked).
In another embodiment, in consideration of the fact that the password is incorrectly input due to misoperation of the visitor, if the central server compares the decrypted temporary password Rc' with the temporary random field Rc in step (9) to obtain a result of inconsistency, the central server can re-input the password for authentication in the step of step (9) within a certain preset time (for example, preset to 30 s), and the central server compares whether the temporary password input by the visitor is consistent with the temporary random field Rc again; if the identity information is consistent with the identity information, the visitor inputs the fingerprint information again, the central server checks whether the identity information IDb of the visitor is correct, if so, the authentication is successful, and the central server sends a signal of successful authentication to the intelligent door lock device M2 (namely, the intelligent door lock device M2 is opened); if the identity information IDb of the inconsistent visitors is wrong, the authentication fails, and the authentication is terminated (namely the intelligent door lock device M2 is not opened). The setting avoids the situation that the visitor needs to repeat all authentication steps after misoperation during final verification, saves the time of identity authentication, and can ensure the safety of the identity authentication.

Claims (2)

1. An Internet of things equipment authentication and key agreement method is used for identity authentication and key exchange between a visitor terminal and a central server; the method comprises the steps that a preset central server contains pre-filled encrypted visitor registration information and an access time period, wherein the registration information comprises equipment information IDa of a visitor terminal and identity information IDb of a visitor, and a shared root key K is arranged between the visitor terminal and the central server; the method is characterized in that the authentication process comprises the following steps:
step (1), the central server receives a signal of identity information IDb of a visitor through the intelligent door lock device M1, then the authentication request of the visitor is received, whether the identity information IDb of the visitor is consistent with identity information prestored by the central server is firstly checked, if so, an authentication flow is started, and if not, the authentication is terminated;
step (2), the central server judges whether the current time point is within a preset access time period, if so, the next authentication is carried out, and if not, the authentication is terminated;
and (3) the central server generates a random number Rs, generates dynamic ID information IDat according to the equipment information IDa and the random number Rs of the visitor terminal and the current time node, calculates an authentication key K1= KDF (IDat, rs and K) by using a key derivation algorithm, and calculates an authentication token AUTNs = E by using a symmetric cryptographic algorithm K1 (Rs | | IDat), and a random number Rs, an authentication key K1 and an authentication token AUTNs are sent to the visitor terminal; the dynamic ID information IDat is generated by combining the time node, the equipment information IDa of the guest terminal and the random number Rs and converting the combination into a binary string by short division;
step (4), after the visitor terminal receives the information sent by the central server, the authentication token AUTNs is subjected to inverse operation decryption by using an authentication key K1 to obtain a random number Rs 'and a binary character string IDat', the binary character string IDat 'is converted into a decimal character string, namely decrypted equipment information IDa' of the visitor terminal through inverse operation, then whether the random number Rs 'is consistent with the random number Rs is compared, whether the decrypted equipment information IDa' of the visitor terminal is consistent with the equipment information IDa of the visitor terminal stored in the visitor terminal, if so, the central server successfully authenticates the identity, the next authentication is carried out, and if one of the random number Rs is inconsistent, the authentication fails, and the authentication is terminated;
and (5) the visitor terminal generates a random number Ra, calculates an authentication key K2= KDF (IDa, ra, K) by using a key derivation algorithm, and then calculates an authentication token AUTNa = E by using a symmetric cryptographic algorithm K2 (Ra | | Rs') sending the random number Ra, the authentication key K2 and the authentication token AUTNa to the central server;
step (6), after receiving the authentication token AUTNa sent by the visitor terminal, the central server uses the authentication key K2 to execute inverse operation to decrypt the authentication token AUTNa to obtain a random number Ra 'and a random number Rs' ', compares whether the random number Ra' is consistent with the random number Ra, compares whether the random number Rs '' is consistent with the random number Rs, if yes, the identity authentication of the visitor terminal is successful, and if one of the random number Ra is inconsistent, the authentication is failed;
step (7), if the authentication in the step (6) is successful, the central server sends a signal of successful authentication to the intelligent door lock device M1, namely the intelligent door lock device M1 is opened; if the authentication in the step (6) fails, the authentication is terminated, namely the intelligent door lock device M1 is not opened;
step (8), when the intelligent door lock device M2 needs to be opened, repeating the step (1) to the step (6), and if the authentication in the step (6) fails, terminating the authentication; if the authentication in the step (6) is successful, the central server generates a temporary random field Rc as a temporary password, calculates a communication key Kc = KDF (K, ra', rc) by using a key derivation algorithm, and then sends the communication key Kc to the visitor terminal;
step (9), the visitor terminal decrypts the communication key Kc by using the root key K to obtain a decrypted temporary password Rc'; the visitor transmits the decrypted temporary password Rc 'to the central server through the intelligent door lock device M2, and the central server compares whether the decrypted temporary password Rc' is consistent with the temporary random field Rc or not; if the authentication is consistent with the authentication request, the authentication is successful, and the central server sends a signal of successful authentication to the intelligent door lock device M2, namely the intelligent door lock device M2 is opened;
if the password is inconsistent, the visitor can input the password again within a certain preset time to repeat the step (9) for identity verification, and the central server compares whether the temporary password input by the visitor is consistent with the temporary random field Rc again; if the identity information is consistent with the identity information, the visitor inputs the fingerprint information again, the central server checks whether the identity information IDb of the visitor is correct, if so, the authentication is successful, and the central server sends a signal of successful authentication to the intelligent door lock device M2, namely, the intelligent door lock device M2 is opened; if the identity information IDb of the inconsistent visitors is wrong, the authentication fails, the authentication is terminated, and the intelligent door lock device M2 is not opened.
2. The internet of things equipment authentication and key agreement method as claimed in claim 1, wherein the identity information IDb of the visitor includes one or more of fingerprint information, pupil information, and temporary access card information.
CN202211125240.5A 2022-09-16 2022-09-16 Internet of things equipment authentication and key agreement method Active CN115208702B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211125240.5A CN115208702B (en) 2022-09-16 2022-09-16 Internet of things equipment authentication and key agreement method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211125240.5A CN115208702B (en) 2022-09-16 2022-09-16 Internet of things equipment authentication and key agreement method

Publications (2)

Publication Number Publication Date
CN115208702A CN115208702A (en) 2022-10-18
CN115208702B true CN115208702B (en) 2022-12-30

Family

ID=83572879

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211125240.5A Active CN115208702B (en) 2022-09-16 2022-09-16 Internet of things equipment authentication and key agreement method

Country Status (1)

Country Link
CN (1) CN115208702B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107274516A (en) * 2017-04-19 2017-10-20 捷开通讯(深圳)有限公司 The method and server of access registrar, intelligent terminal and storage device
CN108989318A (en) * 2018-07-26 2018-12-11 中国电子科技集团公司第三十研究所 A kind of lightweight safety certification and key exchange method towards narrowband Internet of Things
CN110858969A (en) * 2018-08-23 2020-03-03 刘高峰 Client registration method, device and system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101621801B (en) * 2009-08-11 2012-11-28 华为终端有限公司 Method, system, server and terminal for authenticating wireless local area network
CN107919956B (en) * 2018-01-04 2020-09-22 重庆邮电大学 End-to-end safety guarantee method in cloud environment facing to Internet of things
CN111835752B (en) * 2020-07-09 2022-04-12 国网山西省电力公司信息通信分公司 Lightweight authentication method based on equipment identity and gateway

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107274516A (en) * 2017-04-19 2017-10-20 捷开通讯(深圳)有限公司 The method and server of access registrar, intelligent terminal and storage device
CN108989318A (en) * 2018-07-26 2018-12-11 中国电子科技集团公司第三十研究所 A kind of lightweight safety certification and key exchange method towards narrowband Internet of Things
CN110858969A (en) * 2018-08-23 2020-03-03 刘高峰 Client registration method, device and system

Also Published As

Publication number Publication date
CN115208702A (en) 2022-10-18

Similar Documents

Publication Publication Date Title
CN106789047B (en) A kind of block chain identification system
CN101222488B (en) Method and network authentication server for controlling client terminal access to network appliance
CN109410406B (en) Authorization method, device and system
US5418854A (en) Method and apparatus for protecting the confidentiality of passwords in a distributed data processing system
TW201812630A (en) Block chain identity system
CN107274532A (en) The temporary password gate control system that encryption parameter dynamically updates
CN111080845B (en) Temporary unlocking method, system, door lock, administrator terminal and readable storage medium
CN109448197A (en) A kind of cloud intelligent lock system and key management method based on multi-enciphering mode
CN109728909A (en) Identity identifying method and system based on USBKey
CN108418691A (en) Dynamic network identity identifying method based on SGX
US10133861B2 (en) Method for controlling access to a production system of a computer system not connected to an information system of said computer system
CN108509787B (en) Program authentication method
CN109618334B (en) Control method and related equipment
CN105099690A (en) OTP and user behavior-based certification and authorization method in mobile cloud computing environment
CN109905374A (en) A kind of identity identifying method with secret protection characteristic towards wired home
CN106411926A (en) Data encryption communication method and system
CN111540093A (en) Access control system and control method thereof
CN113037702B (en) Agricultural worker login system safe working method based on big data analysis
CN107104792B (en) Portable mobile password management system and management method thereof
CN111882706A (en) Intelligent house management method
CN115208702B (en) Internet of things equipment authentication and key agreement method
KR101996317B1 (en) Block chain based user authentication system using authentication variable and method thereof
CN114726555B (en) Authentication and key agreement method, device and storage medium
JP2001344214A (en) Method for certifying terminal and cipher communication system
CN108566365B (en) Intelligent door lock opening method based on sound wave technology

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant