CN115208702B - Internet of things equipment authentication and key agreement method - Google Patents
Internet of things equipment authentication and key agreement method Download PDFInfo
- Publication number
- CN115208702B CN115208702B CN202211125240.5A CN202211125240A CN115208702B CN 115208702 B CN115208702 B CN 115208702B CN 202211125240 A CN202211125240 A CN 202211125240A CN 115208702 B CN115208702 B CN 115208702B
- Authority
- CN
- China
- Prior art keywords
- authentication
- visitor
- central server
- key
- random number
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/00174—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
- G07C9/00309—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/00174—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
- G07C9/00571—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated by interacting with a central unit
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/00174—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
- G07C9/00896—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys specially adapted for particular uses
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0869—Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
- H04L9/3213—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3271—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
- H04L9/3273—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Lock And Its Accessories (AREA)
Abstract
The invention relates to the technical field of communication, in particular to an Internet of things equipment authentication and key agreement method. The method is used for identity authentication and key exchange between the visitor terminal and the central server; the method comprises the steps that a preset central server contains encrypted visitor registration information and an access time period which are filled in advance, the registration information contains equipment information of a visitor terminal and identity information of a visitor, and a shared root key is arranged between the visitor terminal and the central server; the authentication token is calculated by introducing random numbers generated by both communication parties, the random numbers used for generating the authentication token are encrypted and protected in the transmission process, and the registration information of the visitor is dynamically encrypted, so that different keys used in each communication process are ensured, and the risk of key leakage in the channel transmission process is effectively prevented; and the double-layer authentication of the identity information and the visitor terminal is adopted, so that the safety risk caused by the loss or leakage of one party of the identity information or the visitor terminal can be effectively prevented.
Description
Technical Field
The invention relates to the technical field of communication, in particular to an Internet of things equipment authentication and key agreement method.
Background
With the popularization of the internet of things and intelligent devices, the internet of things communication technology and the interactive application of the intelligent devices are more and more common, for example, remote interaction and control of mobile phones, computers and intelligent household appliances are realized. The identity authentication mechanism is an important tool for ensuring the effectiveness of communication, and accordingly, the safety of the identity authentication mechanism and the communication safety of the internet of things are issues which need to be considered. For example, some of the existing identity authentication mechanisms of the intelligent access control system can provide a temporary password or a temporary access control card to a temporary cleaner or a maintenance worker in an authorized manner. However, the safety of the simple temporary digital password and the temporary access control card still needs to be improved, a unit door and an entrance door need to be opened in some residential houses, a courtyard door and an entrance door may need to be opened in a single residential house, the password is inconvenient to transmit if different passwords are arranged, the use is troublesome, the safety is insufficient if the same password is set, the password is easy to leak or be cracked, the temporary password is effective within a certain range of time, and the risk caused by the spreading of the password cannot be completely avoided.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides a method for equipment authentication and key agreement of the Internet of things, so as to improve the safety of identity authentication.
In order to achieve the purpose, the technical scheme adopted by the invention is as follows.
An Internet of things equipment authentication and key agreement method is used for identity authentication and key exchange between a visitor terminal and a central server; the method comprises the steps that pre-filled encrypted visitor registration information and an access time period are contained in a preset center server, the registration information comprises equipment information IDa of a visitor terminal stored in a local visitor terminal and identity information IDb of a visitor, and a shared root secret key K is arranged between the visitor terminal and the center server; the authentication process steps of the method comprise:
step (1), after receiving an identity information authentication request signal of a visitor through intelligent door lock equipment M1, a central server checks whether the identity information IDb of the visitor conforms to identity information prestored in the central server, if so, an authentication flow is started, and if not, authentication is terminated;
step (2), the central server judges whether the current time point is within a preset access time period, if so, the next authentication is carried out, and if not, the authentication is terminated;
step (3), the central server generates a random number Rs, calculates an authentication key K1= KDF (IDa, rs, K) by using a key derivation algorithm, and then calculates an authentication token AUTNs = E by using a symmetric cryptographic algorithm K1 (Rs | | IDa), and a random number Rs, an authentication key K1 and an authentication token AUTNs are sent to the visitor terminal;
step (4), after the visitor terminal receives the information sent by the central server, the authentication token AUTNs is subjected to inverse operation decryption by using the authentication key K1 to obtain a random number Rs 'and decrypted equipment information IDa' of the visitor terminal, then whether the random number Rs 'is consistent with the random number Rs is compared, whether the decrypted equipment information IDa' of the visitor terminal is consistent with equipment information IDa of the visitor terminal stored in the visitor terminal is compared, if so, the central server successfully authenticates the identity, the next authentication is carried out, and if not, the authentication is failed and the authentication is terminated;
and (5) the visitor terminal generates a random number Ra, calculates an authentication key K2= KDF (IDa, ra, K) by using a key derivation algorithm, and then calculates an authentication token AUTNa = E by using a symmetric cryptographic algorithm K2 (Ra | | Rs') sending the random number Ra, the authentication key K2 and the authentication token AUTNa to the central server;
step (6), after receiving the authentication token AUTNa sent by the visitor terminal, the central server uses the authentication key K2 to execute inverse operation to decrypt the authentication token AUTNa to obtain a random number Ra 'and a random number Rs', compares whether the random number Ra 'is consistent with the random number Ra and simultaneously compares whether the random number Rs' is consistent with the Rs, if yes, the identity authentication of the visitor terminal is successful, and if not, the authentication is failed;
step (7), if the authentication in the step (6) is successful, the central server sends a signal of successful authentication to the intelligent door lock device M1, namely the intelligent door lock device M1 is opened; if the authentication in the step (6) fails, the authentication is terminated, namely the intelligent door lock device M1 is not opened;
step (8), when the intelligent door lock device M2 needs to be opened, repeating the step (1) to the step (6), and if the authentication in the step (6) fails, terminating the authentication; if the authentication in the step (6) is successful, the central server generates a temporary random field Rc as a temporary password, calculates a communication key Kc = KDF (K, ra', rc) by using a key derivation algorithm, and then sends the communication key Kc to the guest terminal;
step (9), the visitor terminal decrypts the communication key Kc by using the root key K to obtain a decrypted temporary password Rc'; the visitor transmits the decrypted temporary password Rc 'to the central server through the intelligent door lock device M2, and the central server compares whether the decrypted temporary password Rc' is consistent with the temporary random field Rc or not; if the two are consistent, the authentication is successful, and the central server sends a signal of successful authentication to the intelligent door lock device M2 (namely the intelligent door lock device M2 is opened); if the comparison is inconsistent, the authentication fails, and the authentication is terminated (i.e., the intelligent door lock device M2 is not unlocked).
KDF (X1, X2, X3) is a key derivation algorithm, and X1/X2/X3 is an algorithm input parameter; e () is a symmetric cryptographic algorithm, E K1 /E K2 For symmetric cryptographic algorithms using K1/K2 keys, | | is a character connection symbol.
Further, in step (3), before calculating the authentication key K1, the dynamic ID information IDat may be generated according to the device information IDa of the guest terminal stored locally at the guest terminal, the random number Rs, and the current time node, the authentication key K1= KDF (IDat, rs, K) may be calculated by using a key derivation algorithm, and then the authentication token AUTNs = E may be calculated by using a symmetric cryptographic algorithm K1 (Rs | | | IDat); in step (4), the authentication token AUTNs is decrypted by inverse operation using the authentication key K1 to obtain the random number Rs ' and the binary string IDat ', and at this time, the binary string IDat ' is converted into the string IDa ' (i.e., the decrypted device information IDa ' of the guest terminal) by inverse operation, and then the random number Rs ' and the random number Rs are compared to determine whether they are consistent, and at the same time, the decrypted device information IDa ' of the guest terminal and the device information IDa of the guest terminal stored locally at the guest terminal are compared to determine whether they are consistent.
Further, the dynamic ID information IDat is generated in such a manner that the time node + the device information IDa of the guest terminal locally stored in the guest terminal + the random number Ra is combined and converted into a binary string by short division.
The identity information IDb of the visitor comprises one or more of fingerprint information, pupil information and temporary access card information; visitor's terminal means cell-phone, intelligent bracelet or intelligent wrist-watch etc..
The invention has the beneficial effects that:
(1) The invention calculates the authentication key and the authentication token by introducing the random numbers generated by both communication parties, and the random numbers used for generating the authentication key and the authentication token are encrypted and protected in the transmission process, thereby effectively preventing the risk of key leakage in the channel transmission process and improving the safety of the communication key.
(2) The two communication parties negotiate to generate a secret key each time of authentication, and the equipment information of the visitor terminal is dynamically encrypted, so that the secret keys used in each communication process are different; and the temporary password is generated by adopting double-layer authentication of the identity information and the visitor terminal, so that the safety risk caused by the loss or leakage of one party of the identity information or the visitor terminal can be effectively prevented.
(3) The method can be used for a residential access control system with a unit door and an entrance door or a courtyard door and an entrance door, is convenient for temporary cleaning personnel, maintenance workers or temporary visitors to enter and exit the access control system, has high safety and provides convenience for residents.
Drawings
Fig. 1 is an authentication flow chart of an identity authentication and key agreement method in an embodiment of the present invention.
Detailed Description
In order that the above objects, features and advantages of the present invention can be more clearly understood, a more particular description of the invention will be rendered by reference to the appended drawings. In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, however, the present invention may be practiced in other ways than those specifically described herein, and thus the present invention is not limited to the specific embodiments disclosed below.
Fig. 1 shows an internet of things device authentication and key agreement method, which is used for identity authentication and key exchange between a guest terminal and a central server; in this embodiment, the method is applied to an access control system including a courtyard door, an entrance door, and two intelligent door locks (a device M1 and a device M2); the method comprises the steps that pre-filled encrypted visitor registration information and an access time period are contained in a preset center server, the registration information comprises equipment information IDa of a visitor terminal stored in a local visitor terminal and identity information IDb of a visitor, and a shared root secret key K is arranged between the visitor terminal and the center server; the authentication process steps of the method comprise:
step (1), the central server receives a signal of identity information IDb of a visitor through the intelligent door lock device M1, then the authentication request of the visitor is received, whether the identity information IDb of the visitor is consistent with identity information prestored by the central server is firstly checked, if so, an authentication flow is started, and if not, the authentication is terminated; in this embodiment, the identity information IDb of the visitor is fingerprint information;
step (2), the central server judges whether the current time point is within a preset access time period, if so, the next authentication is carried out, and if not, the authentication is terminated;
and (3) the central server generates a random number Rs, generates dynamic ID information IDat according to the equipment information IDa, the random number Rs and the current time node of the visitor terminal stored in the local visitor terminal, calculates an authentication key K1= KDF (IDat, rs and K) by using a key derivation algorithm, and calculates an authentication token AUTNs = E by using a symmetric cryptographic algorithm K1 (Rs | | IDat), and a random number Rs, an authentication key K1 and an authentication token AUTNs are sent to the visitor terminal; the dynamic ID information IDat is generated by combining a time node, equipment information IDa of a local visitor terminal stored in the visitor terminal and a random number Ra and then converting the combination into a binary character string by short division;
step (4), after the visitor terminal receives the information sent by the central server, the authentication token AUTNs is subjected to inverse operation decryption by using an authentication key K1 to obtain a random number Rs 'and a binary character string IDat', the binary character string IDat 'is converted into a decimal character string, namely decrypted equipment information IDa' of the visitor terminal through inverse operation, then whether the random number Rs 'is consistent with the random number Rs is compared, whether the decrypted equipment information IDa' of the visitor terminal is consistent with the equipment information IDa of the visitor terminal stored in the visitor terminal, if so, the central server successfully authenticates the identity, the next authentication is carried out, and if one of the random number Rs is inconsistent, the authentication fails, and the authentication is terminated;
and (5) the visitor terminal generates a random number Ra, calculates an authentication key K2= KDF (IDa, ra, K) by using a key derivation algorithm, and then calculates an authentication token AUTNa = E by using a symmetric cryptographic algorithm K2 (Ra | | Rs') sending the random number Ra, the authentication key K2 and the authentication token AUTNa to the central server;
step (6), after receiving the authentication token AUTNa sent by the visitor terminal, the central server uses the authentication key K2 to execute inverse operation to decrypt the authentication token AUTNa to obtain a random number Ra 'and a random number Rs', compares whether the random number Ra 'is consistent with the random number Ra, compares whether the random number Rs' is consistent with the random number Rs, if so, the identity authentication of the visitor terminal is successful, and if one of the random number Ra is inconsistent with the random number Rs, the authentication is failed;
step (7), if the authentication in the step (6) is successful, the central server sends a signal of successful authentication to the intelligent door lock device M1 (namely, the intelligent door lock device M1 is opened); if the authentication in the step (6) fails, the authentication is terminated (namely, the intelligent door lock device M1 is not opened);
step (8), when the intelligent door lock device M2 needs to be opened, repeating the step (1) to the step (6), and if the authentication in the step (6) fails, terminating the authentication; if the authentication in the step (6) is successful, the central server generates a temporary random field Rc as a temporary password, calculates a communication key Kc = KDF (K, ra', rc) by using a key derivation algorithm, and then sends the communication key Kc to the visitor terminal;
step (9), the visitor terminal decrypts the communication key Kc by using the root key K to obtain a decrypted temporary password Rc'; the visitor transmits the decrypted temporary password Rc 'to the central server through the intelligent door lock device M2, and the central server compares whether the decrypted temporary password Rc' is consistent with the temporary random field Rc or not; if the two are consistent, the authentication is successful, and the central server sends a signal of successful authentication to the intelligent door lock device M2 (namely the intelligent door lock device M2 is opened); if the comparison is inconsistent, the authentication fails, and the authentication is terminated (i.e., the intelligent door lock device M2 is not unlocked).
In another embodiment, in consideration of the fact that the password is incorrectly input due to misoperation of the visitor, if the central server compares the decrypted temporary password Rc' with the temporary random field Rc in step (9) to obtain a result of inconsistency, the central server can re-input the password for authentication in the step of step (9) within a certain preset time (for example, preset to 30 s), and the central server compares whether the temporary password input by the visitor is consistent with the temporary random field Rc again; if the identity information is consistent with the identity information, the visitor inputs the fingerprint information again, the central server checks whether the identity information IDb of the visitor is correct, if so, the authentication is successful, and the central server sends a signal of successful authentication to the intelligent door lock device M2 (namely, the intelligent door lock device M2 is opened); if the identity information IDb of the inconsistent visitors is wrong, the authentication fails, and the authentication is terminated (namely the intelligent door lock device M2 is not opened). The setting avoids the situation that the visitor needs to repeat all authentication steps after misoperation during final verification, saves the time of identity authentication, and can ensure the safety of the identity authentication.
Claims (2)
1. An Internet of things equipment authentication and key agreement method is used for identity authentication and key exchange between a visitor terminal and a central server; the method comprises the steps that a preset central server contains pre-filled encrypted visitor registration information and an access time period, wherein the registration information comprises equipment information IDa of a visitor terminal and identity information IDb of a visitor, and a shared root key K is arranged between the visitor terminal and the central server; the method is characterized in that the authentication process comprises the following steps:
step (1), the central server receives a signal of identity information IDb of a visitor through the intelligent door lock device M1, then the authentication request of the visitor is received, whether the identity information IDb of the visitor is consistent with identity information prestored by the central server is firstly checked, if so, an authentication flow is started, and if not, the authentication is terminated;
step (2), the central server judges whether the current time point is within a preset access time period, if so, the next authentication is carried out, and if not, the authentication is terminated;
and (3) the central server generates a random number Rs, generates dynamic ID information IDat according to the equipment information IDa and the random number Rs of the visitor terminal and the current time node, calculates an authentication key K1= KDF (IDat, rs and K) by using a key derivation algorithm, and calculates an authentication token AUTNs = E by using a symmetric cryptographic algorithm K1 (Rs | | IDat), and a random number Rs, an authentication key K1 and an authentication token AUTNs are sent to the visitor terminal; the dynamic ID information IDat is generated by combining the time node, the equipment information IDa of the guest terminal and the random number Rs and converting the combination into a binary string by short division;
step (4), after the visitor terminal receives the information sent by the central server, the authentication token AUTNs is subjected to inverse operation decryption by using an authentication key K1 to obtain a random number Rs 'and a binary character string IDat', the binary character string IDat 'is converted into a decimal character string, namely decrypted equipment information IDa' of the visitor terminal through inverse operation, then whether the random number Rs 'is consistent with the random number Rs is compared, whether the decrypted equipment information IDa' of the visitor terminal is consistent with the equipment information IDa of the visitor terminal stored in the visitor terminal, if so, the central server successfully authenticates the identity, the next authentication is carried out, and if one of the random number Rs is inconsistent, the authentication fails, and the authentication is terminated;
and (5) the visitor terminal generates a random number Ra, calculates an authentication key K2= KDF (IDa, ra, K) by using a key derivation algorithm, and then calculates an authentication token AUTNa = E by using a symmetric cryptographic algorithm K2 (Ra | | Rs') sending the random number Ra, the authentication key K2 and the authentication token AUTNa to the central server;
step (6), after receiving the authentication token AUTNa sent by the visitor terminal, the central server uses the authentication key K2 to execute inverse operation to decrypt the authentication token AUTNa to obtain a random number Ra 'and a random number Rs' ', compares whether the random number Ra' is consistent with the random number Ra, compares whether the random number Rs '' is consistent with the random number Rs, if yes, the identity authentication of the visitor terminal is successful, and if one of the random number Ra is inconsistent, the authentication is failed;
step (7), if the authentication in the step (6) is successful, the central server sends a signal of successful authentication to the intelligent door lock device M1, namely the intelligent door lock device M1 is opened; if the authentication in the step (6) fails, the authentication is terminated, namely the intelligent door lock device M1 is not opened;
step (8), when the intelligent door lock device M2 needs to be opened, repeating the step (1) to the step (6), and if the authentication in the step (6) fails, terminating the authentication; if the authentication in the step (6) is successful, the central server generates a temporary random field Rc as a temporary password, calculates a communication key Kc = KDF (K, ra', rc) by using a key derivation algorithm, and then sends the communication key Kc to the visitor terminal;
step (9), the visitor terminal decrypts the communication key Kc by using the root key K to obtain a decrypted temporary password Rc'; the visitor transmits the decrypted temporary password Rc 'to the central server through the intelligent door lock device M2, and the central server compares whether the decrypted temporary password Rc' is consistent with the temporary random field Rc or not; if the authentication is consistent with the authentication request, the authentication is successful, and the central server sends a signal of successful authentication to the intelligent door lock device M2, namely the intelligent door lock device M2 is opened;
if the password is inconsistent, the visitor can input the password again within a certain preset time to repeat the step (9) for identity verification, and the central server compares whether the temporary password input by the visitor is consistent with the temporary random field Rc again; if the identity information is consistent with the identity information, the visitor inputs the fingerprint information again, the central server checks whether the identity information IDb of the visitor is correct, if so, the authentication is successful, and the central server sends a signal of successful authentication to the intelligent door lock device M2, namely, the intelligent door lock device M2 is opened; if the identity information IDb of the inconsistent visitors is wrong, the authentication fails, the authentication is terminated, and the intelligent door lock device M2 is not opened.
2. The internet of things equipment authentication and key agreement method as claimed in claim 1, wherein the identity information IDb of the visitor includes one or more of fingerprint information, pupil information, and temporary access card information.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211125240.5A CN115208702B (en) | 2022-09-16 | 2022-09-16 | Internet of things equipment authentication and key agreement method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211125240.5A CN115208702B (en) | 2022-09-16 | 2022-09-16 | Internet of things equipment authentication and key agreement method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115208702A CN115208702A (en) | 2022-10-18 |
CN115208702B true CN115208702B (en) | 2022-12-30 |
Family
ID=83572879
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211125240.5A Active CN115208702B (en) | 2022-09-16 | 2022-09-16 | Internet of things equipment authentication and key agreement method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115208702B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107274516A (en) * | 2017-04-19 | 2017-10-20 | 捷开通讯(深圳)有限公司 | The method and server of access registrar, intelligent terminal and storage device |
CN108989318A (en) * | 2018-07-26 | 2018-12-11 | 中国电子科技集团公司第三十研究所 | A kind of lightweight safety certification and key exchange method towards narrowband Internet of Things |
CN110858969A (en) * | 2018-08-23 | 2020-03-03 | 刘高峰 | Client registration method, device and system |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101621801B (en) * | 2009-08-11 | 2012-11-28 | 华为终端有限公司 | Method, system, server and terminal for authenticating wireless local area network |
CN107919956B (en) * | 2018-01-04 | 2020-09-22 | 重庆邮电大学 | End-to-end safety guarantee method in cloud environment facing to Internet of things |
CN111835752B (en) * | 2020-07-09 | 2022-04-12 | 国网山西省电力公司信息通信分公司 | Lightweight authentication method based on equipment identity and gateway |
-
2022
- 2022-09-16 CN CN202211125240.5A patent/CN115208702B/en active Active
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107274516A (en) * | 2017-04-19 | 2017-10-20 | 捷开通讯(深圳)有限公司 | The method and server of access registrar, intelligent terminal and storage device |
CN108989318A (en) * | 2018-07-26 | 2018-12-11 | 中国电子科技集团公司第三十研究所 | A kind of lightweight safety certification and key exchange method towards narrowband Internet of Things |
CN110858969A (en) * | 2018-08-23 | 2020-03-03 | 刘高峰 | Client registration method, device and system |
Also Published As
Publication number | Publication date |
---|---|
CN115208702A (en) | 2022-10-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106789047B (en) | A kind of block chain identification system | |
CN101222488B (en) | Method and network authentication server for controlling client terminal access to network appliance | |
CN109410406B (en) | Authorization method, device and system | |
US5418854A (en) | Method and apparatus for protecting the confidentiality of passwords in a distributed data processing system | |
TW201812630A (en) | Block chain identity system | |
CN107274532A (en) | The temporary password gate control system that encryption parameter dynamically updates | |
CN111080845B (en) | Temporary unlocking method, system, door lock, administrator terminal and readable storage medium | |
CN109448197A (en) | A kind of cloud intelligent lock system and key management method based on multi-enciphering mode | |
CN109728909A (en) | Identity identifying method and system based on USBKey | |
CN108418691A (en) | Dynamic network identity identifying method based on SGX | |
US10133861B2 (en) | Method for controlling access to a production system of a computer system not connected to an information system of said computer system | |
CN108509787B (en) | Program authentication method | |
CN109618334B (en) | Control method and related equipment | |
CN105099690A (en) | OTP and user behavior-based certification and authorization method in mobile cloud computing environment | |
CN109905374A (en) | A kind of identity identifying method with secret protection characteristic towards wired home | |
CN106411926A (en) | Data encryption communication method and system | |
CN111540093A (en) | Access control system and control method thereof | |
CN113037702B (en) | Agricultural worker login system safe working method based on big data analysis | |
CN107104792B (en) | Portable mobile password management system and management method thereof | |
CN111882706A (en) | Intelligent house management method | |
CN115208702B (en) | Internet of things equipment authentication and key agreement method | |
KR101996317B1 (en) | Block chain based user authentication system using authentication variable and method thereof | |
CN114726555B (en) | Authentication and key agreement method, device and storage medium | |
JP2001344214A (en) | Method for certifying terminal and cipher communication system | |
CN108566365B (en) | Intelligent door lock opening method based on sound wave technology |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |