CN116865971B - Internet of things terminal identity authentication method based on digital certificate - Google Patents

Publication number: CN116865971B
Authority: CN (China)
Prior art keywords: certificate, terminal, chain, issuer, identity authentication
Legal status: Active
Application number: CN202310694708.0A
Other languages: Chinese (zh)
Other versions: CN116865971A (en)
Inventor: 吕浩文
Current Assignee: Huainan Public Security Bureau
Original Assignee: Huainan Public Security Bureau
Application filed by Huainan Public Security Bureau
Priority to CN202310694708.0A
Publication of CN116865971A
Application granted
Publication of CN116865971B

Abstract

The invention discloses an Internet of Things terminal identity authentication method based on a digital certificate, which belongs to the technical field of the Internet of Things and comprises the following steps: S1: certificate issuing; S2: identity authentication request; S3: certificate chain and signature verification; S4: intersection existence determination; S5: private key possession determination. The terminal certificate is used as the trust anchor, and the trust chain is extended to the opposite terminal device through the certificate chain of the terminal certificate, the certificate chain of the opposite terminal certificate and the intersection point of the two certificate chains, thereby completing identity authentication.

Description

Internet of things terminal identity authentication method based on digital certificate
Technical Field
The invention relates to the technical field of the Internet of things, in particular to an Internet of things terminal identity authentication method based on a digital certificate.
Background
In an Internet of Things system, terminal devices need to be authenticated. Among the many authentication solutions, digital certificate schemes based on PKI (public key infrastructure) are widely used for their security.
A traditional PKI digital certificate system generally adopts a tree structure. To judge whether a terminal certificate is trusted in this structure, the verifier starts from the terminal certificate and searches upward level by level until it reaches the root certificate, thereby building a certificate chain; if the certificate chain is complete and the root certificate is trusted, the terminal certificate is trusted. In such a security system, with the root certificate as the trust anchor, the security of the root certificate itself is critical. To ensure security, a traditional PKI system requires the root certificate to be replaced periodically; after replacement, all certificates issued by the old root certificate must be re-issued with the new root certificate, and the new root certificate must be added to all terminal devices in the Internet of Things system as soon as possible to replace the old one.
When an Internet of Things system uses traditional PKI digital certificates, a root certificate must be stored in every terminal device in advance. By the nature of the Internet of Things, the internal data of a terminal device is not easy to change once the device is deployed, and extra protection measures are often adopted to prevent the root certificate in the device from being maliciously deleted or tampered with; as a result, any mechanism for updating certificates necessarily increases the complexity of the device and brings more stability and security risks. The Internet of Things system can give the root certificate a very long validity period, but the risk of the root certificate's private key being leaked accumulates continuously as the system runs over the long term.
In addition, an Internet of Things terminal can unconditionally trust the terminal certificate it holds, yet that certificate cannot serve as a trust anchor. With the certificate signing method of the traditional certificate system, the terminal can verify the digital signature to confirm that the certificate it holds was indeed signed by the private key corresponding to the public key of the upper-level certificate in the certificate chain, but it cannot confirm whether the certificate that issued that upper-level certificate is trusted: because any certificate can sign the upper-level certificate without changing its public key, the trust chain can extend by only one level. If a trust model with the terminal certificate as the trust anchor is adopted, the system can only issue terminal certificates directly from the root certificate, and the problem remains that during operation the root certificate is either not replaced or must be replaced together with the terminal certificates.
In a security system with the root certificate as the trust anchor, authenticating a terminal device requires the root certificate preset in the terminal, and after the root certificate is replaced the terminal certificate must be replaced with it, which makes identity authentication very inconvenient.
Disclosure of Invention
The technical problem to be solved by the invention is how to change the trust model of the traditional PKI system, which takes the root certificate as the trust anchor, and thereby change the identity authentication mode; to this end, an Internet of Things terminal identity authentication method based on a digital certificate is provided.
The invention solves this technical problem through the following technical scheme. The Internet of Things terminal identity authentication method based on a digital certificate comprises the following steps:
S1: Certificate issuing
Certificates are issued in the Internet of Things system using the digital certificate system;
S2: Identity authentication request
A first terminal in the Internet of Things system requests identity authentication from a second terminal and sends its first terminal certificate, which the second terminal receives;
S3: Certificate chain and signature verification
The second terminal builds the certificate chain of the first terminal certificate and the certificate chain of the second terminal certificate, and verifies the issuer signatures of the terminal certificates and intermediate certificates in the two chains as well as the self-signatures of the intermediate certificates and root certificates; if both certificate chains are complete and all signatures verify correctly, the method proceeds to step S4, otherwise identity authentication fails;
S4: Intersection existence determination
Check whether at least one intermediate certificate or root certificate in one certificate chain also exists in the other certificate chain; if so, proceed to step S5, otherwise identity authentication fails;
S5: Private key possession determination
Determine whether the first terminal holds the private key of the first terminal certificate; if so, identity authentication succeeds, otherwise identity authentication fails; this completes the identity authentication process.
Further, in step S1, the digital certificate system comprises a root certificate, intermediate certificates issued using the root certificate, and lower-level intermediate certificates or terminal certificates issued using an intermediate certificate. When a certificate is issued, an identifier unique within the system is written into it; every certificate contains the public key of at least one key pair of an asymmetric cryptographic algorithm, and the matching private key is kept by the certificate holder. For the root certificate, the certificate itself signs its data field and the signature value is stored in its self-signature field. For an intermediate certificate, the root certificate or an upper-level intermediate certificate signs its data field, and the signature value and the unique identifier of the issuer certificate are stored in its issuer signature field; the intermediate certificate itself then signs its data field and issuer signature field, and that signature value is stored in its self-signature field. For a terminal certificate, an intermediate certificate signs its data field, and the signature value and the unique identifier of the issuer certificate are stored in its issuer signature field. The terminal certificate is stored in the Internet of Things terminal, and the root certificate and all intermediate certificates are stored in a location from which the Internet of Things terminals can obtain them.
Further, the self-signature of an intermediate certificate means that the holder of the intermediate certificate signs the intermediate certificate together with its issuer signature value, thereby acknowledging the legitimacy of the issuer.
Further, in the step S2, the internet of things system includes at least two internet of things terminals, namely a first terminal and a second terminal, and the two terminals respectively hold a corresponding first terminal certificate and a corresponding second terminal certificate.
Further, in step S3, when the certificate chains are built, the first terminal certificate and the second terminal certificate are each taken as a starting point; the unique identifier of the issuer certificate stored in each certificate's issuer signature field is used to look up and verify the issuer certificate level by level upward, obtaining the intermediate certificates at each level up to the root certificate, thereby forming two certificate chains.
Further, in the step S3, after the certificate chain is obtained, whether the certificate chain is complete is determined by the structure of the certificate chain, and when the certificate chain includes the terminal certificate, at least one intermediate certificate and the root certificate, the certificate chain is indicated to be a complete certificate chain, otherwise, the certificate chain is an incomplete certificate chain.
Further, in step S3, the process of verifying the issuer signatures of the terminal certificates and intermediate certificates in the two certificate chains is as follows:
S301: obtain the terminal certificate and all intermediate certificates in each certificate chain;
S302: read the data field of the current certificate and the signature value in its issuer signature field, and read the public key of the current certificate's issuer certificate;
S303: verify the signature over the data field of the current certificate using the public key of its issuer certificate and the signature value in its issuer signature field;
S304: when the terminal certificate and all intermediate certificates in each certificate chain pass signature verification, the issuer signature values are verified as correct; otherwise they are verified as incorrect and identity authentication fails.
Further, in step S3, the process of verifying the self-signatures of the intermediate certificates and root certificates is as follows:
S311: obtain all intermediate certificates and the root certificate in each certificate chain;
S312: read the public key of the current certificate and the signature value in its self-signature field; read the data field and the issuer signature field when the current certificate is an intermediate certificate, and the data field when it is a root certificate;
S313: when the current certificate is an intermediate certificate, verify the signature over its data field and issuer signature field using its own public key and the signature value in its self-signature field; when the current certificate is a root certificate, verify the signature over its data field using its own public key and the signature value in its self-signature field;
S314: when all intermediate certificates and root certificates in each certificate chain pass signature verification, the self-signature values are verified as correct; otherwise they are verified as incorrect and identity authentication fails.
Further, in step S4, based on the certificate chain structures obtained in step S3, the contents of the terminal certificates, intermediate certificates and root certificates in the chains are read and are searched and compared one by one by unique identifier; when the unique identifier of an intermediate certificate or root certificate in one certificate chain is found in the other certificate chain, the remaining contents of that same intermediate or root certificate in the two chains are compared; if they are consistent, the method proceeds to step S5, otherwise identity authentication fails.
Further, in step S5, to determine whether the first terminal holds the private key of the first terminal certificate, the second terminal reads the public key of the first terminal certificate, encrypts setting data with that public key, and sends the resulting ciphertext to the first terminal; the first terminal attempts to decrypt it with the private key it holds and sends the result to the second terminal; the second terminal determines whether the received result is consistent with the setting data; if so, the first terminal holds the private key of the first terminal certificate; otherwise, the first terminal does not hold the private key of the first terminal certificate and identity authentication fails.
Compared with the prior art, the invention has the following advantages: in this Internet of Things terminal identity authentication method based on a digital certificate, the terminal certificate is used as the trust anchor, and the trust chain is extended to the opposite terminal device through the certificate chain of the terminal certificate, the certificate chain of the opposite terminal certificate and the intersection point of the two certificate chains, thereby completing identity authentication.
Drawings
Fig. 1 is a flow chart of an authentication method of an internet of things terminal based on a digital certificate in a first embodiment of the invention.
Detailed Description
The following describes in detail the examples of the present invention, which are implemented on the premise of the technical solution of the present invention, and detailed embodiments and specific operation procedures are given, but the scope of protection of the present invention is not limited to the following examples.
Example 1
As shown in Fig. 1, this embodiment provides a technical solution: an Internet of Things terminal identity authentication method based on a digital certificate, comprising the following steps:
S1: Certificate issuing
Certificates are issued in the Internet of Things system using the digital certificate system;
S2: Identity authentication request
A first terminal in the Internet of Things system requests identity authentication from a second terminal and sends its first terminal certificate, which the second terminal receives;
S3: Certificate chain and signature verification
The second terminal builds the certificate chain of the first terminal certificate and the certificate chain of the second terminal certificate, and verifies the issuer signatures of the terminal certificates and intermediate certificates in the two chains as well as the self-signatures of the intermediate certificates and root certificates; if both certificate chains are complete and all signatures verify correctly, the method proceeds to step S4, otherwise identity authentication fails;
S4: Intersection existence determination
Check whether at least one intermediate certificate or root certificate in one certificate chain also exists in the other certificate chain; if so, proceed to step S5, otherwise identity authentication fails;
S5: Private key possession determination
Determine whether the first terminal holds the private key of the first terminal certificate; if so, identity authentication succeeds, otherwise identity authentication fails; this completes the identity authentication process.
In this embodiment, in step S1, the digital certificate system comprises a root certificate, intermediate certificates issued using the root certificate, and lower-level intermediate certificates or terminal certificates issued using an intermediate certificate. Every certificate has an identifier unique within the system and contains the public key of at least one key pair of an asymmetric cryptographic algorithm, and the matching private key is kept by the certificate holder. For the root certificate, the certificate itself signs its data field and the signature value is stored in its self-signature field. For an intermediate certificate, the root certificate or an upper-level intermediate certificate signs its data field, and the signature value and the unique identifier of the issuer certificate are stored in its issuer signature field; the intermediate certificate itself then signs its data field and issuer signature field, and that signature value is stored in its self-signature field. For a terminal certificate, an intermediate certificate signs its data field, and the signature value and the unique identifier of the issuer certificate are stored in its issuer signature field. The terminal certificate is stored in the Internet of Things terminal, and the root certificate and all intermediate certificates are stored in a location from which the Internet of Things terminals can obtain them.
The self-signature of an intermediate certificate means that the holder of the intermediate certificate signs the intermediate certificate together with its issuer signature value, thereby acknowledging the legitimacy of the issuer; when the intermediate certificate is trusted, the upper-level intermediate certificate or root certificate that issued it is also trusted, so the trust chain extends from bottom to top along the certificate chain.
It should be noted that the unique identifier of a certificate in this embodiment includes, but is not limited to, a serial number, and is written into the certificate data field when the certificate is issued.
In this embodiment, in step S2, the Internet of Things system includes at least two Internet of Things terminals, namely a first terminal and a second terminal, which hold a corresponding first terminal certificate and second terminal certificate respectively. In step S3, when the certificate chains are built, the first terminal certificate and the second terminal certificate are each taken as a starting point; the unique identifier of the issuer certificate stored in each certificate's issuer signature field is used to look up and verify the issuer certificate level by level upward, obtaining the intermediate certificates at each level and the root certificate, thereby forming two certificate chains. In step S3, after a certificate chain is obtained, whether it is complete is determined from its structure: when the certificate chain includes the terminal certificate, at least one intermediate certificate and the root certificate, it is a complete certificate chain; otherwise it is an incomplete certificate chain.
In this embodiment, in step S3, the process of verifying the issuer signatures of the terminal certificates and intermediate certificates in the two certificate chains is as follows:
S301: obtain the terminal certificate and all intermediate certificates in each certificate chain;
S302: read the data field of the current certificate and the signature value in its issuer signature field, and read the public key of the current certificate's issuer certificate;
S303: verify the signature over the data field of the current certificate using the public key of its issuer certificate and the signature value in its issuer signature field;
S304: when the terminal certificate and all intermediate certificates in each certificate chain pass signature verification, the issuer signature values are verified as correct; otherwise they are verified as incorrect and identity authentication fails.
In this embodiment, in step S3, the process of verifying the self-signatures of the intermediate certificates and root certificates is as follows:
S311: obtain all intermediate certificates and the root certificate in each certificate chain;
S312: read the public key of the current certificate and the signature value in its self-signature field; read the data field and the issuer signature field when the current certificate is an intermediate certificate, and the data field when it is a root certificate; the signature field comprises a signature value and the unique identifier of the signing certificate, and both are included in the scope of signing and signature verification;
S313: when the current certificate is an intermediate certificate, verify the signature over its data field and issuer signature field using its own public key and the signature value in its self-signature field; when the current certificate is a root certificate, verify the signature over its data field using its own public key and the signature value in its self-signature field;
S314: when all intermediate certificates and root certificates in each certificate chain pass signature verification, the self-signature values are verified as correct; otherwise they are verified as incorrect and identity authentication fails.
In this embodiment, in step S4, based on the certificate chain structures obtained in step S3, the contents of the terminal certificates, intermediate certificates and root certificates in the chains are read and are searched and compared one by one by unique identifier; when the unique identifier of an intermediate certificate or root certificate in one certificate chain is found in the other certificate chain, the remaining contents of that same intermediate or root certificate in the two chains are compared; if they are consistent, the method proceeds to step S5, otherwise identity authentication fails.
In this embodiment, in step S5, to determine whether the first terminal holds the private key of the first terminal certificate, the second terminal reads the public key of the first terminal certificate, encrypts setting data with that public key, and sends the resulting ciphertext to the first terminal; the first terminal attempts to decrypt it with the private key it holds and sends the result to the second terminal; the second terminal determines whether the received result is consistent with the setting data; if so, the first terminal holds the private key of the first terminal certificate; otherwise, the first terminal does not hold the private key of the first terminal certificate and identity authentication fails.
It should be noted that, in this embodiment, the second terminal verifies the identity of the first terminal, and when the first terminal verifies the identity of the second terminal, the principle is the same as that when the second terminal verifies the identity of the first terminal.
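Step S5 as a two-sided exchange, in an added Go example that is not part of the patent text. RSA-OAEP, the 32 random bytes used as setting data, the label and all function names are assumptions; the patent only specifies encrypting setting data with the public key of the first terminal certificate.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// label ties ciphertexts to this exchange; its value is an assumption of the example.
var label = []byte("S5 private key possession check")

// NewKey creates the key pair whose public half would sit in a terminal certificate.
func NewKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// Challenge is the second terminal's side: it picks the setting data (fresh
// random bytes, so an earlier response cannot be replayed) and encrypts it
// with the public key read from the first terminal certificate.
func Challenge(certPub *rsa.PublicKey) (setting, ciphertext []byte, err error) {
	setting = make([]byte, 32)
	if _, err = rand.Read(setting); err != nil {
		return nil, nil, err
	}
	ciphertext, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, certPub, setting, label)
	return setting, ciphertext, err
}

// Respond is the first terminal's side: it attempts decryption with the
// private key it holds and returns the result.
func Respond(held *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, held, ciphertext, label)
	if err != nil {
		return nil, fmt.Errorf("decryption failed: %w", err)
	}
	return plain, nil
}

// Holds runs the whole exchange and reports whether the responder's private
// key matches the public key in the certificate.
func Holds(certPub *rsa.PublicKey, held *rsa.PrivateKey) bool {
	setting, ciphertext, err := Challenge(certPub)
	if err != nil {
		return false
	}
	response, _ := Respond(held, ciphertext) // a failed decryption leaves response empty
	return subtle.ConstantTimeCompare(setting, response) == 1
}

func main() {
	owner := NewKey()    // key pair behind the first terminal certificate
	impostor := NewKey() // a device presenting a copied certificate without its key
	fmt.Println("owner:", Holds(&owner.PublicKey, owner))
	fmt.Println("impostor:", Holds(&owner.PublicKey, impostor))
}
```

Since the first terminal returns the decryption of whatever ciphertext it receives, the key pair used for this check should not also be used to protect other data.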
Example two
In this embodiment, a digital certificate system based on public key cryptography is established and used to issue digital certificates. The digital certificate system includes a digital certificate authority (CA); the CA has a self-signed root certificate Rootcer, uses Rootcer to issue an intermediate certificate Middcer, and uses the intermediate certificate Middcer to issue a lower-level intermediate certificate or a terminal certificate Endcer. The intermediate certificate Middcer is signed by the root certificate Rootcer or by an upper-level intermediate certificate and is then self-signed; the data covered by the intermediate certificate's self-signature includes the signature value of the root certificate or upper-level intermediate certificate.
This signing method reconstructs the trust model of the PKI system: an Internet of Things terminal device only needs to store its terminal certificate and does not need to store the root certificate. When the root certificate of the Internet of Things system expires and needs to be replaced, it is only necessary to use the new root certificate to re-issue the intermediate certificates that were issued by the old root certificate and are still within their validity period, have those intermediate certificates self-signed, and then release the updated root certificate and intermediate certificates. This solves the problem of replacing the root certificate preset in terminals in Internet of Things application scenarios, enhances system security, maintains system stability and improves management flexibility.
In this embodiment, the self-signature of the intermediate certificate means that the holder of the intermediate certificate acknowledges the legitimacy of the issuer by signing the intermediate certificate together with its issuer signature value; thus, if the intermediate certificate is trusted, the upper-level intermediate certificate or root certificate that issued it is also trusted, so that the trust chain extends from bottom to top along the certificate chain.
This embodiment also provides an Internet of Things terminal identity authentication method based on a digital certificate, which uses the above digital certificate system to issue digital certificates. Terminals EA and EB hold terminal certificates EndcerA and EndcerB respectively, and terminal EA requests identity authentication from terminal EB. The authentication process comprises the following steps:
First step: terminal EB receives the terminal certificate EndcerA sent by EA when it requests identity authentication;
Second step: terminal EB builds the certificate chains of terminal certificate EndcerA and terminal certificate EndcerB, each certificate chain comprising a terminal certificate, one or more intermediate certificates and a root certificate; terminal EB needs to verify the issuer signatures of the terminal certificates and intermediate certificates, and also the self-signatures of the intermediate certificates and root certificates; if both certificate chains are complete and verify correctly, the process continues to the next step, otherwise authentication fails;
Third step: terminal EB checks whether at least one intermediate certificate or root certificate in one certificate chain also exists in the other certificate chain; if so, the process continues to the next step, otherwise authentication fails;
Fourth step: terminal EB determines whether terminal EA holds the private key of terminal certificate EndcerA; if so, authentication succeeds, otherwise authentication fails; this completes the identity authentication process.
In summary, in the Internet of Things terminal identity authentication method based on a digital certificate of this embodiment, the terminal certificate is used as the trust anchor, and the trust chain is extended to the opposite terminal device through the certificate chain of the terminal certificate, the certificate chain of the opposite terminal certificate and the intersection point of the two certificate chains, thereby completing the authentication.
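The dual-signature certificates, chain verification and chain intersection described above, together with the root replacement of this embodiment, as an added Go example that is not part of the patent text. The certificate layout and byte encoding, the use of Ed25519, the separate certificate stores and the identifiers `root-1`, `mid-1` and `root-2` are assumptions; the private key check of the last step is not covered.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Cert holds the fields the patent names; this concrete layout is an assumption.
type Cert struct {
	ID, Kind  string            // data field: unique identifier; root/intermediate/terminal
	Pub       ed25519.PublicKey // data field: holder's public key
	IssuerID  string            // issuer signature field: identifier of the issuer certificate
	IssuerSig []byte            // issuer signature field: issuer's signature over the data field
	SelfSig   []byte            // self-signature field (root and intermediate only)
}

// data is the data field; selfSigned adds the issuer signature field (empty for a root).
func (c *Cert) data() []byte       { return append([]byte(c.Kind+"\x00"+c.ID+"\x00"), c.Pub...) }
func (c *Cert) selfSigned() []byte { return append(append(c.data(), c.IssuerID...), c.IssuerSig...) }

// Sign fills the issuer signature field (issuer is nil for a root), then the
// holder's self-signature over the data field and the issuer signature field.
func Sign(c Cert, holderKey ed25519.PrivateKey, issuer *Cert, issuerKey ed25519.PrivateKey) *Cert {
	if issuer != nil {
		c.IssuerID, c.IssuerSig = issuer.ID, ed25519.Sign(issuerKey, c.data())
	}
	if c.Kind != "terminal" {
		c.SelfSig = ed25519.Sign(holderKey, c.selfSigned())
	}
	return &c
}

// Issue creates a key pair and a signed certificate for a new holder.
func Issue(id, kind string, issuer *Cert, issuerKey ed25519.PrivateKey) (*Cert, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return Sign(Cert{ID: id, Kind: kind, Pub: pub}, priv, issuer, issuerKey), priv
}

// BuildChain follows issuer identifiers upward from a terminal certificate,
// checking each issuer signature and each self-signature on the way.
func BuildChain(term *Cert, store map[string]*Cert) ([]*Cert, error) {
	chain := []*Cert{term}
	for cur := term; cur.Kind != "root"; cur = chain[len(chain)-1] {
		iss, ok := store[cur.IssuerID]
		if !ok || iss.Kind == "terminal" || len(chain) > 8 {
			return nil, errors.New("incomplete certificate chain")
		}
		if !ed25519.Verify(iss.Pub, cur.data(), cur.IssuerSig) || // issuer signature
			!ed25519.Verify(iss.Pub, iss.selfSigned(), iss.SelfSig) { // self-signature
			return nil, fmt.Errorf("signature check failed between %s and %s", cur.ID, iss.ID)
		}
		chain = append(chain, iss)
	}
	if term.Kind != "terminal" || len(chain) < 3 {
		return nil, errors.New("chain needs a terminal, an intermediate and a root certificate")
	}
	return chain, nil
}

// Intersect accepts an identifier found in both chains only if the rest of that
// certificate's contents match as well.
func Intersect(a, b []*Cert) bool {
	for _, x := range a[1:] {
		for _, y := range b[1:] {
			if x.ID == y.ID {
				return bytes.Equal(x.selfSigned(), y.selfSigned()) && bytes.Equal(x.SelfSig, y.SelfSig)
			}
		}
	}
	return false
}

// Authenticate runs chain verification and the intersection check on the verifying terminal.
func Authenticate(peer, own *Cert, peerStore, ownStore map[string]*Cert) error {
	a, errA := BuildChain(peer, peerStore)
	b, errB := BuildChain(own, ownStore)
	if err := errors.Join(errA, errB); err != nil {
		return err
	}
	if !Intersect(a, b) {
		return errors.New("certificate chains do not intersect")
	}
	return nil
}

func main() {
	root, rootKey := Issue("root-1", "root", nil, nil)
	mid, midKey := Issue("mid-1", "intermediate", root, rootKey)
	ea, _ := Issue("EA", "terminal", mid, midKey)
	eb, _ := Issue("EB", "terminal", mid, midKey)
	store := map[string]*Cert{root.ID: root, mid.ID: mid}
	fmt.Println("old root:", Authenticate(ea, eb, store, store))
	// Root replacement: only the intermediate is re-issued and self-signed again.
	root2, root2Key := Issue("root-2", "root", nil, nil)
	mid2 := Sign(*mid, midKey, root2, root2Key)
	store = map[string]*Cert{root2.ID: root2, mid2.ID: mid2}
	fmt.Println("new root:", Authenticate(ea, eb, store, store))
}
```

Both calls print `<nil>`: the terminal certificates stay on the devices unchanged across the root replacement, because only the intermediate certificate's issuer signature field and self-signature are renewed.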
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In the description of the present invention, the meaning of "plurality" means at least two, for example, two, three, etc., unless specifically defined otherwise.
In the description of the present specification, a description referring to the terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms are not necessarily directed to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, the different embodiments or examples described in this specification and the features of the different embodiments or examples may be joined and combined by those skilled in the art without contradiction.
While embodiments of the present invention have been shown and described above, it will be understood that the above embodiments are illustrative and not to be construed as limiting the invention, and that changes, modifications, substitutions and variations may be made to the above embodiments by one of ordinary skill in the art within the scope of the invention.

Claims (7)

1. A digital-certificate-based identity authentication method for Internet of Things terminals, characterized by comprising the following steps:
S1: certificate issuing
Issuing certificates in the Internet of Things system by using the digital certificate system;
S2: request identity authentication
A first terminal in the Internet of Things system requests identity authentication from a second terminal and sends its first terminal certificate, and the second terminal receives the first terminal certificate;
S3: certificate chain and signature verification
The second terminal builds a certificate chain for the first terminal certificate and a certificate chain for the second terminal certificate, verifies the issuer signatures of the terminal certificates and intermediate certificates in the two certificate chains and the self-signatures of the intermediate certificates and root certificates, and proceeds to step S4 when both certificate chains are complete and the signatures are verified to be correct; otherwise, the identity authentication fails;
S4: intersection presence determination
Checking whether at least one intermediate certificate or root certificate of one certificate chain also exists in the other certificate chain; if so, proceeding to step S5, otherwise the identity authentication fails;
S5: private key holding determination
Judging whether the first terminal holds the private key of the first terminal certificate; if so, the identity authentication is successful, otherwise the identity authentication fails, and the identity authentication process is then complete;
in the step S1, the digital certificate system includes a root certificate, intermediate certificates issued using the root certificate, and subordinate intermediate certificates or terminal certificates issued using an intermediate certificate; when a certificate is issued, an identifier that is unique within the system is written into it; every certificate contains the public key of at least one key pair of an asymmetric cryptographic algorithm, and the matching private key is kept by the certificate holder; the root certificate signs its own data field and stores the signature value in its self-signature field; for an intermediate certificate, the root certificate or an upper-level intermediate certificate signs the data field of the certificate, and the signature value and the unique identifier of the issuer certificate are stored in the issuer signature field of the certificate, after which the certificate itself signs its data field and its issuer signature field and stores the signature value in its self-signature field; for a terminal certificate, an intermediate certificate signs the data field of the certificate, and the signature value and the unique identifier of the issuer certificate are stored in the issuer signature field of the certificate; the terminal certificate is stored in the Internet of Things terminal, and the root certificate and all intermediate certificates are stored in locations from which the Internet of Things terminal can obtain them;
the self-signature of an intermediate certificate means that the holder of the intermediate certificate signs the intermediate certificate together with the signature value of its issuer, thereby acknowledging the legitimacy of the issuer;
in the step S4, according to the certificate chain structure obtained in the step S3, the contents of the terminal certificate, the intermediate certificates and the root certificate in each certificate chain are read and, based on the unique identifiers of the certificates, searched and compared one by one; when the unique identifier of an intermediate certificate or root certificate of one certificate chain is found in the other certificate chain, the remaining contents of that intermediate certificate or root certificate as it appears in the two certificate chains are compared; if they are consistent, the method proceeds to step S5, otherwise the identity authentication fails.
2. The internet of things terminal identity authentication method based on the digital certificate as set forth in claim 1, wherein: in the step S2, the internet of things system includes at least two internet of things terminals, namely a first terminal and a second terminal, where the two terminals respectively hold a corresponding first terminal certificate and a corresponding second terminal certificate.
3. The internet of things terminal identity authentication method based on the digital certificate as set forth in claim 1, wherein: in the step S3, when the certificate chains are established, the first terminal certificate and the second terminal certificate are each used as a starting point, and the unique identifier of the issuer certificate stored in each certificate's issuer signature field is used to look up and verify the issuer certificate level by level upward, obtaining the intermediate certificates at each level up to the root certificate, so that two certificate chains are formed.
4. The internet of things terminal identity authentication method based on the digital certificate as set forth in claim 3, wherein: in the step S3, after the certificate chain is obtained, whether the certificate chain is complete is determined by the structure of the certificate chain, and when the certificate chain includes the terminal certificate, at least one intermediate certificate and the root certificate, the certificate chain is indicated to be the complete certificate chain, otherwise, the certificate chain is the incomplete certificate chain.
5. The internet of things terminal identity authentication method based on the digital certificate as set forth in claim 4, wherein: in the step S3, the issuer signatures of the terminal certificate and the intermediate certificates in the two certificate chains are verified as follows:
S301: acquiring the terminal certificate and all intermediate certificates in each certificate chain;
S302: for the current certificate, reading its data field and the signature value in its issuer signature field, and reading the public key of its issuer certificate;
S303: verifying the signature over the data field of the current certificate by using the public key of its issuer certificate and the signature value in its issuer signature field;
S304: when the terminal certificate and all the intermediate certificates in each certificate chain are verified successfully, the issuer signature values are verified as correct; otherwise they are verified as incorrect, and the identity authentication fails.
6. The internet of things terminal identity authentication method based on the digital certificate according to claim 5, wherein: in the step S3, the self-signatures of the intermediate certificates and the root certificate are verified as follows:
S311: acquiring all intermediate certificates and root certificates in each certificate chain;
S312: reading the public key of the current certificate and the signature value in its self-signature field; when the current certificate is an intermediate certificate, reading its data field and issuer signature field, and when the current certificate is a root certificate, reading its data field;
S313: when the current certificate is an intermediate certificate, using its public key and the signature value in its self-signature field to verify the signature over its data field and issuer signature field; when the current certificate is a root certificate, using its public key and the signature value in its self-signature field to verify the signature over its data field;
S314: when all the intermediate certificates and root certificates in each certificate chain are verified successfully, the self-signature values are verified as correct; otherwise they are verified as incorrect, and the identity authentication fails.
7. The internet of things terminal identity authentication method based on the digital certificate according to claim 1 or 6, wherein: in the step S5, to determine whether the first terminal holds the private key of the first terminal certificate, the second terminal reads the public key of the first terminal certificate, encrypts preset data with that public key, and sends the resulting ciphertext to the first terminal; the first terminal attempts to decrypt it with the private key it holds and sends the result to the second terminal; the second terminal determines whether the received result is consistent with the preset data; if so, the first terminal holds the private key of the first terminal certificate; otherwise, the first terminal does not hold the private key of the first terminal certificate, and the identity authentication fails.
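The second terminal's checks in steps S3 and S4 (claims 1 and 3 to 6), sketched as an added example that is not part of the patent text. The dict layout, the function names, the toy RSA built from Mersenne primes (insecure, chosen only so the code runs on the Python standard library) and the certificate names in `demo()` are assumptions; step S5 is not covered.

```python
import hashlib
E, P = 65537, [2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1, 2**521 - 1, 2**607 - 1]

def keypair(i, j):  # toy RSA (n, d) from Mersenne primes: insecure, assumption for a stdlib-only demo
    return P[i] * P[j], pow(E, -1, (P[i] - 1) * (P[j] - 1))

def h(n, fields):
    return int.from_bytes(hashlib.sha256(repr(fields).encode()).digest(), "big") % n

def sign(key, fields):
    return pow(h(key[0], fields), key[1], key[0])

def verify(n, sig, fields):
    return pow(sig, E, n) == h(n, fields)

def self_fields(c):  # root: data field only; intermediate: data field + issuer signature field
    return (c["data"],) if c["issuer_sig"] is None else (c["data"], c["issuer_sig"])

def issue(uid, key, issuer=None, issuer_key=None, ca=True):
    c = {"id": uid, "data": (uid, key[0]), "issuer_sig": None, "self_sig": None}
    if issuer:  # issuer signs the data field; value and issuer id go in the issuer signature field
        c["issuer_sig"] = (issuer["id"], sign(issuer_key, (c["data"],)))
    c["self_sig"] = sign(key, self_fields(c)) if ca else None
    return c

def build_chain(cert, store):  # claim 3: follow issuer ids upward to a root
    chain = [cert]
    while chain[-1]["issuer_sig"] is not None:
        parent = store.get(chain[-1]["issuer_sig"][0])
        if parent is None or parent in chain:  # missing issuer, or a loop in the store
            return None
        chain.append(parent)
    return chain

def chain_valid(chain):  # claims 4 to 6: completeness, issuer signatures, self-signatures
    return chain is not None and len(chain) >= 3 and all(
        verify(p["data"][1], c["issuer_sig"][1], (c["data"],)) and p["self_sig"] is not None
        and verify(p["data"][1], p["self_sig"], self_fields(p)) for c, p in zip(chain, chain[1:]))

def chains_intersect(a, b):  # S4, assumed strict reading: any same-id content mismatch fails
    other = {c["id"]: c for c in b[1:]}
    shared = [c for c in a[1:] if c["id"] in other]
    return bool(shared) and all(other[c["id"]] == c for c in shared)

def authenticate(peer_cert, own_cert, store):  # S3 then S4, as the second terminal runs them
    peer, own = build_chain(peer_cert, store), build_chain(own_cert, store)
    return chain_valid(peer) and chain_valid(own) and chains_intersect(peer, own)

def demo():  # constructed hierarchy: root > ca-a > t1, root > ca-b > t2, x-root > ca-x > t3
    k = [keypair(i, i + 1) for i in range(5)]
    root, xroot = issue("root", k[4]), issue("x-root", k[3])
    cas = [issue("ca-a", k[0], root, k[4]), issue("ca-b", k[1], root, k[4]), issue("ca-x", k[2], xroot, k[3])]
    t1, t2, t3 = (issue(f"t{i + 1}", keypair(0, i + 2), ca, k[i], ca=False) for i, ca in enumerate(cas))
    return {c["id"]: c for c in [root, xroot, *cas]}, t1, t2, t3
```

In the constructed hierarchy, `t3` has a complete and correctly signed chain of its own, so it passes S3 and is rejected only by the S4 intersection check against the verifier's chain.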
CN202310694708.0A 2023-06-12 2023-06-12 Internet of things terminal identity authentication method based on digital certificate Active CN116865971B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310694708.0A CN116865971B (en) 2023-06-12 2023-06-12 Internet of things terminal identity authentication method based on digital certificate

Publications (2)

Publication Number Publication Date
CN116865971A CN116865971A (en) 2023-10-10
CN116865971B true CN116865971B (en) 2024-02-27

Family

ID=88220655

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310694708.0A Active CN116865971B (en) 2023-06-12 2023-06-12 Internet of things terminal identity authentication method based on digital certificate

Country Status (1)

Country Link
CN (1) CN116865971B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104901794A (en) * 2014-03-06 2015-09-09 苹果公司 Revocation of root certificates
CN111133729A (en) * 2017-09-05 2020-05-08 思杰系统有限公司 Securing security of a data connection for communication between two endpoints
CN113924749A (en) * 2019-04-29 2022-01-11 现代自动车株式会社 Cross-certification method and device for electric vehicle charging
CN114598455A (en) * 2020-12-04 2022-06-07 华为技术有限公司 Method, device, terminal entity and system for signing and issuing digital certificate
CN115567221A (en) * 2022-09-22 2023-01-03 中国银行股份有限公司 Certificate hierarchical management method and device

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7716139B2 (en) * 2004-10-29 2010-05-11 Research In Motion Limited System and method for verifying digital signatures on certificates
US10057067B2 (en) * 2015-05-27 2018-08-21 International Business Machines Corporation Automatic root key rollover during digital signature verification
KR20210121805A (en) * 2020-03-31 2021-10-08 삼성전자주식회사 Electronic device within blockchain based pki domain, electronic device within certification authority based pki domain, and cryptographic communication system including these electronic devices

Also Published As

Publication number Publication date
CN116865971A (en) 2023-10-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant