CN102761560B - Method and system for verifying information integrity - Google Patents

Method and system for verifying information integrity Download PDF

Info

Publication number
CN102761560B
CN102761560B CN201210272370.1A CN201210272370A CN102761560B CN 102761560 B CN102761560 B CN 102761560B CN 201210272370 A CN201210272370 A CN 201210272370A CN 102761560 B CN102761560 B CN 102761560B
Authority
CN
China
Prior art keywords
authentication code
message
dynamic factor
module
message authentication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201210272370.1A
Other languages
Chinese (zh)
Other versions
CN102761560A (en
Inventor
陆舟
于华章
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Feitian Technologies Co Ltd
Original Assignee
Feitian Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Feitian Technologies Co Ltd filed Critical Feitian Technologies Co Ltd
Priority to CN201210272370.1A priority Critical patent/CN102761560B/en
Publication of CN102761560A publication Critical patent/CN102761560A/en
Application granted granted Critical
Publication of CN102761560B publication Critical patent/CN102761560B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a method and a system for verifying information integrity. The method comprises the following steps that: an information authentication code generating device receives information to be transmitted, updates a first dynamic factor, carries out one-way conversion to the first dynamic factor so as to obtain a first numerical value, updates the first present dynamic factor, calculates so as to obtain a first information authentication code and generates a transmission message; the information authentication code generating device transmits the transmission message to an authentication server through a host computer; the authentication server receives and splits the transmission message, updates a second dynamic factor, generates a verification window according to the second dynamic factor, carries out one-way conversion to each dynamic factor of the verification window so as to obtain a series of second numerical values, and verifies the splitting result by using the second dynamic factor and the second numerical value in the verification window. The dynamic factors used for calculating the information authentication code do not appear in the transmission network, so that the dynamic factors are prevented from being forged by an attacker effectively, and the replay attack is defended effectively.

Description

A kind of method and system of authorization information integrality
Technical field
The present invention relates to information security field, particularly relate to a kind of method and system of authorization information integrality.
Background technology
Prior art utilizes the stopover sites of reliable computing technology and Bilinear map (a kind of cryptographic technique simultaneously realizing digital signature and encryption) to propose an Internet of Things security transfer model, meet ONS (the Object Naming Service of Internet of Things, object name analysis service) inquiry and Item Information transmit the demand for security of two links, has the features such as fail safe, anonymity, credibility and attack tolerant.But prior art needs to carry out comparatively complicated calculating, proposes high requirement to the operational capability of Internet of things node equipment.Compared with digital signature, the computation complexity of message authentication code (MAC) is relatively little, is more suitable for being applied to actual Internet of things node equipment.Light-weighted cryptographic algorithm, cipher protocol and the cryptographic technique that can set safe class belong to the key technology of Internet of Things security system.But traditional MAC mechanism can only be used for verifying message integrity, can not resist Replay Attack.On the other hand, as one of major networks framework that Internet of Things uses, the intrinsic security threat such as wireless sensor network exists node control, node is caught.Therefore, the security mechanism being applied to Internet of Things also should consider that the security risk how preventing above-mentioned threat from causing affects whole security system.
Summary of the invention
The object of the invention is to overcome the deficiencies in the prior art, providing a kind of method and system of authorization information integrality, it has, and fail safe is high, anti-replay, be applicable to the feature of multiple environment.
The method of a kind of authorization information integrality provided by the invention, comprising:
Step S1: message authentication code generates the message to be sent that equipment Receiving Host sends, and upgrades and obtains the first dynamic factor;
Step S2: described message authentication code generates equipment and does monotonic transformation to described first dynamic factor, obtains the first numerical value;
Step S3: described message authentication code generates the first dynamic factor described in renewal of the equipment, and obtains current first dynamic factor;
Step S4: described message authentication code generates equipment and calculates the first message authentication code to described message to be sent and current first dynamic factor, generates message transmission according to described message to be sent, described first numerical value and described first message authentication code;
Step S5: described message authentication code generates equipment and sends described message transmission to described main frame;
Step S6: described main frame receives described message transmission, sends to certificate server by described message transmission;
Step S7: described certificate server receives described message transmission and splits it;
Step S8: described certificate server upgrades the second dynamic factor of its storage inside and obtains current second dynamic factor, generates checking window according to current second dynamic factor;
Step S9: described certificate server sequentially does monotonic transformation to each dynamic factor of described checking window, obtains a series of second value;
Step S10: described certificate server the second dynamic factor in described checking window and the second value corresponding with it are verified split result, as being verified, then gives the information that described main frame return messages are complete; As authentication failed, then give the incomplete information of described main frame return messages.
Described first dynamic factor is identical with described second dynamic factor type, is specially the result that time factor or event factor or time factor and event factor calculate.
When described first dynamic factor and described second dynamic factor are event factor, described step S4 specifically comprises: described message authentication code generates equipment and is encrypted calculating to described message to be sent and current first dynamic factor, obtain described first message authentication code, by described message to be sent, described first numerical value and described first message authentication code combination, obtain described message transmission;
Certificate server described in described step S7 splits the message after the first numerical value after obtaining fractionation, fractionation, the first message authentication code after fractionation to described message transmission;
Described step S10 specifically comprises:
Step S10-1: described certificate server is sequentially by the described second value in described checking window and the first numeric ratio pair after described fractionation, if there is the second value consistent with the first numerical value after described fractionation, then current second dynamic factor is set to the dynamic factor corresponding to the second value consistent with described first numerical value; Otherwise, the information of integrity verification failure is returned to described main frame;
Step S10-2: described certificate server upgrades and obtains current second dynamic factor;
Step S10-3: described certificate server calculates the second message authentication code to the message after described fractionation and current second dynamic factor;
Step S10-4: the first message authentication code after the second message authentication code described in described certificate server comparison and described fractionation; If consistent, be then verified, to the information that described main frame return messages are complete; Otherwise, to the incomplete information of described main frame return messages.
When described first dynamic factor and described second dynamic factor are time factor, described step S4-step S7 replaces with:
Step S4 ': described message authentication code generates the device identification of equipment use double secret key, described message to be sent and current first dynamic factor and calculates described first message authentication code, and described first message authentication code and described first numerical value are sent to described main frame;
Step S5 ': described main frame obtains described device identification from described message authentication code generation equipment, by described device identification, described message to be sent, described first numerical value received and described first message authentication code combination, obtain described message transmission, described message transmission is sent to described certificate server;
Step S6 ': described certificate server receives described message transmission and splits it, if split successfully, then obtains described device identification, described message to be sent, described first numerical value and described first message authentication code, performs step S7 '; Otherwise, the response of authentication failed is returned to described main frame;
Step S7 ': the key that described certificate server is corresponding according to described device identification retrieval, if retrieved, then performs step S8; Otherwise, the response of described authentication failed is returned to described main frame.
Described step S10 specifically comprises:
Step S10-1 ': described certificate server is sequentially by the first numeric ratio pair that the described second value in described checking window and described fractionation obtain, if there is the described second value consistent with the first numerical value that described fractionation obtains, then current second dynamic factor is set to the dynamic factor corresponding to the second value consistent with described first numerical value; Otherwise, the information of integrity verification failure is returned to described main frame;
Step S10-2 ': described certificate server upgrades and obtains current second dynamic factor;
Step S10-3 ': after device identification described in the double secret key retrieved described in described certificate server uses, described fractionation, message and current second dynamic factor calculate the second message authentication code;
Step S10-4 ': described first message authentication code that the second message authentication code described in described certificate server comparison and fractionation obtain; If consistent, be then verified, to the information that described main frame return messages are complete; Otherwise, to the incomplete information of described main frame return messages.
Obtain described first dynamic factor according to described time factor and described event factor, described step S4-step S7 replaces with:
Step S4 ": described message authentication code generates equipment and calculates described device identification, onboard clock current time, message to be sent and current first dynamic factor according to digest algorithm; obtain the first summary; be encrypted described first summary; obtain digital signature; using described digital signature as described first message authentication code, described first message authentication code and the first numerical value are sent to described main frame;
Step S5 ": described main frame obtains described device identification and current time from described message authentication code generation equipment; by described device identification, current time, described message to be sent, described first numerical value received and described first message authentication code combination; obtain described message transmission, described message transmission is sent to described certificate server;
Step S6 ": described certificate server receives described message transmission and splits it, if split successfully, then obtains described device identification, moment, message, described first numerical value and described first message authentication code, performs step S7 "; Otherwise, the response of authentication failed is returned to described main frame;
Step S7 ": described certificate server, according to the second dynamic factor of described device identification retrieval correspondence and PKI, if retrieved, then performs step S8; Otherwise, the response of described authentication failed is returned to described main frame.
Described step S10 specifically comprises:
Step S10-1 ": described certificate server uses described PKI to be decrypted the first message authentication code after described fractionation, obtains described first summary;
Step S10-2 ": described certificate server calculates described second value, described device identification, described moment, described message according to digest algorithm successively by described, obtains the second summary;
Step S10-3 ": more described second summary of described certificate server and described first summary, if unanimously, to described main frame return messages complete information; Otherwise, to described main frame return messages Incomplete information.
Described message transmission compound mode presets, and comprising: sequentially splicing, sectionally smooth join.
The mode of described fractionation message transmission and the compound mode of described message transmission reciprocal.
Described renewal the method obtaining described first dynamic factor are specially: described message authentication code generates equipment by the count value of current preservation from adding the step-length preset, using described count value as described first dynamic factor.
Symmetric encipherment algorithm is used to calculate the first message authentication code to described message to be sent and current first dynamic factor in described step S4.
Generate described checking window in described step S8 to be specially: with described certificate server current count value for starting point, generate a series of dynamic factor according to predetermined range value, namely generate described checking window.
Described renewal the method obtaining described first dynamic factor are specially: described message authentication code generates equipment and obtains onboard clock current time, using the described moment as described first dynamic factor.
Described renewal the method obtaining described first dynamic factor are specially: described message authentication code generates equipment and determines described first dynamic factor according to onboard clock current time and the step-length that presets.
Symmetric encipherment algorithm is used to calculate described first message authentication code to described device identification, described message to be sent and current first dynamic factor in described step S4 '.
Generate checking window in described step S8 to be specially: with described certificate server current time for mid point, generate a series of dynamic factor according to described predetermined range value and the described step-length preset, namely generate described checking window.
Also comprise in described step S8: be proved to be successful the moment recently according to current preservation, remove from described checking window described be proved to be successful the moment recently before part.
In described step S10, also comprise after being verified: upgrade and preserve and be describedly proved to be successful the moment recently.
Described renewal the method obtaining described first dynamic factor are specially: described message authentication code generates the step-length that the count value of current preservation presets described in add by equipment, and obtain onboard clock current time, count value and current time are calculated, using result of calculation as described first dynamic factor.
Described generation checking window is specially: with described certificate server present timing value for mid point, generates a series of moment according to predetermined range value and the described step-length preset; With described certificate server current count value for starting point, generate a series of count value according to predetermined range value, the moment of described correspondence is calculated with described corresponding count value, obtains a series of dynamic factor, namely generate described checking window.
Step S10-1 " replace with:
Step S10-1 "-1: described certificate server finds the equipment of corresponding generating messages identifying code according to described device identification; as found, and uses the corresponding PKI of described equipment to be decrypted the first message authentication code after described fractionation; to obtain described first summary, as can not find, returns authentication failed information to described main frame.
The system of a kind of authorization information integrality provided by the invention, comprising: message authentication code generates equipment, main frame and certificate server;
Described message authentication code generates equipment and comprises: the first memory module, the first receiver module, the first acquisition module, the first computing module, the second computing module, composite module, the first sending module;
Described first memory module, for storing the first dynamic factor;
Described first receiver module, for receiving the message to be sent that described main frame sends;
Described first acquisition module, also therefrom obtains current first dynamic factor for described first dynamic factor upgraded in described first memory module;
Described first computing module, for doing monotonic transformation to current first dynamic factor, obtains the first numerical value;
Described second computing module, for calculating described first message authentication code to described message to be sent and current first dynamic factor;
Described generation module, for generating described message transmission according to described message to be sent, described first numerical value and described first message authentication code;
Described first sending module, for sending described message transmission to described main frame;
Described main frame comprises: the second receiver module and the second sending module;
Described second receiver module, for receiving described message transmission;
Described second sending module, for described message transmission is sent to described certificate server, and sends to described message authentication code to generate equipment by described information to be sent;
Described certificate server comprises: the 3rd receiver module, fractionation module, the second memory module, the second acquisition module, window module, the 3rd computing module, authentication module, the 3rd sending module;
Described 3rd receiver module, for receiving described message transmission;
Described fractionation module, for splitting described message transmission;
Described second memory module, for storing the second dynamic factor;
Described second acquisition module, also therefrom obtains current second dynamic factor for the second dynamic factor upgraded in described second memory module;
Described window module, calculates multiple dynamic factor for current second dynamic factor obtained according to described second acquisition module, and stores;
Described 3rd computing module, for doing monotonic transformation to each dynamic factor described in described checking window, obtains described a series of second value;
Described authentication module, for the second dynamic factor in described checking window and the second value corresponding with it split result to described fractionation module verify;
Described 3rd sending module, for returning to main frame by the result of described authentication module.
Described fractionation module splits and obtains information, the first numerical value and the first message authentication code, and described authentication module comprises: the first comparing unit, the first computing unit, the second comparing unit;
Whether described first comparing unit is identical with described first numerical value for more described second value;
Described first computing unit, for calculating described second message authentication code to described message and current second dynamic factor;
Whether described second comparing unit is identical with described first message authentication code for more described second message authentication code.
Described composite module in described message authentication code generation equipment also can be placed in described main frame, described first sending module is also for sending to described main frame by described first message authentication code and described first numerical value, and described second receiver module is also for receiving described first message authentication code of described first sending module transmission and described first numerical value; Described main frame also comprises the 3rd acquisition module, for obtaining described device identification from described message authentication code generation equipment;
Described composite module, specifically for by described message to be sent, described first numerical value, device identification and described first message authentication code combination, obtains described message transmission.
Described second memory module is also proved to be successful the moment recently for storing.
Described certificate server also comprises: retrieval module, for the key corresponding according to described device identification retrieval.
Described authentication module comprises: the first comparing unit, the first computing unit, the second comparing unit;
Whether described first comparing unit is identical with described first numerical value for more described second value;
Described first computing unit, for calculating described second message authentication code to described device identification, described message and current second dynamic factor;
Whether described second comparing unit is identical with described first message authentication code for more described second message authentication code.
Described first acquisition module comprises: the first acquiring unit, second acquisition unit and the first computing unit;
Described first acquiring unit, generates the count value of equipment for obtaining described message authentication code;
Described second acquisition unit, generates the onboard clock current time of equipment for obtaining described message authentication code;
Described first computing unit, for calculating described count value and onboard clock current time, obtains described first dynamic factor.
Described composite module in described message authentication code generation equipment also can be placed in described main frame, described first sending module is also for sending to described main frame by described first message authentication code and described first numerical value, and described second receiver module is also for receiving described first message authentication code of described first sending module transmission and described first numerical value; Described main frame also comprises:
Second acquisition module, for obtaining described device identification, count value and current time from described message authentication code generation equipment;
Generation module, for generating described first numerical value according to described count value and described current time;
Described composite module, specifically for by described device identification, current time, message, described first numerical value and described first message authentication code combination, obtains described message transmission.31, system according to claim 30, is characterized in that, described 3rd acquisition module comprises: the 3rd acquiring unit, the 4th acquiring unit and the second computing unit;
Described 3rd acquiring unit, for obtaining the count value of described certificate server;
Described 4th acquiring unit, for obtaining the onboard clock current time of described certificate server;
Described second computing unit, for calculating described count value and described onboard clock current time, obtains the second dynamic factor;
Described window module, generates multiple dynamic factor specifically for the current time obtained according to count value and the 4th acquiring unit of described 3rd acquiring unit acquisition, and stores.
Described authentication module comprises: the 3rd computing unit, the 4th computing unit and comparing unit;
Described 3rd computing unit, is decrypted for the first message authentication code obtained described fractionation, obtains the first summary;
Described 4th computing unit, for calculating the dynamic factor in described checking window, described device identification, described moment and described message successively according to digest algorithm, obtains the second summary;
Whether described comparing unit is identical with described first summary for more described second summary.
Described certificate server also comprises: checking module, for checking the legitimacy splitting the moment obtained.
The present invention compared with prior art, has the following advantages:
Fail safe is high: calculate the dynamic factor that message authentication code uses in the present invention and do not occur in a transport network, can effectively avoid victim to forge;
Anti-replay: the dynamic factor used in the present invention is non-repetitive, has the characteristic of " one-time pad ", effectively can resist Replay Attack; If service time is as dynamic factor, the effect of timestamp also can be possessed;
Be applicable to multiple environment: the present invention, based on monotonic transformation, does not comprise the crypto-operation of high strength, is applicable to the environment of limited performance.
Accompanying drawing explanation
Fig. 1 is the flow chart of the method for a kind of authorization information integrality that the embodiment of the present invention 1 provides;
Fig. 2 is the flow chart of the method for a kind of authorization information integrality that the embodiment of the present invention 2 provides;
Fig. 3 is the flow chart of the method for a kind of authorization information integrality that the embodiment of the present invention 3 provides;
Fig. 4 is the block diagram of the system of a kind of authorization information integrality that the embodiment of the present invention 4 provides;
Fig. 5 is the block diagram of the system of a kind of authorization information integrality that the embodiment of the present invention 5 provides;
Fig. 6 is the block diagram of the system of a kind of authorization information integrality that the embodiment of the present invention 6 provides.
Embodiment
Below in conjunction with the accompanying drawing in the embodiment of the present invention, be clearly and completely described the technical scheme in the embodiment of the present invention, obviously, described embodiment is only the present invention's part embodiment, instead of whole embodiments.Based on the embodiment in the present invention, those of ordinary skill in the art, not making the every other embodiment obtained under creative work prerequisite, belong to the scope of protection of the invention.
Embodiment 1
Embodiments of the invention 1 provide a kind of method of authorization information integrality, as shown in Figure 1, comprising:
Step 101: message authentication code generates equipment and receives message to be sent, upgrades and obtains the first dynamic factor;
Message to be sent in the present embodiment sends to message authentication code to generate equipment by main frame;
In the present embodiment, described renewal the method obtaining the first dynamic factor are specially:
The count value that current device is preserved by message authentication code generation equipment is from adding the step-length preset, using count value as the first dynamic factor; Preferred the present embodiment count value is from adding 1;
Such as, when receiving message to be sent, the count value that message authentication code generates the current preservation of equipment is 100, then the first dynamic factor is 101, and correspondingly, count value is now updated to 101;
In the present embodiment, the first dynamic factor is event factor; Step-length during renewal presets, and also can be other non-zero numerical value except 1;
Step 102: message authentication code generates equipment and does monotonic transformation to the first dynamic factor according to the first preset rules, obtains the first numerical value;
Preferably, in the present embodiment, the first preset rules is SHA-1 algorithm; In addition, also other algorithms can be used, as MD5, SHA-256 etc.;
Step 103: message authentication code generates renewal of the equipment first dynamic factor, and obtains current first dynamic factor;
The Methods and steps 101 upgrading the first dynamic factor is identical, is not repeating at this;
If upgrading front first dynamic factor is 101, then current first dynamic factor is 102;
Step 104: message authentication code generates equipment and calculates the first message authentication code to message to be sent and current first dynamic factor according to the second preset rules, by message to be sent, the first numerical value and the first message authentication code combination, obtains message transmission;
Preferably, in the present embodiment, the second preset rules is the HMAC method of RFC2104 defined; In addition, also additive method can be used, as symmetric cryptography etc.;
In the present embodiment, compound mode presets; Preferably, in the present embodiment, message to be sent, the first numerical value and the first message authentication code are sequentially spliced, obtains message transmission.In addition, other reversible compound modes can also be used, as sectionally smooth join etc.;
Message authentication code generates equipment when again calculating message authentication code, from current count value, as can from 102 in the present embodiment;
In the present embodiment, current count value can be used in a step 101, correspondingly, carry out renewal current count Value Operations after step 104;
Step 105: message authentication code generates equipment and sends message transmission to main frame;
Step 106: main frame receives message transmission, and message transmission is sent to certificate server;
In the present embodiment, step 107-step 113 is the implementation method that certificate server is verified message transmission;
Step 107: certificate server receives message transmission and is split as message, the first numerical value and the first message authentication code;
Split in the present embodiment message method and with step 104 in splice the method for message reciprocal;
Step 108: certificate server upgrades the second dynamic factor and obtains current second dynamic factor, generates checking window according to current second dynamic factor;
In the present embodiment, second dynamic factor is stored in certificate server, second dynamic factor type of certificate server is identical with the first dynamic factor type that message authentication code when generating message transmission generates equipment, upgrades and obtain in the Methods and steps 101 of current second dynamic factor to upgrade and to obtain the method for the first dynamic factor identical;
Particularly, in the present embodiment, the use case factor;
Described generation checking window is specially:
Take current count value as starting point, generate a series of dynamic factor according to predetermined range value;
Such as, current count value is 95, and range value is 10, then the checking window generated is:
96,97,98,99,100,101,102,103,104,105;
Step 109: certificate server sequentially does monotonic transformation according to the first preset rules each dynamic factor to checking window, obtains a series of second value;
Identical in the monotonic transformation Methods and steps 102 that this step uses;
Step 110: the second dynamic factor, sequentially by each second value and described first numeric ratio pair, if there is the second value consistent with described first numerical value, is then set to the dynamic factor corresponding to the second value consistent with the first numerical value by certificate server; Otherwise, the information of integrity verification failure is returned to main frame;
Such as, if the second value come by 101 monotonic transformations is identical with described first numerical value, then the second dynamic factor is set to 101;
Step 111: certificate server upgrades and obtains the second dynamic factor;
The concrete grammar upgraded is identical with step 101, does not repeat them here;
If upgrading front second dynamic factor is 101, then current second dynamic factor is 102;
Step 112: the message that fractionation obtains by certificate server and current second dynamic factor calculate the second message authentication code according to the second preset rules;
The Methods and steps 104 generating the second message authentication code is identical, does not repeat them here.
Step 113: certificate server comparison second message authentication code and the first message authentication code.If consistent, be then verified, to the information that main frame return messages are complete; Otherwise, to the incomplete information of main frame return messages.
Embodiment 2
Embodiments of the invention 2 provide a kind of method of authorization information integrality, as shown in Figure 2, comprising:
Step 201: message authentication code generates equipment and receives message to be sent, upgrades and obtains the first dynamic factor;
In the present embodiment, described acquisition first dynamic factor is specially time factor, and particularly, described renewal the method obtaining the first dynamic factor are specially:
Message authentication code generates equipment and obtains onboard clock current time, using this moment as the first dynamic factor;
Further, can also be: message authentication code generates equipment and determines the first dynamic factor according to the current time of onboard clock and the step-length of making an appointment;
Such as, current time is 12:00:20, and step-length is 1 minute, then the first dynamic factor is 12:01:20;
Step 202: message authentication code generates equipment and does monotonic transformation according to the first preset rules to the first dynamic factor, obtains the first numerical value;
Preferably, in the present embodiment, SHA-1 algorithm is used to do monotonic transformation.In addition, also other algorithms can be used, as MD5, SHA-256 etc.
Step 203: after message authentication code generation equipment waits for that the first dynamic factor upgrades, obtain current first dynamic factor;
Step 204: message authentication code generates equipment and device identification, message to be sent and current first dynamic factor are calculated the first message authentication code according to the second preset rules;
In the present embodiment, device identification is stored in advance in message authentication code and generates device interior, and generate the information of equipment and corresponding key for identification message authentication code, the key in the present embodiment is symmetric key;
Preferably, in the present embodiment, the OTP method of RFC6287 defined is used to calculate message authentication code.Correspondingly, message authentication code generates equipment and presets the key generated needed for OTP;
Step 204 is specially: be encrypted generation first message authentication code with symmetric key to device identification, message to be sent and current first dynamic factor;
Step 205: message authentication code generates equipment and sends the first numerical value and the first message authentication code to main frame, main frame generates equipment from message authentication code and obtains device identification;
Step 206: main frame, by device identification, message to be sent, the first numerical value and the first message authentication code combination, obtains message transmission, message transmission is sent to certificate server;
In the present embodiment, compound mode presets.Preferably, in the present embodiment, device identification, message to be sent, the first numerical value and the first message authentication code are sequentially spliced, obtains message transmission.In addition, other reversible compound modes can also be used, as sectionally smooth join etc.;
From step 207, it is the method that certificate server processes the carrying out of message transmission;
Step 207: certificate server receives message transmission and is split as device identification, message, the first numerical value and the first message authentication code, if split successfully, performs step 208, otherwise, the response of authentication failed is returned to main frame;
Split in the present embodiment message method and with step 205 in splice the method for message reciprocal;
Step 208: the key that certificate server is corresponding according to device identification retrieval.If retrieve corresponding key, perform step 209, otherwise, the response of authentication failed is returned to main frame;
Further, in the present embodiment, result for retrieval also can comprise dynamic factor parameter, such as time offset value;
Step 209: certificate server upgrades the second dynamic factor according to the onboard clock of server end and obtains current second dynamic factor, generates checking window according to current second dynamic factor;
In the present embodiment, certificate server upgrades and obtains in the Methods and steps 201 of the second dynamic factor and to upgrade and to obtain the method for the first dynamic factor identical;
Particularly, in the present embodiment, service time the factor;
In the present embodiment, the described method generating checking window is specially:
Take current time as mid point, generate a series of dynamic factor according to predetermined amplitude and step-length.
Such as, current time is 12:00:00, and amplitude is 11, and step-length is 1 second, then the checking window generated is:
11:59:56,11:59:57,11:59:58,11:59:59,12:00:00,12:00:01,12:00:02,12:00:03,12:00:04,12:00:05;
Further, when result for retrieval comprises dynamic factor parameter, then according to parameter, checking window is adjusted.Such as, deviant is 1 second, then the checking window after adjustment is
11:59:57,11:59:58,11:59:59,12:00:00,12:00:01,12:00:02,12:00:03,12:00:04,12:00:05,12:00:06;
Further, described generation checking window also comprises:
According to current preservation " being proved to be successful the moment recently ", from dynamic factor sequence, remove the part before being proved to be successful the moment recently.
Such as, current preservation " being proved to be successful the moment recently " is 11:59:58, then the checking window after removing is
11:59:59,12:00:00,12:00:01,12:00:02,12:00:03,12:00:04,12:00:05;
Step 210: certificate server sequentially does monotonic transformation according to the first preset rules each dynamic factor to checking window, obtains a series of second value;
Identical in the monotonic transformation Methods and steps 202 that this step uses;
Step 211: certificate server is sequentially by each second value and described first numeric ratio pair.If there is the second value consistent with described first numerical value, then the second dynamic factor is set to the dynamic factor corresponding to the second value consistent with the first numerical value; Otherwise, return integrity verification failure information to main frame;
Such as, if the second value come by 12:00:01 monotonic transformation is identical with described first numerical value, then the second dynamic factor is set to 12:00:01;
Step 212: after certificate server detects that the second dynamic factor upgrades, obtain current second dynamic factor;
The concrete grammar upgraded is identical with step 201, does not repeat them here;
If upgrading front second dynamic factor is 12:00:01, then current second dynamic factor is 12:00:02;
Step 213: the message that the key that certificate server obtains according to device identification, retrieval, fractionation obtain and current second dynamic factor generate the second message authentication code according to the second preset rules;
Particularly, the Methods and steps 204 generating the second message authentication code is identical, does not repeat them here;
Step 214: certificate server comparison second message authentication code and the first message authentication code, if unanimously, be then verified, to main frame return messages complete information; Otherwise, to main frame return messages Incomplete information;
In the present embodiment, also comprise after being verified: upgrade and be proved to be successful the moment recently, as being updated to 12:00:01 by being proved to be successful the moment recently in the present embodiment.
Embodiment 3
Embodiments of the invention 3 provide a kind of method of authorization information integrality, as shown in Figure 3, comprising:
Step 301: message authentication code generates equipment and receives message to be sent, upgrades and obtains the first dynamic factor;
In the present embodiment, described renewal the method obtaining the first dynamic factor are specially:
Message authentication code generates equipment by the count value of current preservation from adding the step-length (such as from adding 1) preset, and obtain onboard clock current time, according to the first preset rules, these two numerical value are calculated, using result of calculation as the first dynamic factor;
In the present embodiment, the first preset rules comprise add, subtract, XOR, with or etc. computing; Particularly, in the present embodiment, these two value additions are obtained the first dynamic factor;
Step 302: message authentication code generates equipment and does monotonic transformation to the first dynamic factor according to the second preset rules, obtains the first numerical value;
Preferably, in the present embodiment, SHA-1 algorithm is used to do monotonic transformation; In addition, also other algorithms can be used, as MD5, SHA-256 etc.;
Step 303: message authentication code generates renewal of the equipment first dynamic factor, and obtains current first dynamic factor;
The Methods and steps 301 upgrading the first dynamic factor is identical, is not repeating at this;
Step 304: message authentication code generates equipment and device identification, onboard clock current time, message to be sent and current first dynamic factor are calculated the first message authentication code according to the 3rd preset rules;
Particularly, in the present embodiment, message authentication code generation equipment use own private key carries out signature generation first message authentication code to device identification, onboard clock current time, message to be sent and current first dynamic factor;
In the present embodiment, device identification is the mark that message authentication code generates equipment, and certificate server can retrieve the equipment of generating messages identifying code and the PKI of correspondence thereof by device identification;
Step 305: message authentication code generates equipment and sends the first numerical value and the first message authentication code to main frame, main frame generates equipment from message authentication code and obtains device identification and current time;
Step 306: main frame, by device identification, current time, message to be sent, the first numerical value and the first message authentication code combination, obtains message transmission, sends to message transmission certificate server message authentication code to generate equipment and sends message transmission to main frame;
In the present embodiment, step 307-step 311 is the implementation procedure that certificate server is verified the message transmission received;
Step 307: certificate server receives message transmission and is split as device identification, moment, message, the first numerical value and the first message authentication code; If split successfully, continue; Otherwise, the response of authentication failed is returned to main frame;
Split in the present embodiment message method and with step 305 in splice the method for message reciprocal;
Step 308: certificate server according to device identification at the second dynamic factor parameter and PKI corresponding to server-side retrieval.If retrieved, then perform step 309, otherwise, the response of authentication failed is returned to main frame;
Particularly, in the present embodiment, described second dynamic factor parameter comprises count value and time offset value;
Step 309: certificate server upgrades the second dynamic factor and obtains current second dynamic factor, generates checking window according to current second dynamic factor;
In the present embodiment, described renewal second dynamic factor is specially: more new count value, and obtains clocking value according to current time and time offset value;
In the present embodiment, the described method generating checking window is specially:
Take clocking value as mid point, generate a series of moment according to predetermined amplitude and step-length; Take current count value as starting point, generate a series of count value according to predetermined range value, the moment of correspondence is calculated according to the first preset rules with corresponding count value, obtain a series of dynamic factor, generate checking window;
The time migration determination time value that the moment that also can obtain according to fractionation and retrieval obtain, a series of moment value is generated according to predetermined amplitude and step-length, each moment value is calculated according to the first preset rules with corresponding count value, obtains a series of dynamic factor, generate checking window
Step 310: certificate server sequentially does monotonic transformation according to the second preset rules each dynamic factor to checking window, obtains a series of second value;
Identical in the monotonic transformation Methods and steps 302 that this step uses;
Step 311: each second value and device identification, moment, message sequentially form by preset rules by certificate server verifies message, whether comparatively validate message is corresponding with the first message authentication code, if, to main frame return messages complete information, the second dynamic factor is updated to corresponding dynamic factor; Otherwise, return integrity verification failure information to main frame;
Particularly, in the present embodiment, this step is:
Step 311-1: the PKI that certificate server uses Message Authentication Code to generate equipment is decrypted splitting the first message authentication code obtained, and obtains the first summary;
In the present embodiment, this step also can be: certificate server finds the equipment of corresponding generating messages identifying code according to device identification, as found, the corresponding PKI of this equipment is used to be decrypted splitting the first message authentication code obtained, obtain the first summary, as can not find, return authentication failed information to main frame;
Step 311-2: the device identification that certificate server obtains each second value, fractionation according to digest algorithm, moment, message calculate, and obtain the second summary;
Step 311-3: whether certificate server compares the second summary identical with the first summary, if unanimously, to main frame return messages complete information; Otherwise, return integrity verification failure information to main frame;
In the present embodiment, also comprise after being verified: upgrade and be proved to be successful the moment recently.
Further, when step 311 is judged as YES, the present embodiment also comprises:
Step 312: check the moment legitimacy splitting and obtain; If legal, then give main frame return messages complete information, otherwise, return integrity verification failure information to main frame;
Particularly, check and split moment of obtaining whether after being proved to be successful the moment recently, if so, then illegal, otherwise, legal;
Or, check whether split the moment obtained has record at server end, if had, then illegal, otherwise, legal, and preserve this moment.
Embodiment 4
Embodiments of the invention 4 provide a kind of system of authorization information integrality according to the method in embodiment 1, as shown in Figure 4, comprising: message authentication code generates equipment 41, main frame 42 and certificate server 43;
Message authentication code generates equipment 41 and comprises: the first memory module 41-1, the first receiver module 41-2, the first acquisition module 41-3, the first computing module 41-4, the second computing module 41-5, composite module 41-6, the first sending module 41-7;
First memory module 41-1, for storing the first dynamic factor;
First receiver module 41-2, for the message to be sent that Receiving Host 42 sends;
First acquisition module 41-3, for upgrading the first dynamic factor in the first memory module 41-1 and therefrom and obtain current first dynamic factor;
First computing module 41-4, for doing monotonic transformation to current first dynamic factor, obtains the first numerical value;
Second computing module 41-5, for calculating the first message authentication code to message to be sent and current first dynamic factor;
Composite module 41-6, for by message to be sent, the first numerical value and the first message authentication code combination, obtains message transmission;
First sending module 41-7, for sending message transmission to main frame 42;
Main frame 42 comprises: the second receiver module 42-1 and the second sending module 42-2;
Second receiver module 42-1, for receiving message transmission;
Second sending module 42-2, for message transmission is sent to certificate server 43, and sends to message authentication code to generate equipment 41 by information to be sent;
Certificate server 43 comprises: the 3rd receiver module 43-1, fractionation module 43-2, the second memory module 43-3, the second acquisition module 43-4, window module 43-5, the 3rd computing module 43-6, authentication module 43-7, the 3rd sending module 43-8;
3rd receiver module 43-1, for receiving message transmission;
Split module 43-2, the message transmission for being received by the 3rd receiver module 43-1 is split as message, the first numerical value and the first message authentication code;
Second memory module 41-3, for storing the second dynamic factor;
Second acquisition module 43-4, also therefrom obtains current second dynamic factor for the second dynamic factor upgraded in the second memory module 41-3;
Window module 43-5, for calculating multiple dynamic factor to the current dynamic second state factor obtained according to the second acquisition module 43-4, and stores;
3rd computing module 43-6, for doing monotonic transformation to each dynamic factor in window module 43-5, obtains a series of second value;
Authentication module 43-7, for the second dynamic factor in window module 53-6 and the second value corresponding with it split result to described fractionation module 43-2 verify;
Particularly, authentication module 43-7 comprises: the first comparing unit 43-71, the first computing unit 43-72, the second comparing unit 43-73;
Whether the first comparing unit 43-71 is identical with the first numerical value for the second value in comparatively validate window;
First computing unit 43-72, for calculating the second message authentication code to message and current second dynamic factor;
Whether the second comparing unit 43-73 is identical with the first message authentication code for comparing the second message authentication code;
3rd sending module 43-8, for sending the complete information of described message and the incomplete information of described message to main frame;
Particularly, in the present embodiment, the implementation that message authentication code generates equipment is: the A type equipment taking count value as the first dynamic factor; A type equipment is that disposable message authentication code generates equipment.This equipment is DIE form, is convenient to encapsulate with other module integrations; With the singlechip chip of low-power consumption for hardware platform, generate orderly non repetitive sequence by counter; The information one-time writes such as firmware, device identification and key, after write, fuse is distorted to prevent victim; Internal information and firmware are stored in volatile random asccess memory, once namely power-off destroys all data, reduce and catch risk.A type equipment is applicable to the sensing layer node that amount of communication data is little, cost control requirement strict, environment for use risk is higher.
Embodiment 5
Embodiments of the invention 5 provide a kind of system of authorization information integrality according to the method in embodiment 2, as shown in Figure 5, comprising: message authentication code generates equipment 51, main frame 52 and certificate server 53;
Message authentication code generates equipment 51 and comprises: the first memory module 51-1, the first receiver module 51-2, the first acquisition module 51-3, the first computing module 51-4, the second computing module 51-5, the first sending module 51-6;
First memory module 51-1, for storing the first dynamic factor;
First receiver module 51-2, for the message to be sent that Receiving Host 52 sends;
First acquisition module 51-3, for upgrading the first dynamic factor in the first memory module 51-1 and therefrom and obtain current first dynamic factor;
First computing module 51-4, for doing monotonic transformation to current first dynamic factor, obtains the first numerical value;
Second computing module 51-5, for calculating the first message authentication code according to double secret key device identification, message to be sent and current first dynamic factor;
First sending module 51-6, for sending the first message authentication code and the first numerical value to main frame;
Main frame 52 comprises: the second receiver module 52-1, the second acquisition module 52-2, composite module 52-3 and the second sending module 52-4;
Second receiver module 52-1, for receiving the first message authentication code and the first numerical value;
Second acquisition module 52-2, obtains device identification for generating in equipment 51 from message authentication code;
Composite module 52-3, for by device identification, message to be sent, the first numerical value and the first message authentication code combination, obtains message transmission;
Second sending module 52-4, for message transmission is sent to certificate server, and sends to message authentication code to generate equipment 51 by information to be sent;
Certificate server 53 comprises: the 3rd receiver module 53-1, fractionation module 53-2, retrieval module 53-3, the second memory module 53-4, the 3rd acquisition module 53-5, window module 53-6, the 3rd computing module 53-7, authentication module 53-8, the 3rd sending module 53-9;
3rd receiver module 53-1, for receiving message transmission;
Split module 53-2, the message transmission for being received by the 3rd receiver module 53-1 is split as device identification, message, the first numerical value and the first message authentication code;
Retrieval module 53-3, for the key corresponding according to device identification retrieval;
Second memory module 53-4, for storing the second dynamic factor;
3rd acquisition module 53-5, also therefrom obtains current second dynamic factor for the second dynamic factor upgraded in the second memory module 51-4;
Window module 53-6, for calculating multiple dynamic factor to the current dynamic second state factor obtained according to the 3rd acquisition module 53-5, and stores;
3rd computing module 53-7, for doing monotonic transformation to each dynamic factor in window module 53-6, obtains a series of second value;
Authentication module 53-8, for the second dynamic factor in window module 53-6 and the second value corresponding with it split result to described fractionation module verify;
Particularly, authentication module 53-8 comprises: the first comparing unit 53-81, the first computing unit 53-82, the second comparing unit 53-83;
Whether the first comparing unit 53-81 is identical with the first numerical value for comparing the second value that the 3rd computing module 53-7 obtains;
First computing unit 53-82, for calculating the second message authentication code to device identification, message and current second dynamic factor;
Whether the second comparing unit 53-83 is identical with the first message authentication code for comparing the second message authentication code;
3rd sending module 53-9, for sending the complete information of message and the incomplete information of message to main frame;
Particularly, in the present embodiment, the implementation that message authentication code generates equipment is: the Type B equipment taking current time as the first dynamic factor; Type B equipment is that the message authentication code possessing timestamp characteristic generates equipment.This equipment is storage card (TF card) specification, is communicated with host computer by SDIO agreement; With the low power-consumption intelligent the core of the card sheet of onboard clock for hardware platform, generate orderly non repetitive sequence by clock pulse; Built-in firmware is in production phase programming, and the write authority of the information such as device id, key controls by firmware, obtains after authorizing and can upgrade; Firmware and internal information are protected by intelligent card chip, possess the characteristic of " tearing sheet open destroyed ".Type B equipment is applicable to that data traffic is less, cost control requirement relative loose, environment for use risk is lower, safety requirements is higher sensing layer node.
Embodiment 6
Embodiments of the invention 6 provide a kind of system of authorization information integrality according to the method in embodiment 3, as shown in Figure 6, comprising: message authentication code generates equipment 61, main frame 62 and certificate server 63;
Message authentication code generates equipment 61 and comprises: the first memory module 61-1, the first receiver module 61-2, the first acquisition module 61-3, the first computing module 61-4, the second computing module 61-5, the first sending module 61-6;
First memory module 61-1, for storing the first dynamic factor;
First receiver module 61-2, for the message to be sent that Receiving Host 62 sends;
First acquisition module 61-3, for upgrading the first dynamic factor in the first memory module 61-1 and therefrom and obtain current first dynamic factor;
Particularly, the first acquisition module 61-3 comprises: the first acquiring unit 61-31, second acquisition unit 61-32 and the first computing unit 61-33;
First acquiring unit 61-31, generates the count value of equipment for obtaining message authentication code;
Second acquisition unit 61-32, generates the onboard clock current time of equipment for obtaining message authentication code;
First computing unit 61-33, for calculating count value and onboard clock current time, obtains the first dynamic factor;
First computing module 61-4, for doing monotonic transformation to current first dynamic factor, obtains the first numerical value;
Second computing module 61-5, for calculating the first message authentication code to device identification, onboard clock current time, message to be sent and current first dynamic factor;
First sending module 61-6, for sending the first message authentication code and the first numerical value to main frame 62;
Main frame 62 comprises: the second receiver module 62-1, the second acquisition module 62-2, generation module 62-3, composite module 62-4 and the second sending module 62-5;
Second receiver module 62-1, for receiving the first message authentication code and the first numerical value;
Second acquisition module 62-2, for obtaining device identification, count value and current time;
Generation module 62-3, for generating the first numerical value according to count value and current time;
Composite module 62-4, for by device identification, current time, message to be sent, the first numerical value and the first message authentication code combination, obtains message transmission;
Second sending module 62-5, for message transmission is sent to certificate server 63, and sends to message authentication code to generate equipment 61 by information to be sent;
Certificate server 63 comprises: the 3rd receiver module 63-1, fractionation module 63-2, retrieval module 63-3, the second memory module 63-4, the 3rd acquisition module 63-5, window module 63-6, the 3rd computing module 63-7, authentication module 63-8, checking module 63-9 and the 3rd sending module 63-10;
3rd receiver module 63-1, for receiving message transmission;
Split module 63-2, the message transmission for being received by the 3rd receiver module 63-1 is split as device identification, moment, message, the first numerical value and the first message authentication code;
Retrieval module 63-3, for the second dynamic factor parameter corresponding according to device identification retrieval;
Second memory module 63-4, for storing the second dynamic factor;
3rd acquisition module 63-5, also therefrom obtains current second dynamic factor for the second dynamic factor upgraded in the second memory module 61-4;
Particularly, the 3rd acquisition module 63-5 comprises: the 3rd acquiring unit 63-51, the 4th acquiring unit 63-52 and the second computing unit 63-53;
3rd acquiring unit 63-51, for obtaining the count value of certificate server;
4th acquiring unit 63-52, for obtaining the onboard clock current time of certificate server;
Second computing unit 63-53, for calculating count value and onboard clock current time, obtains the second dynamic factor;
Window module 63-6, the current time for obtaining the count value obtained according to the 3rd acquisition module 63-51 and the 4th acquiring unit 63-52 generates and obtains multiple dynamic factor, and stores;
3rd computing module 63-7, for doing monotonic transformation to each dynamic factor of checking window, obtains a series of second value;
Whether authentication module 63-8 is corresponding with the first message authentication code for comparatively validate message;
Particularly, comparison module 63-8 comprises: the 3rd computing unit 63-81, the 4th computing unit 63-82 and comparing unit 63-83;
3rd computing unit 63-81, for being decrypted splitting the first message authentication code obtained, obtains the first summary;
4th computing unit 63-82, for calculating each dynamic factor in checking window, device identification, moment and message according to digest algorithm, obtains the second summary;
Whether comparing unit 63-83 is identical with the first summary for comparing the second summary;
Checking module 63-9, for checking the legitimacy splitting the moment obtained;
3rd sending module 63-10, for exporting the complete information of described message and the incomplete information of described message;
Particularly, in the present embodiment, message authentication code generates the implementation of equipment and is: the C type equipment taking the result of calculation of count value and moment value as the first dynamic factor; C type equipment is the information safety devices of enhancement mode, the message authentication code replacing A/B type equipment to use by digital signature.This equipment to support that the intelligent card chip of asymmetric key algorithm (as RSA) is for hardware platform, has larger memory space, can generate unsymmetrical key to and store digital certificate.C type equipment contributes to realizing docking of Internet of Things secure transport mechanism and the internet security system based on digital certificate and PKI, is applicable to data traffic is comparatively large, cost control requirement is loose, environment for use risk is low network layer or application layer node.C type equipment has the variforms such as USB Key, IC-card, to adapt to different node environment.
The above; be only the present invention's preferably embodiment, but protection scope of the present invention is not limited thereto, is anyly familiar with those skilled in the art in technical scope disclosed by the invention; the change that can expect easily or replacement, all should be encompassed within protection scope of the present invention.Therefore, protection scope of the present invention should be as the criterion with the protection range of claim.

Claims (33)

1. a method for authorization information integrality, is characterized in that, described method comprises:
Step S1: message authentication code generates the message to be sent that equipment Receiving Host sends, and upgrades and obtains the first dynamic factor;
Step S2: described message authentication code generates equipment and does monotonic transformation to described first dynamic factor, obtains the first numerical value;
Step S3: described message authentication code generates the first dynamic factor described in renewal of the equipment, and obtains current first dynamic factor;
Step S4: described message authentication code generates equipment and calculates the first message authentication code to described message to be sent and current first dynamic factor, generates message transmission according to described message to be sent, described first numerical value and described first message authentication code;
Step S5: described message authentication code generates equipment and sends described message transmission to described main frame;
Step S6: described main frame receives described message transmission, sends to certificate server by described message transmission;
Step S7: described certificate server receives described message transmission and splits it;
Step S8: described certificate server upgrades the second dynamic factor of its storage inside and obtains current second dynamic factor, generates checking window according to current second dynamic factor;
Step S9: described certificate server sequentially does monotonic transformation to each dynamic factor of described checking window, obtains a series of second value;
Step S10: described certificate server the second dynamic factor in described checking window and the second value corresponding with it are verified split result, as being verified, then gives the information that described main frame return messages are complete; As authentication failed, then give the incomplete information of described main frame return messages.
2. method according to claim 1, is characterized in that, described first dynamic factor is identical with described second dynamic factor type, is specially the result that time factor or event factor or time factor and event factor calculate.
3. method according to claim 2, it is characterized in that, when described first dynamic factor and described second dynamic factor are event factor, described step S4 specifically comprises: described message authentication code generates equipment and is encrypted calculating to described message to be sent and current first dynamic factor, obtain described first message authentication code, by described message to be sent, described first numerical value and described first message authentication code combination, obtain described message transmission;
4. method according to claim 3, is characterized in that, certificate server described in described step S7 splits the message after the first numerical value after obtaining fractionation, fractionation, the first message authentication code after fractionation to described message transmission;
Described step S10 specifically comprises:
Step S10-1: described certificate server is sequentially by the described second value in described checking window and the first numeric ratio pair after described fractionation, if there is the second value consistent with the first numerical value after described fractionation, then current second dynamic factor is set to the dynamic factor corresponding to the second value consistent with described first numerical value; Otherwise, the information of integrity verification failure is returned to described main frame;
Step S10-2: described certificate server upgrades and obtains current second dynamic factor;
Step S10-3: described certificate server calculates the second message authentication code to the message after described fractionation and current second dynamic factor;
Step S10-4: the first message authentication code after the second message authentication code described in described certificate server comparison and described fractionation; If consistent, be then verified, to the information that described main frame return messages are complete; Otherwise, to the incomplete information of described main frame return messages.
5. method according to claim 2, is characterized in that, when described first dynamic factor and described second dynamic factor are time factor, described step S4-step S7 replaces with:
Step S4 ': described message authentication code generates the device identification of equipment use double secret key, described message to be sent and current first dynamic factor and calculates described first message authentication code, and described first message authentication code and the first numerical value are sent to described main frame;
Step S5 ': described main frame obtains described device identification by described device identification, described message to be sent, described first numerical value received and described first message authentication code combination from described message authentication code generation equipment, obtain described message transmission, described message transmission is sent to described certificate server;
Step S6 ': described certificate server receives described message transmission and splits it, if split successfully, then obtains described device identification, described message to be sent, described first numerical value and described first message authentication code, performs step S7 '; Otherwise, the response of authentication failed is returned to described main frame;
Step S7 ': the key that described certificate server is corresponding according to described device identification retrieval, if retrieved, then performs step S8; Otherwise, the response of described authentication failed is returned to described main frame.
6. method according to claim 5, is characterized in that, described step S10 specifically comprises:
Step S10-1 ': described certificate server is sequentially by the first numeric ratio pair that the described second value in described checking window and described fractionation obtain, if there is the described second value consistent with the first numerical value that described fractionation obtains, then current second dynamic factor is set to the dynamic factor corresponding to the second value consistent with described first numerical value; Otherwise, the information of integrity verification failure is returned to described main frame;
Step S10-2 ': described certificate server upgrades and obtains current second dynamic factor;
Step S10-3 ': after device identification described in the double secret key retrieved described in described certificate server uses, described fractionation, message and current second dynamic factor calculate the second message authentication code;
Step S10-4 ': described first message authentication code that the second message authentication code described in described certificate server comparison and fractionation obtain; If consistent, be then verified, to the information that described main frame return messages are complete; Otherwise, to the incomplete information of described main frame return messages.
7. method according to claim 2, is characterized in that, obtains described first dynamic factor according to described time factor and described event factor, and described step S4-step S7 replaces with:
Step S4 ": described message authentication code generates equipment and calculates described device identification, onboard clock current time, message to be sent and current first dynamic factor according to digest algorithm; obtain the first summary; be encrypted described first summary; obtain digital signature; using described digital signature as described first message authentication code, described first message authentication code and the first numerical value are sent to described main frame;
Step S5 ": described main frame obtains described device identification and current time from described message authentication code generation equipment; by described device identification, current time, described message to be sent, described first numerical value received and described first message authentication code combination; obtain described message transmission, described message transmission is sent to described certificate server;
Step S6 ": described certificate server receives described message transmission and splits it, if split successfully, then obtains described device identification, moment, message, described first numerical value and described first message authentication code, performs step S7 "; Otherwise, the response of authentication failed is returned to described main frame;
Step S7 ": described certificate server, according to the second dynamic factor of described device identification retrieval correspondence and PKI, if retrieved, then performs step S8; Otherwise, the response of described authentication failed is returned to described main frame.
8. method according to claim 7, is characterized in that, described step S10 specifically comprises:
Step S10-1 ": described certificate server uses described PKI to be decrypted the first message authentication code after described fractionation, obtains described first summary;
Step S10-2 ": described certificate server calculates described second value, described device identification, described moment, described message according to digest algorithm successively by described, obtains the second summary;
Step S10-3 ": more described second summary of described certificate server and described first summary, if unanimously, to described main frame return messages complete information; Otherwise, to described main frame return messages Incomplete information.
9. the method according to claim 2,4,6 any one, is characterized in that, described message transmission compound mode presets, and comprising: sequentially splicing, sectionally smooth join.
10. method according to claim 9, is characterized in that, the mode of described fractionation message transmission and the compound mode of described message transmission reciprocal.
11. methods according to claim 4, it is characterized in that, described renewal the method obtaining described first dynamic factor are specially: described message authentication code generates equipment by the count value of current preservation from adding the step-length preset, using described count value as described first dynamic factor.
12. methods according to claim 11, is characterized in that, use symmetric encipherment algorithm to calculate the first message authentication code to described message to be sent and current first dynamic factor in described step S4.
13. methods according to claim 11, it is characterized in that, generate described checking window in described step S8 to be specially: with described certificate server current count value for starting point, generate a series of dynamic factor according to predetermined range value, namely generate described checking window.
14. methods according to claim 5, is characterized in that, described renewal the method obtaining described first dynamic factor are specially: described message authentication code generates equipment and obtains onboard clock current time, using the described moment as described first dynamic factor.
15. methods according to claim 5, it is characterized in that, described renewal the method obtaining described first dynamic factor are specially: described message authentication code generates equipment and determines described first dynamic factor according to onboard clock current time and the step-length that presets.
16. methods according to claim 5, is characterized in that, use symmetric encipherment algorithm to calculate described first message authentication code to described device identification, described message to be sent and current first dynamic factor in described step S4 '.
17. methods according to claims 14 or 15, it is characterized in that, generate checking window in described step S8 to be specially: with described certificate server current time for mid point, generate a series of dynamic factor according to predetermined range value and the step-length preset, namely generate described checking window.
18. methods according to claim 6, is characterized in that, also comprise in described step S8: be proved to be successful the moment recently according to current preservation, remove from described checking window described be proved to be successful the moment recently before part.
19. methods according to claim 18, is characterized in that, in described step S10, also comprise after being verified: upgrade and preserve and be describedly proved to be successful the moment recently.
20. methods according to claim 7, it is characterized in that, described renewal the method obtaining described first dynamic factor are specially: described message authentication code generates equipment by the count value of current preservation from adding the step-length preset, and obtain onboard clock current time, count value and current time are calculated, using result of calculation as described first dynamic factor.
21. methods according to claim 20, is characterized in that, described generation checking window is specially: with described certificate server present timing value for mid point, generates a series of moment according to predetermined range value and the described step-length preset; With described certificate server current count value for starting point, generate a series of count value according to predetermined range value, the moment of described correspondence is calculated with described corresponding count value, obtains a series of dynamic factor, namely generate described checking window.
22. methods according to claim 8, is characterized in that, step S10-1 " replace with:
Step S10-1 "-1: described certificate server finds the equipment of corresponding generating messages identifying code according to described device identification; as found, and uses the corresponding PKI of described equipment to be decrypted the first message authentication code after described fractionation; to obtain described first summary, as can not find, returns authentication failed information to described main frame.
The system of 23. 1 kinds of authorization information integralities, is characterized in that, comprises message authentication code and generates equipment, main frame and certificate server;
Described message authentication code generates equipment and comprises: the first memory module, the first receiver module, the first acquisition module, the first computing module, the second computing module, composite module, the first sending module;
Described first memory module, for storing the first dynamic factor;
Described first receiver module, for receiving the message to be sent that described main frame sends;
Described first acquisition module, also therefrom obtains current first dynamic factor for described first dynamic factor upgraded in described first memory module;
Described first computing module, for doing monotonic transformation to current first dynamic factor, obtains the first numerical value;
Described second computing module, for calculating the first message authentication code to described message to be sent and current first dynamic factor;
Described generation module, for generating message transmission according to described message to be sent, described first numerical value and described first message authentication code;
Described first sending module, for sending described message transmission to described main frame;
Described main frame comprises: the second receiver module and the second sending module;
Described second receiver module, for receiving described message transmission;
Described second sending module, for described message transmission is sent to described certificate server, and sends to described message authentication code to generate equipment by described information to be sent;
Described certificate server comprises: the 3rd receiver module, fractionation module, the second memory module, the 3rd acquisition module, window module, the 3rd computing module, authentication module, the 3rd sending module;
Described 3rd receiver module, for receiving described message transmission;
Described fractionation module, for splitting described message transmission;
Described second memory module, for storing the second dynamic factor;
Described 3rd acquisition module, also therefrom obtains current second dynamic factor for the second dynamic factor upgraded in described second memory module;
Described window module, calculates multiple dynamic factor for current second dynamic factor obtained according to described 3rd acquisition module, and stores;
Described 3rd computing module, for doing monotonic transformation to each dynamic factor of described checking window, obtains a series of second value;
Described authentication module, for the second dynamic factor in described checking window and the second value corresponding with it split result to described fractionation module verify;
Described 3rd sending module, for returning to main frame by the result of described authentication module.
24. systems according to claim 23, is characterized in that, described fractionation module splits and obtains information, the first numerical value and the first message authentication code, and described authentication module comprises: the first comparing unit, the first computing unit, the second comparing unit;
Whether described first comparing unit is identical with described first numerical value for more described second value;
Described first computing unit, for calculating the second message authentication code to described message and current second dynamic factor;
Whether described second comparing unit is identical with described first message authentication code for more described second message authentication code.
25. systems according to claim 23, it is characterized in that, described composite module in described message authentication code generation equipment is placed in described main frame, described first sending module is also for sending to described main frame by described first message authentication code and described first numerical value, and described second receiver module is also for receiving described first message authentication code of described first sending module transmission and described first numerical value; Described main frame also comprises the second acquisition module, for obtaining described device identification from described message authentication code generation equipment;
Described composite module, specifically for by described message to be sent, described first numerical value, device identification and described first message authentication code combination, obtains described message transmission.
26. systems according to claim 23, is characterized in that, described second memory module is also proved to be successful the moment recently for storing.
27. systems according to claim 25, is characterized in that, described certificate server also comprises: retrieval module, for the key corresponding according to described device identification retrieval.
28. systems according to claim 25, is characterized in that, described authentication module comprises: the first comparing unit, the first computing unit, the second comparing unit;
Whether described first comparing unit is identical with described first numerical value for more described second value;
Described first computing unit, for calculating the second message authentication code to described device identification, described message and current second dynamic factor;
Whether described second comparing unit is identical with described first message authentication code for more described second message authentication code.
29. systems according to claim 23, is characterized in that, described first acquisition module comprises: the first acquiring unit, second acquisition unit and the first computing unit;
Described first acquiring unit, generates the count value of equipment for obtaining described message authentication code;
Described second acquisition unit, generates the onboard clock current time of equipment for obtaining described message authentication code;
Described first computing unit, for calculating described count value and onboard clock current time, obtains described first dynamic factor.
30. systems according to claim 29, it is characterized in that, described composite module in described message authentication code generation equipment is placed in described main frame, described first sending module is also for sending to described main frame by described first message authentication code and described first numerical value, and described second receiver module is also for receiving described first message authentication code of described first sending module transmission and described first numerical value; Described main frame also comprises:
Second acquisition module, for obtaining described device identification, count value and current time from described message authentication code generation equipment;
Generation module, for generating described first numerical value according to described count value and described current time;
Described composite module, specifically for by described device identification, current time, message, described first numerical value and described first message authentication code combination, obtains described message transmission.
31. systems according to claim 30, is characterized in that, described certificate server also comprises the 3rd acquisition module; Described 3rd acquisition module comprises: the 3rd acquiring unit, the 4th acquiring unit and the second computing unit;
Described 3rd acquiring unit, for obtaining the count value of described certificate server;
Described 4th acquiring unit, for obtaining the onboard clock current time of described certificate server;
Described second computing unit, for calculating described count value and described onboard clock current time, obtains the second dynamic factor;
Described window module, generates multiple dynamic factor specifically for the current time obtained according to count value and the 4th acquiring unit of described 3rd acquiring unit acquisition, and stores.
32. systems according to claim 31, is characterized in that, described authentication module comprises: the 3rd computing unit, the 4th computing unit and comparing unit;
Described 3rd computing unit, is decrypted for the first message authentication code obtained described fractionation, obtains the first summary;
Described 4th computing unit, for calculating the dynamic factor in described checking window, described device identification, described moment and described message successively according to digest algorithm, obtains the second summary;
Whether described comparing unit is identical with described first summary for more described second summary.
33. systems according to claim 32, is characterized in that, described certificate server also comprises: checking module, for checking the legitimacy splitting the moment obtained.
CN201210272370.1A 2012-08-01 2012-08-01 Method and system for verifying information integrity Expired - Fee Related CN102761560B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210272370.1A CN102761560B (en) 2012-08-01 2012-08-01 Method and system for verifying information integrity

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210272370.1A CN102761560B (en) 2012-08-01 2012-08-01 Method and system for verifying information integrity

Publications (2)

Publication Number Publication Date
CN102761560A CN102761560A (en) 2012-10-31
CN102761560B true CN102761560B (en) 2015-01-14

Family

ID=47055881

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210272370.1A Expired - Fee Related CN102761560B (en) 2012-08-01 2012-08-01 Method and system for verifying information integrity

Country Status (1)

Country Link
CN (1) CN102761560B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103456050B (en) * 2013-07-22 2015-09-23 金硕澳门离岸商业服务有限公司 Electronic affirmation method and system
WO2017113353A1 (en) * 2015-12-31 2017-07-06 华为技术有限公司 Data transmission method, apparatus and device
CN107332809B (en) * 2016-04-29 2020-11-24 中国电信股份有限公司 Verification method, verification system and related equipment
CN112636898B (en) * 2019-09-24 2023-03-14 比亚迪股份有限公司 Communication method, device and system based on communication network
CN115460598B (en) * 2021-06-07 2024-08-27 中移物联网有限公司 Authentication method, generation method, equipment end and server end of offline password

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101060408A (en) * 2006-04-17 2007-10-24 株式会社瑞萨科技 Message authentication code producing apparatus, message authentication code verifying apparatus, and authentication system
CN101119381A (en) * 2007-09-07 2008-02-06 中兴通讯股份有限公司 Method and system for preventing playback attack
CN101340289A (en) * 2008-08-19 2009-01-07 北京飞天诚信科技有限公司 Replay attack preventing method and method thereof
CN101621794A (en) * 2009-07-07 2010-01-06 董志 Method for realizing safe authentication of wireless application service system
CN102065067A (en) * 2009-11-11 2011-05-18 杭州华三通信技术有限公司 Method and device for preventing replay attack between portal server and client
CN102457482A (en) * 2010-10-19 2012-05-16 成都市华为赛门铁克科技有限公司 Authentication method, apparatus and system thereof

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090164788A1 (en) * 2006-04-19 2009-06-25 Seok-Heon Cho Efficient generation method of authorization key for mobile communication
CN102638794B (en) * 2007-03-22 2016-03-30 华为技术有限公司 Authentication and cryptographic key negotiation method, authentication method, system and equipment

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101060408A (en) * 2006-04-17 2007-10-24 株式会社瑞萨科技 Message authentication code producing apparatus, message authentication code verifying apparatus, and authentication system
CN101119381A (en) * 2007-09-07 2008-02-06 中兴通讯股份有限公司 Method and system for preventing playback attack
CN101340289A (en) * 2008-08-19 2009-01-07 北京飞天诚信科技有限公司 Replay attack preventing method and method thereof
CN101621794A (en) * 2009-07-07 2010-01-06 董志 Method for realizing safe authentication of wireless application service system
CN102065067A (en) * 2009-11-11 2011-05-18 杭州华三通信技术有限公司 Method and device for preventing replay attack between portal server and client
CN102457482A (en) * 2010-10-19 2012-05-16 成都市华为赛门铁克科技有限公司 Authentication method, apparatus and system thereof

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
《An Efficient One-key Carter-Wegman Message Authentication Code》;Jin Xu等;《Computational Intelligence and Security, 2006 International Conference on IEEE》;20061106;第1331-1334页 *
《高效的RFID双向认证协议》;王明辉等;《计算机应用》;20111031;第31卷(第10期);第2694-2696页 *

Also Published As

Publication number Publication date
CN102761560A (en) 2012-10-31

Similar Documents

Publication Publication Date Title
US10979231B2 (en) Cross-chain authentication method, system, server, and computer-readable storage medium
TWI749061B (en) Blockchain identity system
CN105050081B (en) Method, device and system for connecting network access device to wireless network access point
EP2634957B1 (en) Authentication Device and System
CN111131313B (en) Safety guarantee method and system for replacing ECU (electronic control Unit) of intelligent networked automobile
CN106357701B (en) The integrity verification method of data in cloud storage
US8526606B2 (en) On-demand secure key generation in a vehicle-to-vehicle communication network
CN102026195B (en) One-time password (OTP) based mobile terminal identity authentication method and system
CN106685985B (en) A kind of vehicle remote diagnosis system and method based on information security technology
CN101036341B (en) Regular content check system
US20160330179A1 (en) System and method for key exchange based on authentication information
CN102761560B (en) Method and system for verifying information integrity
CN103236931B (en) A kind of auth method based on TPM and system and relevant device
CN101610150B (en) Third-party digital signature method and data transmission system
CN106850207B (en) CA-free identity authentication method and system
JP2010011400A (en) Cipher communication system of common key system
CN106790045B (en) distributed virtual machine agent device based on cloud environment and data integrity guarantee method
WO2008035450A1 (en) Authentication by one-time id
CN113781678A (en) Vehicle Bluetooth key generation and authentication method and system under network-free environment
CN111884811B (en) Block chain-based data evidence storing method and data evidence storing platform
CN110855667B (en) Block chain encryption method, device and system
CN114257376B (en) Digital certificate updating method, device, computer equipment and storage medium
CN101938500A (en) Method and system for verifying source address
CN110300287A (en) A kind of public safety video monitoring networking camera access authentication method
CN101309147A (en) Identity authentication method based on image password

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20150114