CN102833067A - Trilateral authentication method and system and authentication state management method of terminal equipment - Google Patents

Trilateral authentication method and system and authentication state management method of terminal equipment Download PDF

Info

Publication number
CN102833067A
Authority
CN
China
Prior art keywords
authentication
smart card
terminal
state
binding relationship
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2011101608909A
Other languages
Chinese (zh)
Other versions
CN102833067B (en)
Inventor
吴传喜
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Yancheng Dongfang automobile Square Investment Development Co.,Ltd.
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ZTE Corp
Priority to CN201110160890.9A (CN102833067B)
Priority to PCT/CN2011/080783 (WO2012171283A1)
Publication of CN102833067A
Application granted
Publication of CN102833067B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G06F21/445 Program or device authentication by mutual authentication, e.g. between devices or programs
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3273 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/56 Financial cryptography, e.g. electronic payment or e-cash


Abstract

The invention discloses a trilateral authentication method and system and an authentication state management method of terminal equipment. The authentication state management method comprises the following steps that: before bidirectional authentication of a terminal and a smart card, the terminal equipment is in a machine card unauthenticated state; when the bidirectional authentication is passed, the terminal equipment changes to a machine card authentication-pass state or bidirectional authentication-pass state; if the bidirectional authentication is not passed, the terminal equipment changes to a machine card locking state or bidirectional authentication un-pass state; if the authentication of the binding relation between the terminal and the smart card by a management platform is passed, the terminal equipment changes to a trilateral authentication-pass state or safe state; and if the binding relation authentication is not passed, the terminal equipment changes to a trilateral authentication un-pass state or unsafe state. Through the trilateral authentication of the terminal, smart card and management platform and the management scheme of the terminal equipment authentication state provided by the invention, the Internet of things can be used in a relatively safe operation environment, and the scheme is easy to realize and popularize.

Description

Trilateral authentication method and system, and authentication state management method of terminal equipment
Technical field
The present invention relates to the field of communication technology, and in particular to a trilateral authentication method and system and an authentication state management method for terminal equipment.
Background technology
The Internet of Things, as an important component of the emerging high-technology industries, has been taken up by countries around the world as one of the key technologies for tackling the economic crisis and revitalizing the economy. IoT services can be applied widely across many industries, for example vehicles, electric power, finance, environmental protection, oil, personal and enterprise security, hydrology, military affairs, fire-fighting, meteorology, coal, agriculture and forestry, elevators and so on. Experts estimate that over the coming years IoT services will rapidly enter many industries and that the number of users will grow quickly; by the end of 2012 the number of domestic IoT users in China based on mobile cellular communication technology may reach 30 to 40 million, and within a few years IoT applications will also become one of the core applications of LTE (Long Term Evolution) technology, with vast potential for development.
Among the current application types of IoT services, many require the terminal and smart card devices to offer a high level of security. For example, in environmental monitoring, various environmental monitoring devices are deployed in a residential district to monitor its environmental quality, including pollutants, noise, garbage and sewage, so as to build a quiet, healthy and harmonious living environment for residents. In community security, because personal safety and property safety are the matters residents care about most, video surveillance, anti-theft alarms, home security equipment, home video intercoms, building access control and the like need to be installed in the district, and the information of owners, property management, security staff, the neighbourhood committee and the public security bureau needs to be interconnected to jointly build a harmonious and safe living environment. Applications such as smart homes, coal mine production safety and monitoring, and medical care and health likewise place very high demands on application security management.
To prevent a smart card from being diverted to other purposes or physically stolen, the application security management of the smart card must be considered, for instance by adopting management measures such as machine-card binding and third-party legitimacy authentication, so that a dedicated card is used only for its dedicated purpose. However, the existing machine-card binding schemes and third-party legitimacy authentication measures either bind poorly and are easily cracked, or are not secure enough, or cannot solve the problems arising in new application environments.
Summary of the invention
The technical problem solved by the present invention is to provide a trilateral authentication method and system and an authentication state management method for terminal equipment, which can guarantee security in a variety of application environments.
To solve the above technical problem, the present invention provides a trilateral authentication method, the method comprising:
performing bidirectional authentication between a terminal and a smart card; if the bidirectional authentication passes, the terminal reports the binding relationship between the terminal and the smart card to a management platform and requests the management platform to authenticate the binding relationship;
the management platform authenticates the binding relationship between the terminal and the smart card; if the binding relationship authentication passes, trilateral authentication is judged to have passed.
Further, the method also comprises:
if the binding relationship authentication does not pass, trilateral authentication is judged not to have passed.
Further, the bidirectional authentication process specifically comprises:
the smart card uses algorithm one to derive a smart card side authentication result from authentication information, encrypts the smart card side authentication result with algorithm two, and sends the authentication information together with the encrypted smart card side authentication result to the terminal;
the terminal uses algorithm one to derive a terminal side authentication result from the authentication information sent by the smart card, at the same time decrypts the encrypted smart card side authentication result with algorithm three, and compares the decrypted smart card side authentication result with the terminal side authentication result; if they are consistent, the terminal sends the terminal side authentication result to the smart card; otherwise authentication fails and this authentication process ends;
the smart card compares the received terminal side authentication result with the smart card side authentication result it derived; if they are consistent, authentication succeeds, otherwise authentication fails;
wherein algorithm three is the inverse operation of algorithm two.
Further, the binding relationship refers to the combination of terminal information and smart card information;
wherein the terminal information comprises one or any combination of the following: the International Mobile Equipment Identity (IMEI), the Electronic Serial Number (ESN), and parameter information stored in the terminal;
the smart card information comprises one or any combination of the following: the International Mobile Subscriber Identity (IMSI), the Integrated Circuit Card Identifier (ICCID), and parameter information stored in the smart card.
Further, the authentication process for the binding relationship specifically comprises:
the management platform searches its local binding relationship database for the binding relationship between the terminal and the smart card; if it exists, the binding relationship authentication is judged to have passed, otherwise it is judged not to have passed.
Further, the method also comprises:
when the management platform judges that trilateral authentication has passed, the state of the terminal equipment is set to a trilateral authentication-pass state or safe state; when it judges that trilateral authentication has not passed, the state of the terminal equipment is set to a trilateral authentication un-pass state or unsafe state.
Further, the method also comprises:
when the bidirectional authentication passes, the terminal and the smart card are set to a machine-card authentication-pass state or bidirectional authentication-pass state;
when the bidirectional authentication does not pass, the terminal and the smart card are set to a machine-card locked state or bidirectional authentication un-pass state, and the authentication information of the smart card is set to invalid information.
Further, setting the authentication information of the smart card to invalid information comprises changing the IMSI of the smart card to blank, a random number, or erroneous information.
The present invention also provides an authentication state management method for terminal equipment, the terminal equipment comprising a terminal and a smart card, the authentication state management method comprising:
when the terminal and the smart card have not yet performed bidirectional authentication, the state of the terminal equipment is a machine-card unauthenticated state;
when the bidirectional authentication passes, the terminal equipment changes to a machine-card authentication-pass state or bidirectional authentication-pass state; when the bidirectional authentication does not pass, the terminal equipment changes to a machine-card locked state or bidirectional authentication un-pass state;
when the management platform's authentication of the binding relationship between the terminal and the smart card passes, the terminal equipment changes to a trilateral authentication-pass state or safe state; when the binding relationship authentication does not pass, the terminal equipment changes to a trilateral authentication un-pass state or unsafe state.
Further, after the terminal is powered on and the smart card has been reset, the terminal equipment changes from the initial state to the machine-card unauthenticated state.
In addition, the present invention also provides a trilateral authentication system, the system comprising: a terminal side bidirectional authentication module and a binding relationship authentication request module, a smart card side bidirectional authentication module, and a trilateral authentication module in the management platform, wherein:
the terminal side bidirectional authentication module is used to perform bidirectional authentication with the smart card;
the binding relationship authentication request module is used, if the bidirectional authentication passes, to report the binding relationship between the terminal and the smart card to the management platform and to request the management platform to authenticate the binding relationship;
the smart card side bidirectional authentication module is used to perform bidirectional authentication with the terminal;
the trilateral authentication module is used to authenticate the binding relationship between the terminal and the smart card at the request of the binding relationship authentication request module; if the binding relationship authentication passes, trilateral authentication is judged to have passed, otherwise trilateral authentication is judged not to have passed.
Further, the smart card side bidirectional authentication module is used to derive a smart card side authentication result from authentication information using algorithm one, encrypt the smart card side authentication result with algorithm two, and send the authentication information together with the encrypted smart card side authentication result to the terminal; and, after receiving the terminal side authentication result, to compare it with the smart card side authentication result it derived: if they are consistent, authentication succeeds, otherwise authentication fails;
the terminal side bidirectional authentication module is used to derive a terminal side authentication result from the authentication information sent by the smart card using algorithm one, at the same time to decrypt the encrypted smart card side authentication result with algorithm three, and to compare the decrypted smart card side authentication result with the terminal side authentication result; if they are consistent, the terminal side authentication result is sent to the smart card, otherwise authentication fails and this authentication process ends;
wherein algorithm three is the inverse operation of algorithm two.
Further, the trilateral authentication module is used to search the local binding relationship database of the management platform for the binding relationship between the terminal and the smart card; if it exists, the binding relationship authentication is judged to have passed, otherwise it is judged not to have passed;
the binding relationship refers to the combination of terminal information and smart card information;
wherein the terminal information comprises one or any combination of the following: IMEI, ESN, and parameter information stored in the terminal;
the smart card information comprises one or any combination of the following: IMSI, ICCID, and parameter information stored in the smart card.
Further, the system also comprises a smart card side bidirectional authentication result enforcement module;
the authentication result enforcement module is used, when the bidirectional authentication process passes, to set the terminal and the smart card to the machine-card authentication-pass state or bidirectional authentication-pass state; and, when the bidirectional authentication does not pass, to set the terminal and the smart card to the machine-card locked state or bidirectional authentication un-pass state and to set the authentication information of the smart card to invalid information.
Further, the bidirectional authentication result enforcement module sets the authentication information of the smart card to invalid information in the following manner: changing the IMSI of the smart card to blank, a random number, or erroneous information.
Through the above authentication method, the security of both the terminal and the smart card is guaranteed: when a forged smart card is used in the terminal, the terminal is locked, which guarantees the security of the terminal; when a smart card is stolen or used illegally, it cannot log into the network and cannot be used; and when the terminal uses an illegal smart card, the terminal is likewise locked promptly. At the same time, the binding relationship can be authenticated dynamically, and the management platform side holds control and management rights over the terminal and card devices, which is convenient for operators in conducting their own business and genuinely guarantees the dedicated use and security of the terminals and smart cards used for IoT services.
Description of drawings
The accompanying drawings described herein are provided for a further understanding of the present invention and constitute a part of this application; the illustrative embodiments of the present invention and their explanation serve to explain the present invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a schematic diagram of the overall flow of the trilateral authentication method of the embodiment of the present invention;
Fig. 2 is a schematic diagram of the interaction among the terminal, the smart card and the management platform of the present invention;
Fig. 3 is a schematic flow chart of the bidirectional authentication between the terminal and the smart card of the embodiment of the present invention;
Fig. 4 is a schematic diagram of the flow by which the management platform of the embodiment of the present invention authenticates the binding relationship between the terminal and the smart card;
Fig. 5 is a schematic diagram of the various authentication states of the terminal equipment of the present invention;
Fig. 6 is a schematic diagram of the terminal, smart card and management platform performing a successful trilateral authentication in embodiment one of the present invention;
Fig. 7 is a schematic diagram of the terminal, smart card and management platform performing a failed trilateral authentication in embodiment two of the present invention.
Embodiment
The main purpose of the present invention is to provide a method and system for trilateral authentication among a mobile terminal, a smart card and a management platform (authentication platform), so that IoT applications can have a safer and more reliable operating environment.
To achieve the above purpose, the present invention proposes a method of three-party authentication among a mobile terminal, a smart card and a management platform; as shown in Fig. 1, the method specifically comprises the following flow:
Step 101: the terminal equipment is powered on; after the smart card has been reset, the terminal equipment changes from the initial state to the machine-card unauthenticated state.
In the present invention, terminal equipment refers to the device made up of the terminal and the smart card.
Step 102: two-party authentication is first performed between the mobile terminal and the smart card; if the two-party authentication between the mobile terminal and the smart card passes, go to step 103; if the mutual authentication between the terminal and the smart card does not pass, go to step 104.
Step 103: if the terminal and the smart card have passed the two-party bidirectional authentication, the state is set to the machine-card authentication-pass state, and the mobile terminal reports its binding relationship with the smart card to the management platform and requests the management platform to authenticate the binding relationship.
Step 104: the state is set to the machine-card locked state (the terminal may be locked, set invalid, etc.), and at the same time the authentication information of the smart card (especially the IMSI) is modified to invalid information, for example by changing the IMSI to blank, a random number or erroneous information, so that the smart card cannot be used; authentication ends.
Step 105: the management platform carries out the trilateral authentication process among the mobile terminal, the smart card and the management platform.
Step 106: if the management platform has passed the binding relationship authentication of the terminal and the smart card, trilateral authentication passes; the management platform returns a binding relationship authentication-pass flag to the terminal and step 107 is executed; otherwise step 108 is executed.
Step 107: the terminal receives the management platform's authentication-pass flag and sets the state of the terminal equipment to the safe state (or trilateral authentication-pass state), allowing the terminal equipment to run the relevant business applications.
Step 108: the terminal receives the management platform's authentication un-pass flag and sets the state of the terminal equipment to the unsafe state (or trilateral authentication un-pass state), forbidding the terminal equipment from running the relevant business applications.
Before the terminal equipment runs a relevant business application, it checks its state: if the state is the safe state (trilateral authentication-pass state), the relevant business application may run; otherwise running it is forbidden.
Here, the binding relationship refers to the combination of terminal information and smart card information;
the terminal information comprises one or any combination of the following: the IMEI (International Mobile Equipment Identity), the ESN (Electronic Serial Number), parameter information stored in the terminal, etc.;
the smart card information comprises one or any combination of the following: the IMSI, the ICCID (Integrated Circuit Card Identity), parameter information stored in the smart card, etc.
Further, in the present invention, the bidirectional authentication process between the terminal and the smart card is carried out using a terminal-smart card authentication protocol. As shown in Fig. 2, algorithm one and algorithm two are stored in the smart card and the terminal, and the terminal additionally stores the inverse of algorithm two, namely algorithm three. Algorithm one is used to obtain an authentication result from authentication information, algorithm two is used to encrypt the authentication result, and algorithm three is used to decrypt the output of algorithm two. The management platform contains a machine-card binding correspondence database used to store the correspondence information of machine-card binding relationships. The management platform may be a network authentication platform, an application management platform, a security management platform, etc.
As shown in Fig. 3, the authentication protocol flow of the present invention is described in detail as follows:
Step 301: the smart card uses the agreed algorithm one to derive a smart card side operation result (hereinafter also called the authentication result) from authentication information (comprising authentication parameters and the like), encrypts it with algorithm two, and sends an authentication instruction to the terminal carrying the authentication information such as the authentication parameters together with the encrypted authentication result computed from that authentication information;
wherein the authentication information comprises one or more of: a random number, the International Mobile Subscriber Identity (IMSI), the subscriber authentication key, and other information stored in the smart card.
Step 302: the terminal applies algorithm three (the inverse operation of algorithm two) to the encrypted operation result sent by the smart card, i.e. performs the decryption of algorithm two, obtaining the smart card side authentication result; at the same time, the terminal applies the same algorithm one to the information sent by the smart card, obtaining the terminal side authentication result.
Step 303: judge whether the smart card's authentication result is identical to the terminal's authentication result; if identical, execute step 304, otherwise execute step 305.
Step 304: if the terminal side operation result is consistent with the decrypted smart card operation result, the terminal side sends its own operation result to the smart card, and goes to step 306.
Step 305: if the terminal side operation result is inconsistent with the decrypted smart card operation result, authentication fails and the flow goes to step 308.
Step 306: the smart card compares the terminal's operation result with the result of its own computation; if identical, go to step 307, otherwise go to step 308.
Step 307: bidirectional authentication passes; authentication ends and the flow continues.
Step 308: authentication fails; authentication ends, the terminal is set to an abnormal usage state (e.g. the terminal is locked or set invalid), and the authentication information of the smart card is modified to invalid information (e.g. blank, a random number or erroneous information).
Here, algorithm one and algorithm two may be any of the currently known algorithms, including but not limited to the following symmetric and asymmetric algorithms and any combination of them: the Data Encryption Standard (DES), Triple DES (3DES), hash algorithms (HASH), the A3 IMSI authentication algorithm, the RSA algorithm and the ECC algorithm, the A5 encryption key generation algorithm, the A8 user key generation algorithm, and so on. A combination of the listed algorithms means first computing with one of them and then applying another algorithm to the result obtained, and so forth.
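The following is an added simulation of the machine-card protocol of steps 301 to 308 above; it is not code from the patent or from ZTE. It assumes concrete instantiations the patent leaves open: algorithm one is HMAC-SHA256 keyed with a subscriber authentication key shared by card and terminal, algorithm two is XOR with a keystream derived from a second shared key and the random number, and algorithm three (the inverse of algorithm two) is therefore the same XOR; the keys and IMSI are constructed sample values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumptions (the patent does not fix the algorithms; DES, 3DES, A3, ... are listed as options):
#  - algorithm one   = HMAC-SHA256 over (random number || IMSI), keyed with the
#    subscriber authentication key held by both the smart card and the terminal;
#  - algorithm two   = XOR of the 32-byte authentication result with a keystream
#    derived from a second shared key and the random number;
#  - algorithm three = the inverse of algorithm two, which for XOR is the same operation.

RESULT_LEN = 32  # SHA-256 digest length


def algorithm_one(auth_key: bytes, rand: bytes, imsi: str) -> bytes:
    """Derive the authentication result from the authentication information."""
    return hmac.new(auth_key, rand + imsi.encode(), hashlib.sha256).digest()


def _keystream(enc_key: bytes, rand: bytes) -> bytes:
    return hashlib.sha256(enc_key + rand).digest()


def algorithm_two(enc_key: bytes, rand: bytes, result: bytes) -> bytes:
    """Encrypt a 32-byte authentication result by XOR with the keystream."""
    assert len(result) == RESULT_LEN
    return bytes(a ^ b for a, b in zip(result, _keystream(enc_key, rand)))


# Algorithm three is the inverse operation of algorithm two; XOR is its own inverse.
algorithm_three = algorithm_two


@dataclass
class SmartCard:
    imsi: str
    auth_key: bytes
    enc_key: bytes
    card_result: bytes = b""

    def authentication_instruction(self) -> Tuple[bytes, str, bytes]:
        """Step 301: compute the card-side result; send it encrypted with the auth info."""
        rand = os.urandom(16)
        self.card_result = algorithm_one(self.auth_key, rand, self.imsi)
        return rand, self.imsi, algorithm_two(self.enc_key, rand, self.card_result)

    def verify_terminal_result(self, terminal_result: bytes) -> bool:
        """Step 306: compare the terminal's result with the card's own result."""
        return hmac.compare_digest(terminal_result, self.card_result)

    def invalidate_authentication_information(self) -> None:
        """Step 308, card side: the IMSI becomes invalid information (blank here)."""
        self.imsi = ""


@dataclass
class Terminal:
    auth_key: bytes
    enc_key: bytes
    locked: bool = False

    def handle_instruction(self, rand: bytes, imsi: str, enc_result: bytes) -> Optional[bytes]:
        """Steps 302-305: decrypt the card's result, recompute locally, compare."""
        card_result = algorithm_three(self.enc_key, rand, enc_result)
        terminal_result = algorithm_one(self.auth_key, rand, imsi)
        if hmac.compare_digest(card_result, terminal_result):
            return terminal_result  # step 304: send own result to the card
        return None                 # step 305: mismatch, nothing is sent back


def mutual_authenticate(terminal: Terminal, card: SmartCard) -> bool:
    """Run the terminal <-> smart card bidirectional authentication of Fig. 3."""
    rand, imsi, enc_result = card.authentication_instruction()
    terminal_result = terminal.handle_instruction(rand, imsi, enc_result)
    if terminal_result is not None and card.verify_terminal_result(terminal_result):
        return True  # step 307: bidirectional authentication passes
    # step 308: lock the terminal and invalidate the card's authentication information
    terminal.locked = True
    card.invalidate_authentication_information()
    return False
```

A card holding the wrong authentication key (a forged or swapped card) fails at step 305, so the terminal is locked and the card's IMSI is blanked before anything is returned to it.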
What the management platform authenticates is the binding relationship between the smart card and the terminal; only after this binding relationship authentication has passed does the management platform allow the device made up of this terminal and smart card to run IoT applications, and otherwise it forbids the device made up of this terminal and smart card from running IoT applications.
Further, as shown in Fig. 4, the detailed process by which the management platform authenticates the binding relationship is as follows:
Step 401: after the two-party authentication between the mobile terminal and the smart card has passed, the mobile terminal reports its binding relationship with the smart card to the management platform and requests the management platform to authenticate the binding relationship.
Step 402: the management platform verifies whether the binding relationship between the smart card and the terminal passes; if it passes, execute step 403, otherwise execute step 404.
Here, the binding relationship database local to the management platform stores the binding relationship correspondence table of smart cards and terminals. The management platform verifies whether the binding relationship between the smart card and the terminal passes by checking whether the binding relationship between this smart card and this terminal exists.
Step 403: if the binding relationship passes verification, the management platform returns a trilateral authentication-pass flag to the terminal, and step 405 is executed.
Step 404: if the binding relationship does not pass verification, the management platform returns a trilateral authentication un-pass flag to the terminal, and the flow goes to step 406.
Step 405: if the terminal receives the trilateral authentication-pass flag returned by the management platform, it sets the state of the terminal equipment to the safe state (trilateral authentication-pass state).
Step 406: if the terminal receives the trilateral authentication un-pass flag returned by the management platform, it sets the state of the terminal equipment to the unsafe state (trilateral authentication un-pass state).
Before an IoT application is run, the terminal equipment first judges whether its state is the safe state (trilateral authentication-pass state); if it is the safe state (trilateral authentication-pass state), the application is run, otherwise the application is not run.
The present invention also provides an authentication state management method for terminal equipment. Fig. 5 shows the various authentication states of the terminal equipment in a concrete application of the present invention; as shown in Fig. 5, the states of the terminal equipment can be divided into the following kinds:
the default state of the terminal equipment is the initial state;
when the terminal and the smart card have not yet performed bidirectional authentication, the state of the terminal equipment is the machine-card unauthenticated state; specifically, after the terminal is powered on and the smart card has been reset, the terminal equipment changes from the initial state to the machine-card unauthenticated state;
when the bidirectional authentication passes, the terminal equipment changes to the machine-card authentication-pass state or machine-card bidirectional authentication-pass state; when the bidirectional authentication does not pass, the terminal equipment changes to the machine-card authentication un-pass state or machine-card locked state;
when the management platform's authentication of the binding relationship between the terminal and the smart card passes, the terminal equipment changes to the trilateral authentication-pass state or safe state; when the binding relationship authentication does not pass, the terminal equipment changes to the trilateral authentication un-pass state or unsafe state.
For making the object of the invention, technical scheme and advantage clearer, hereinafter will combine accompanying drawing that embodiments of the invention are elaborated.Need to prove that under the situation of not conflicting, embodiment among the application and the characteristic among the embodiment be combination in any each other.
Embodiment one
In this embodiment, a random number and the IMSI are used as the authentication information. Algorithm one and algorithm two are stored in both the smart card and the terminal; the terminal additionally stores algorithm three, the inverse of algorithm two. Algorithm one derives the authentication result from the authentication information, algorithm two encrypts the authentication result, and algorithm three decrypts the output of algorithm two.
After the Internet of Things terminal is powered on and the smart card is reset, the mutual authentication process between the mobile terminal and the smart card is performed. As shown in Fig. 6, the terminal, smart card and management platform of this embodiment successfully carry out the three-party authentication process, which specifically comprises:
Step 601: the smart card uses a command status word to send an authentication-allowed instruction to the terminal.
Step 602: the smart card sends an instruction to the terminal notifying it to obtain the authentication parameters.
Step 603: the terminal receives the command status word, recognises that authentication is allowed, and sends a command to the smart card requiring it to send its encrypted authentication result.
Step 604: at the terminal's request, the smart card computes on the authentication parameters with algorithm one, encrypts the result with algorithm two, and passes the encrypted authentication result to the terminal using a command status word.
Step 605: the terminal applies algorithm three (the decryption process of algorithm two) to the encrypted authentication result sent by the smart card and obtains the smart card's authentication result. At the same time, the terminal computes on the authentication information sent by the smart card with the same algorithm one and obtains the terminal-side authentication result. The terminal then compares whether the two authentication results are consistent.
Step 606: the terminal finds on comparison that the two authentication results are consistent, so it sends a command to the smart card carrying the terminal's unencrypted authentication result.
Step 607: the smart card compares the terminal's authentication result with the authentication result of its own computation.
Step 608: the smart card finds on comparison that the two authentication results are identical, and notifies the terminal that two-way authentication has succeeded.
Step 609: after being notified, the terminal sets its state to the card-authentication-passed state and at the same time sends the information identifying the mobile terminal and the smart card, such as the terminal equipment identifier and the IMSI, to the management platform, thereby reporting its binding relationship with the smart card (the communication means may use the prior art, such as short message or BIP), together with a request message asking the management platform to authenticate the binding relationship.
Step 610: on receiving the terminal equipment identifier and IMSI of the binding relationship, the management platform looks up in the corresponding binding-relationship database whether the binding relationship between this terminal and this smart card exists; if the correspondence exists, three-party authentication passes and the management platform returns a binding-relationship-authentication-passed indication to the terminal.
After receiving the authentication-passed indication, the terminal equipment sets its state to the safe state (three-party authentication passed state). Before running a related service application, the terminal equipment checks that the device state is the safe state (three-party authentication passed state), and the related service application then starts running.
Embodiment two
In this embodiment, the IMSI is used as the authentication information. Algorithm one and algorithm two are stored in both the smart card and the terminal; the terminal additionally stores algorithm three, the inverse of algorithm two. Algorithm one derives the authentication result from the authentication information, algorithm two encrypts the authentication result, and algorithm three decrypts the output of algorithm two.
After the terminal is powered on and the smart card is reset, the mutual authentication process between the mobile terminal and the smart card is performed. In this embodiment the terminal, smart card and management platform carry out a three-party authentication process that fails, as shown in Fig. 7; the process is described as follows:
Step 701: the smart card uses a command status word to send an authentication-allowed instruction to the terminal.
Step 702: at the same time, the smart card sends an instruction to the terminal notifying it to obtain the authentication parameters.
Step 703: the terminal receives the command status word, recognises that authentication is allowed, and sends a command to the smart card requiring it to send its encrypted authentication result.
Step 704: at the terminal's request, the smart card computes on the authentication parameters with algorithm one, encrypts the result with algorithm two, and passes the encrypted authentication result to the terminal using a command status word.
Step 705: the terminal applies algorithm three (the decryption process of algorithm two) to the encrypted authentication result sent by the smart card and obtains the smart card's authentication result. At the same time, the terminal computes on the authentication information sent by the smart card with the same algorithm one and obtains the terminal-side authentication result. The terminal then compares whether the two authentication results are consistent.
Step 706: the terminal finds on comparison that the two authentication results are inconsistent, so it sends an instruction notifying the smart card that authentication has not passed. The terminal and the smart card end the authentication; the terminal is locked and cannot be used; the IMSI information of the smart card is changed into a random number, so that even if the card is stolen it cannot register on the network and be used; the terminal equipment is in the card-locked state.
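The exchange of Fig. 4 and of embodiments one and two, together with the state transitions of Fig. 5, as an added Python model that is not part of the patent: HMAC-SHA256 stands in for algorithm one and a SHA-256 keystream XOR for algorithms two and three (both assumptions, since the patent leaves the algorithms open), and the keys, IMEI, IMSI and binding table are constructed sample values.

```python
import hashlib
import hmac
import secrets
from enum import Enum

class State(Enum):  # terminal-equipment authentication states of Fig. 5
    INITIAL = "initial"
    CARD_UNAUTHENTICATED = "card-unauthenticated"
    CARD_AUTH_PASSED = "card-auth-passed"
    CARD_LOCKED = "card-locked"
    SAFE = "three-party-auth-passed"    # safe state
    UNSAFE = "three-party-auth-failed"  # non-safe state

def algorithm_one(key: bytes, rand: bytes, imsi: str) -> bytes:
    # Authentication information (random number + IMSI) -> authentication result. HMAC-SHA256 under
    # a key shared by card and terminal stands in for the patent's unspecified algorithm (assumption).
    return hmac.new(key, rand + imsi.encode(), hashlib.sha256).digest()

def algorithm_two(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Encrypts the authentication result. A SHA-256 counter keystream XOR stands in for the
    # symmetric cipher (assumption); XOR with the same keystream is its own inverse.
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

algorithm_three = algorithm_two  # algorithm three is the inverse operation of algorithm two

class SmartCard:
    def __init__(self, imsi: str, auth_key: bytes, enc_key: bytes):
        self.imsi, self.auth_key, self.enc_key = imsi, auth_key, enc_key
        self.rand = self.result = None

    def reset(self) -> dict:  # steps 601-602: allow authentication and send the parameters
        self.rand = secrets.token_bytes(16)
        return {"status": "AUTH_ALLOWED", "rand": self.rand, "imsi": self.imsi}

    def encrypted_result(self) -> bytes:  # step 604: algorithm one, then algorithm two
        self.result = algorithm_one(self.auth_key, self.rand, self.imsi)
        return algorithm_two(self.enc_key, self.rand, self.result)

    def verify_terminal(self, terminal_result: bytes) -> bool:  # steps 607-608
        return hmac.compare_digest(self.result, terminal_result)

    def invalidate(self) -> None:  # step 706: the IMSI is replaced by a random number
        self.imsi = secrets.token_hex(8)

class ManagementPlatform:
    def __init__(self, bindings):
        self.bindings = set(bindings)  # local binding-relationship database: (IMEI, IMSI) pairs

    def authenticate_binding(self, imei: str, imsi: str) -> bool:  # step 402 / step 610
        return (imei, imsi) in self.bindings

class Terminal:
    def __init__(self, imei: str, auth_key: bytes, enc_key: bytes):
        self.imei, self.auth_key, self.enc_key = imei, auth_key, enc_key
        self.state = State.INITIAL

    def mutual_auth(self, card: SmartCard) -> bool:
        params = card.reset()
        self.state = State.CARD_UNAUTHENTICATED
        # step 605: decrypt the card's result with algorithm three and recompute it with algorithm one
        card_result = algorithm_three(self.enc_key, params["rand"], card.encrypted_result())
        own_result = algorithm_one(self.auth_key, params["rand"], params["imsi"])
        # steps 606-608 on agreement; step 706 on any mismatch: terminal locked, card IMSI invalidated
        if not (hmac.compare_digest(card_result, own_result) and card.verify_terminal(own_result)):
            self.state = State.CARD_LOCKED
            card.invalidate()
            return False
        self.state = State.CARD_AUTH_PASSED  # step 609
        return True

    def request_binding_auth(self, platform: ManagementPlatform, card: SmartCard) -> bool:
        # steps 401-406: report the (IMEI, IMSI) binding; the platform's verdict sets the final state
        if self.state is not State.CARD_AUTH_PASSED:
            return False
        passed = platform.authenticate_binding(self.imei, card.imsi)
        self.state = State.SAFE if passed else State.UNSAFE
        return passed

    def may_run_application(self) -> bool:  # an IoT application runs only in the safe state
        return self.state is State.SAFE

def run_scenarios() -> dict:
    """Three constructed runs: embodiment one, embodiment two, and a card the platform never bound."""
    auth_key, enc_key, imsi = b"constructed-auth-key", b"constructed-enc-key", "460001234567890"
    platform = ManagementPlatform({("IMEI-000001", imsi)})  # constructed binding table
    out = {}
    t, c = Terminal("IMEI-000001", auth_key, enc_key), SmartCard(imsi, auth_key, enc_key)
    t.mutual_auth(c) and t.request_binding_auth(platform, c)
    out["bound"] = (t.state.value, t.may_run_application())
    t, c = Terminal("IMEI-000001", auth_key, enc_key), SmartCard(imsi, b"other-key", enc_key)
    t.mutual_auth(c)  # results disagree: terminal locks, card IMSI is invalidated
    out["mismatch"] = (t.state.value, c.imsi != imsi, t.may_run_application())
    t, c = Terminal("IMEI-999999", auth_key, enc_key), SmartCard(imsi, auth_key, enc_key)
    t.mutual_auth(c) and t.request_binding_auth(platform, c)
    out["unbound"] = (t.state.value, t.may_run_application())
    return out
```

run_scenarios() returns the final state of each run: the mismatch run ends card-locked with the card's IMSI replaced, while the unbound run ends in the non-safe state even though two-way authentication passed.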
In addition, an embodiment of the invention also provides an authentication state management method for terminal equipment, where the terminal equipment comprises a terminal and a smart card, and the method comprises:
When the terminal and the smart card have not yet performed two-way authentication, the state of the terminal equipment is the card-unauthenticated state;
When two-way authentication passes, the terminal equipment changes to the card-authentication-passed state (also called the two-way-authentication-passed state); when two-way authentication does not pass, the terminal equipment changes to the card-locked state (also called the two-way-authentication-not-passed state);
When the management platform passes the binding-relationship authentication of the terminal and the smart card, the terminal equipment changes to the three-party-authentication-passed state (also called the safe state); when the binding-relationship authentication does not pass, the terminal equipment changes to the three-party-authentication-not-passed state (also called the non-safe state).
Further, after the terminal is powered on and the smart card has just been reset, the terminal equipment changes from the initial state to the card-unauthenticated state.
In addition, an embodiment of the invention also provides a three-party authentication system (not shown), which mainly comprises: a terminal-side two-way authentication module and a binding-relationship authentication request module; a smart-card-side two-way authentication module; and a three-party authentication module in the management platform, wherein:
The terminal-side two-way authentication module is used to perform two-way authentication with the smart card;
The binding-relationship authentication request module is used, if the two-way authentication passes, to report the binding relationship of the terminal and the smart card to the management platform and to request the management platform to authenticate the binding relationship;
The smart-card-side two-way authentication module is used to perform two-way authentication with the terminal;
The three-party authentication module is used, at the request of the binding-relationship authentication request module, to authenticate the binding relationship of the terminal and the smart card; if the binding-relationship authentication passes, it judges that three-party authentication passes, otherwise it judges that three-party authentication does not pass.
Further, the smart-card-side two-way authentication module is used to: derive the smart-card-side authentication result from the authentication information with algorithm one, encrypt the smart-card-side authentication result with algorithm two, and send the authentication information and the encrypted smart-card-side authentication result to the terminal; and, after receiving the terminal-side authentication result, compare it with the smart-card-side authentication result it derived: if they are consistent, authentication succeeds, otherwise authentication fails;
The terminal-side two-way authentication module is used to: derive the terminal-side authentication result from the authentication information sent by the smart card with algorithm one, while decrypting the encrypted smart-card-side authentication result with algorithm three; compare the decrypted smart-card-side authentication result with the terminal-side authentication result; if they are consistent, send the terminal-side authentication result to the smart card, otherwise authentication fails and this authentication process ends;
Here algorithm three is the inverse operation of algorithm two.
Further, the three-party authentication module is used to look up whether the binding relationship of the terminal and the smart card exists in the local binding-relationship database of the management platform; if it exists, it judges that the binding-relationship authentication passes, otherwise it judges that the binding-relationship authentication does not pass;
The binding relationship means the combination of terminal information and smart card information;
The terminal information comprises one of the following, or any combination of them: IMEI, ESN, or parameter information stored in the terminal;
The smart card information comprises one of the following, or any combination of them: IMSI, ICCID, or parameter information stored in the smart card.
Further, the system also comprises a smart-card-side two-way authentication result implementation module;
The authentication result implementation module is used, when the mutual authentication process passes, to set the terminal and the smart card to the card-authentication-passed state (also called the two-way-authentication-passed state); and when the two-way authentication does not pass, to set the terminal and the smart card to the card-locked state (also called the two-way-authentication-not-passed state) and to set the authentication information of the smart card to invalid information.
Further, the two-way authentication result implementation module sets the authentication information of the smart card to invalid information in the following manner: it changes the IMSI of the smart card into a blank, a random number or erroneous information.
The above are merely preferred embodiments of the present invention and do not limit it; the invention may have various other embodiments. Without departing from the spirit and essence of the invention, those of ordinary skill in the art may make various corresponding changes and variations according to the invention, and all such changes and variations fall within the scope of protection of the appended claims.
Obviously, those skilled in the art will understand that each of the above modules or steps of the invention may be implemented by a general-purpose computing device; they may be concentrated in a single computing device or distributed over a network formed by a plurality of computing devices; optionally, they may be implemented as program code executable by a computing device, so that they may be stored in a storage device and executed by the computing device, and in some cases the steps shown or described may be performed in an order different from that given here; or they may be made into individual integrated circuit modules, or a plurality of the modules or steps may be made into a single integrated circuit module. Thus the invention is not restricted to any specific combination of hardware and software.

Claims (15)

1. the method for a tripartite authentication is characterized in that, said method comprises:
Carry out two-way authentication between terminal and the smart card, if said two-way authentication passes through, the binding relationship of said terminal and said smart card is reported to management platform in then said terminal, and to said management platform request said binding relationship is carried out authentication;
Said management platform is carried out authentication to the binding relationship of said terminal and said smart card, if said binding relationship authentication passes through, judges that then tripartite authentication passes through.
2. the method for claim 1 is characterized in that, said method also comprises:
If said binding relationship authentication do not pass through, judge that then tripartite authentication do not pass through.
3. the method for claim 1 is characterized in that, said mutual authentication process specifically comprises:
After smart card uses algorithm one to draw smart card side authentication result according to authentication information, and after using two pairs of said smart card side authentication results of algorithm to encrypt, the smart card side authentication result after said authentication information and the encryption is sent to said terminal;
The authentication information that send according to said smart card at said terminal uses algorithm one to draw the end side authentication result; Use the smart card side authentication result after three pairs of said encryptions of algorithm to decipher simultaneously, and smart card side authentication result and the said end side authentication result that deciphering obtains compared, if consistent; Then said end side authentication result is sent to said smart card; Otherwise authentification failure finishes this verification process;
The said end side authentication result that said smart card will be received and the smart card side authentication result that draws compare, if consistent, and authentication success then, otherwise, authentification failure;
Wherein, said algorithm three is the inverse operation of said algorithm two.
4. the method for claim 1 is characterized in that,
Said binding relationship is meant the combination of end message and smart card information;
Wherein, said end message comprises a kind of or its combination in any in the following information: International Mobile Equipment Identity identifies (IMEI), Electronic Serial Number (ESN), is stored in the parameter information in the terminal;
Said smart card information comprises a kind of or its combination in any in the following information: international mobile subscriber identifier (IMSI), integrated circuit card identifier (ICCID), be stored in the parameter information in the smart card.
5. like claim 1 or 4 described methods, it is characterized in that the verification process of said binding relationship specifically comprises:
Said management platform is searched the binding relationship that whether has said terminal and said smart card in the local binding relationship database, if existence, judges that then said binding relationship authentication passes through, otherwise, judge that said binding relationship authentication do not pass through.
6. method as claimed in claim 5 is characterized in that, said method also comprises:
Said management platform judge tripartite authentication through the time, the state of said terminal equipment is changed to tripartite authentication through state or safe condition; Judge tripartite authentication through the time, the state of said terminal equipment is changed to tripartite authentication through state or non-safe condition.
7. the method for claim 1 is characterized in that, said method also comprises:
Said two-way authentication through the time, said terminal and said smart card are changed to the authentication of machine card pass through state through state or two-way authentication;
Said two-way authentication through the time, said terminal and said smart card are changed to machine card lock state or two-way authentication through state, and the authentication information of said smart card are changed to invalid information.
8. method as claimed in claim 7 is characterized in that,
Said authentication information with smart card is changed to invalid information, comprising: change the IMSI of said smart card into blank, random number or error message.
9. An authentication state management method for terminal equipment, characterized in that the terminal equipment comprises a terminal and a smart card, and the authentication state management method comprises:
when the terminal and the smart card have not yet performed two-way authentication, the state of the terminal equipment is the card-unauthenticated state;
when the two-way authentication passes, the terminal equipment changes to the card-authentication-passed state (also called the two-way-authentication-passed state); when the two-way authentication does not pass, the terminal equipment changes to the card-locked state (also called the two-way-authentication-not-passed state);
when a management platform passes the binding-relationship authentication of the terminal and the smart card, the terminal equipment changes to the three-party-authentication-passed state (also called the safe state); when the binding-relationship authentication does not pass, the terminal equipment changes to the three-party-authentication-not-passed state (also called the non-safe state).
10. The method of claim 9, characterized in that
after the terminal is powered on and the smart card has just been reset, the terminal equipment changes from the initial state to the card-unauthenticated state.
11. A three-party authentication system, characterized in that the system comprises: a terminal-side two-way authentication module and a binding-relationship authentication request module, a smart-card-side two-way authentication module, and a three-party authentication module in a management platform, wherein:
the terminal-side two-way authentication module is used to perform two-way authentication with the smart card;
the binding-relationship authentication request module is used, if the two-way authentication passes, to report the binding relationship of the terminal and the smart card to the management platform and to request the management platform to authenticate the binding relationship;
the smart-card-side two-way authentication module is used to perform two-way authentication with the terminal;
the three-party authentication module is used, at the request of the binding-relationship authentication request module, to authenticate the binding relationship of the terminal and the smart card; if the binding-relationship authentication passes, it judges that three-party authentication passes, otherwise it judges that three-party authentication does not pass.
12. The system of claim 11, characterized in that
the smart-card-side two-way authentication module is used to: derive a smart-card-side authentication result from authentication information with algorithm one, encrypt the smart-card-side authentication result with algorithm two, and send the authentication information and the encrypted smart-card-side authentication result to the terminal; and, after receiving a terminal-side authentication result, compare it with the smart-card-side authentication result it derived: if they are consistent, authentication succeeds, otherwise authentication fails;
the terminal-side two-way authentication module is used to: derive the terminal-side authentication result from the authentication information sent by the smart card with algorithm one, while decrypting the encrypted smart-card-side authentication result with algorithm three; compare the decrypted smart-card-side authentication result with the terminal-side authentication result; if they are consistent, send the terminal-side authentication result to the smart card, otherwise authentication fails and this authentication process ends;
wherein algorithm three is the inverse operation of algorithm two.
13. The system of claim 11 or 12, characterized in that
the three-party authentication module is used to look up whether the binding relationship of the terminal and the smart card exists in the local binding-relationship database of the management platform; if it exists, it judges that the binding-relationship authentication passes, otherwise it judges that the binding-relationship authentication does not pass;
the binding relationship means the combination of terminal information and smart card information;
wherein the terminal information comprises one of the following, or any combination thereof: IMEI, ESN, or parameter information stored in the terminal;
the smart card information comprises one of the following, or any combination thereof: IMSI, ICCID, or parameter information stored in the smart card.
14. The system of claim 11 or 12, characterized in that the system further comprises a smart-card-side two-way authentication result implementation module,
the authentication result implementation module being used, when the mutual authentication process passes, to set the terminal and the smart card to the card-authentication-passed state (also called the two-way-authentication-passed state); and when the two-way authentication does not pass, to set the terminal and the smart card to the card-locked state (also called the two-way-authentication-not-passed state) and to set the authentication information of the smart card to invalid information.
15. The system of claim 14, characterized in that
the two-way authentication result implementation module sets the authentication information of the smart card to invalid information in the following manner: it changes the IMSI of the smart card into a blank, a random number or erroneous information.
CN201110160890.9A 2011-06-15 2011-06-15 Trilateral authentication method and system and authentication state management method of terminal equipment Active CN102833067B (en)


Publications (2)

Publication Number Publication Date
CN102833067A true CN102833067A (en) 2012-12-19
CN102833067B CN102833067B (en) 2017-05-17

CN103763102A (en) Wifi safety management system and method based on message pushing

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20201222

Address after: 224000 room 403-405, 4th floor, Yongning International Auto City, Yancheng City, Jiangsu Province (No.2, Kaichuang Road, New District, Yandu District, Yancheng City) (b)

Patentee after: Yancheng Dongfang automobile Square Investment Development Co.,Ltd.

Address before: 518057 Legal Department, ZTE Building, South Science and Technology Road, Nanshan District Hi-Tech Industrial Park, Shenzhen, Guangdong

Patentee before: ZTE Corp.
