CN103533403A - Equipment certificate activating method for smart cloud TV terminal - Google Patents

Equipment certificate activating method for smart cloud TV terminal

Publication number: CN103533403A (granted version: CN103533403B)
Application number: CN201310529585.1A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 王雅哲, 王瑜
Original and current assignee: Institute of Information Engineering of CAS
Prior art keywords: certificate, television terminal, manufacturer, intelligent cloud, cloud television
History: application filed by Institute of Information Engineering of CAS with priority to CN201310529585.1A; publication of CN103533403A; application granted; publication of CN103533403B.
Legal status: granted; expired (fee related). Google states that the legal status, the assignee list and the priority date shown are assumptions, not legal conclusions.
Abstract

The invention provides a device certificate activation method for smart cloud TV terminals. A central CA system is deployed that issues the secondary-CA trust root to the secondary CA systems. Each manufacturer deploys a manufacturer-oriented secondary terminal-device-certificate CA system that activates certificates online for that manufacturer's smart cloud TV terminals; for a manufacturer that does not deploy its own secondary smart cloud TV device certificate CA system, a center-oriented secondary terminal-device-certificate CA system operating under the same secondary-CA trust root activates the certificates of its devices online. A security agent module and a TV identification module preset on the smart cloud TV terminal, working with the center-oriented or manufacturer-oriented secondary CA system, carry out the core task of activating the terminal's certificate, which gives the smart cloud TV a trusted device identity. The method is claimed to offer strong universality, high security and high confidentiality.

Description

Implementation method for activating the device certificate of a smart cloud TV terminal
Technical field
The invention belongs to the field of identity identification in information security and specifically relates to a method for activating the device certificate of a smart cloud TV terminal.
Background art
In next-generation information technologies such as cloud computing and the Internet of Things, identity management is a key problem: it is the first barrier of a security system and the basis of the whole information security architecture. The smart cloud TV, a fusion of the smart TV with emerging technologies such as cloud computing and the Internet of Things, has set the development direction of the domestic and international colour TV industry and is the advanced stage of smart TV development. To genuinely achieve intelligent identification, monitoring and management of smart cloud TVs, each device must have its own unique identity; only then can secure, traceable monitoring and management be realized, so identity management for smart cloud TVs has become a problem that its development urgently needs solved. However, for this emerging class of cloud-connected devices, research institutions and commercial organizations have not yet clearly proposed a reasonably complete identity scheme that uses a device's real identity to meet the continually expanding business needs of cloud computing and IoT application scenarios, or that establishes trusted, secure identities across different networks and services so as to provide confidentiality, integrity, sharing, authentication and non-repudiation in multiple environments and improve the security of identity information. In recent years some enterprise groups have begun to explore PKI-based digital certificate technology on smart devices such as Android and iOS to establish trusted identities for them, meeting needs such as multi-service applications and basic security guarantees, with good results.
The certificate activation method of the published patent application 201310086043.1 (an implementation method and system for cloud TV terminal authentication) has two shortcomings: it does not consider manufacturers that lack the capability to deploy a CA system, that is, how device certificates are to be issued to such manufacturers' terminals; and it does not interact with the manufacturer's corresponding service interface to verify that a device really is the manufacturer's, which is needed to prevent counterfeit (shanzhai) devices from obtaining the certificate activation service and, with it, a trusted identity that gives illegitimate access to services.
The present invention is based on a PKI (Public Key Infrastructure) certificate system. PKI is a key-management platform that follows established standards and provides cryptographic services such as encryption and digital signatures, together with the key and certificate management they require, to all network applications; in short, it is the infrastructure built on public-key theory and technology to provide security services. Through a manufacturer-oriented secondary terminal-device-certificate CA system and a center-oriented secondary terminal-device-certificate CA system, and by cross-verifying the legitimacy of the terminal device with its manufacturer, the invention activates the device certificate of a smart cloud TV terminal and establishes a trusted identity for the smart cloud TV device. On this basis, a secure, practical and valid digital certificate provides the infrastructure for the secure operation of authentication, authorization management and accountability tracking of smart cloud TV terminals in next-generation IT application environments, and strengthens the security assurance capability of each application system. The core is a smart cloud TV terminal device digital certificate that serves every application system, forming a trusted smart cloud TV identity system for the whole smart cloud TV industry chain and ensuring the controlled, secure development of the industry.
Summary of the invention
Technical problem addressed by the invention: to meet the identity challenge faced by the smart cloud TV industry, a more secure and more confidential implementation method for activating the device certificate of a smart cloud TV terminal is provided.
Technical solution: the basic idea of the scheme is outlined briefly. The invention draws on the advantages of existing solutions; specifically, the technical solution comprises the following aspects:
Aspect one: in view of smart cloud TV manufacturers' user-management costs, a center-oriented secondary terminal-device-certificate CA system based on the PKI certificate system is established (for manufacturers that do not deploy their own CA system) to manage the whole certificate life cycle of smart cloud TV terminal device certificates (user certificates), including activation, operation and management, and to provide controlled certificate services. This CA system and the center CA system together form a two-level certificate trust system for user management, constituting the security infrastructure of the smart cloud TV industry.
Aspect two: through a manufacturer-oriented secondary terminal-device-certificate CA system based on the PKI certificate system (the manufacturer deploys its own CA system), the device certificates (user certificates) of the manufacturer's own smart cloud TV terminals are activated, helping the manufacturer track the activity of its own users and providing trust support for users' access to services. This CA system and the center CA system likewise form a two-level user-management certificate trust system, constituting the security infrastructure of the smart cloud TV industry.
Aspect three: to prevent counterfeit smart cloud TV terminals from activating certificates, the legitimacy of the device identifier must be verified by the manufacturer. A device-identifier white list provided by the manufacturer, or the manufacturer's device-identification verification interface, provides trusted proof of identity for the device certificate activation of a smart cloud TV terminal, ensuring that only legitimate devices obtain a trusted certificate identity.
The implementation method for activating the device certificate of a smart cloud TV terminal according to the invention is as follows:
First, a center CA system is deployed. The center CA system consists of a certificate issuance module and is responsible for issuing the secondary-CA trust root to the secondary CA systems (the center-oriented and the manufacturer-oriented secondary terminal-device-certificate CA systems) and for managing the life cycle of that trust root, building a complete certificate trust chain and forming a two-level user management based on the PKI certificate system. This system is deployed in the same way as a conventional CA system.
Second, based on the secondary-CA trust root issued by the center CA system, each manufacturer deploys its own manufacturer-oriented secondary terminal-device-certificate CA system, responsible for activating the device certificates of that manufacturer's smart cloud TV terminals and laying the foundation for their trusted identities. At the same time, under the secondary-CA trust root, a center-oriented secondary terminal-device-certificate CA system is deployed for manufacturers that lack the capability to deploy a secondary smart cloud TV terminal device certificate CA system; it is responsible for online device certificate activation for such manufacturers, likewise laying the foundation for the trusted identity of their smart cloud TV terminals.
The center-oriented secondary terminal-device-certificate CA system comprises a center-oriented certificate request proxy module, a device-identifier query forwarding module and a center-oriented certificate issuance module. The center-oriented certificate request proxy module establishes the secure channel between the center-oriented secondary CA system and the security agent module built into the smart cloud TV terminal, receives the certificate issuance request sent by the security agent module, calls the device-identifier query forwarding module to verify the device identifier, and delivers the device certificate signed by the certificate issuance module. The device-identifier query forwarding module is responsible for verifying the validity of the device identifier. The center-oriented certificate issuance module signs device certificates for the smart cloud TV terminals of manufacturers that have not deployed a secondary smart cloud TV device certificate CA system.
The manufacturer-oriented secondary terminal-device-certificate CA system comprises a manufacturer-oriented certificate request proxy module and a manufacturer-oriented certificate issuance module. The manufacturer-oriented certificate request proxy module establishes the secure channel between the secondary CA system and the security agent module built into the smart cloud TV terminal, receives the certificate issuance request sent by the security agent module, calls the manufacturer's own internal device-identifier query interface to verify the identifier of the manufacturer's own device, and delivers the device certificate signed by the manufacturer-oriented certificate issuance module. The manufacturer-oriented certificate issuance module signs the device certificates of the manufacturer's own smart cloud TV terminals.
Third, a security agent module and a TV identification module are preset on the smart cloud TV terminal, and the root certificate of the center-oriented smart TV terminal device certificate CA system and the root certificate of the center CA system are pre-installed, so that the terminal's device certificate activation service can be completed and the terminal obtains a trusted device identifier.
The TV identification module exists to prevent a counterfeit device from copying the security agent module and activating a device certificate; it ensures that the legitimacy of the terminal's device identifier is verified by the manufacturer. The TV identification module polls automatically to monitor whether the smart cloud TV terminal is connected to the network. If it is not connected, it prompts the user to complete the network connection so that the terminal can obtain more personalized services. If it is connected, it obtains the terminal's unique device identifier, manufacturer identifier and related hardware information and triggers its own device-identifier verification process; through the manufacturer device identification interface integrated into the manufacturer's portal it completes the legitimacy verification of the device identifier; once the identifier is verified as legitimate, it sends a certificate activation start request to the security agent module. The TV identification module is equivalent to an Android app installed directly on the smart cloud TV terminal.
The security agent module: receives the certificate activation start request and starts the certificate activation service; generates a public/private key pair, generates the certificate issuance request and sends it; establishes the secure channel; receives the device certificate delivered by the manufacturer-oriented or center-oriented certificate request proxy module, stores the device certificate securely and completes authentication based on it. The security agent module is equivalent to an Android app installed directly on the smart cloud TV terminal.
The root certificate of the center-oriented smart TV terminal device certificate CA system is a secondary root certificate, issued by the center CA system and imported into the secondary CA system. The root certificate of the center CA system is a top-level root certificate, imported into the top-level CA system.
Compared with the prior art, the invention has the following notable advantages:
(1) Higher security and stronger confidentiality
Because the invention adopts a two-level user management (device certificate management) model with manufacturer-oriented and center-oriented secondary terminal-device-certificate CA systems (combined with a device-legitimacy verification module), adds a TV identification module, and uses PKI public-key digital certificate technology, it has strong confidentiality, non-repudiation and interoperability. The certificate activation method of the prior-art patent has no device legitimacy check and cannot prevent counterfeit devices from obtaining a legitimate trusted identity, and it gives insufficient consideration to manufacturers' capability to deploy a CA; the certificate activation method of the invention therefore has higher universality, security and confidentiality.
(2) Low user-management cost and high universality.
Description of the drawings
Fig. 1: overall framework of the implementation of the invention;
Fig. 2: schematic diagram of certificate activation based on the center-oriented secondary terminal-device-certificate CA system;
Fig. 3: flow chart of certificate activation based on the center-oriented secondary terminal-device-certificate CA system;
Fig. 4: schematic diagram of certificate activation based on the manufacturer-oriented secondary terminal-device-certificate CA system;
Fig. 5: flow chart of certificate activation based on the manufacturer-oriented secondary terminal-device-certificate CA system.
Embodiments
To make the objectives, advantages and technical solution of the invention clearer, the invention is described in more detail below through specific embodiments and with reference to the drawings.
Fig. 1 describes the overall implementation framework of the scheme. In short: first, a smart cloud TV terminal device CA system is deployed at the center to form the basic trust root of smart cloud TV terminals and give them basic trust support; specifically, the center CA system issues the secondary-CA trust root to the secondary CA systems (the center-oriented and the manufacturer-oriented secondary terminal-device-certificate CA systems), building a complete certificate trust chain and forming a two-level user management based on the PKI certificate system. Second, based on the secondary-CA trust root issued by the center CA system, each manufacturer deploys a CA system responsible for the online activation of certificates for its own smart cloud TV terminals, laying the foundation for their trusted identities; at the same time, under the secondary-CA trust root, a center-oriented secondary terminal-device-certificate CA system is deployed at the center for manufacturers that lack the capability to deploy a secondary smart cloud TV terminal device certificate CA system, and it activates certificates online for such manufacturers' devices. Third, to keep counterfeit devices from completing certificate activation, the security agent module and the TV identification module preset on the smart cloud TV terminal complete the terminal's most important service, certificate activation, and obtain its trusted device identifier. This comprises the following two parts.
Part one: certificate activation based on the center-oriented secondary terminal-device-certificate CA system
When a smart cloud TV terminal goes online for the first time, its preset configuration triggers the built-in TV identification module (this module exists to prevent a counterfeit device from copying the security agent module and activating a certificate; it ensures that the legitimacy of the terminal's device identifier is verified by the manufacturer). The manufacturer's portal identifies the newly online terminal; once the manufacturer's internal identification passes, the TV identification module triggers the actual online application for the terminal's device certificate by calling the built-in security agent module to open a secure connection to the center-oriented secondary terminal-device-certificate CA system. That CA system's integrated device-identifier query forwarding interface (which interacts with the device-identifier query forwarder to complete device-identifier verification) has the device identifier verified by the query forwarder, after which the CA system signs the terminal's device certificate online and delivers it to the terminal, as shown in Fig. 2. The precondition for this process is that the terminal has the built-in TV identification module and security agent module and has pre-installed the root certificate of the center-oriented smart cloud TV terminal device certificate CA system and the root certificate of the center CA system.
The implementation is described in detail below with reference to Fig. 3:
(1) When the smart cloud TV terminal goes online for the first time under the user's operation, the built-in TV identification module polls automatically to monitor whether the terminal is connected to the network. If it is not connected, it prompts the user to complete the network connection so that the terminal can obtain more personalized services; if it is connected, it obtains the terminal's unique device identifier TVID, manufacturer identifier and related hardware information and triggers its own device-identifier verification process;
(2) The built-in TV identification module completes verification of the device identifier (comprising the device identifier TVID and the manufacturer identifier) through the manufacturer device identification interface integrated into the manufacturer's portal. If verification passes, the TV identification module is notified to trigger the certificate activation service; if it fails, the TV identification module is notified to stop the certificate activation service;
(3) After receiving the certificate activation trigger notification, the built-in TV identification module sends a certificate activation start request (containing the verified device identifier TVID and manufacturer identifier) to the security agent module;
(4) After receiving the certificate activation notification, the built-in security agent module starts the certificate activation service, generates a public/private key pair, and automatically directs access to the center-oriented secondary terminal-device-certificate CA system to trigger the certificate activation service;
(5) The terminal, through the built-in security agent module, establishes a secure channel with the secondary terminal-device-certificate CA system;
(6) The built-in security agent module sends a PKCS#10 certificate issuance request signed with the private key to the secondary smart TV terminal device certificate CA system. The request contains: certificate request information + signature algorithm + signature value, where the certificate request information contains: certificate version number + subject (the device manufacturer identifier and the device identifier TVID) + subject public key information (public key algorithm + public key bit string) + attributes (device information or extensible device-unique information);
(7) After obtaining the certificate issuance request, the secondary terminal-device-certificate CA system extracts the device manufacturer identifier and the device identifier TVID from the request and, through its integrated device identification query forwarding interface, forwards a device-identifier matching request (containing the device manufacturer identifier and the device identifier TVID) to the device-identifier query forwarding module;
(8) After receiving the device-identifier matching request, the device-identifier query forwarding module matches the device identifier TVID against the local device-identifier white list or through the manufacturer device identification interface. If the match fails, it notifies the center-oriented secondary terminal-device-certificate CA system to terminate device certificate issuance and notifies the security agent module of the device-identifier verification failure: this certificate issuance fails. If the match succeeds, it notifies the center-oriented secondary terminal-device-certificate CA system to start device certificate issuance;
(9) After receiving the device certificate issuance notification, the center-oriented secondary terminal-device-certificate CA system starts the device certificate issuance service and signs the terminal's device certificate; at the same time it generates a random number, signs it with the private key corresponding to the root certificate of the secondary smart cloud TV terminal device certificate CA system, and returns the issued device certificate, the random-number signature and the random number to the terminal's built-in security agent module;
(10) After receiving the device certificate, the random number and the random-number signature, the built-in security agent module verifies the random-number signature with the root certificate of the center-oriented secondary terminal-device-certificate CA system. If the signature fails to verify, it does not install the certificate and stops the certificate activation service; if it verifies, it installs the terminal certificate;
(11) The terminal, through the built-in security agent module, signs the random number with the private key corresponding to its own device certificate and sends server verification information for the center-oriented secondary terminal-device-certificate CA system (containing the random-number signature and the terminal certificate) to that CA system;
(12) After receiving the verification information, the center-oriented secondary terminal-device-certificate CA system verifies it. If verification fails, it marks the certificate as not activated and returns a terminal verification failure message; if it passes, it marks the certificate as activated and returns a terminal verification pass message, and the smart cloud TV terminal can then use this certificate to obtain personalized services.
Successful completion of this process establishes a network trust identity that lets the smart cloud TV terminal user enjoy various cloud services later, and lays a good foundation for personalized services for the user.
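The twelve steps of Fig. 3, carried out end to end, as an added example that is not part of the patent or of any implementation by its assignee. It is written in Go against the standard library only and replaces the real components with assumptions of its own: the center CA and the secondary CA are created in-process by NewHierarchy (the patent deploys them as separate systems); the secure channel of step (5) and the TV identification module's steps (1)-(3) are left out; and the device-identifier white list or manufacturer query interface of step (8) is a plain map keyed "vendor:TVID" whose one entry is constructed sample data. The PKCS#10 subject carries the manufacturer identifier as O and the TVID as CN. Activate returns the issued certificate only after the CA's random-number signature verifies against the pre-installed secondary CA certificate, the chain validates up to the center root, and the terminal's own signature over the same random number verifies under the freshly issued certificate. The manufacturer-oriented flow of Fig. 5 differs only in who answers the step-(8) check (the manufacturer's own portal), so the same code covers it with the map replaced by a call to that interface.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

// issue signs a certificate for pub with signer's key; parent == nil means self-signed.
func issue(subject pkix.Name, isCA bool, parent *x509.Certificate, pub interface{}, signer *ecdsa.PrivateKey) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	must(err)
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: subject, IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// NewHierarchy deploys the center CA root and one secondary CA under it (steps 1-2). It returns the root
// certificate and the secondary CA certificate (both pre-installed on the terminal) plus the secondary CA key.
func NewHierarchy(secondary string) (*x509.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	rootKey, caKey := newKey(), newKey()
	root := issue(pkix.Name{CommonName: "Center CA"}, true, nil, &rootKey.PublicKey, rootKey)
	caCert := issue(pkix.Name{CommonName: secondary}, true, root, &caKey.PublicKey, rootKey)
	return root, caCert, caKey
}

// Activate runs steps (4) and (6)-(12) of Fig. 3; allowed holds "vendor:TVID" entries and stands in for the
// device-identifier white list or the manufacturer query interface consulted in step (8) (an assumption here).
func Activate(root, caCert *x509.Certificate, caKey *ecdsa.PrivateKey, vendor, tvid string, allowed map[string]bool) (*x509.Certificate, error) {
	devKey := newKey() // (4): the security agent generates the terminal's key pair
	// (6): PKCS#10 request with vendor ID (O) and TVID (CN) in its subject, signed with the new private key
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{Organization: []string{vendor}, CommonName: tvid}}, devKey)
	must(err)
	// (7): the CA parses the request and checks its self-signature before trusting the subject it carries
	csr, err := x509.ParseCertificateRequest(csrDER)
	must(err)
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	// (8): identifier match; a counterfeit terminal is stopped here, before anything is signed
	if len(csr.Subject.Organization) != 1 || !allowed[csr.Subject.Organization[0]+":"+csr.Subject.CommonName] {
		return nil, errors.New("device identifier verification failed, issuance terminated")
	}
	// (9): issue the device certificate and sign a fresh random number with the secondary CA key
	devCert := issue(csr.Subject, false, caCert, csr.PublicKey, caKey)
	nonce := make([]byte, 32)
	_, err = rand.Read(nonce)
	must(err)
	digest := sha256.Sum256(nonce)
	caSig, err := ecdsa.SignASN1(rand.Reader, caKey, digest[:])
	must(err)
	// (10): the terminal checks the nonce signature with the pre-installed secondary CA certificate and
	// validates the chain up to the center root before it installs the certificate
	if !ecdsa.VerifyASN1(caCert.PublicKey.(*ecdsa.PublicKey), digest[:], caSig) {
		return nil, errors.New("CA nonce signature invalid, certificate not installed")
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := devCert.Verify(opts); err != nil {
		return nil, err
	}
	// (11),(12): the terminal signs the same nonce with its private key; the CA verifies that with the
	// public key in the certificate it just issued and only then marks the certificate activated
	devSig, err := ecdsa.SignASN1(rand.Reader, devKey, digest[:])
	must(err)
	if !ecdsa.VerifyASN1(devCert.PublicKey.(*ecdsa.PublicKey), digest[:], devSig) {
		return nil, errors.New("terminal proof of possession failed, certificate marked not activated")
	}
	return devCert, nil
}

func main() {
	root, caCert, caKey := NewHierarchy("Center-oriented secondary CA")
	allowed := map[string]bool{"VendorA:TV-0001": true} // constructed sample white list
	for _, id := range []string{"TV-0001", "TV-9999"} {
		_, err := Activate(root, caCert, caKey, "VendorA", id, allowed)
		fmt.Printf("%s: activated=%v err=%v\n", id, err == nil, err)
	}
}
```

Two points the example makes explicit that the text leaves implicit: the CA verifies the request's self-signature before reading the subject, so a TVID cannot be claimed under someone else's public key, and the terminal validates the full chain to the pre-installed center root rather than only the random-number signature before installing anything. The random number signed in both directions is a proof of possession of the two private keys, not an authentication of the transport; that remains the job of the secure channel in step (5).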
Two, the certificate towards the secondary terminal equipment certificate CA system of manufacturer activates implementation method
Intelligence cloud television terminal is by presetting, when it is reached the standard grade for the first time, by triggering the built-in TV identification module of intelligent cloud television terminal, (this module is for fear of mountain vallage machine, to copy TSM Security Agent module to carry out the generation that certificate activates problem, the legitimacy that guarantees the device identification of intelligent cloud television terminal must be verified by manufacturer), the reached the standard grade recognition of devices of intelligent cloud television terminal of manufacturer's door, after the inner identification of manufacturer is passed through, TV identification module triggers the online application of the device certificate of intelligent cloud television terminal veritably, call the built-in safe joint face of TSM Security Agent module of intelligent cloud television terminal to the secondary terminal equipment certificate CA system of manufacturer, again by the device identification inquiry forwarding interface of this CA system integration, complete after the device identification checking of manufacturer's door self inside, by this CA system, realize and sign and issue online the device certificate of intelligent cloud television terminal and be issued to television terminal, as accompanying drawing 4.The precondition of this implementation Process is the built-in TV identification module of intelligent cloud television terminal, TSM Security Agent module, has pre-installed towards the root certificate of the secondary terminal equipment certificate CA system of manufacturer, the root certificate of center CA system.
Below in conjunction with Fig. 5, specifically describe its implementation:
(1) When the intelligent cloud television terminal comes online for the first time under the user's operation, its built-in TV identification module automatically polls whether the terminal is connected to the network. If it is not, the module prompts the user to complete the network connection so that the terminal can obtain personalized services. If it is connected, the module obtains the terminal's unique device identifier TVID, its manufacturer identifier and related hardware information, and triggers its own device identifier verification service;
(2) The built-in TV identification module completes verification of the device identifier (comprising the device identifier TVID and the manufacturer identifier) through the vendor device recognition interface integrated into the manufacturer portal. If verification passes, the TV identification module is notified to trigger the certificate activation service; if verification fails, the TV identification module is notified to stop the certificate activation service;
(3) After receiving the certificate activation trigger notification, the built-in TV identification module sends a certificate activation start request (containing the verified device identifier TVID and manufacturer identifier) to the security agent module;
(4) After receiving the certificate activation notification, the built-in security agent module starts the certificate activation service, generates a public/private key pair, and automatically directs access to the manufacturer-facing secondary terminal device certificate CA system to trigger the certificate activation service;
(5) Through the built-in security agent module, the terminal establishes a secure channel with this secondary terminal device certificate CA system;
(6) The built-in security agent module sends a PKCS#10 certificate issuance request, signed with the private key, to this secondary terminal device certificate CA system. The certificate issuance request comprises: certificate request information + signature algorithm + signature value, where the certificate request information contains: certificate version number + subject (equipment vendor identifier and device identifier TVID) + subject public key information (public key generation algorithm + public key bit string) + attributes (device information or extensible device-unique information);
(7) After the manufacturer-facing secondary terminal device certificate CA system obtains the certificate issuance request, it extracts the device identifier TVID from the request and, through the device recognition query forwarding interface integrated by the manufacturer, sends a device identifier matching request (containing the device identifier TVID) to the manufacturer's own portal;
(8) After receiving the device identifier matching request, the manufacturer portal matches the device identifier TVID against its local device identifier whitelist. If matching fails, it notifies the manufacturer-facing secondary terminal device certificate CA system to terminate device certificate issuance, and the security agent module is notified that device identifier verification failed and certificate issuance has failed. If matching succeeds, it notifies the secondary terminal device certificate CA system to start device certificate issuance;
(9) After receiving the terminal certificate issuance notification, the manufacturer-facing secondary device certificate CA system starts the device certificate issuance service and issues the terminal's device certificate. At the same time it generates a random number and signs it with the private key corresponding to the root certificate of this secondary device certificate CA system. It returns the issued device certificate, the random number signature and the random number to the terminal's built-in security agent module;
(10) After receiving the terminal certificate, random number and random number signature, the built-in security agent module verifies the random number signature using the root certificate of the manufacturer-facing secondary device certificate CA system. If verification fails, it refuses to install the certificate and stops the certificate activation service; if verification passes, it installs the device certificate;
(11) Through the built-in security agent module, the terminal signs the random number with the private key corresponding to its own terminal certificate and sends server verification information (comprising the random number signature and the terminal certificate) to the manufacturer-facing secondary device certificate CA system;
(12) After receiving the verification information, the manufacturer-facing secondary device certificate CA system verifies it. If verification fails, it marks the certificate as not activated and returns a terminal authentication failure message; if verification passes, it marks the certificate as activated and returns a terminal authentication success message. The terminal can then use this certificate to enjoy personalized services.
Successful completion of this process establishes the network trust identifier that the terminal user will later rely on for various cloud services, and lays the foundation for personalized services for the terminal user.
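The exchange in steps (1) to (12) above, together with the two-level CA hierarchy it relies on, as an added example that is not part of the patent and not code from its applicant; the same block also covers the restatement of this flow in claims 3 and 5. It is written in Go against the standard library only and assumes Ed25519 keys, a constructed whitelist standing in for the manufacturer portal's device identifier list, a constructed manufacturer identifier "VENDOR-A", and that the terminal's pre-installed root certificates are the CA's own `Root` and `Cert` fields. The TV identification module's network polling (steps 1 to 3) and the secure channel of step 5 are outside the example, and the names `SecondaryCA`, `NewPKI`, `Issue`, `Activate` and `RunActivation` are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed stand-in for the manufacturer portal's local device-identifier whitelist used in step 8.
var vendorWhitelist = map[string]bool{"TV-000001": true, "TV-000002": true}
func must[T any](v T, err error) T { // setup errors (randomness, self-issued certificates) are fatal here
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() ed25519.PrivateKey {
	seed := make([]byte, ed25519.SeedSize)
	must(rand.Read(seed))
	return ed25519.NewKeyFromSeed(seed)
}
// sign issues tmpl for pub under parent with the parent's key; parent == tmpl yields a self-signed certificate.
func sign(tmpl, parent *x509.Certificate, pub any, parentKey ed25519.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))))
}

// SecondaryCA models the manufacturer-facing secondary terminal device certificate CA system.
type SecondaryCA struct {
	Root, Cert *x509.Certificate // center CA root and this CA's own (secondary root) certificate
	key        ed25519.PrivateKey
	nonces     map[string][]byte // pending random numbers keyed by TVID, consumed on first use
	Activated  map[string]bool
}

// NewPKI builds the two-level trust chain of claim 1: center CA root -> manufacturer secondary CA.
func NewPKI() *SecondaryCA {
	tmpl := func(cn string, serial int64) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	}
	rootKey, caKey := newKey(), newKey()
	rootTmpl := tmpl("Center CA", 1)
	root := sign(rootTmpl, rootTmpl, rootKey.Public(), rootKey)
	ca := sign(tmpl("Manufacturer Secondary CA", 2), root, caKey.Public(), rootKey)
	return &SecondaryCA{Root: root, Cert: ca, key: caKey, nonces: map[string][]byte{}, Activated: map[string]bool{}}
}

// Issue covers steps 6-9: PKCS#10 signature check, whitelist match, certificate issuance, CA-signed random number.
func (ca *SecondaryCA) Issue(csrDER []byte) (*x509.Certificate, []byte, []byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil || csr.CheckSignature() != nil || !vendorWhitelist[csr.Subject.CommonName] {
		return nil, nil, nil, errors.New("request rejected: malformed, bad proof of possession, or TVID not whitelisted")
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	nonce := make([]byte, 32)
	must(rand.Read(nonce))
	ca.nonces[csr.Subject.CommonName] = nonce
	return sign(tmpl, ca.Cert, csr.PublicKey, ca.key), nonce, ed25519.Sign(ca.key, nonce), nil
}

// Activate covers step 12: certificate issued by this CA and terminal signature over the one-shot random number valid.
func (ca *SecondaryCA) Activate(cert *x509.Certificate, devSig []byte) error {
	tvid := cert.Subject.CommonName
	nonce, ok := ca.nonces[tvid]
	delete(ca.nonces, tvid) // a replayed or retried exchange must obtain a fresh random number
	if pub, isEd := cert.PublicKey.(ed25519.PublicKey); !ok || !isEd || cert.CheckSignatureFrom(ca.Cert) != nil || !ed25519.Verify(pub, nonce, devSig) {
		return errors.New("activation rejected for " + tvid)
	}
	ca.Activated[tvid] = true
	return nil
}

// RunActivation plays the terminal's security agent (steps 4, 6, 10, 11) against ca; "VENDOR-A" is a constructed manufacturer identifier.
func RunActivation(ca *SecondaryCA, tvid string) error {
	key := newKey() // step 4: the key pair is generated on the terminal and the private key never leaves it
	subj := pkix.Name{Organization: []string{"VENDOR-A"}, CommonName: tvid}
	csr := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subj}, key))
	cert, nonce, nonceSig, err := ca.Issue(csr)
	if err != nil {
		return err
	}
	// Step 10: trust the secondary CA only through the pre-installed center root; install only if the CA signed the random number.
	if caPub, ok := ca.Cert.PublicKey.(ed25519.PublicKey); !ok || ca.Cert.CheckSignatureFrom(ca.Root) != nil || !ed25519.Verify(caPub, nonce, nonceSig) {
		return errors.New("CA signature over random number invalid; certificate not installed")
	}
	return ca.Activate(cert, ed25519.Sign(key, nonce)) // step 11: prove possession of the device private key
}
func main() {
	ca := NewPKI()
	fmt.Println("TV-000001:", RunActivation(ca, "TV-000001"), "TV-999999:", RunActivation(ca, "TV-999999"))
}
```

Two checks the patent's steps leave implicit are made explicit here: the CA verifies the PKCS#10 signature before trusting the subject, so a request cannot bind a whitelisted TVID to a key its sender does not hold, and the random number is deleted on first use, so a captured step-11 message cannot be replayed to re-activate or probe a certificate.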

Claims (5)

1. An implementation method for activating a device certificate for an intelligent cloud television terminal, characterized in that the method is as follows:
First, a center CA system is deployed. The center CA system consists of a certificate issuing module and is responsible for issuing the secondary CA root of trust to the secondary CA systems (the center-facing secondary terminal device certificate CA system and the manufacturer-facing secondary terminal device certificate CA system) and for managing the life cycle of that root of trust, building a complete certificate trust chain and forming a two-level user management system based on PKI certificates;
Second, based on the secondary CA root of trust issued by the center CA system, each manufacturer deploys its own manufacturer-facing secondary terminal device certificate CA system, which is responsible for activating the device certificates of that manufacturer's intelligent cloud television terminals and lays the foundation for obtaining the terminals' trusted identity identifiers. At the same time, for manufacturers that lack the capability to deploy a secondary intelligent cloud television device certificate CA system, a center-facing secondary terminal device certificate CA system is deployed under the secondary CA root of trust; it is responsible for device certificate activation for such manufacturers and likewise lays the foundation for obtaining the terminals' trusted identity identifiers;
The center-facing secondary terminal device certificate CA system comprises: a center-facing certificate request proxy module, a device identifier query forwarding module, and a center-facing certificate issuing module. The center-facing certificate request proxy module is responsible for establishing the secure channel between the center-facing secondary terminal device certificate CA system and the terminal's built-in security agent module, intercepting the certificate issuance request sent by the security agent module, calling the device identifier query forwarding module to complete device identifier verification, and delivering the device certificate issued by the certificate issuing module. The device identifier query forwarding module is responsible for verifying the validity of the device identifier. The center-facing certificate issuing module is responsible for issuing device certificates to the intelligent cloud television terminals of manufacturers that have not deployed a secondary intelligent cloud television device certificate CA system;
The manufacturer-facing secondary terminal device certificate CA system comprises: a manufacturer-facing certificate request proxy module and a manufacturer-facing certificate issuing module. The manufacturer-facing certificate request proxy module is used to establish the secure channel between the secondary terminal device certificate CA system and the terminal's built-in security agent module, intercept the certificate issuance request sent by the security agent module, call the manufacturer's own internal device identifier query interface to complete verification of its own devices' identifiers, and deliver the device certificate issued by the manufacturer-facing certificate issuing module. The manufacturer-facing certificate issuing module is responsible for issuing device certificates to the manufacturer's own intelligent cloud television terminals;
Third, the security agent module and the cloud TV identification module are pre-installed in the intelligent cloud television terminal, together with the root certificate of the center-facing intelligent television terminal device certificate CA system and the root certificate of the center CA system, so as to complete the terminal's device certificate activation service and obtain a trusted device identifier for the terminal;
The TV identification module exists to prevent counterfeit "shanzhai" devices from copying the security agent module and activating device certificates, and guarantees that the legitimacy of the terminal's device identifier is verified by the manufacturer. The TV identification module: automatically polls whether the terminal is connected to the network; if not, prompts the user to complete the network connection so that the terminal can obtain personalized services; if connected, obtains the terminal's unique device identifier, manufacturer identifier and related hardware information and triggers its own device identifier verification service; completes legitimacy verification of the device identifier through the vendor device recognition interface integrated into the manufacturer portal; and, after the device identifier is verified as legitimate, sends a certificate activation start request to the security agent module;
The security agent module: receives the certificate activation start request and starts the certificate activation service; generates a public/private key pair, generates the certificate issuance request and sends it; establishes the secure channel; receives the device certificate delivered by the manufacturer-facing or center-facing certificate request proxy module, stores it securely, and completes identity authentication based on this certificate;
The root certificate of the center-facing intelligent television terminal device certificate CA system is a secondary root certificate, issued by the center CA system and imported into the secondary CA system; the root certificate of the center CA system is a top-level root certificate, imported into the top-level CA system.
2. The implementation method for activating a device certificate for an intelligent cloud television terminal according to claim 1, characterized in that the certificate activation implementation method of the center-facing secondary terminal device certificate CA system is as follows: when the intelligent cloud television terminal comes online for the first time, its pre-installed, built-in TV identification module is triggered and submits the newly online ter
minal to the manufacturer portal for device identification; after the manufacturer's internal identification passes, the TV identification module triggers the actual online application for the terminal's device certificate by calling the secure connection interface of the terminal's built-in security agent module to the center-facing secondary terminal device certificate CA system; after the device identifier query forwarding interface integrated in the center-facing secondary terminal device certificate CA system and the device identifier query forwarding module complete device identifier verification, the center-facing secondary terminal device certificate CA system issues the terminal's device certificate online and delivers it to the terminal. The device identifier query forwarding interface is responsible for interaction with the device identifier query forwarder and completes the device identifier verification function.
3. The implementation method for activating a device certificate for an intelligent cloud television terminal according to claim 2, characterized in that the concrete implementation of this process is as follows:
(1) When the intelligent cloud television terminal comes online for the first time under the user's operation, its built-in TV identification module automatically polls whether the terminal is connected to the network; if not, it prompts the user to complete the network connection so that the terminal can obtain personalized services; if connected, it obtains the terminal's unique device identifier, manufacturer identifier and related hardware information, and triggers its own device identifier verification service;
(2) The built-in TV identification module completes verification of the device identifier, including the device identifier and the manufacturer identifier, through the vendor device recognition interface integrated into the manufacturer portal; if verification passes, the TV identification module is notified to trigger the certificate activation service; if verification fails, the TV identification module is notified to stop the certificate activation service;
(3) After receiving the certificate activation trigger notification, the built-in TV identification module sends a certificate activation start request, containing the verified device identifier and manufacturer identifier, to the security agent module;
(4) After receiving the certificate activation notification, the built-in security agent module starts the certificate activation service, generates a public/private key pair, and automatically directs access to the center-facing secondary terminal device certificate CA system to trigger the certificate activation service;
(5) Through the built-in security agent module, the terminal establishes a secure channel with this secondary terminal device certificate CA system;
(6) The built-in security agent module sends a certificate issuance request signed with the private key to this secondary intelligent television terminal device certificate CA system;
(7) After obtaining the certificate issuance request, this secondary terminal device certificate CA system extracts the equipment vendor identifier and device identifier from the request and, through its integrated device recognition query forwarding interface, forwards a device identifier matching request to the device identifier query forwarding module;
(8) After receiving the device identifier matching request, the device identifier query forwarding module matches the device identifier against a local device identifier whitelist or through the vendor device recognition interface; if matching fails, it notifies the center-facing secondary terminal device certificate CA system to terminate device certificate issuance, and the security agent module is notified that device identifier verification failed and certificate issuance has failed; if matching succeeds, it notifies the center-facing secondary terminal device certificate CA system to start device certificate issuance;
(9) After receiving the device certificate issuance notification, the center-facing secondary terminal device certificate CA system starts the device certificate issuance service and issues the terminal's device certificate; at the same time it generates a random number and signs it with the private key corresponding to the root certificate of this secondary intelligent cloud television terminal device certificate CA system, and returns the issued device certificate, the random number signature and the random number to the terminal's built-in security agent module;
(10) After receiving the device certificate, random number and random number signature, the built-in security agent module verifies the random number signature using the root certificate of the center-facing secondary terminal device certificate CA system; if verification fails, it refuses to install the device certificate and terminates the device certificate activation service; if verification passes, it installs the device certificate;
(11) Through the built-in security agent module, the terminal signs the random number with the private key corresponding to its own device certificate and sends server verification information for the center-facing secondary terminal device certificate CA system to that CA system;
(12) After receiving the verification information, the center-facing secondary terminal device certificate CA system verifies it; if verification fails, it marks the device certificate as not activated and returns a terminal authentication failure message; if verification passes, it marks the device certificate as activated and returns a terminal authentication success message, and the terminal can then use this device certificate to enjoy personalized services.
4. The implementation method for activating a device certificate for an intelligent cloud television terminal according to claim 1, characterized in that the certificate activation implementation method of the manufacturer-facing secondary terminal device certificate CA system is: when the intelligent cloud television terminal comes online for the first time, its pre-installed, built-in TV identification module is triggered and submits the newly online terminal to the manufacturer portal for device identification; after the manufacturer's internal identification passes, the TV identification module triggers the actual online application for the device certificate by calling the secure connection interface of the terminal's built-in security agent module to the manufacturer-facing secondary terminal device certificate CA system; after device identifier verification is completed inside the manufacturer's own portal through the device identifier query forwarding interface integrated in this CA system, this CA system issues the intelligent cloud television's device certificate online and delivers it to the intelligent cloud television terminal.
5. The implementation method for activating a device certificate for an intelligent cloud television terminal according to claim 4, characterized in that the concrete certificate activation process based on the manufacturer-facing secondary terminal device certificate CA system is:
(1) When the intelligent cloud television terminal comes online for the first time under the user's operation, its built-in TV identification module automatically polls whether the terminal is connected to the network; if not, it prompts the user to complete the network connection so that the terminal can obtain personalized services; if connected, it obtains the terminal's unique device identifier, manufacturer identifier and related hardware information, and triggers its own device identifier verification service;
(2) The built-in TV identification module completes verification of the device identifier through the vendor device recognition interface integrated into the manufacturer portal; if verification passes, the TV identification module is notified to trigger the device certificate activation service; if verification fails, the TV identification module is notified to stop the device certificate activation service;
(3) After receiving the certificate activation trigger notification, the built-in TV identification module sends a device certificate activation start request to the security agent module;
(4) After receiving the device certificate activation notification, the built-in security agent module starts the device certificate activation service, generates a public/private key pair, and automatically directs access to the manufacturer-facing secondary terminal device certificate CA system to trigger the device certificate activation service;
(5) Through the built-in security agent module, the terminal establishes a secure channel with this secondary terminal device certificate CA system;
(6) The built-in security agent module sends a device certificate issuance request signed with the private key to this secondary terminal device certificate CA system;
(7) After the manufacturer's secondary terminal device certificate CA system receives the device certificate issuance request, it extracts the device identifier from the request and, through the device recognition query forwarding interface integrated by the manufacturer, sends a device identifier matching request to the manufacturer's own portal;
(8) After receiving the device identifier matching request, the manufacturer portal matches the device identifier against its local device identifier whitelist; if matching fails, it notifies the manufacturer-facing secondary terminal device certificate CA system to terminate device certificate issuance, and the security agent module is notified that device identifier verification failed and certificate issuance has failed; if matching succeeds, it notifies this secondary terminal device certificate CA system to start device certificate issuance;
(9) After receiving the terminal certificate issuance notification, the manufacturer-facing secondary device certificate CA system starts the device certificate issuance service and issues the terminal's device certificate; at the same time it generates a random number and signs it with the private key corresponding to the root certificate of this secondary device certificate CA system, and returns the issued device certificate, the random number signature and the random number to the terminal's built-in security agent module;
(10) After receiving the device certificate, random number and random number signature, the built-in security agent module verifies the random number signature using the root certificate of the manufacturer-facing secondary device certificate CA system; if verification fails, it refuses to install the certificate and stops the certificate activation service; if verification passes, it installs the device certificate;
(11) Through the built-in security agent module, the terminal signs the random number with the private key corresponding to its own device certificate and sends server verification information for the manufacturer-facing secondary device certificate CA system to that CA system;
(12) After receiving the verification information, the manufacturer-facing secondary device certificate CA system verifies it; if verification fails, it marks the device certificate as not activated and returns a terminal authentication failure message; if verification passes, it marks the device certificate as activated and returns a terminal authentication success message, and the terminal then uses this certificate to enjoy personalized services.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310529585.1A CN103533403B (en) 2013-10-31 2013-10-31 What a kind of device certificate towards smart cloud TV terminal activated realizes method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310529585.1A CN103533403B (en) 2013-10-31 2013-10-31 What a kind of device certificate towards smart cloud TV terminal activated realizes method

Publications (2)

Publication Number Publication Date
CN103533403A true CN103533403A (en) 2014-01-22
CN103533403B CN103533403B (en) 2016-07-06

Family

ID=49935012

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310529585.1A Expired - Fee Related CN103533403B (en) 2013-10-31 2013-10-31 What a kind of device certificate towards smart cloud TV terminal activated realizes method

Country Status (1)

Country Link
CN (1) CN103533403B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20060104147A (en) * 2005-03-29 2006-10-09 주식회사 아이캐시 Electronic payment method and system thereof for cable tv home shopping using smart card
CN101969440A (en) * 2010-10-28 2011-02-09 四川长虹电器股份有限公司 Software certificate generating method
CN102664739A (en) * 2012-04-26 2012-09-12 杜丽萍 PKI (Public Key Infrastructure) implementation method based on safety certificate

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104168113A (en) * 2014-08-07 2014-11-26 河海大学 Certificate-based encryption method and system for n layers of CA structures
CN105391608A (en) * 2015-12-04 2016-03-09 美的集团股份有限公司 Household electrical appliance, network configuration method thereof and household intelligent network box
CN105553938A (en) * 2015-12-04 2016-05-04 美的集团股份有限公司 Household electrical appliance network distribution method, household electrical appliance and household intelligent network box
CN105530250A (en) * 2015-12-09 2016-04-27 美的集团股份有限公司 Authentication activation method and system for household appliance
CN105959299A (en) * 2016-03-23 2016-09-21 四川长虹电器股份有限公司 Method for issuing safety certificate and safety certificate server
CN105959299B (en) * 2016-03-23 2019-05-07 四川长虹电器股份有限公司 A kind of method issuing safety certificate and secure credentials server
US11165767B2 (en) 2017-03-31 2021-11-02 Huawei Technologies Co., Ltd. Identity authentication method and system, server, and terminal
WO2018177143A1 (en) * 2017-03-31 2018-10-04 华为技术有限公司 Identity authentication method and system, server and terminal
CN108667780A (en) * 2017-03-31 2018-10-16 华为技术有限公司 A kind of identity authentication method, system and server and terminal
WO2019129046A1 (en) * 2017-12-27 2019-07-04 国家新闻出版广电总局广播科学研究院 Trust chain establishment method of smart television terminal, and smart television terminal
CN109982150B (en) * 2017-12-27 2020-06-23 国家新闻出版广电总局广播科学研究院 Trust chain establishing method of intelligent television terminal and intelligent television terminal
CN109982150A (en) * 2017-12-27 2019-07-05 国家新闻出版广电总局广播科学研究院 The trust chain method for building up and Intelligent television terminal of Intelligent television terminal
US11303459B2 (en) 2017-12-27 2022-04-12 Academy of Broadcasting Science, National Radio and Television Administration Smart television terminal and method for establishing a trust chain therefor
CN110730151A (en) * 2018-07-16 2020-01-24 上海铠射信息科技有限公司 Novel method for authorizing use of terminal digital certificate
CN112532390A (en) * 2019-08-30 2021-03-19 华为技术有限公司 Method and device for loading certificate of digital certificate certification authority
CN112532390B (en) * 2019-08-30 2022-05-10 华为技术有限公司 Method and device for loading certificate of digital certificate certification authority
WO2022170821A1 (en) * 2021-02-10 2022-08-18 华为技术有限公司 Service certificate management method and apparatus, system, and electronic device

Also Published As

Publication number Publication date
CN103533403B (en) 2016-07-06

Similar Documents

Publication Publication Date Title
CN103533403A (en) Equipment certificate activating method for smart cloud TV terminal
CN106411528B (en) Lightweight authentication key negotiation method based on implicit certificate
EP3699019A1 (en) Electric car charging method and system using certificate-based management
CN101951603B (en) Access control method and system for wireless local area network
CN106685664B (en) Power equipment safety control system and method under internet
CN108990060B (en) Certificate distribution system and method of base station equipment
WO2015169126A1 (en) Certificate acquisition method and device
CN105635062B (en) The verification method and device of network access equipment
CN104283886A (en) Web safety access implementation method based on intelligent terminal local authentication
CN101753354A (en) Method for realizing the automatic configuration of network camera and monitoring system
CN110035071A (en) Remote two-factor mutual authentication method, client and server for industrial control systems
US20080150753A1 (en) Secure Data Transfer In A Communication System Including Portable Meters
CN103532713A (en) Sensor authentication and sharing key generating method, sensor authentication and sharing key generating system and sensor
CN110381075B (en) Block chain-based equipment identity authentication method and device
KR20080104594A (en) Online certificate verification apparatus and method for offline device
US20120137129A1 (en) Method for issuing a digital certificate by a certification authority, arrangement for performing the method, and computer system of a certification authority
CN111431840B (en) Security processing method and device, computer equipment and readable storage medium
CN102984045A (en) Access method of Virtual Private Network and Virtual Private Network client
CN108234119B (en) Digital certificate management method and platform
CN103905209A (en) Mutual authentication method based on NTRUSign passive optical network access
KR101491553B1 (en) Secure SmartGrid Communication System and Method using DMS based on Certification
US11228453B2 (en) Secure provisioning of electronic lock controllers
CN209882108U (en) Device for mobile phone terminal to safely access information network
CN108401493B (en) Method for transmitting key, receiving terminal and distributing terminal
CN115086085B (en) New energy platform terminal security access authentication method and system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
Granted publication date: 20160706
Termination date: 20181031