CN103905448B - Entity authentication method for camera and recording devices for urban security - Google Patents

Entity authentication method for camera and recording devices for urban security

Info

Publication number
CN103905448B
Authority
CN
China
Prior art keywords
nvr
certificate
terminal
field
signature
Legal status
Active
Application number
CN201410130070.9A
Other languages
Chinese (zh)
Other versions
CN103905448A (en)
Inventor
姚尧
吕世超
芦翔
潘磊
周新运
孙利民
孙兆曙
Current Assignee
Jiangsu Cas Internet Of Things Technology Venture Capital Co ltd
Original Assignee
Jiangsu IoT Research and Development Center
Application filed by Jiangsu IoT Research and Development Center
Priority to CN201410130070.9A
Publication of CN103905448A
Application granted
Publication of CN103905448B

Abstract

The present invention provides an entity authentication method for camera and recording devices for urban security, comprising the following steps: the NVR encapsulates an M1 authentication activation packet and sends it to the terminal; after receiving the M1 authentication activation packet, the terminal processes it, encapsulates an M2 access authentication request packet and sends it to the NVR; after receiving the M2 access authentication request packet, the NVR processes it, encapsulates an M3 certificate verification request packet and sends it to the authentication server; after receiving the M3 certificate verification request packet, the authentication server processes it, encapsulates an M4 certificate verification response packet and sends it to the NVR; after receiving the M4 certificate verification response packet, the NVR processes it, encapsulates an M5 access authentication response packet and sends it to the terminal; the terminal performs further processing after receiving the M5 access authentication response packet sent by the NVR. The invention protects the secure communication between communication entities in a security system.

Description

Entity authentication method for camera and recording devices for urban security
Technical field
The present invention relates to an authentication method, in particular an authentication method for an urban security system.
Background
Public safety is the cornerstone of national security and social stability. It is the basic guarantee for preventing and responding to major incidents, accidents and disasters, for protecting people's lives and property, and for reducing social harm and economic loss, and it is an important part of the government's strengthening of social management and public services. With the succession of public security incidents, the public's demand for safety has grown ever stronger. Building a more secure urban hardware environment and strengthening the ability to react and coordinate in security matters is therefore urgently needed to respond to violent terrorist attacks. Security technology and products thus play an increasingly important role. Today the urban security industry has gradually developed into an industry closely related to the social economy and people's lives. As safe-city construction advances across the board, the cities, communities and rural areas we live in are quietly changing. Intelligent burglar alarms and intelligent video surveillance are increasingly widely used to safeguard our lives, property, homes, networks and public places.
However, security problems in the transmission, exchange and control of information in networked video surveillance systems for security have not been sufficiently considered, and a corresponding authentication and key generation scheme is lacking. The following problems exist:
An illegitimate camera forges bad or false video and sends it to the video storage device;
An illegitimate client receives video from an illegitimate video storage device;
An illegitimate camera that forges bad or false video and sends it to the video storage device may cause legitimate clients to obtain wrong video, and the video storage device may also waste space or even produce errors because it stores invalid video.
An illegitimate client receiving video from an illegitimate video storage device may result in false or invalid video being obtained.
Summary of the invention
The purpose of the present invention is to overcome the deficiencies of the prior art and provide an entity authentication method for camera and recording devices for urban security, so as to protect the secure communication between communication entities in a security system. The technical solution adopted by the present invention is:
An entity authentication method for camera and recording devices for urban security, comprising the following steps:
Step one: the NVR encapsulates an M1 authentication activation packet and sends it to the terminal. The M1 authentication activation packet includes the following fields: the packet identifier field in M1, the authentication identifier field in M1, the NVR random number in M1, the authentication activation time, the identity field of the local authentication server in M1, the ECDH curve parameter field in M1, the NVR certificate field in M1, and the NVR signature field in M1; wherein:
If the lowest bit of the packet identifier field in M1 is 1, the authentication identifier field in M1 is generated with the following algorithm: auth_id1 = SHA256(n_NVR ⊕ Time_active); if the lowest bit of the packet identifier field in M1 is 0, the value of the authentication identifier field in M1 is the authentication identifier negotiated in the previous authentication process;
The NVR random number n_NVR in M1 is generated by the NVR using a random number generation algorithm; Time_active denotes the authentication activation time;
The identity field of the local authentication server indicates the authentication server that the NVR trusts; its content is the account of the authentication server;
The NVR certificate field in M1 contains the certificate of the NVR;
The NVR signature field in M1 is a signature over all data fields of the M1 packet other than this field;
Step two: after receiving the M1 authentication activation packet, the terminal processes it, encapsulates an M2 access authentication request packet and then sends the M2 packet to the NVR; specifically:
2-1. After receiving the M1 authentication activation packet, the terminal stores the NVR's certificate, extracts the NVR certificate public key from it, and uses that key to verify the NVR signature in the received M1 packet; if verification succeeds it proceeds to step 2-2, otherwise it tears down the link between the terminal and the NVR;
2-2. The terminal compares the authentication activation time in the M1 packet with its own system time; if the two are within an acceptable time range it proceeds to step 2-3, otherwise it tears down the link between the terminal and the NVR;
2-3. The terminal examines the identity field of the local authentication server in the M1 packet and checks whether the authentication server account in that field is the authentication server it wants to connect to; if so it proceeds to step 2-4, otherwise it tears down the link between the terminal and the NVR;
2-4. From the NVR random number n_NVR and the authentication activation time Time_active in the received M1 packet, the terminal computes the authentication identifier field for M2 using the same method as in M1 and compares it with the authentication identifier field in M1; if they match it proceeds to step 2-5, otherwise it tears down the link between the terminal and the NVR;
2-5. The terminal generates the terminal random number n_Terminal and, according to the ECDH curve parameters in the M1 packet, uses the ECDH algorithm to generate the terminal's temporary private key x and temporary public key xP, taking the terminal temporary public key xP as the terminal key data keydata_Terminal;
2-6. The terminal encapsulates the M2 access authentication request packet and sends it to the NVR. The M2 access authentication request packet includes the following fields: the packet identifier field in M2, the authentication identifier field in M2, the terminal random number in M2, the terminal key data in M2, the NVR random number in M2, the NVR identity field in M2, the ECDH curve parameter field in M2, the terminal certificate field in M2, and the terminal signature field in M2; wherein:
The authentication identifier field value in M2 is identical to the authentication identifier field value in M1;
The terminal random number n_Terminal in M2 is generated by the terminal using a random number generation algorithm;
The content of the terminal key data in M2 is the terminal temporary public key xP generated by the terminal for the ECDH exchange;
The NVR random number in M2 is consistent with the NVR random number in the M1 packet;
The content of the NVR identity field in M2 is the account ID_NVR of the NVR;
The ECDH curve parameter field in M2 is identical to the ECDH curve parameter field in the M1 packet;
The terminal certificate field in M2 contains the certificate of the terminal;
The terminal signature field in M2 is a signature over all data fields of the M2 packet other than this field;
Step three: after receiving the M2 access authentication request packet, the NVR processes it, encapsulates an M3 certificate verification request packet and then sends the M3 packet to the authentication server; specifically:
3-1. After receiving the M2 access authentication request packet, the NVR stores the terminal's certificate, extracts the terminal certificate public key from it, and uses that key to verify the terminal signature in the received M2 packet; if verification succeeds it proceeds to step 3-2, otherwise it tears down the link between the terminal and the NVR;
3-2. The NVR checks whether the content of the NVR identity field in M2 is its own account; if so it proceeds to step 3-3, otherwise it tears down the link between the terminal and the NVR;
3-3. The NVR checks whether the NVR random number in M2 is consistent with the one in M1; if so it proceeds to step 3-4, otherwise it tears down the link between the terminal and the NVR;
3-4. The NVR encapsulates the M3 certificate verification request packet and sends it to the authentication server. The M3 certificate verification request packet includes the following fields:
The IP address index field in M3, the terminal random number in M3, the NVR random number in M3, the terminal certificate field in M3, the NVR certificate field in M3, and the NVR signature field in M3; wherein:
The IP address index field in M3 consists of the terminal's IP address || the NVR's IP address;
The terminal random number in M3 is consistent with the terminal random number in M2;
The NVR random number in M3 is consistent with the NVR random number in M2;
The terminal certificate field in M3 is consistent with the terminal certificate field in M2;
The NVR certificate field in M3 is consistent with the NVR certificate field in M1;
The NVR signature field in M3 is a signature over all data fields of the M3 packet other than this field;
Step four: after receiving the M3 certificate verification request packet, the authentication server processes it, encapsulates an M4 certificate verification response packet and then sends the M4 packet to the NVR; specifically:
4-1. After receiving the M3 certificate verification request packet, the authentication server stores the NVR's certificate, extracts the NVR certificate public key from it and verifies the NVR signature in the M3 packet; if verification succeeds it proceeds to step 4-2, otherwise it tears down the link between the NVR and the authentication server;
4-2. The authentication server verifies the terminal certificate and the NVR certificate, generates the two corresponding certificate verification results, and signs the certificate verification result field with its own private key;
4-3. The authentication server encapsulates the M4 certificate verification response packet and sends it to the NVR. The M4 certificate verification response packet includes the following fields: the IP address index field in M4, the certificate verification result field in M4, the authentication server's signature field over the certificate verification result field, and the authentication server's signature field over the M4 packet;
The value of the IP address index field in M4 is identical to the value of the IP address index field in the M3 certificate verification request packet;
The certificate verification result field in M4 contains two one-time random numbers: the first is identical to the terminal random number in the M3 certificate verification request packet, and the second is identical to the NVR random number in the M3 certificate verification request packet. The certificate verification result field in M4 also contains two certificate verification results: the first corresponds to the terminal certificate in the M3 certificate verification request packet, and the second corresponds to the NVR certificate in the M3 certificate verification request packet;
The authentication server's signature field over the certificate verification result field in M4 contains the authentication server's separate signature over the certificate verification result field;
The authentication server's signature field over the M4 packet is a signature over all data fields of the M4 packet other than this field;
Step five: after receiving the M4 certificate verification response packet, the NVR processes it, encapsulates an M5 access authentication response packet and then sends the M5 packet to the terminal; specifically:
5-1. The NVR holds the authentication server's certificate before authentication. After receiving the M4 certificate verification response packet, it extracts the authentication server certificate public key from the authentication server's certificate and verifies the authentication server's signature over the M4 packet; if verification succeeds it proceeds to step 5-2, otherwise it tears down the link between the NVR and the authentication server;
5-2. The NVR verifies whether the terminal random number and the NVR random number in M4 are correct; if so it proceeds to step 5-3, otherwise it tears down the link between the NVR and the authentication server;
5-3. The NVR extracts from M4 the certificate verification result field and the authentication server's signature field over the certificate verification result field. It first verifies that signature with the authentication server certificate public key, then decides from the terminal's certificate verification result whether to allow the terminal to access and register; if the terminal is allowed to access and register, it proceeds to step 5-4; otherwise the terminal is not allowed to access and register, and the NVR disconnects the link between the NVR and the terminal;
5-4. According to the ECDH curve parameters in the M1 packet, the NVR uses the ECDH algorithm to generate the NVR's temporary private key y and temporary public key yP, taking the NVR temporary public key yP as the NVR key data keydata_NVR; the NVR generates the access result for the terminal and then proceeds to step 5-5;
5-5. The NVR runs the ECDH algorithm and computes the NVR-side master key from the NVR temporary private key y and the terminal temporary public key xP;
5-6. The NVR encapsulates the M5 access authentication response packet and sends it to the terminal. The M5 access authentication response packet includes the following fields: the packet identifier field in M5, the authentication identifier field in M5, the terminal random number in M5, the NVR random number in M5, the NVR key data in M5, the access result field in M5, the certificate verification result field in M5, the authentication server's signature field over the certificate verification result field in M5, and the NVR signature field in M5; wherein:
The authentication identifier field value in M5 is identical to the authentication identifier field value in the M1 authentication activation packet and the M2 access authentication request packet;
The terminal random number in M5 is consistent with the terminal random number in the M2 packet;
The NVR random number in M5 is consistent with the NVR random number in the M1 and M2 packets;
The NVR key data in M5 is the NVR temporary public key yP generated by the NVR for the ECDH exchange;
The access result field in M5 indicates whether the terminal is allowed to access;
The certificate verification result field in M5 is consistent with the certificate verification result field in M4;
The authentication server's signature field over the certificate verification result field in M5 is consistent with the authentication server's signature field over the certificate verification result field in M4;
The NVR signature field in M5 is a signature over all data fields of the M5 packet other than this field;
Step six: the terminal performs further processing after receiving the M5 access authentication response packet sent by the NVR; the processing flow is as follows:
6-1. The terminal verifies the NVR signature in the M5 packet using the NVR certificate public key; if verification succeeds it proceeds to step 6-2, otherwise it tears down the link between the terminal and the NVR;
6-2. The terminal verifies whether the terminal random number, the NVR random number and the authentication identifier field in M5 are consistent with the corresponding fields in the M2 packet; if so it proceeds to step 6-3, otherwise it tears down the link between the terminal and the NVR;
6-3. The terminal extracts the certificate verification result field in M5 and the authentication server's signature field over the certificate verification result field in M5. The terminal also holds the authentication server's certificate; it extracts the authentication server certificate public key from that certificate and verifies the authentication server's signature over the certificate verification result field in M5; if verification succeeds it proceeds to step 6-4, otherwise it tears down the link between the terminal and the NVR;
6-4. The terminal checks the NVR's certificate verification result in the certificate verification result field of M5 and checks the access result field in M5; if the NVR's certificate verification result is correct and the terminal's access result is also "allowed", the terminal runs the ECDH algorithm and computes the terminal-side master key from the terminal temporary private key x and the NVR temporary public key yP.
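The key agreement of steps 2-5, 5-4, 5-5 and 6-4, as an added example that is not part of the patent text: both sides derive the same key seed, the x-coordinate of xyP, and reject the point at infinity. It runs on a constructed toy curve over F_17 rather than the curve named by the OID in M1, all function names are hypothetical, and the on-curve check on the peer's temporary public key is an addition beyond what the text states.

```python
import secrets

# Toy curve y^2 = x^3 + 2x + 2 over F_17 with base point P = (5, 1) of prime order n = 19.
# Constructed teaching parameters, NOT the domain parameters referenced by the patent's OID.
P_MOD, A, B = 17, 2, 2
BASE = (5, 1)
ORDER = 19
INFINITY = None  # representation of the point at infinity


def on_curve(pt):
    """True if pt is a finite point satisfying the curve equation."""
    if pt is INFINITY:
        return False
    x, y = pt
    in_field = 0 <= x < P_MOD and 0 <= y < P_MOD
    return in_field and (y * y - (x * x * x + A * x + B)) % P_MOD == 0


def add(p1, p2):
    """Elliptic-curve point addition in affine coordinates."""
    if p1 is INFINITY:
        return p2
    if p2 is INFINITY:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INFINITY  # p2 is the negative of p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul(k, pt):
    """Scalar multiplication k*pt by double-and-add."""
    result, addend = INFINITY, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def temp_keypair(private=None):
    """Temporary private key in [1, n-1] and the matching temporary public key."""
    k = secrets.randbelow(ORDER - 1) + 1 if private is None else private
    if not 1 <= k <= ORDER - 1:
        raise ValueError("temporary private key must lie in [1, n-1]")
    return k, mul(k, BASE)


def key_seed(own_private, peer_public):
    """x-coordinate of own_private * peer_public, i.e. the abscissa of xyP."""
    if not on_curve(peer_public):
        raise ValueError("peer temporary public key is not a point on the curve")
    shared = mul(own_private, peer_public)
    if shared is INFINITY:
        raise ValueError("shared point is the point at infinity")
    return shared[0]


if __name__ == "__main__":
    x, xP = temp_keypair()   # terminal, step 2-5: xP travels in M2
    y, yP = temp_keypair()   # NVR, step 5-4: yP travels in M5
    nvr_side = key_seed(y, xP)        # step 5-5
    terminal_side = key_seed(x, yP)   # step 6-4
    print("seeds match:", nvr_side == terminal_side)
```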
The present invention designs a three-element peer authentication architecture that uses an entity authentication mechanism with an online trusted third party and achieves mutual identity authentication between entities through five message transfers. It effectively prevents terminals that do not meet security requirements from accessing the NVR, and also prevents terminals from accessing an NVR that does not meet security requirements.
Description of the drawings
Fig. 1 is a schematic diagram of a video surveillance network for urban security.
Fig. 2 is a reference diagram of the authentication process of the present invention.
Detailed description
The invention is further described below with reference to the drawings and embodiments.
Fig. 1 shows a video surveillance network for urban security. The network elements are explained as follows:
1) Network camera (IP Camera): also called an IP camera; it has functions such as registration and authentication, and capturing/encoding and transmitting audio and video streams.
2) Video client (Video Client): has functions such as registration and authentication, receiving and playing in real time, and replaying historical audio and video streams.
3) NVR: network video recorder (Network Video Recorder), also a streaming media server. It provides forwarding of real-time media streams, and media storage, historical media retrieval and on-demand services. The streaming media server receives media data from cameras or other media servers and, according to instructions, forwards the data to one or more clients or other media servers.
4) Authentication server (Access Server): responsible for registering the devices in the authentication domain and for providing an interface to communicate with the application server. It provides digital certificate issuance and authentication functions.
The authentication process by which a terminal such as an IP camera or client accesses the NVR is shown in Fig. 2. In Fig. 2, before the authentication protocol runs, the terminal stores (1) the terminal's own terminal certificate, which contains the terminal certificate public key, and (2) the terminal private key matching the terminal certificate public key. The NVR stores (1) the NVR's own NVR certificate, which contains the NVR certificate public key, and (2) the NVR private key matching the NVR certificate public key. Both the terminal and the NVR hold the authentication server's certificate.
The entity authentication method for camera and recording devices for urban security proposed by the present invention proceeds as follows:
Step one: the NVR encapsulates an M1 authentication activation packet and sends it to the terminal. The format of the data fields of the M1 authentication activation packet is as follows:
Wherein:
The packet identifier field in M1 is 1 byte long and distinguishes different packet types;
The authentication identifier field in M1 is 32 bytes long. If the lowest bit of the packet identifier field in M1 (i.e. the base key update flag) is 1, this indicates a registration authentication process, and the authentication identifier field in M1 is generated with the following algorithm: auth_id1 = SHA256(n_NVR ⊕ Time_active); SHA256 is one of the SHA algorithms, and ⊕ denotes the XOR operation. If the lowest bit of the packet identifier field in M1 (the base key update flag) is 0, this indicates that it is not the first authentication process but a cancellation operation; in that case the value of the authentication identifier field in M1 is the authentication identifier negotiated in the previous authentication process;
The NVR random number n_NVR in M1 is a 32-byte random number generated by the NVR using a random number generation algorithm;
The authentication activation time Time_active is also 32 bytes;
The identity field of the local authentication server indicates the authentication server that the NVR trusts; its content is the account of the authentication server;
The ECDH curve parameter field in M1 consists of a parameter identifier, a parameter length and the parameter content. ECDH is the DH (Diffie-Hellman) key exchange algorithm based on ECC (Elliptic Curve Cryptosystems).
The parameter identifier field is 1 byte long; in the present invention the parameter identifier value is 1 (a specific value);
The parameter length field is 2 bytes and gives the number of bytes in the parameter content field;
The value of the parameter content field is defined as follows:
When the parameter identifier is 1, the parameter content is an OID encoded value; this specification uses the value 1.2.156.11235.1.1.2.1, encoded in ASN.1/DER. The OID encoded value denotes the ECC domain parameters approved by the State Cryptography Administration. OID is short for Object Identifier.
Other values of the parameter identifier are reserved.
The NVR certificate field in M1 carries the certificate of the NVR entity and contains the NVR's certificate. The NVR certificate is already present on the NVR's hard disk before the authentication protocol starts, and its file name is the NVR's account.
The NVR signature field in M1 is a signature over all data fields of the M1 packet other than this field (the NVR signature field).
Step two: after receiving the M1 authentication activation packet, the terminal processes it, encapsulates an M2 access authentication request packet and then sends the M2 packet to the NVR; specifically:
2-1. After receiving the M1 authentication activation packet, the terminal stores the NVR's certificate, extracts the NVR certificate public key from it, and uses that key to verify the NVR signature in the received M1 packet; if verification succeeds it proceeds to step 2-2, otherwise it tears down the link between the terminal and the NVR;
2-2. The terminal compares the authentication activation time in the M1 packet with its own system time; if the two are within an acceptable time range (for example 120 seconds) it proceeds to step 2-3, otherwise it tears down the link between the terminal and the NVR;
2-3. The terminal examines the identity field of the local authentication server in the M1 packet and checks whether the authentication server account in that field is the authentication server it wants to connect to; if so it proceeds to step 2-4, otherwise it tears down the link between the terminal and the NVR;
2-4. From the NVR random number n_NVR and the authentication activation time Time_active in the received M1 packet, the terminal computes the authentication identifier field for M2 with the following formula: auth_id2 = SHA256(n_NVR ⊕ Time_active); it compares the result with the authentication identifier field in M1; if they match it proceeds to step 2-5, otherwise it tears down the link between the terminal and the NVR;
2-5. The terminal generates the terminal random number n_Terminal and, according to the ECDH curve parameters in the M1 packet, uses the ECDH algorithm to generate the terminal's temporary private key x and temporary public key xP, taking the terminal temporary public key xP as the terminal key data keydata_Terminal;
The ECDH algorithm is explained as follows:
The terminal's temporary private key x is an integer in [1..n-1], where n is the order of the base point P in the elliptic curve domain parameters and is required to be a prime.
The terminal's temporary public key xP is a point on the elliptic curve defined by the elliptic curve domain parameters. P is a generator of the order-n elliptic curve group.
The key seed negotiated by ECDH, (xyP)_abscissa, is the x-coordinate of xyP; xyP must not be the point at infinity. The NVR's temporary private key y is introduced in a later step.
2-6. The terminal encapsulates the M2 access authentication request packet and sends it to the NVR. The format of the data fields of the M2 access authentication request packet is as follows:
The packet identifier field in M2 is 1 byte long and distinguishes different packet types;
The authentication identifier field in M2 is 32 bytes long; its value is identical to the authentication identifier field value in M1;
The terminal random number n_Terminal in M2 is 32 bytes long and is generated by the terminal using a random number generation algorithm;
The terminal key data in M2 has the format defined above; its content is the terminal temporary public key xP generated by the terminal for the ECDH exchange;
The NVR random number in M2 is 32 bytes long; this field must be consistent with the NVR random number in the M1 packet;
The NVR identity field in M2: the account ID_NVR of the NVR;
The ECDH curve parameter field in M2 is identical to the ECDH curve parameter field in the M1 packet;
The terminal certificate field in M2 carries the terminal certificate of the terminal entity and contains the terminal's certificate. The terminal certificate is already present on the terminal's hard disk before the authentication protocol starts, and its file name is the terminal's account.
The terminal signature field in M2 is a signature over all data fields of the M2 packet other than this field (the terminal signature field).
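The terminal-side checks on M1 from steps 2-1 to 2-4 (also listed in the summary above), as an added example that is not part of the patent text. The dictionary field names, the encoding of Time_active as big-endian Unix seconds padded to 32 bytes, and comparing against a stored identifier when the lowest bit is 0 are assumptions; signature verification is passed in as a callable because the text does not name the signature algorithm.

```python
import hashlib
import hmac

FIELD_LEN = 32          # text: n_NVR, Time_active and the authentication identifier are 32 bytes
MAX_SKEW_SECONDS = 120  # the text's example of an acceptable time range


def encode_time(unix_seconds: int) -> bytes:
    """Assumed encoding of Time_active: big-endian Unix seconds padded to 32 bytes."""
    return unix_seconds.to_bytes(FIELD_LEN, "big")


def auth_id(n_nvr: bytes, time_active: bytes) -> bytes:
    """auth_id = SHA256(n_NVR XOR Time_active), the formula given for M1 and M2."""
    if len(n_nvr) != FIELD_LEN or len(time_active) != FIELD_LEN:
        raise ValueError("n_NVR and Time_active must both be 32 bytes")
    xored = bytes(a ^ b for a, b in zip(n_nvr, time_active))
    return hashlib.sha256(xored).digest()


def check_m1(m1, now, wanted_server, verify_signature, previous_auth_id=None):
    """Run steps 2-1..2-4 in order; return "ok" or the reason for dropping the link."""
    # 2-1: NVR signature over every field except the signature field itself.
    if not verify_signature(m1):
        return "NVR signature invalid"
    # 2-2: freshness of the activation time against the terminal's own clock.
    activated = int.from_bytes(m1["time_active"], "big")
    if abs(now - activated) > MAX_SKEW_SECONDS:
        return "activation time outside acceptable range"
    # 2-3: the NVR must name the authentication server this terminal intends to use.
    if m1["as_identity"] != wanted_server:
        return "unexpected authentication server"
    # 2-4: recompute the identifier; lowest bit 1 means it is derived from this packet.
    if m1["packet_id"] & 1:
        expected = auth_id(m1["n_nvr"], m1["time_active"])
    elif previous_auth_id is not None:
        expected = previous_auth_id  # assumption: compare with the stored earlier identifier
    else:
        return "no previous authentication identifier"
    if not hmac.compare_digest(expected, m1["auth_id"]):
        return "authentication identifier mismatch"
    return "ok"


def sample_m1(now: int) -> dict:
    """Constructed M1 for the example; every value here is made up."""
    n_nvr = bytes(range(FIELD_LEN))
    time_active = encode_time(now)
    return {
        "packet_id": 0x01,
        "auth_id": auth_id(n_nvr, time_active),
        "n_nvr": n_nvr,
        "time_active": time_active,
        "as_identity": "as-01.example",
        "nvr_signature": b"<constructed placeholder>",
    }


if __name__ == "__main__":
    now = 1_700_000_000
    accept_all = lambda packet: True  # stand-in for real signature verification
    m1 = sample_m1(now)
    print(check_m1(m1, now, "as-01.example", accept_all))
    print(check_m1(m1, now + 600, "as-01.example", accept_all))
```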
Step three: after receiving the M2 access authentication request packet, the NVR processes it, encapsulates an M3 certificate verification request packet and then sends the M3 packet to the authentication server; specifically:
3-1. After receiving the M2 access authentication request packet, the NVR stores the terminal's certificate, extracts the terminal certificate public key from it, and uses that key to verify the terminal signature in the received M2 packet; if verification succeeds it proceeds to step 3-2, otherwise it tears down the link between the terminal and the NVR;
3-2. The NVR checks whether the content of the NVR identity field in M2 is its own account; if so it proceeds to step 3-3, otherwise it tears down the link between the terminal and the NVR;
3-3. The NVR checks whether the NVR random number in M2 is consistent with the one in M1; if so it proceeds to step 3-4, otherwise it tears down the link between the terminal and the NVR;
3-4. The NVR encapsulates the M3 certificate verification request packet and sends it to the authentication server. The format of the data fields of the M3 certificate verification request packet is as follows:
Wherein:
The IP address index field in M3 is 12 bytes long and consists of the terminal's IP address || the NVR's IP address;
The terminal random number in M3 is consistent with the terminal random number in M2;
The NVR random number in M3 is consistent with the NVR random number in M2;
The terminal certificate field in M3 is consistent with the terminal certificate field in M2;
The NVR certificate field in M3 is consistent with the NVR certificate field in M1;
The NVR signature field in M3 is a signature over all data fields of the M3 packet other than this field (the NVR signature field).
Step 4, certificate server are processed after M3 certificate verifications request packet is received, and encapsulate a M4 certificate Authentication response is grouped, and M4 is sent packets to NVR then;Specifically include:
After 4-1. certificate servers receive M3 certificate verifications request packet, the certificate of NVR is preserved, is carried from the certificate of NVR Take NVR CertPubKeys to verify the NVR signatures in M3 packets, step 4-2 is carried out if being verified, otherwise NVR is released and is recognized Link between card server;
4-2. certificate servers verify terminal certificate and NVR certificates, generate two corresponding certificate verification results, and use The private key of oneself signs certificate verification result field;
4-3. certificate servers encapsulate M4 certificate verifications respond packet and are sent to NVR;M4 certificate verification respond packets The form of data field is as follows:
Wherein:
The IP address index field in M4 is 12 bytes long and consists of the IP address of the terminal || the IP address of the NVR; its value is the same as that of the IP address index field in the M3 certificate verification request packet;
The certificate verification result field in M4 is represented using the certificate verification result attribute. It contains two one-time random numbers: the first is identical to the terminal random number (n_Terminal) in the M3 certificate verification request packet, and the second is identical to the NVR random number (n_NVR) in the M3 certificate verification request packet. It also contains two certificate verification results: the first corresponds to the terminal certificate in the M3 certificate verification request packet, and the second to the NVR certificate in the M3 certificate verification request packet. The certificate verification result (1 byte) is defined as follows:
0 indicates that the certificate is valid;
1 indicates that the issuer of the certificate is unclear;
2 indicates that the certificate is based on an untrusted root certificate;
3 indicates that the certificate is not yet valid or has expired;
4 indicates a signature error;
5 indicates that the certificate has been revoked;
6 indicates that the certificate is not being used for its prescribed purpose;
7 indicates that the certificate's revocation status is unknown;
8 indicates a certificate error whose reason is unknown;
Other values are reserved.
The general format (Type-Length-Value) of the certificate verification result is as follows:
Note: the unit in brackets is the number of octets.
The certificate server's signature field over the certificate verification result field in M4 contains the certificate server's signature over the certificate verification result field alone;
The certificate server's signature field over the M4 packet is the signature over all data fields of the M4 packet other than this field.
Step 5: after receiving the M4 certificate verification response packet, the NVR processes it, encapsulates an M5 access authentication response packet, and then sends M5 to the terminal. Specifically:
5-1. The NVR holds the certificate server's certificate before authentication begins. After receiving the M4 certificate verification response packet, it extracts the certificate server's certificate public key from that certificate and verifies the certificate server's signature over the M4 packet; if verification succeeds it proceeds to step 5-2, otherwise it releases the connection between the NVR and the certificate server;
5-2. The NVR verifies whether the terminal random number and the NVR random number in M4 are correct; if so it proceeds to step 5-3, otherwise it releases the connection between the NVR and the certificate server;
5-3. The NVR extracts from M4 the certificate verification result field and the certificate server's signature field over the certificate verification result field. It first verifies that signature with the certificate server's certificate public key, then checks the terminal's certificate verification result to decide whether to allow the terminal to access and register. If the terminal is allowed, it proceeds to step 5-4; otherwise it disconnects the link between the NVR and the terminal;
5-4. Using the ECDH algorithm and the ECDH curve parameters in the M1 packet, the NVR generates its temporary private key y and temporary public key yP, and uses the temporary public key yP as the NVR key data keydata_NVR. The NVR generates the terminal's access result and then proceeds to step 5-5;
The ECDH algorithm is explained as follows:
The NVR's temporary private key y is an integer in [1..n-1], where n is the order of the base point P in the elliptic curve domain parameters and is required to be prime.
The NVR's temporary public key yP is a point on the elliptic curve defined by the elliptic curve domain parameters. P is the generator, of order n, of the elliptic curve over Fn.
The key seed negotiated by ECDH, (xyP)_abscissa, is the x-coordinate of xyP; xyP must not be the point at infinity.
Step 5-5. The NVR runs the ECDH algorithm and computes the NVR-side master key from the NVR temporary private key y and the terminal temporary public key xP (which the terminal previously sent to the NVR in M2);
Step 5-6. The NVR encapsulates the M5 access authentication response packet and sends it to the terminal. The format of the data field of the M5 access authentication response packet is as follows:
Wherein:
The group character field in M5 is 1 byte long and is used to distinguish different packet types;
The certification identification field in M5 is 32 bytes long; its value should be identical to the certification identification field values in the M1 certification activation packet and the M2 access authentication request packet;
The terminal random number in M5 is consistent with the terminal random number in the M2 packet;
The terminal key data in M5 is the terminal temporary public key xP generated by the terminal for the ECDH exchange, and is consistent with that field in the M2 packet;
The NVR random number in M5 is consistent with the NVR random number in the M1 and M2 packets;
The NVR key data in M5 is the NVR temporary public key yP generated by the NVR for the ECDH exchange;
The access result field in M5 is 1 byte long and indicates whether the terminal is allowed to access; its meaning is as follows:
0 indicates that access is allowed; the terminal's certificate verification result value is 0;
1 indicates that the certificate cannot be verified; the terminal's certificate verification result value is 1;
2 indicates a certificate error; the terminal's certificate verification result is any value other than 0 and 1;
3 indicates that local policy forbids access;
Other values are reserved.
The certificate verification result field in M5 is consistent with the certificate verification result field in M4;
The certificate server's signature field over the certificate verification result field in M5 is consistent with the certificate server's signature field over the certificate verification result field in M4;
The NVR signature field in M5 is the signature over all data fields of the M5 packet other than this field (the NVR signature field).
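The NVR's handling of M4 in steps 5-1 to 5-3, and the mapping from the terminal's certificate verification result to the M5 access result, written out as an added example that is not code from the patent. The flat layout of the result field, the 32-byte length of both random numbers, consulting local policy only for a valid certificate, and the HMAC-based `demo_sign`/`demo_verify` stand-in for the certificate server's signature are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

NONCE_LEN = 32        # assumption: both one-time random numbers are 32 bytes
IP_INDEX_LEN = 12     # from the page: terminal IP || NVR IP
MAX_CERT_RESULT = 8   # 0..8 are defined on the page; other values are reserved

# M5 access result values as listed on the page.
ACCESS_ALLOWED = 0
ACCESS_CANNOT_VERIFY = 1
ACCESS_CERT_ERROR = 2
ACCESS_POLICY_FORBIDDEN = 3


class AuthFailure(Exception):
    """A check in steps 5-1..5-3 failed; the caller releases the connection."""


@dataclass(frozen=True)
class M4:
    ip_index: bytes      # IP address index field
    result_field: bytes  # certificate verification result field
    result_sig: bytes    # server signature over result_field alone
    packet_sig: bytes    # server signature over all other M4 fields


def parse_result_field(field):
    """Return (n_terminal, n_nvr, terminal_result, nvr_result).

    Assumed layout: nonce || nonce || 1-byte result || 1-byte result.
    """
    if len(field) != 2 * NONCE_LEN + 2:
        raise AuthFailure("result field has unexpected length")
    terminal_result, nvr_result = field[-2], field[-1]
    if max(terminal_result, nvr_result) > MAX_CERT_RESULT:
        raise AuthFailure("reserved certificate verification result value")
    return field[:NONCE_LEN], field[NONCE_LEN:2 * NONCE_LEN], terminal_result, nvr_result


def access_result(terminal_cert_result, policy_allows=True):
    """Map the terminal's certificate verification result to the M5 access result."""
    if terminal_cert_result == 0:
        # Assumption: local policy is consulted only for a valid certificate.
        return ACCESS_ALLOWED if policy_allows else ACCESS_POLICY_FORBIDDEN
    if terminal_cert_result == 1:
        return ACCESS_CANNOT_VERIFY
    return ACCESS_CERT_ERROR


def nvr_process_m4(m4, n_terminal, n_nvr, verify, policy_allows=True):
    """Run steps 5-1..5-3 and return the access result to place in M5.

    verify(data, signature) -> bool checks a certificate server signature.
    n_terminal and n_nvr are the nonces the NVR forwarded in M3.
    """
    if len(m4.ip_index) != IP_INDEX_LEN:
        raise AuthFailure("IP address index field has unexpected length")
    # 5-1: packet signature covers every field except the signature itself.
    if not verify(m4.ip_index + m4.result_field + m4.result_sig, m4.packet_sig):
        raise AuthFailure("server signature over M4 is invalid")
    # 5-2: nonces must match this session, otherwise M4 is stale or replayed.
    got_terminal, got_nvr, terminal_result, _ = parse_result_field(m4.result_field)
    if not (hmac.compare_digest(got_terminal, n_terminal)
            and hmac.compare_digest(got_nvr, n_nvr)):
        raise AuthFailure("random numbers in M4 do not match this session")
    # 5-3: inner signature, the one the terminal re-checks in M5 (step 6-3).
    if not verify(m4.result_field, m4.result_sig):
        raise AuthFailure("server signature over result field is invalid")
    return access_result(terminal_result, policy_allows)


# Constructed sample data. HMAC-SHA256 stands in for the certificate server's
# certificate-based signature so the example runs on the standard library.
DEMO_KEY = b"constructed-demo-key"


def demo_sign(data):
    return hmac.new(DEMO_KEY, data, hashlib.sha256).digest()


def demo_verify(data, signature):
    return hmac.compare_digest(demo_sign(data), signature)


def build_demo_m4(n_terminal, n_nvr, terminal_result, nvr_result=0):
    """Build a constructed M4 the way the certificate server would (step 4)."""
    ip_index = bytes(IP_INDEX_LEN)  # placeholder addresses
    result_field = n_terminal + n_nvr + bytes([terminal_result, nvr_result])
    result_sig = demo_sign(result_field)
    packet_sig = demo_sign(ip_index + result_field + result_sig)
    return M4(ip_index, result_field, result_sig, packet_sig)
```

Per step 5-3, the NVR continues to step 5-4 only when the returned value is 0; in a deployment `verify` would check the signature against the public key taken from the certificate server's certificate.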
Step 6. After receiving the M5 access authentication response packet sent by the NVR, the terminal processes it further. The processing flow is as follows:
6-1. The terminal uses the NVR certificate public key (obtained from M1) to verify the NVR signature in the M5 packet; if verification succeeds it proceeds to step 6-2, otherwise it releases the connection between the terminal and the NVR;
6-2. The terminal verifies whether the terminal random number, the NVR random number and the certification identification field in M5 are consistent with the corresponding fields in the M2 packet; if so it proceeds to step 6-3, otherwise it releases the connection between the terminal and the NVR;
6-3. The terminal extracts from M5 the certificate verification result field and the certificate server's signature field over the certificate verification result field. The terminal also holds the certificate server's certificate; it extracts the certificate server's certificate public key from that certificate and verifies the certificate server's signature over the certificate verification result field in M5. If verification succeeds it proceeds to step 6-4, otherwise it releases the connection between the terminal and the NVR;
6-4. The terminal checks the NVR's certificate verification result in the certificate verification result field of M5, and checks the access result field in M5. If the NVR's certificate verification result is correct and the terminal's access result is also "allowed", the terminal runs the ECDH algorithm and computes the terminal-side master key from the terminal temporary private key x and the NVR temporary public key yP (sent to the terminal in M5).
At this point the authentication procedure ends. Both the terminal and the NVR have obtained the access result and can confirm each other's identity. The terminal and the NVR have also each negotiated a master key. The NVR-side master key is identical to the terminal-side master key and is used for the subsequent confidential communication between the terminal and the NVR.
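Both sides of the ECDH exchange described above, with the checks that the private key lies in [1, n-1], that the peer's temporary public key is a valid curve point, and that xyP is not the point at infinity, as an added example that is not part of the patent. The page identifies its curve only by OID, so the NIST P-256 domain parameters here are an assumption; the arithmetic is not constant-time, and the example stops at the key seed because the derivation of the master key from it is not given in this section.

```python
import secrets

# Assumption: NIST P-256 domain parameters (the page names its curve only by OID).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
INFINITY = None  # representation of the point at infinity


def is_on_curve(point):
    """True for a finite point with coordinates in range that satisfies the curve."""
    if point is INFINITY:
        return False
    x, y = point
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine point addition, including doubling and the infinity cases."""
    if p1 is INFINITY:
        return p2
    if p2 is INFINITY:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INFINITY
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point):
    """Double-and-add; illustrative only, not constant-time."""
    result, addend = INFINITY, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def generate_keypair():
    """Temporary private key in [1, n-1] and temporary public key (x or y times P)."""
    private = secrets.randbelow(N - 1) + 1
    return private, scalar_mult(private, G)


def key_seed(own_private, peer_public):
    """Return the x-coordinate of xyP as 32 bytes, rejecting invalid inputs."""
    if not 1 <= own_private <= N - 1:
        raise ValueError("temporary private key is outside [1, n-1]")
    if not is_on_curve(peer_public):
        raise ValueError("peer temporary public key is not a valid curve point")
    shared = scalar_mult(own_private, peer_public)
    if shared is INFINITY:
        raise ValueError("xyP is the point at infinity")
    return shared[0].to_bytes(32, "big")


def demo_exchange():
    """Terminal (x, xP) and NVR (y, yP) each compute the seed from the other's key."""
    x, xP = generate_keypair()   # terminal, sent in M2
    y, yP = generate_keypair()   # NVR, sent in M5
    return key_seed(y, xP), key_seed(x, yP)
```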

Claims (8)

1. A camera-shooting and recording device entity authentication method towards city security protection, characterised in that it comprises the following steps:
Step 1: the NVR encapsulates an M1 certification activation packet and sends it to the terminal. The M1 certification activation packet includes the following fields: the group character field in M1, the certification identification field in M1, the NVR random number in M1, the certification activation time, the identity field of the local authentication server, the ECDH curve parameter field in M1, the NVR certificate field in M1, and the NVR signature field in M1; wherein:
If the lowest bit of the group character field in M1 is 1, the certification identification field in M1 is generated with the following algorithm: Auth_id1 = SHA256(n_NVR ⊕ Time_active); if the lowest bit of the group character field in M1 is 0, the value of the certification identification field in M1 is the certification identifier negotiated during the previous authentication process;
The NVR random number n_NVR in M1 is generated by the NVR using a random number generation algorithm; Time_active denotes the certification activation time;
The identity field of the local authentication server indicates the certificate server that the NVR trusts; its content is the account of the certificate server;
The NVR certificate field in M1 contains the NVR's certificate;
The NVR signature field in M1 is the signature over all data fields of the M1 packet other than this field;
Step 2: after receiving the M1 certification activation packet, the terminal processes it, encapsulates an M2 access authentication request packet, and then sends M2 to the NVR. Specifically:
2-1. After receiving the M1 certification activation packet, the terminal stores the NVR's certificate, extracts the NVR certificate public key from it, and uses that key to verify the NVR signature in the received M1 packet; if verification succeeds it proceeds to step 2-2, otherwise it releases the connection between the terminal and the NVR;
2-2. The terminal compares the certification activation time in the M1 packet with its own system time; if the two are within a 120-second time range, it proceeds to step 2-3, otherwise it releases the connection between the terminal and the NVR;
2-3. The terminal examines the identity field of the local authentication server in the M1 packet and checks whether the certificate server account in that field is the certificate server it wants to connect to; if so it proceeds to step 2-4, otherwise it releases the connection between the terminal and the NVR;
2-4. From the NVR random number n_NVR and the certification activation time Time_active in the received M1 packet, the terminal computes the certification identification field in M2 using the same method as in M1, and compares it with the certification identification field in M1; if they are consistent it proceeds to step 2-5, otherwise it releases the connection between the terminal and the NVR;
2-5. The terminal generates the terminal random number n_Terminal and, using the ECDH algorithm and the ECDH curve parameters in the M1 packet, generates the terminal's temporary private key x and temporary public key xP, using the terminal temporary public key xP as the terminal key data keydata_Terminal;
2-6. The terminal encapsulates the M2 access authentication request packet and sends it to the NVR. The M2 access authentication request packet includes the following fields: the group character field in M2, the certification identification field in M2, the terminal random number in M2, the terminal key data in M2, the NVR random number in M2, the NVR identity field in M2, the ECDH curve parameter field in M2, the terminal certificate field in M2, and the terminal signature field in M2; wherein:
The certification identification field value in M2 is identical to the certification identification field value in M1;
The terminal random number n_Terminal in M2 is generated by the terminal using a random number generation algorithm;
The content of the terminal key data in M2 is the terminal temporary public key xP generated by the terminal for the ECDH exchange;
The NVR random number in M2 is consistent with the NVR random number in the M1 packet;
The content of the NVR identity field in M2 is the NVR's account ID_NVR;
The ECDH curve parameter field in M2 is identical to the ECDH curve parameter field in the M1 packet;
The terminal certificate field in M2 contains the terminal's certificate;
The terminal signature field in M2 is the signature over all data fields of the M2 packet other than this field;
Step 3: after receiving the M2 access authentication request packet, the NVR processes it, encapsulates an M3 certificate verification request packet, and then sends M3 to the certificate server. Specifically:
3-1. After receiving the M2 access authentication request packet, the NVR saves the terminal's certificate, extracts the terminal certificate public key from it, and uses that key to verify the terminal signature in the received M2 packet; if verification succeeds it proceeds to step 3-2, otherwise it releases the connection between the terminal and the NVR;
3-2. The NVR checks whether the content of the NVR identity field in M2 is its own account; if so, it proceeds to step 3-3, otherwise it releases the connection between the terminal and the NVR;
3-3. The NVR checks whether the NVR random number in M2 is consistent with the one in M1; if so, it proceeds to step 3-4, otherwise it releases the connection between the terminal and the NVR;
3-4. The NVR encapsulates the M3 certificate verification request packet and sends it to the certificate server. The M3 certificate verification request packet includes the following fields:
the IP address index field in M3, the terminal random number in M3, the NVR random number in M3, the terminal certificate field in M3, the NVR certificate field in M3, and the NVR signature field in M3; wherein:
The IP address index field in M3 consists of the IP address of the terminal || the IP address of the NVR;
The terminal random number in M3 is consistent with the terminal random number in M2;
The NVR random number in M3 is consistent with the NVR random number in M2;
The terminal certificate field in M3 is consistent with the terminal certificate field in M2;
The NVR certificate field in M3 is consistent with the NVR certificate field in M1;
The NVR signature field in M3 is the signature over all data fields of the M3 packet other than this field;
Step 4: after receiving the M3 certificate verification request packet, the certificate server processes it, encapsulates an M4 certificate verification response packet, and then sends M4 to the NVR. Specifically:
4-1. After receiving the M3 certificate verification request packet, the certificate server saves the NVR's certificate, extracts the NVR certificate public key from it, and verifies the NVR signature in the M3 packet; if verification succeeds it proceeds to step 4-2, otherwise it releases the connection between the NVR and the certificate server;
4-2. The certificate server verifies the terminal certificate and the NVR certificate, generates the two corresponding certificate verification results, and signs the certificate verification result field with its own private key;
4-3. The certificate server encapsulates the M4 certificate verification response packet and sends it to the NVR. The M4 certificate verification response packet includes the following fields: the IP address index field in M4, the certificate verification result field in M4, the certificate server's signature field over the certificate verification result field in M4, and the certificate server's signature field over the M4 packet;
The value of the IP address index field in M4 is the same as that of the IP address index field in the M3 certificate verification request packet;
The certificate verification result field in M4 contains two one-time random numbers: the first is identical to the terminal random number in the M3 certificate verification request packet, and the second is identical to the NVR random number in the M3 certificate verification request packet. It also contains two certificate verification results: the first corresponds to the terminal certificate in the M3 certificate verification request packet, and the second to the NVR certificate in the M3 certificate verification request packet;
The certificate server's signature field over the certificate verification result field in M4 contains the certificate server's signature over the certificate verification result field alone;
The certificate server's signature field over the M4 packet is the signature over all data fields of the M4 packet other than this field;
Step 5: after receiving the M4 certificate verification response packet, the NVR processes it, encapsulates an M5 access authentication response packet, and then sends M5 to the terminal. Specifically:
5-1. The NVR holds the certificate server's certificate before authentication begins. After receiving the M4 certificate verification response packet, it extracts the certificate server's certificate public key from that certificate and verifies the certificate server's signature over the M4 packet; if verification succeeds it proceeds to step 5-2, otherwise it releases the connection between the NVR and the certificate server;
5-2. The NVR verifies whether the terminal random number and the NVR random number in M4 are correct; if so it proceeds to step 5-3, otherwise it releases the connection between the NVR and the certificate server;
5-3. The NVR extracts from M4 the certificate verification result field and the certificate server's signature field over the certificate verification result field. It first verifies that signature with the certificate server's certificate public key, then checks the terminal's certificate verification result to decide whether to allow the terminal to access and register. If the terminal is allowed, it proceeds to step 5-4; otherwise it disconnects the link between the NVR and the terminal;
5-4. Using the ECDH algorithm and the ECDH curve parameters in the M1 packet, the NVR generates its temporary private key y and temporary public key yP, and uses the temporary public key yP as the NVR key data keydata_NVR. The NVR generates the terminal's access result and then proceeds to step 5-5;
Step 5-5. The NVR runs the ECDH algorithm and computes the NVR-side master key from the NVR temporary private key y and the terminal temporary public key xP;
Step 5-6. The NVR encapsulates the M5 access authentication response packet and sends it to the terminal. The M5 access authentication response packet includes the following fields: the group character field in M5, the certification identification field in M5, the terminal random number in M5, the NVR random number in M5, the NVR key data in M5, the access result field in M5, the certificate verification result field in M5, the certificate server's signature field over the certificate verification result field in M5, and the NVR signature field in M5; wherein:
The certification identification field value in M5 is identical to the certification identification field values in the M1 certification activation packet and the M2 access authentication request packet;
The terminal random number in M5 is consistent with the terminal random number in the M2 packet;
The NVR random number in M5 is consistent with the NVR random number in the M1 and M2 packets;
The NVR key data in M5 is the NVR temporary public key yP generated by the NVR for the ECDH exchange;
The access result field in M5 indicates whether the terminal is allowed to access;
The certificate verification result field in M5 is consistent with the certificate verification result field in M4;
The certificate server's signature field over the certificate verification result field in M5 is consistent with the certificate server's signature field over the certificate verification result field in M4;
The NVR signature field in M5 is the signature over all data fields of the M5 packet other than this field;
Step 6. After receiving the M5 access authentication response packet sent by the NVR, the terminal processes it further. The processing flow is as follows:
6-1. The terminal uses the NVR certificate public key to verify the NVR signature in the M5 packet; if verification succeeds it proceeds to step 6-2, otherwise it releases the connection between the terminal and the NVR;
6-2. The terminal verifies whether the terminal random number, the NVR random number and the certification identification field in M5 are consistent with the corresponding fields in the M2 packet; if so it proceeds to step 6-3, otherwise it releases the connection between the terminal and the NVR;
6-3. The terminal extracts from M5 the certificate verification result field and the certificate server's signature field over the certificate verification result field. The terminal also holds the certificate server's certificate; it extracts the certificate server's certificate public key from that certificate and verifies the certificate server's signature over the certificate verification result field in M5. If verification succeeds it proceeds to step 6-4, otherwise it releases the connection between the terminal and the NVR;
6-4. The terminal checks the NVR's certificate verification result in the certificate verification result field of M5, and checks the access result field in M5. If the NVR's certificate verification result is correct and the terminal's access result is also "allowed", the terminal runs the ECDH algorithm and computes the terminal-side master key from the terminal temporary private key x and the NVR temporary public key yP.
2. The camera-shooting and recording device entity authentication method towards city security protection as claimed in claim 1, characterised in that: the ECDH curve parameter field in M1 consists of a parameter identifier, a parameter length and a parameter content;
When the parameter identifier is a particular agreed value, the parameter content is an OID encoded value.
3. The camera-shooting and recording device entity authentication method towards city security protection as claimed in claim 2, characterised in that: the parameter content takes the value 1.2.156.11235.1.1.2.1, an OID encoded value using ASN.1/DER encoding.
4. The camera-shooting and recording device entity authentication method towards city security protection as claimed in claim 1, 2 or 3, characterised in that: in step 4, the certificate verification result is defined as follows:
0 indicates that the certificate is valid;
1 indicates that the issuer of the certificate is unclear;
2 indicates that the certificate is based on an untrusted root certificate;
3 indicates that the certificate is not yet valid or has expired;
4 indicates a signature error;
5 indicates that the certificate has been revoked;
6 indicates that the certificate is not being used for its prescribed purpose;
7 indicates that the certificate's revocation status is unknown;
8 indicates a certificate error whose reason is unknown;
Other values are reserved.
5. The camera-shooting and recording device entity authentication method towards city security protection as claimed in claim 4, characterised in that: in step 5, the access result field in M5 is defined as follows:
0 indicates that access is allowed; the terminal's certificate verification result value is 0;
1 indicates that the certificate cannot be verified; the terminal's certificate verification result value is 1;
2 indicates a certificate error; the terminal's certificate verification result is any value other than 0 and 1;
3 indicates that local policy forbids access;
Other values are reserved.
6. The camera-shooting and recording device entity authentication method towards city security protection as claimed in claim 1, 2 or 3, characterised in that: the certification identification field in M1 is 32 bytes long.
7. The camera-shooting and recording device entity authentication method towards city security protection as claimed in claim 1, 2 or 3, characterised in that: the NVR random number n_NVR in M1 is a 32-byte random number.
8. The camera-shooting and recording device entity authentication method towards city security protection as claimed in claim 1, 2 or 3, characterised in that: the terminal is an IP camera or a client.
CN201410130070.9A 2014-04-01 2014-04-01 Towards the camera-shooting and recording device entity authentication method of city security protection Active CN103905448B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410130070.9A CN103905448B (en) 2014-04-01 2014-04-01 Towards the camera-shooting and recording device entity authentication method of city security protection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410130070.9A CN103905448B (en) 2014-04-01 2014-04-01 Towards the camera-shooting and recording device entity authentication method of city security protection

Publications (2)

Publication Number Publication Date
CN103905448A CN103905448A (en) 2014-07-02
CN103905448B true CN103905448B (en) 2017-04-05

Family

ID=50996602

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410130070.9A Active CN103905448B (en) 2014-04-01 2014-04-01 Towards the camera-shooting and recording device entity authentication method of city security protection

Country Status (1)

Country Link
CN (1) CN103905448B (en)

Also Published As

Publication number Publication date
CN103905448A (en) 2014-07-02

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230710

Address after: 214135 Building C, Weina Sensor Network International Innovation Park, No. 200, Linghu Avenue, the Taihu Lake International Science Park, Wuxi New District, Jiangsu Province

Patentee after: JIANGSU CAS INTERNET-OF-THINGS TECHNOLOGY VENTURE CAPITAL CO.,LTD.

Address before: 214135 Block C, International Innovation Park of China Sensor Network, 200 Linghu Avenue, Wuxi New District, Jiangsu Province

Patentee before: JIANGSU R & D CENTER FOR INTERNET OF THINGS