CN104811303A - Two-way authentication method, two-way authentication device and two-way authentication system - Google Patents
Two-way authentication method, two-way authentication device and two-way authentication system Download PDFInfo
- Publication number
- CN104811303A CN104811303A CN201410036296.2A CN201410036296A CN104811303A CN 104811303 A CN104811303 A CN 104811303A CN 201410036296 A CN201410036296 A CN 201410036296A CN 104811303 A CN104811303 A CN 104811303A
- Authority
- CN
- China
- Prior art keywords
- terminal
- certification
- server
- nonce
- response value
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Abstract
The invention provides a two-way authentication method, a two-way authentication device and a two-way authentication system. The two-way authentication method comprises the following steps: a terminal initiates a certification request to a server; the server generates a random number, calculates the nonce response value of the certification according to the random number, an authentication key and the nonce response value of last certification, and sends the random number and an encrypted authentication key to the terminal; the terminal calculates the nonce response value of the certification according to the random number, the encrypted authentication key, a terminal root key and the nonce response value of last certification, and uploads the nonce response value of the certification to the server; and the server compares the nonce response value of the certification sent by the terminal with the nonce response value of the certification calculated by the server, and the terminal passes the certification if the nonce response value of the certification sent by the terminal is matched with the nonce response value of the certification calculated by the server. By adopting the method, the device and the system of the invention, terminal cloning is effectively prevented, and the security of terminals is ensured. Moreover, the generality of terminals is improved, and a horizontal terminal market is realized.
Description
Technical field
The present invention relates to digital television techniques field, especially relate to a kind of method of two-way authentication, Apparatus and system.
Background technology
In current digital TV field, the safety chip based on the terminal (such as Set Top Box) of the single, double business to network and content protective system all adopts " ETSI TS103162V1.1.1 (2010-10) " standard.The common practice of its production safety chip is as follows:
1, cable operator proposes buying safety chip demand to the business of locality and content approach provider, and business and content approach business are supplied to the safety chip manufacturer list that operator has become with scheme quotient set;
2, after cable operator selects safety chip manufacturer, propose to safety chip manufacturer to customize the safety chip mated with local business and content approach provider;
3, a flight data recorder is placed in each integrated safety chip manufacturer by business and content approach provider, the safe key (SCK) of carrier customization safety chip is sent to flight data recorder by business and content approach provider, wherein, the safe key (SCK) of safety chip is also referred to as terminal root key.
4, safe key (SCK) is write safety chip by flight data recorder, safety chip manufacturers produce safety chip;
5, the safety chip of production is issued the safe key (SCK) that safety chip is returned simultaneously by business and content approach provider by safety chip manufacturer;
6, the safety chip of buying and safe key (SCK) are supplied to cable operator by business and content approach provider.
From said process, in prior art, the safety chip of each terminal wants pre-buried safe key (SCK) when producing, and safe key (SCK) needs business and content approach provider to provide, and the safe key of each business and content approach provider (SCK) is not identical, which results in the key provider that terminal can only mate oneself, that is, the digital operators that only have employed key provider scheme could use these terminals, thus result in the poor universality of terminal.
In addition, according to " ETSI TS103162V1.1.1 (2010-10) " standard, system authentication process only needs front-end server to produce random number, terminal using random number as the nonce(certification factor) send into self safety chip, the safety chip of terminal produces the response of the nonce response(certification factor) return front-end server and namely complete certification.In this verification process, as long as clone person obtains the random number that front-end server issues, cracking nonce acknowledgement mechanism just can the clone of complete paired terminal, and therefore, the fail safe of existing terminal is not high, exists by the risk intercepting clone.
Summary of the invention
The object of the present invention is to provide a kind of method of two-way authentication, Apparatus and system, to improve the fail safe of terminal.
For achieving the above object, the invention provides a kind of terminal authentication method, comprising the following steps:
Authentication request is initiated to server;
Receive the random number R andom of described server transmission and the authenticate key EK3 (K2) of encryption;
The certification factor obtaining this certification according to the certification factor response L_Nonce Response value of described Random, described EK3 (K2), terminal root key SCK and last certification responds Nonce Response value;
Described Nonce Response value is uploaded to described server.
Terminal authentication method of the present invention, described according to described Random, described EK3 (K2), described SCK and the described Nonce Response value of described L_Nonce Response value acquisition, specifically comprise:
Certification factor generating algorithm is adopted to calculate the certification factor Nonce value of this certification according to described Random and described L_Nonce Response value;
Operator root key K3 is generated according to described SCK;
Decipher described EK3 (K2) with described K3 and obtain authenticate key K2;
According to described Nonce value and described K2 and adopt the certification factor respond generating algorithm calculate described NonceResponse value.
Terminal authentication method of the present invention, described SCK obtains in the following manner:
In registered in advance process, terminal receives the terminal root key ESCK of the encryption that described server issues, and will obtain described SCK after described ESCK deciphering and be write in self read-only memory.
Terminal authentication method of the present invention, described in registered in advance process, terminal receives the ESCK that described server issues, and is specially:
Initiate application for registration to described server, described application for registration comprises the first terminal certificate that Termination ID and root encryption equipment are signed and issued;
Receive the second terminal certificate that described server is signed and issued at the operator certificate of the legal rear transmission of the described first terminal certificate of checking, described ESCK and operator's encryption equipment.
For achieving the above object, present invention also offers a kind of server authentication method, comprising the following steps:
The authentication request that receiving terminal is initiated;
Produce random number R andom, and respond according to the certification factor of described Random, authenticate key K2 and last certification the certification factor response Nonce Response value that L_Nonce Response value obtains this certification;
The authenticate key EK3 (K2) of described Random and encryption is handed down to described terminal;
Receive the Nonce Response value that described terminal sends;
The Nonce Response value described terminal sent and the Nonce Response value self calculated compare, if coupling, then pass through certification.
Server authentication method of the present invention, described according to described Random, described K2, described SCK and the described Nonce Response value of described L_Nonce Response value acquisition, specifically comprise:
Certification factor generating algorithm is adopted to calculate the certification factor Nonce value of this certification according to described Random and described L_Nonce Response value;
According to described Nonce value and described K2 and adopt the certification factor respond generating algorithm calculate described NonceResponse value.
Server authentication method of the present invention, described K2 and described EK3 (K2) obtains in the following manner:
Described K2 is generated according to authenticate key KeyID;
Encrypt described K2 with operator root key K3, generate described EK3 (K2).
For achieving the above object, present invention also offers a kind of mutual authentication method, comprising the following steps:
Terminal to server initiates authentication request;
Described server produces random number R andom, and respond according to the certification factor of described Random, authenticate key K2 and last certification the certification factor response NonceResponse value that L_Nonce Response value calculates this certification, and the authenticate key EK3 (K2) of described Random and encryption is issued to described terminal;
Described terminal calculates Nonce Response value according to described Random, described EK3 (K2), terminal root key SCK and described L_NonceResponse value, and is uploaded to described server;
The Nonce Response value that described terminal sends by described server and the NonceResponse value self calculated compare, if coupling, then pass through certification.
For achieving the above object, present invention also offers a kind of terminal, comprising:
Request sending module, for initiating authentication request to server;
Data reception module, for receiving the random number R andom and the authenticate key EK3 (K2) of encryption that described server sends;
Authentication calculations module, responds NonceResponse value for the certification factor obtaining this certification according to the certification factor response L_Nonce Response value of described Random, described EK3 (K2), terminal root key SCK and last certification;
Response sending module, for being uploaded to described server by described Nonce Response value.
Terminal of the present invention, described SCK obtains in the following manner:
In registered in advance process, terminal receives the terminal root key ESCK of the encryption that described server issues, and will obtain described SCK after described ESCK deciphering and be write in self read-only memory.
For achieving the above object, present invention also offers a kind of server, comprising:
Request receiving module, for the authentication request that receiving terminal is initiated;
Identification processing module, for generation of random number R andom, and responds according to the certification factor of described Random, authenticate key K2 and last certification the certification factor response Nonce Response value that L_Nonce Response value obtains this certification;
Data distributing module, for being handed down to described terminal by the authenticate key EK3 (K2) of described Random and encryption;
Response receiver module, for receiving the Nonce Response value that described terminal sends;
Certification comparison module, compares for the Nonce Response value described terminal sent and the NonceResponse value self calculated, if coupling, then passes through certification.
Server of the present invention, described SCK obtains in the following manner:
In registered in advance process, described server issues the terminal root key ESCK of encryption to described terminal;
Described terminal will obtain described SCK after described ESCK deciphering and be write in self read-only memory.
For achieving the above object, present invention also offers a kind of two-way authentication system, comprising:
At least one above-mentioned terminal and above-mentioned server.
Mutual authentication method of the present invention, even if clone person can be truncated to the random number that server issues, but because clone terminal cannot obtain the certification factor response of last certification, also the certification factor response of this certification cannot just be drawn, thus the two-way authentication with server cannot be completed, therefore, the present invention effectively can prevent the clone to terminal, improves the fail safe of terminal.
In addition, due in mutual authentication method of the present invention, when registered in advance, server is the authenticate key of terminal distribution encryption, and the safety chip of terminal is also just without the need to pre-buried terminal root key, like this, all support bilateral networks on market and the terminal of reception server signal being all suitable for, and be no longer confined to the custom terminal of pre-buried terminal root key, therefore, invention increases the versatility of terminal, achieve the complanation of terminal market.
Accompanying drawing explanation
Accompanying drawing described herein is used to provide a further understanding of the present invention, forms a application's part, does not form limitation of the invention.In the accompanying drawings:
Fig. 1 is the flow chart of an embodiment of terminal authentication method of the present invention;
Fig. 2 is the flow chart of an embodiment of server authentication method of the present invention;
Fig. 3 is the flow chart of an embodiment of mutual authentication method of the present invention;
Fig. 4 is the flow chart of another embodiment of mutual authentication method of the present invention;
Fig. 5 is the structural representation of an embodiment of two-way authentication system of the present invention.
Fig. 6 is the structural representation of terminal in two-way authentication system of the present invention;
Fig. 7 is the structural representation of server in two-way authentication system of the present invention.
Embodiment
For making the object, technical solutions and advantages of the present invention clearly understand, below in conjunction with embodiment and accompanying drawing, the present invention is described in further details.At this, schematic description and description of the present invention is for explaining the present invention, but not as a limitation of the invention.
Below in conjunction with accompanying drawing, the specific embodiment of the present invention is described in further detail.
Shown in figure 1, the terminal authentication method of the embodiment of the present invention comprises the following steps:
Step S11, to server initiate authentication request.
The authenticate key (i.e. EK3 (K2)) of the random number (i.e. Random) that step S12, reception server send and encryption.
Step S13, calculate the certification factor response (i.e. NonceResponse value) of this certification according to the certification factor response (i.e. L_Nonce Response value) of Random, EK3 (K2), terminal root key (i.e. SCK) and last certification.Concrete, first, certification factor generating algorithm (such as AES, DES, 3DES, RSA or RC4 scheduling algorithm) is adopted to calculate the certification factor values (i.e. Nonce value) of this certification according to Random and L_Nonce Response value, wherein, in certification factor generating algorithm, L_NonceResponse is as secret key, and Random is as input; Then, operator's root key (i.e. K3) is generated according to SCK; Then, decipher EK3 (K2) with K3 and obtain K2(authenticate key); Finally, adopt the certification factor to respond generating algorithm (such as AES, DES, 3DES, RSA or RC4 scheduling algorithm) to calculate Nonce Response value according to Nonce value and K2, wherein, the certification factor responds in generating algorithm, K2 is as key, and Nonce is as input.
Step S14, Nonce Response value to be uploaded onto the server.
In addition, in the embodiment of the present invention, the SCK of terminal obtains in the following manner:
In registered in advance process, the terminal root key (i.e. ESCK) of the encryption that terminal reception server issues, will ESCK decipher after obtain SCK and write self OTP(One Time Programable, One Time Programmable) in read-only memory.Wherein, in registered in advance process, the ESCK that terminal reception server issues, detailed process is:
Terminal to server initiates application for registration, and application for registration comprises the first terminal certificate that Termination ID and root encryption equipment are signed and issued; Then, terminal reception server is verifying the second terminal certificate that the operator certificate of the legal rear transmission of first terminal certificate, ESCK and operator's encryption equipment are signed and issued.
In the embodiment of the present invention, terminal each with server communication time, all need the certification obtaining server, certification is by obtaining the information of being correlated with.Like this, even if clone person can be truncated to the random number that server issues, but because clone terminal cannot obtain the certification factor response of last certification, also the certification factor response of this certification cannot just be drawn, thus the two-way authentication with server cannot be completed, therefore, the embodiment of the present invention effectively can prevent the clone to terminal, improves the fail safe of terminal.
In the embodiment of the present invention, due to when registering server as terminal distribution SCK, terminal is just without the need to pre-buried SCK, like this, all support bilateral networks on market and the terminal (such as bi-directional set-top box, smart mobile phone etc.) of reception server signal being all suitable for, and be no longer confined to the custom terminal of pre-buried SCK, thus improve the versatility of terminal, achieve the complanation of terminal market.
Shown in figure 2, the server authentication method of the embodiment of the present invention comprises the following steps:
The authentication request that step S21, receiving terminal are initiated.
Step S22, generation Random, calculate the Nonce Response value of this certification according to Random, K2 and L_Nonce Response value.Concrete, first, certification factor generating algorithm (such as AES, DES, 3DES, RSA or RC4 scheduling algorithm) is adopted to calculate the Nonce value of this certification according to Random and L_Nonce Response value, wherein, in certification factor generating algorithm, L_NonceResponse is as secret key, and Random is as input; Then, adopt the certification factor to respond generating algorithm (such as AES, DES, 3DES, RSA or RC4 scheduling algorithm) to calculate Nonce Response value according to Nonce value and K2, wherein, the certification factor responds in generating algorithm, K2 is as key, and Nonce is as input.
Step S23, Random and EK3 (K2) is handed down to terminal.
The Nonce Response value that step S24, receiving terminal send.
Step S25, Nonce Response value terminal sent and the Nonce Response value self calculated compare, if coupling, then pass through certification; Otherwise server assert that terminal is illegally also refused by certification.
In addition, in the embodiment of the present invention, K2 and EK3 (K2) obtains in the following manner:
K2 is generated according to authenticate key (i.e. KeyID);
Encrypt K2 with K3, generate EK3 (K2).
In the embodiment of the present invention, terminal each with server communication time, all need the certification obtaining server, certification is by obtaining the information of being correlated with.Like this, even if clone person can be truncated to the random number that server issues, but because clone terminal cannot obtain the certification factor response of last certification, also the certification factor response of this certification cannot just be drawn, thus the two-way authentication with server cannot be completed, therefore, the embodiment of the present invention effectively can prevent the clone to terminal, improves the fail safe of terminal.
Shown in figure 3, the mutual authentication method of the embodiment of the present invention comprises the following steps:
Step S31, terminal to server initiate authentication request.
Step S32, server produce Random, calculate the Nonce Response value of this certification, and Random and EK3 (K2) is issued to terminal according to Random, K2 and L_Nonce Response value.Concrete, first, certification factor generating algorithm (such as AES, DES, 3DES, RSA or RC4 scheduling algorithm) is adopted to calculate the Nonce value of this certification according to Random and L_Nonce Response value, wherein, in certification factor generating algorithm, L_NonceResponse is as secret key, and Random is as input; Then, adopt the certification factor to respond generating algorithm (such as AES, DES, 3DES, RSA or RC4 scheduling algorithm) to calculate Nonce Response value according to Nonce value and K2, wherein, the certification factor responds in generating algorithm, K2 is as key, and Nonce is as input; Finally Random and EK3 (K2) is issued to terminal.
Step S33, terminal calculate Nonce Response value according to the certification factor response L_Nonce Response value of Random, EK3 (K2), SCK and last certification, and are uploaded onto the server.Concrete, first, certification factor generating algorithm (such as AES, DES, 3DES, RSA or RC4 scheduling algorithm) is adopted to calculate Nonce value according to Random and L_Nonce Response value, wherein, in certification factor generating algorithm, L_NonceResponse is as secret key, and Random is as input; Then, K3 is generated according to SCK; Then, decipher EK3 (K2) with K3 and obtain K2; Then, according to Nonce value and K2 and adopt the certification factor respond generating algorithm (such as AES, DES, 3DES, RSA or RC4 scheduling algorithm) calculate Nonce Response value, wherein, in certification factor response generating algorithm, K2 is as key, the Nonce Response value calculated, as input, finally, uploads onto the server by Nonce.
The Nonce Response value that terminal sends by step S34, server and the NonceResponse value self calculated compare, if coupling, then pass through certification; Otherwise server assert that terminal is illegally also refused by certification.
In addition, in the embodiment of the present invention, the SCK of terminal obtains in the following manner:
In registered in advance process, the terminal root key (i.e. ESCK) of the encryption that terminal reception server issues, will ESCK decipher after obtain SCK and write in self OTP read-only memory.Wherein, in registered in advance process, the ESCK that terminal reception server issues, detailed process is:
Terminal to server initiates application for registration, and application for registration comprises the first terminal certificate that Termination ID and root encryption equipment are signed and issued; Then, terminal reception server is verifying the second terminal certificate that the operator certificate of the legal rear transmission of first terminal certificate, ESCK and operator's encryption equipment are signed and issued.
In the embodiment of the present invention, terminal each with server communication time, all need the certification obtaining server, certification is by obtaining the information of being correlated with.Like this, even if clone person can be truncated to the random number that server issues, but because clone terminal cannot obtain the certification factor response of last certification, also the certification factor response of this certification cannot just be drawn, thus the two-way authentication with server cannot be completed, therefore, the embodiment of the present invention effectively can prevent the clone to terminal, improves the fail safe of terminal.
In the embodiment of the present invention, due to when registering server as terminal distribution SCK, terminal is just without the need to pre-buried SCK, like this, all support bilateral networks on market and the terminal (such as bi-directional set-top box, smart mobile phone etc.) of reception server signal being all suitable for, and be no longer confined to the custom terminal of pre-buried SCK, thus improve the versatility of terminal, achieve the complanation of terminal market.
Shown in figure 4, the mutual authentication method of the another embodiment of the present invention comprises the following steps:
Step S41, terminal forward end server initiate authentication request.
Step S42, front-end server judge that whether this terminal is registered, if registered, perform step S43, otherwise the authentication request of refusal front-end server, also can send registration prompting by forward end server simultaneously.This step is optional step.
Step S43, front-end server send authentication processing instruction according to authentication request to operator's encryption equipment.KeyID and L_Nonce Response value is comprised in this authentication processing instruction.Step S44, operator's encryption equipment, according to the Nonce Response value of this certification of authentication processing command calculations, namely carry out authentication processing according to authentication processing instruction.Concrete processing procedure is as follows:
1), operator's encryption equipment generates key K 2 according to the KeyID in authentication processing instruction;
2), operator encryption equipment K3 encrypts K2, generation EK3 (K2);
3), operator's encryption equipment produces Random;
4), operator's encryption equipment adopts certification factor generating algorithm (such as AES, DES, 3DES, RSA or RC4 scheduling algorithm) to calculate Nonce value according to Random and L_Nonce Response value, wherein, in certification factor generating algorithm, L_NonceResponse is as secret key, and Random is as input;
5), operator's encryption equipment according to Nonce and K2 and adopt the certification factor respond generating algorithm (such as AES, DES, 3DES, RSA or RC4 scheduling algorithm) calculate Nonce Response value, wherein, in certification factor response generating algorithm, K2 is as key, and Nonce is as input.
Random, EK3 (K2) and Nonce Response value are issued front-end server, as the response to authentication processing instruction by step S45, operator's encryption equipment.
Random and EK3 (K2) is handed down to terminal, as the response to authentication request by step S46, front-end server.
Step S47, terminal calculate NonceResponse value according to Random, L_Nonce Response value, SCK and EK3 (K2), and detailed process is as follows:
1), terminal adopts certification factor generating algorithm (such as AES, DES, 3DES, RSA or RC4 scheduling algorithm) to calculate Nonce value according to Random and L_Nonce Response value, wherein, in certification factor generating algorithm, L_NonceResponse is as secret key, and Random is as input;
2), K3 is generated according to SCK;
3), decipher EK3 (K2) with K3 and obtain K2;
4), according to Nonce value and K2 and adopt the certification factor respond generating algorithm (such as AES, DES, 3DES, RSA or RC4 scheduling algorithm) calculate Nonce Response value, wherein, in certification factor response generating algorithm, K2 is as key, and Nonce is as input.
Step S48, terminal return Nonce Response value to front-end server, retain this Nonce Response value simultaneously.
The Nonce Response value that the Nonce Response value that terminal returns by step S49, front-end server and operator's encryption equipment send compares; If coupling, then pass through certification.Otherwise front-end server assert that terminal is illegally also refused by certification.
Be with the difference of mutual authentication method shown in Fig. 3, the work of the server in the embodiment of the present invention has been shared out the work and help one another by front-end server and operator's encryption equipment.Further, in the embodiment of the present invention, front-end server also carries out registration and judges after receiving authentication request, be only registered terminal, and front-end server just provides authentication service for it.
In addition, in the embodiment of the present invention, the SCK of terminal obtains in the following manner:
In registered in advance process, the terminal root key (i.e. ESCK) of the encryption that terminal reception server issues, will ESCK decipher after obtain SCK and write in self OTP read-only memory.Wherein, in registered in advance process, the ESCK that terminal reception server issues, detailed process is:
Terminal to server initiates application for registration, and application for registration comprises the first terminal certificate that Termination ID and root encryption equipment are signed and issued; Then, terminal reception server is verifying the second terminal certificate that the operator certificate of the legal rear transmission of first terminal certificate, ESCK and operator's encryption equipment are signed and issued.
In the embodiment of the present invention, terminal each with server communication time, all need the certification obtaining server, certification is by obtaining the information of being correlated with.Like this, even if clone person can be truncated to the random number that server issues, but because clone terminal cannot obtain the certification factor response of last certification, also the certification factor response of this certification cannot just be drawn, thus the two-way authentication with server cannot be completed, therefore, the embodiment of the present invention effectively can prevent the clone to terminal, improves the fail safe of terminal.
In the embodiment of the present invention, due to when registering server as terminal distribution SCK, terminal is just without the need to pre-buried SCK, like this, all support bilateral networks on market and the terminal (such as bi-directional set-top box, smart mobile phone etc.) of reception server signal being all suitable for, and be no longer confined to the custom terminal of pre-buried SCK, thus improve the versatility of terminal, achieve the complanation of terminal market.
Shown in figure 5, the two-way authentication system of the embodiment of the present invention comprises server 52 and at least one terminal 51.
Shown in composition graphs 6, terminal 51 comprises request sending module 511, data reception module 512, authentication calculations module 513 and response sending module 514.Request sending module 511 is for initiating authentication request to server; Random and EK3 (K2) that data reception module 512 sends for reception server; Authentication calculations module is used for obtaining Nonce Response value (detailed process is see above-mentioned terminal authentication method embodiment) according to Random, EK3 (K2), SCK and L_Nonce Response value; Response sending module 514 is for uploading onto the server Nonce Response value.Wherein, SCK obtains in the following manner:
In registered in advance process, the ESCK that terminal reception server issues, will ESCK decipher after obtain SCK and write in self OTP read-only memory.
Shown in composition graphs 7, server 52 comprises request receiving module 521, identification processing module 522, data distributing module 523, response receiver module 524 and certification comparison module 525.The authentication request that request receiving module 521 is initiated for receiving terminal; Identification processing module 522 for generation of Random, and obtains Nonce Response value (detailed process is see above-mentioned server authentication embodiment of the method) according to Random, K2 and L_NonceResponse value; Data distributing module 523 is for being handed down to terminal by Random and EK3 (K2); The Nonce Response value that response receiver module 524 sends for receiving terminal; Certification comparison module 525 compares for Nonce Response value terminal sent and the Nonce Response value self calculated, if coupling, then by certification, otherwise, assert that terminal is illegally also refused by certification.
In the embodiment of the present invention, terminal each with server communication time, all need the certification obtaining server, certification is by obtaining the information of being correlated with.Like this, even if clone person can be truncated to the random number that server issues, but because clone terminal cannot obtain the certification factor response of last certification, also the certification factor response of this certification cannot just be drawn, thus the two-way authentication with server cannot be completed, therefore, the embodiment of the present invention effectively can prevent the clone to terminal, improves the fail safe of terminal.
In the embodiment of the present invention, due to when registering server as terminal distribution SCK, terminal is just without the need to pre-buried SCK, like this, all support bilateral networks on market and the terminal (such as bi-directional set-top box, smart mobile phone etc.) of reception server signal being all suitable for, and be no longer confined to the custom terminal of pre-buried SCK, thus improve the versatility of terminal, achieve the complanation of terminal market.
Those skilled in the art can also recognize that various illustrative components, blocks, unit and step that the embodiment of the present invention is listed can be realized by hardware, software or both combinations.So to being realized the designing requirement depending on specific application and whole system by hardware or software.Those skilled in the art for often kind of specifically application, can use the function described in the realization of various method, but this realization can should not be understood to the scope exceeding embodiment of the present invention protection.
Various illustrative logical block described in the embodiment of the present invention, or unit can pass through general processor, digital signal processor, application-specific integrated circuit (ASIC) (ASIC), field programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or the design of above-mentioned any combination realizes or operates described function.General processor can be microprocessor, and alternatively, this general processor also can be any traditional processor, controller, microcontroller or state machine.Processor also can be realized by the combination of calculation element, such as digital signal processor and microprocessor, multi-microprocessor, and a Digital Signal Processor Core combined by one or more microprocessor, or other similar configuration any realizes.
The software module that method described in the embodiment of the present invention or the step of algorithm directly can embed hardware, processor performs or the combination of both.Software module can be stored in the storage medium of other arbitrary form in RAM memory, flash memory, ROM memory, eprom memory, eeprom memory, register, hard disk, moveable magnetic disc, CD-ROM or this area.Exemplarily, storage medium can be connected with processor, with make processor can from storage medium reading information, and write information can be deposited to storage medium.Alternatively, storage medium can also be integrated in processor.Processor and storage medium can be arranged in ASIC, and ASIC can be arranged in user terminal.Alternatively, processor and storage medium also can be arranged in the different parts in user terminal.
In one or more exemplary design, the above-mentioned functions described by the embodiment of the present invention can realize in the combination in any of hardware, software, firmware or this three.If realized in software, these functions can store on the medium with computer-readable, or are transmitted on the medium of computer-readable with one or more instruction or code form.Computer readable medium comprises computer storage medium and is convenient to make to allow computer program transfer to the communication medium in other place from a place.Storage medium can be that any general or special computer can the useable medium of access.Such as, such computer readable media can include but not limited to RAM, ROM, EEPROM, CD-ROM or other optical disc storage, disk storage or other magnetic storage device, or other anyly may be used for carrying or store the medium that can be read the program code of form with instruction or data structure and other by general or special computer or general or special processor.In addition, any connection can be properly termed computer readable medium, such as, if software is by a coaxial cable, fiber optic cables, twisted-pair feeder, Digital Subscriber Line (DSL) or being also comprised in defined computer readable medium with wireless way for transmittings such as such as infrared, wireless and microwaves from a web-site, server or other remote resource.Described video disc (disk) and disk (disc) comprise Zip disk, radium-shine dish, CD, DVD, floppy disk and Blu-ray Disc, and disk is usually with magnetic duplication data, and video disc carries out optical reproduction data with laser usually.Above-mentioned combination also can be included in computer readable medium.
Above-described specific embodiment; object of the present invention, technical scheme and beneficial effect are further described; be understood that; the foregoing is only specific embodiments of the invention; the protection range be not intended to limit the present invention; within the spirit and principles in the present invention all, any amendment made, equivalent replacement, improvement etc., all should be included within protection scope of the present invention.
Claims (13)
1. a terminal authentication method, is characterized in that, comprises the following steps:
Authentication request is initiated to server;
Receive the random number R andom of described server transmission and the authenticate key EK3 (K2) of encryption;
The certification factor obtaining this certification according to the certification factor response L_Nonce Response value of described Random, described EK3 (K2), terminal root key SCK and last certification responds Nonce Response value;
Described Nonce Response value is uploaded to described server.
2. terminal authentication method according to claim 1, is characterized in that, described according to described Random, described EK3 (K2), described SCK and the described Nonce Response value of described L_Nonce Response value acquisition, specifically comprises:
Certification factor generating algorithm is adopted to calculate the certification factor Nonce value of this certification according to described Random and described L_Nonce Response value;
Operator root key K3 is generated according to described SCK;
Decipher described EK3 (K2) with described K3 and obtain authenticate key K2;
According to described Nonce value and described K2 and adopt the certification factor respond generating algorithm calculate described NonceResponse value.
3. terminal authentication method according to claim 1, is characterized in that, described SCK obtains in the following manner:
In registered in advance process, terminal receives the terminal root key ESCK of the encryption that described server issues, and will obtain described SCK after described ESCK deciphering and be write in self read-only memory.
4. terminal authentication method according to claim 3, is characterized in that, described in registered in advance process, terminal receives the ESCK that described server issues, and is specially:
Initiate application for registration to described server, described application for registration comprises the first terminal certificate that Termination ID and root encryption equipment are signed and issued;
Receive the second terminal certificate that described server is signed and issued at the operator certificate of the legal rear transmission of the described first terminal certificate of checking, described ESCK and operator's encryption equipment.
5. a server authentication method, is characterized in that, comprises the following steps:
The authentication request that receiving terminal is initiated;
Produce random number R andom, and respond according to the certification factor of described Random, authenticate key K2 and last certification the certification factor response Nonce Response value that L_Nonce Response value obtains this certification;
The authenticate key EK3 (K2) of described Random and encryption is handed down to described terminal;
Receive the Nonce Response value that described terminal sends;
The Nonce Response value described terminal sent and the Nonce Response value self calculated compare, if coupling, then pass through certification.
6. server authentication method according to claim 5, is characterized in that, described according to described Random, described K2, described SCK and the described Nonce Response value of described L_Nonce Response value acquisition, specifically comprises:
Certification factor generating algorithm is adopted to calculate the certification factor Nonce value of this certification according to described Random and described L_Nonce Response value;
According to described Nonce value and described K2 and adopt the certification factor respond generating algorithm calculate described NonceResponse value.
7. server authentication method according to claim 5, is characterized in that, described K2 and described EK3 (K2) obtains in the following manner:
Described K2 is generated according to authenticate key KeyID;
Encrypt described K2 with operator root key K3, generate described EK3 (K2).
8. a mutual authentication method, is characterized in that, comprises the following steps:
Terminal to server initiates authentication request;
Described server produces random number R andom, and respond according to the certification factor of described Random, authenticate key K2 and last certification the certification factor response NonceResponse value that L_Nonce Response value calculates this certification, and the authenticate key EK3 (K2) of described Random and encryption is issued to described terminal;
Described terminal calculates Nonce Response value according to described Random, described EK3 (K2), terminal root key SCK and described L_NonceResponse value, and is uploaded to described server;
The Nonce Response value that described terminal sends by described server and the NonceResponse value self calculated compare, if coupling, then pass through certification.
9. a terminal, is characterized in that, comprising:
Request sending module, for initiating authentication request to server;
Data reception module, for receiving the random number R andom and the authenticate key EK3 (K2) of encryption that described server sends;
Authentication calculations module, responds NonceResponse value for the certification factor obtaining this certification according to the certification factor response L_Nonce Response value of described Random, described EK3 (K2), terminal root key SCK and last certification;
Response sending module, is uploaded to described server by described Nonce Response value.
10. terminal according to claim 9, is characterized in that, described SCK obtains in the following manner:
In registered in advance process, terminal receives the terminal root key ESCK of the encryption that described server issues, and will obtain described SCK after described ESCK deciphering and be write in self read-only memory.
11. 1 kinds of servers, is characterized in that, comprising:
Request receiving module, for the authentication request that receiving terminal is initiated;
Identification processing module, for generation of random number R andom, and responds according to the certification factor of described Random, authenticate key K2 and last certification the certification factor response Nonce Response value that L_Nonce Response value obtains this certification;
Data distributing module, for being handed down to described terminal by the authenticate key EK3 (K2) of described Random and encryption;
Response receiver module, for receiving the Nonce Response value that described terminal sends;
Certification comparison module, compares for the Nonce Response value described terminal sent and the NonceResponse value self calculated, if coupling, then passes through certification.
12. servers according to claim 11, is characterized in that, described SCK obtains in the following manner:
In registered in advance process, described server issues the terminal root key ESCK of encryption to described terminal;
Described terminal will obtain described SCK after described ESCK deciphering and be write in self read-only memory.
13. 1 kinds of two-way authentication systems, is characterized in that, comprising:
At least one terminal according to claim 9 and server according to claim 11;
Or, at least one terminal according to claim 10 and server according to claim 12.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410036296.2A CN104811303B (en) | 2014-01-24 | 2014-01-24 | The method, apparatus and system of two-way authentication |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410036296.2A CN104811303B (en) | 2014-01-24 | 2014-01-24 | The method, apparatus and system of two-way authentication |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104811303A true CN104811303A (en) | 2015-07-29 |
| CN104811303B CN104811303B (en) | 2018-12-18 |
Family
ID=53695822
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410036296.2A Active CN104811303B (en) | 2014-01-24 | 2014-01-24 | The method, apparatus and system of two-way authentication |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104811303B (en) |
Cited By (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107704758A (en) * | 2017-08-25 | 2018-02-16 | 郑州云海信息技术有限公司 | A kind of SQL injection leak detection method and detection means |
| CN108476224A (en) * | 2016-01-19 | 2018-08-31 | 英国电讯有限公司 | The certification of data transmission device |
| CN108718237A (en) * | 2018-03-20 | 2018-10-30 | 如般量子科技有限公司 | A kind of modified AKA identity authorization systems and method based on pool of symmetric keys |
| WO2020172887A1 (en) * | 2019-02-28 | 2020-09-03 | 云图有限公司 | Data processing method, apparatus, smart card, terminal device, and server |
| CN112016082A (en) * | 2020-10-26 | 2020-12-01 | 成都掌控者网络科技有限公司 | Authority list safety control method |
| CN112738043A (en) * | 2020-12-22 | 2021-04-30 | 北京八分量信息科技有限公司 | Method, system and related product for carrying out legality authentication on user identity in big data system |
| CN112751674A (en) * | 2020-12-30 | 2021-05-04 | 上海果通通信科技股份有限公司 | Virtual private network access authentication method, system, device and readable storage medium |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101807994A (en) * | 2009-12-18 | 2010-08-18 | 北京握奇数据系统有限公司 | Method and system for application data transmission of IC card |
| CN102047266A (en) * | 2008-10-10 | 2011-05-04 | 松下电器产业株式会社 | Information processing device, authentication system, authentication device, information processing method, information processing program, recording medium, and integrated circuit |
-
2014
- 2014-01-24 CN CN201410036296.2A patent/CN104811303B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102047266A (en) * | 2008-10-10 | 2011-05-04 | 松下电器产业株式会社 | Information processing device, authentication system, authentication device, information processing method, information processing program, recording medium, and integrated circuit |
| CN101807994A (en) * | 2009-12-18 | 2010-08-18 | 北京握奇数据系统有限公司 | Method and system for application data transmission of IC card |
Cited By (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108476224A (en) * | 2016-01-19 | 2018-08-31 | 英国电讯有限公司 | The certification of data transmission device |
| CN108476224B (en) * | 2016-01-19 | 2020-12-04 | 英国电讯有限公司 | Method for authenticating communication connection, data communication device, and storage medium |
| CN107704758A (en) * | 2017-08-25 | 2018-02-16 | 郑州云海信息技术有限公司 | A kind of SQL injection leak detection method and detection means |
| CN108718237A (en) * | 2018-03-20 | 2018-10-30 | 如般量子科技有限公司 | A kind of modified AKA identity authorization systems and method based on pool of symmetric keys |
| WO2020172887A1 (en) * | 2019-02-28 | 2020-09-03 | 云图有限公司 | Data processing method, apparatus, smart card, terminal device, and server |
| CN112016082A (en) * | 2020-10-26 | 2020-12-01 | 成都掌控者网络科技有限公司 | Authority list safety control method |
| CN112738043A (en) * | 2020-12-22 | 2021-04-30 | 北京八分量信息科技有限公司 | Method, system and related product for carrying out legality authentication on user identity in big data system |
| CN112738043B (en) * | 2020-12-22 | 2023-06-27 | 北京八分量信息科技有限公司 | Method, system and related products for legality authentication of user identity in big data system |
| CN112751674A (en) * | 2020-12-30 | 2021-05-04 | 上海果通通信科技股份有限公司 | Virtual private network access authentication method, system, device and readable storage medium |
| CN112751674B (en) * | 2020-12-30 | 2023-05-02 | 上海优咔网络科技有限公司 | Virtual private network access authentication method, system, equipment and readable storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN104811303B (en) | 2018-12-18 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| KR102328725B1 (en) | Method of using one device to unlock another device | |
| US9729526B2 (en) | Apparatus and method for secure delivery of data from a communication device | |
| CN104811303A (en) | Two-way authentication method, two-way authentication device and two-way authentication system | |
| US11601409B2 (en) | Establishing a secure communication session with an external security processor | |
| CN105050081B (en) | Method, device and system for connecting network access device to wireless network access point | |
| CN103428696B (en) | Virtual SIM card achieving method and system and relevant device | |
| US10826704B2 (en) | Blockchain key storage on SIM devices | |
| CA2948895C (en) | Provisioning drm credentials on a client device using an update server | |
| CN105516103B (en) | Method, device and system for binding intelligent household electrical appliance | |
| WO2016201733A1 (en) | Security verification method, security verification device and security verification system | |
| CN103067333A (en) | Method for verifying set top box access identity and authentication server | |
| US9330250B2 (en) | Authorization of media content transfer between home media server and client device | |
| KR101410764B1 (en) | Apparatus and method for remotely deleting important information | |
| CN108023727B (en) | Authorization method and system thereof | |
| US10256976B2 (en) | Method and apparatus for information interaction | |
| KR101835640B1 (en) | Method for authentication of communication connecting, gateway apparatus thereof, and communication system thereof | |
| CN103780609A (en) | Cloud data processing method and device and cloud data security gateway | |
| CN109639644B (en) | Authorization verification method and device, storage medium and electronic equipment | |
| CN104702408A (en) | Method and system for authenticating connection on basis of iBeacon | |
| CN103152326A (en) | Distributed authentication method and authentication system | |
| CN104244030A (en) | Recorded program sharing method and system | |
| KR101658861B1 (en) | Key distribution method and system for key distribution | |
| CN115690955A (en) | Security authentication method and device for digital key, vehicle and digital key equipment | |
| CN105512536A (en) | Resource transfer method based on security certification |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| EXSB | Decision made by sipo to initiate substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |