CN106034028B - Terminal device authentication method, apparatus and system - Google Patents

Publication number: CN106034028B
Authority: CN (China)
Prior art keywords: terminal, key, authorization, decryption, device identification
Legal status: Active
Application number: CN201510115367.2A
Other languages: Chinese (zh)
Other versions: CN106034028A (en)
Inventor: 李俊奎
Current Assignee: Advanced New Technologies Co Ltd; Advantageous New Technologies Co Ltd
Original Assignee: Alibaba Group Holding Ltd
Application filed by Alibaba Group Holding Ltd
Priority to CN201510115367.2A (patent CN106034028B)
Priority to CN201910501817.XA (patent CN110365484B)
Publication of CN106034028A
Application granted
Publication of CN106034028B
Abstract

The application provides a terminal device authentication method, apparatus and system. The method may include: a first terminal sends an authorization request message generated by encrypting a second key and a first device identification with a stored first key; a second terminal obtains the authorization request message and decrypts it with its stored first key; when the decryption succeeds, the second terminal judges whether it stores a first authorized device identification corresponding to the first device identification obtained by the decryption; if so, it authorizes the first terminal and sends an authorization result message generated by encrypting the second device identification with the second key; the first terminal obtains the authorization result message and decrypts it with the second key; when the decryption succeeds, the first terminal judges whether it stores a second authorized device identification corresponding to the second device identification obtained by the decryption, and determines based on the judgment result whether to authorize the second terminal. The embodiments of the application can improve the security and reliability of terminal device authentication.

Description

Terminal device authentication method, apparatus and system
Technical field
The application belongs to the field of communication information processing, and in particular relates to a terminal device authentication method, apparatus and system.
Background
With the development of the mobile Internet and the Internet of Things, terminal devices including wearable devices (such as smart bracelets and smart watches) are becoming more and more common, and are increasingly the development trend of future smart mobile product applications.
Wearable devices often contain various sensitive information about the user, such as accounts, identity, communications and property. If permissions on a wearable device are obtained through attacks such as malicious phishing, terminal spoofing or information interception, the user can suffer immeasurable loss. The secure authorization authentication of wearable devices is therefore receiving increasing attention. Security application products based on wearable devices have begun to appear; existing solutions mainly have the wearable device perform authorization authentication of an intelligent terminal (such as a smart mobile phone or smart appliance) based on a feature code of the intelligent terminal or of a third-party application.
However, the feature code used in existing wearable device authorization authentication solutions is usually a single, constant feature code, and the authentication process generally runs over channels with a low security level, such as WIFI or Bluetooth, and is one-way authentication. With prior-art authorization authentication methods, the feature code is easily intercepted or leaked, or a forged intelligent terminal is used to deceive the wearable device and obtain its permissions. Prior-art authorization authentication methods for wearable devices therefore still carry considerable security risks.
Summary of the invention
The purpose of the application is to provide a terminal device authentication method, apparatus and system that can provide two-way authentication during the authorization process for intelligent terminals including wearable devices, improving the security of terminal device authorization authentication.
The terminal device authentication method, apparatus and system provided by the application are implemented as follows:
A terminal device authentication method, the method comprising:
A first terminal sends an authorization opening request message generated by encrypting a generated first key and the first device identification of the first terminal with a stored preset key;
A second terminal obtains the authorization opening request message, decrypts it with its stored preset key, and judges according to the result of the decryption whether to open device authorization;
When the result of the decryption is success, the second terminal sends an authorization opening result message generated by encrypting the second device identification of the second terminal with the first key obtained by the decryption;
The first terminal obtains the authorization opening result message and decrypts it with the first key; if the decryption succeeds, it opens device authorization.
A terminal device authentication method, the method comprising:
A first terminal sends an authorization request message generated by encrypting a generated second key and the first device identification of the first terminal with a stored first key;
A second terminal obtains the authorization request message and decrypts it with its stored first key; when the decryption succeeds, it judges whether it stores a first authorized device identification corresponding to the first device identification obtained by the decryption;
When the judgment result is yes, the second terminal authorizes the first terminal based on the first device identification, and sends an authorization result message generated by encrypting the second device identification of the second terminal with the second key obtained by the decryption;
The first terminal obtains the authorization result message and decrypts it with the second key; when the decryption succeeds, it judges whether it stores a second authorized device identification corresponding to the second device identification obtained by the decryption, and determines based on the judgment result whether to authorize the second terminal.
A terminal device authentication method, the method comprising:
A first terminal sends an authorization request message generated by encrypting a generated second key and the first device identification of the first terminal with a stored first key;
The first terminal obtains the authorization result message sent by a second terminal and decrypts it with the second key;
When the decryption succeeds, the first terminal judges whether it stores a second authorized device identification corresponding to the second device identification obtained by the decryption, and determines based on the judgment result whether to authorize the second terminal.
A terminal device authentication method, the method comprising:
A second terminal obtains the authorization request message sent by a first terminal and decrypts it with its stored first key;
When the decryption succeeds, the second terminal judges whether it stores a first authorized device identification corresponding to the first device identification obtained by the decryption;
When the judgment result is yes, the second terminal authorizes the first terminal based on the first device identification, and sends an authorization result message generated by encrypting the second device identification of the second terminal with the second key obtained by the decryption.
A terminal device authentication apparatus, the apparatus comprising:
A first storage unit, for storing the generated first key and the obtained second authorized device identification of the second terminal;
A first encryption unit, for generating a second key, and encrypting the second key and the obtained first device identification with the first key to generate an authorization request message;
A first communication module, for sending the authorization request message, and also for receiving the authorization result message sent by the second terminal;
A first decryption judging unit, for decrypting the authorization result message with the second key and, when the decryption succeeds, judging whether the first storage unit stores a second authorized device identification corresponding to the second device identification obtained by the decryption;
A first authorization module, for determining, based on the judgment result of the first decryption judging unit, whether to authorize the second terminal.
A terminal device authentication apparatus, the apparatus comprising:
A second communication module, for receiving the authorization request message sent by the first terminal and sending the authorization result message;
A second storage unit, for storing the obtained first authorized device identification of the first terminal and the first key;
A second decryption judging unit, for decrypting the authorization request message with the stored first key and, when the decryption succeeds, judging whether the second storage unit stores a first authorized device identification corresponding to the first device identification;
A second authorization module, for determining, based on the judgment result of the second decryption judging unit, whether to authorize the first terminal corresponding to the first device identification;
A second encryption unit, for encrypting the second device identification of the second terminal with the second key to generate the authorization result message when the judgment result of the second decryption judging unit is yes.
A terminal device authentication system, the system comprising:
A first terminal, for sending an authorization request message generated by encrypting a generated second key and the first device identification of the first terminal with a stored first key; also for obtaining the authorization result message sent by the second terminal and decrypting it with the second key; and also for judging, when the decryption succeeds, whether it stores a second authorized device identification corresponding to the second device identification obtained by the decryption, and determining based on the judgment result whether to authorize the second terminal;
A second terminal, for obtaining the authorization request message sent by the first terminal and decrypting it with the stored first key; also for judging, when the decryption succeeds, whether it stores a first authorized device identification corresponding to the first device identification obtained by the decryption; and also for, when the judgment result is yes, authorizing the first terminal based on the first device identification and sending an authorization result message generated by encrypting the second device identification of the second terminal with the second key obtained by the decryption.
The terminal device authentication method, apparatus and system provided by the application can secure both the opening of device authorization and the device authorization itself between multiple terminals. The first terminal can use the pre-stored preset key to encrypt an authentication key and its device identification to form the authorization opening request message, so that only a second terminal that also stores the preset key can decrypt it, completing one side of the authentication for opening authorization. The authentication key obtained by the decryption can then be used to encrypt the device identification of the second terminal; the first terminal decrypts this, and only if the decryption succeeds can authorization authentication be opened for the first terminal, completing the two-way authentication of the terminal devices' request to open authorization. Further, after authorization has been opened and the device identification of the authorized device obtained, the terminal device authentication method provided by the application can be used to perform authorization authentication for permissions such as those of the terminal device or of applications on the device. Two-way authentication between the terminals is still used during device authorization, and the device identification and authentication key are included in the two-way authentication message exchange; in preferred embodiments the authentication key can also be dynamically updated. This can greatly strengthen the authorization authentication of terminal devices such as wearable devices and improve the security of terminal device authorization authentication.
Brief description of the drawings
To explain the technical solutions in the embodiments of the application or in the prior art more clearly, the drawings needed to describe the embodiments or the prior art are briefly introduced below. The drawings described below are merely some embodiments recorded in the application; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a method flow diagram of one embodiment of the terminal device authentication method of the application;
Fig. 2 is a method flow diagram of one embodiment of the terminal device authentication method of the application;
Fig. 3 is a flow diagram of another embodiment of the terminal device authentication method of the application;
Fig. 4 is a flow diagram of another embodiment of the terminal device authentication method of the application;
Fig. 5 is a module structure diagram of one embodiment of the terminal device authentication apparatus of the application;
Fig. 6 is a module structure diagram of another embodiment of the terminal device authentication apparatus of the application;
Fig. 7 is a module structure diagram of another embodiment of the terminal device authentication apparatus of the application;
Fig. 8 is a module structure diagram of one embodiment of the terminal device authentication apparatus of the application;
Fig. 9 is a module structure diagram of another embodiment of the terminal device authentication apparatus of the application;
Fig. 10 is a module structure diagram of another embodiment of the terminal device authentication apparatus of the application.
Detailed description of embodiments
To help those skilled in the art better understand the technical solutions of the application, the technical solutions in the embodiments of the application are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are only some, not all, of the embodiments of the application. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the application without creative effort shall fall within the scope of protection of the application.
The terminals described herein can include, but are not limited to, wearable terminal devices. Authorization authentication of the terminal device can include, but is not limited to, application scenarios in which a user-side terminal device connects to the Internet through Wi-Fi, a cellular mobile network or similar and performs authorization authentication with a server-side terminal device; it can also include, but is not limited to, application scenarios in which the device connects to other intelligent terminals through the Bluetooth transmission protocol, NFC near-field communication, a wired connection or similar to perform authorization authentication. The method and apparatus of the application are described in detail below using authorization authentication between a wearable device and a smart mobile phone as an example. Wearable devices described herein include, but are not limited to, wearable items such as watches, glasses, shoes, hats, clothes and jewellery that carry an intelligent processing chip.
Before authorization authentication is performed between terminal devices, it can first be verified whether the terminal device requesting authorization authentication is trustworthy; after the verification passes, authorization authentication can be opened to the requesting terminal device for further authorization. Using the preliminary authentication method described herein to decide whether to open authorization authentication to a terminal device can effectively reduce authorization authentication by illegal terminal devices and cut off, at an early stage, authorization authentication communication between a wearable device or other terminal device and an illegal terminal. Fig. 1 is a method flow diagram of one embodiment of the terminal device authentication method described herein. As shown in Fig. 1, the method may include:
S1: The first terminal sends an authorization opening request message generated by encrypting a generated first key and the first device identification of the first terminal with a stored preset key.
The first terminal uses its stored preset key key0 to encrypt the generated first key key1 and the first device identification of the first terminal, forming the authorization opening request message MSG_A1, and sends MSG_A1.
The first terminal can be the smartphone described above, or another mobile intelligent terminal in other application scenarios. In this embodiment, the terminal device that sends the authorization opening request message MSG_A1 is treated as the first terminal, and the terminal device that receives MSG_A1 as the second terminal; in a specific implementation such as this embodiment, the smartphone can be the first terminal and the wearable device the second terminal. Of course, the first terminal that performs authorization authentication with a second terminal such as a wearable device can also be a specially provided server, an intelligent terminal management apparatus, or the like.
The preset key key0 can be stored in the first terminal in advance. It may be an initialization key set at the factory, or a key agreed in advance with the second terminal that can be used for opening device authorization or for device authorization authentication. The first terminal can generate the first key key1, which can be used for authorization authentication with the second terminal, including the wearable device. The first terminal can generate key1 through an application on the terminal or a preset key generation algorithm, and key1 may be a key in a conventional data format such as digits, characters or symbols.
The preset key key0 can then be used to encrypt the generated first key key1 together with the first device identification app_divice_id of the first terminal, forming the first terminal's authorization opening request message MSG_A1. The first device identification app_divice_id can be identification information that uniquely identifies the first terminal device, for example the smartphone's IMEI, MAC or another device identification string.
After forming MSG_A1, the first terminal can send it. Specific sending methods may include broadcasting MSG_A1 over WIFI, Bluetooth or the like, and can of course also include other methods such as a dedicated channel or network communication.
The first terminal can thus encrypt the generated first key and its first device identification with the stored preset key to form the authorization opening request message MSG_A1, and can send MSG_A1 as a broadcast message, point-to-point, or in a similar manner.
S2: The second terminal obtains the authorization opening request message, decrypts it with its stored preset key, and can judge according to the result of the decryption whether to open device authorization.
The second terminal can obtain the authorization opening request message MSG_A1 sent by the first terminal and decrypt it with its stored preset key key0; the second terminal judges according to the result of the decryption whether to open device authorization.
The second terminal can receive the authorization opening message sent by the first terminal in broadcast or point-to-point form. The preset key key0 is likewise stored in the second terminal in advance; for example, wearable devices such as smart bracelets and smart watches can store a preset key key0 set at the factory. The preset key in the second terminal can be identical to the one stored in the first terminal (such as a smartphone), so that the corresponding encryption and decryption can be completed. In other embodiments, the two can of course be mutually matching keys. In practice, the preset key of a wearable second terminal may typically be an authentication key set at the factory, while the preset key of the first terminal may be one that the first terminal downloads through an application from a dedicated server or from the service provider; it can of course also be a key set by default in advance.
The second terminal described herein can include, but is not limited to, wearable devices carrying an intelligent processing chip, such as watches, glasses, shoes, hats, clothes, jewellery, bracelets and pendants.
After obtaining the authorization request message MSG_A1, the second terminal can decrypt it with its stored preset key key0. If the MSG_A1 obtained by the second terminal was encrypted with the same preset key key0, the second terminal can decrypt it successfully with its own key0. If what the second terminal received was sent by an illegal terminal device using a forged authorization request message, terminal device spoofing or the like, and was not encrypted with the preset key key0, the second terminal cannot decrypt it and so does not open device authorization authentication to that device. The second terminal can thus judge, from whether the obtained authorization opening message decrypts successfully, whether the terminal device corresponding to the request is legitimate: if it is, the second terminal opens device authorization to it and allows authorization authentication with it; otherwise the device can be treated as an illegal terminal device, and its authorization request can be refused, blocked, or otherwise handled.
The second terminal can thus obtain the authorization opening request message MSG_A1, decrypt it, and judge from the decryption result whether to open device authorization, that is, whether to allow authorization authentication with the device that sent MSG_A1.
S3: When the result of the decryption is success, the second terminal sends an authorization opening result message generated by encrypting the second device identification of the second terminal with the first key obtained by the decryption.
When the result of the decryption is success, the second terminal can open device authorization. The second terminal encrypts its second device identification auth_divice_id with the first key key1 obtained by the decryption, forming the authorization opening result message MSG_B1, and sends MSG_B1. If the second terminal successfully decrypts the obtained MSG_A1 with its own stored preset key key0, the second terminal can open the device authorization service, allowing authorization authentication messages to be exchanged with other terminal devices.
For one-to-many or many-to-many terminal device scenarios, a preferred embodiment of the application provides an authentication method that distinguishes terminal devices by device identification. Specifically, the second terminal opening device authorization when the result of the decryption is success may include:
When the result of the decryption is success, the second terminal opens device authorization to the first terminal based on the first device identification obtained by the decryption.
For example, when the second terminal successfully decrypts the first terminal's authorization opening request message MSG_A1, it obtains the first device identification of the first terminal device, which can be stored in a local application file. When opening device authorization, the second terminal can then, according to the successfully decrypted first device identification, open the device authorization authentication service to the terminal device corresponding to that identification, allowing authorization authentication messages to be exchanged between the second terminal and the first terminal. While device authorization is open to the first terminal, the second terminal can still obtain authorization opening request messages MSG_A1 from other terminal devices, but need not open device authorization to terminal devices whose authorization request messages fail to decrypt, nor to terminal devices whose device identifications it has not decrypted or recorded.
After the successful decryption described above, the second terminal has completed authentication of the first terminal's request to open authorization. The second terminal can then further perform registration authentication for the first terminal, which can be used to register the first terminal with the second terminal, identify it, and open authorization authentication for it, completing the first terminal's registration with the second terminal, the opening of device authorization authentication, and so on. In this embodiment, the second terminal can encrypt its second device identification auth_divice_id with the first key key1 obtained by decrypting MSG_A1, forming the authorization opening result message MSG_B1. The second terminal can likewise send MSG_B1 as a broadcast message over WIFI or Bluetooth, or by another point-to-point communication method. Most second terminals, such as smart bracelets and other wearable devices, can be equipped with a module for short-range communication, a mobile communication network or a dedicated data communication network, enabling information to be exchanged between the first terminal and the second terminal.
When the decryption succeeds, the second terminal can thus encrypt the second device identification with the obtained first key and feed the authorization opening result message back to the first terminal.
S4: first terminal obtains authorization and opens results messages, is decrypted with the first key;If successful decryption, Open device authorization.
The first terminal can receive the authorization-opening result message sent by the second terminal; for example, a smartphone scanning over Bluetooth picks up the authorization result message that a wearable device broadcasts over Bluetooth. The received authorization-opening result message MSG_B1 can then be decrypted with the generated first key key1. If decryption succeeds, this indicates that the second terminal device that sent the authorization result message is reliable. The relevant information of the second terminal can then be registered, such as the second device identification auth_divice_id of the second terminal device, and device authorization can be opened so that authorization-authentication messages can be exchanged with the wearable device, completing the authentication for opening device authorization to the second terminal.
In a preferred embodiment, opening device authorization when the first terminal decrypts successfully may include: when the first terminal device decrypts successfully, opening device authorization to the second terminal based on the second device identification auth_divice_id obtained by the decryption.
When a first terminal such as a smartphone successfully decrypts the message MSG_B1 of a second terminal such as a wearable device, it can obtain the device identification of the wearable device, register and store that device identification on the smartphone side, and also store the first key key1. In this way the smartphone obtains and stores the device identification of the wearable device and opens device authorization only for the stored device identification. This turns open, unrestricted authorization opening into point-to-point authorization opening, effectively prevents illegitimate wearable devices from opening the device authorization authentication service, and improves the security of two-way terminal device authentication.
After the above message exchange for opening authorization authentication, the first terminal, such as a smartphone, can obtain and store the second device identification auth_divice_id of the second terminal, such as a smart bracelet, and can store the generated first key key1. The second terminal can likewise store the device identification app_divice_id of the first terminal, such as a smartphone, and the first key key1, completing the two-way authentication by which the first terminal and the second terminal open device authorization. Compared with traditional one-way authorization authentication between only the wearable device and a smartphone, server, or the like, the embodiments of this application first perform two-way authentication for opening device authorization before authorization authentication, which can substantially improve the security of terminal device authorization authentication.
After the first terminal and the second terminal have opened the device authorization service/function in both directions as described above, device authorization authentication can be carried out. Fig. 2 is a schematic flow diagram of one embodiment of the terminal device authentication method described in this application. As shown in Fig. 2, the method of performing authorization authentication after the first terminal and the second terminal device have opened the authorization authentication function may include:
S1': The first terminal sends an authorization request message generated by encrypting, with the stored first key, a generated second key and the first device identification of the first terminal.
The first terminal can use the stored first key key1 to encrypt the generated second key key2 and the first device identification app_divice_id of the first terminal, forming the authorization request message MSG_A2, and send the authorization request message MSG_A2.
The first terminal can use an application on the first terminal to generate the second key key2. The generated second key key2 may be an authentication key that is random or generated according to a predetermined algorithm; for details, refer to the first key key1 generated while the first terminal opened device authorization, which is not repeated here. As described earlier, the first terminal generated and stored the first key key1 when opening device authorization. Here the first terminal can use that key to encrypt the generated second key key2 and the first device identification app_divice_id of the first terminal, forming the authorization request message MSG_A2 addressed to a second terminal such as a wearable device. It can send the authorization request message MSG_A2 by a short-range communication method such as WIFI, Bluetooth, or infrared, or by a point-to-point or other private communication method, for the second terminal to receive and process.
S2': The second terminal obtains the authorization request message and decrypts it with the stored first key; when decryption succeeds, it judges whether a first authorized device identification corresponding to the first device identification obtained by the decryption is stored.
The second terminal can obtain the authorization request message MSG_A2 and decrypt it with the stored first key key1. When decryption succeeds, it compares the first device identification app_divice_id obtained by the decryption with the stored first authorized device identification Pre_app_divice_id, and judges whether there is a first authorized device identification Pre_app_divice_id corresponding to the first device identification app_divice_id. The second terminal can be a wearable device, which may specifically include, but is not limited to, a watch, glasses, shoes, cap, clothing, jewelry, bracelet, pendant, or similar wearable device fitted with an intelligent processing chip.
In this embodiment the second terminal, a wearable device, can authenticate the first terminal, a smartphone. During the earlier request to open device authorization, the second terminal can obtain the first key key1 sent by the first terminal. The second terminal can receive the authorization request message MSG_A2 sent by the first terminal and then use the first key key1 to decrypt it. If decryption fails, the second terminal's device authorization of the first terminal fails.
If decryption succeeds, the first device identification app_divice_id obtained by decrypting the authorization request message MSG_A2 can be compared with the device identification that was obtained and stored when the device authorization service was opened, to judge whether it matches the device identification recorded when the authorization service was opened. When opening device authorization, the second terminal device can obtain and store the first device identification of the first terminal. Here, the first device identification stored by the second terminal can serve as the first authorized device identification Pre_app_divice_id, marking a reliable terminal device. In application scenarios where terminal devices are in a one-to-many or many-to-many relationship, the second terminal can of course store multiple first authorized device identifications, each of which can correspond to one first terminal device. The second terminal can compare the first device identification app_divice_id with the first authorized device identifications Pre_app_divice_id and judge whether a first authorized device identification Pre_app_divice_id corresponding to the first device identification app_divice_id is stored.
If the judgment result is no, then even though the authorization message MSG_A2 was decrypted successfully, it can be arranged that the first terminal corresponding to the first device identification app_divice_id in the authorization message is not authorized, or that the second terminal's authorization authentication of the first terminal fails.
S3': When the judgment result is yes, the second terminal authorizes the first terminal based on the first device identification, and sends an authorization result message generated by encrypting the second device identification of the second terminal with the second key obtained by the decryption.
Of course, when the judgment result is yes, the second terminal authorizes the first terminal based on the first device identification app_divice_id; the second terminal uses the second key key2 obtained by the decryption to encrypt the second device identification auth_divice_id of the second terminal, forming the authorization result message MSG_B2, and sends the authorization result message MSG_B2.
Specifically, the second terminal can authorize the first terminal identified by the obtained first device identification app_divice_id. In the embodiments of this application, after the second terminal has authorized and authenticated the first terminal, the first terminal must also authenticate the second terminal in the reverse direction, which improves the security and reliability of authorization authentication between the smartphone and the wearable device. The second terminal can therefore use the second key key2 obtained by the decryption to encrypt the second device identification auth_divice_id of the second terminal, forming the authorization result message MSG_B2 that is fed back to the first terminal. The second terminal can then send the authorization result message MSG_B2; for the specific transmission method, refer to the message exchange between the first terminal and the second terminal in the other embodiments of this application, which is not repeated here.
S4': The first terminal obtains the authorization result message and decrypts it with the second key; when decryption succeeds, it judges whether a second authorized device identification corresponding to the second device identification obtained by the decryption is stored, and determines whether to authorize the second terminal based on the judgment result.
The first terminal can obtain the authorization result message MSG_B2 and decrypt it with the second key key2. When decryption succeeds, it compares the second device identification auth_divice_id obtained by the decryption with the stored second authorized device identification Pre_auth_divice_id, judges whether there is a second authorized device identification Pre_auth_divice_id corresponding to the second device identification auth_divice_id, and determines whether to authorize the second terminal based on the judgment result.
The first terminal can obtain the authorization result message MSG_B2 over WIFI, Bluetooth, or the like, and decrypt it with the generated second key key2. If decryption succeeds, the second device identification auth_divice_id obtained by decrypting the authorization result message MSG_B2 can be compared with the device identification that was obtained and stored when the device authorization service was opened, to judge whether it matches the device identification recorded when the authorization service was opened. When opening device authorization, the first terminal device can obtain and store the second device identification of the second terminal. Here, the second device identification stored by the first terminal can serve as the second authorized device identification Pre_auth_divice_id, marking a reliable terminal device. In application scenarios where terminal devices are in a one-to-many or many-to-many relationship, the first terminal can of course store multiple second authorized device identifications, each of which can correspond to one second terminal device, for example the second authorized device identifications of a smart bracelet, a smart watch, and so on. The first terminal can compare the second device identification auth_divice_id with the second authorized device identifications Pre_auth_divice_id and judge whether a second authorized device identification Pre_auth_divice_id corresponding to the second device identification auth_divice_id is stored.
Further, the first terminal can determine, based on the judgment result, whether to authorize the second terminal. If the judgment result is yes, the first terminal authorizes the second terminal. For example, if the smartphone judges that the second device identification obtained from the smart bracelet is the same as the second authorized device identification of the smart bracelet that was stored when authorization authentication was opened, the smartphone can authorize the smart bracelet based on its second device identification, completing the authorization authentication of the smart bracelet. The first terminal can then perform the corresponding authorized operations on the second terminal. If the judgment result is that the obtained device identification of the second terminal does not match the stored second authorized device identification, authorization of the second terminal fails.
The terminal device authentication method provided by this application can first authenticate the request to open device authorization before terminal device authentication takes place. This excludes in advance any terminal device that does not meet the requirements for opening device authorization and effectively prevents illegitimate terminals from asking to open device authorization. During device authorization authentication, in particular authorization authentication between the client on the wearable device and the server side on the smart terminal, two-way authentication based on the preset key and the generated first key and second key is used. Compared with the traditional one-way authentication of the wearable device by the server side only, this greatly improves the security and reliability of authentication between devices and can effectively protect the wearable device against malicious phishing, terminal spoofing, and the like.
In the prior art, the verification feature code used during authorization authentication is usually fixed. Once the feature code is stolen, an attacker can use it to obtain the permissions of the terminal device, so security and reliability are poor. The terminal device authentication method described in this application also provides a preferred embodiment in which the terminal devices performing two-way authorization authentication can change the authentication key during every authorization authentication. Dynamically updating the authentication key in this way can substantially improve the security of terminal device authorization authentication. Fig. 3 is a schematic flow diagram of another embodiment of the terminal device authentication method of this application. As shown in Fig. 3, the terminal device authentication method can also include:
S5': When the second terminal judges that a first authorized device identification Pre_app_divice_id corresponding to the first device identification app_divice_id is stored, the first key key1 is replaced with the second key key2;
When the first terminal judges that a second authorized device identification Pre_auth_divice_id corresponding to the second device identification auth_divice_id obtained by the decryption is stored, the first key key1 is replaced with the second key key2.
In this preferred embodiment, the first terminal can generate a new second authentication key for every new authorization authentication. After one authentication pass, the first terminal and the second terminal can each replace the current first authentication key with the new second authentication key, which becomes the updated first key. Because it updates the authentication key dynamically, the terminal device authentication method of this preferred embodiment can improve the security of terminal device authorization authentication.
In conventional terminal device verification, especially verification between smart terminals (smartphones, tablet computers, and so on) and wearable devices (smart bracelets, smart watches, and so on), WIFI or Bluetooth communication is mostly used. Such short-range transmission is among the lower channel-security levels in modern communication technology: messages are easily intercepted by an attacker in transit, and the transmitted information is easily stolen or forged. In another preferred embodiment of the terminal device authentication method described in this application, additional verification information can be added to the content that the terminal devices transmit, ensuring the reliability of what is received and further improving the security and reliability of information transmission.
Fig. 4 is a schematic flow diagram of another embodiment of the terminal device authentication method described in this application. As shown in Fig. 4, the terminal device authentication method can also include:
S6': The authorization request message sent by the first terminal additionally carries information produced by encrypting, with the first key, additional information generated according to a predetermined rule;
The authorization result message returned by the second terminal additionally carries information produced by encrypting the additional information with the second key;
Correspondingly, when the first terminal successfully decrypts the authorization result message, it also judges whether the additional information obtained by the decryption is the same as the additional information it used when sending the authorization request message, and determines according to that judgment result whether to authorize the second terminal.
The additional information usually includes, but is not limited to, a challenge code (challenge: a string of random numbers that can be used to encrypt messages and avoid sending plaintext over the communication link), a digest (digest: account information of the logged-in user, a session id, and so on), and the like. In this embodiment, additional verification information such as a challenge code or digest can be added to the transmitted information so that the messages sent over the channel are encrypted. This effectively prevents an attacker from deceiving the system by resending a data packet that the terminal device has already received, and can effectively improve the correctness of authorization authentication for wearable devices.
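The S1' to S4' exchange together with the S5' key replacement and the S6' challenge, as an added Python example that is not code from the patent. The patent names no cipher, so `seal`/`open_sealed` are a standard-library encrypt-then-MAC stand-in (an assumption; an AEAD such as AES-GCM would take its place in practice), the challenge travels inside the same sealed body rather than as a separately encrypted field, and the class names, JSON layout and device ids are constructed.

```python
import hashlib
import hmac
import json
import secrets

class AuthError(Exception):
    """Decryption failed or an identity/challenge check did not pass."""

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: stand-in cipher, an assumption of this example.
    out, counter = b"", 0
    while len(out) < length:
        block = b"enc" + nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, fields):
    """Encrypt-then-MAC a dict of message fields under `key`."""
    nonce = secrets.token_bytes(16)
    plain = json.dumps(fields).encode()
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, b"mac" + nonce + cipher, hashlib.sha256).digest()
    return nonce + cipher + tag

def open_sealed(key, message):
    """Return the fields; AuthError is the page's "decryption failed" outcome."""
    if len(message) < 48:
        raise AuthError("message too short")
    nonce, cipher, tag = message[:16], message[16:-32], message[-32:]
    expected = hmac.new(key, b"mac" + nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise AuthError("decryption failed")
    plain = bytes(a ^ b for a, b in zip(cipher, _keystream(key, nonce, len(cipher))))
    return json.loads(plain)

class FirstTerminal:  # requesting side, e.g. the smartphone
    def __init__(self, device_id, key1, authorized_ids):
        self.device_id = device_id             # app_divice_id
        self.key1 = key1                       # stored when authorization was opened
        self.authorized = set(authorized_ids)  # Pre_auth_divice_id values
        self.pending = None

    def build_request(self):
        # S1' and S6': fresh key2 and challenge, sealed under the stored key1.
        key2, challenge = secrets.token_bytes(32), secrets.token_hex(16)
        self.pending = (key2, challenge)
        return seal(self.key1, {"key2": key2.hex(),
                                "app_divice_id": self.device_id,
                                "challenge": challenge})

    def handle_result(self, msg_b2):
        # S4': decrypt with key2, check the peer id and the echoed challenge.
        if self.pending is None:
            raise AuthError("no request outstanding")
        (key2, challenge), self.pending = self.pending, None
        body = open_sealed(key2, msg_b2)
        if body["auth_divice_id"] not in self.authorized:
            raise AuthError("second terminal not authorized")
        if not hmac.compare_digest(body["challenge"], challenge):
            raise AuthError("challenge mismatch")
        self.key1 = key2                       # S5': key2 replaces key1
        return body["auth_divice_id"]

class SecondTerminal:  # responding side, e.g. the wearable
    def __init__(self, device_id, key1, authorized_ids):
        self.device_id = device_id             # auth_divice_id
        self.key1 = key1
        self.authorized = set(authorized_ids)  # Pre_app_divice_id values

    def handle_request(self, msg_a2):
        # S2': decrypt with the stored key1, then look the sender up.
        body = open_sealed(self.key1, msg_a2)
        if body["app_divice_id"] not in self.authorized:
            raise AuthError("first terminal not authorized")
        key2 = bytes.fromhex(body["key2"])
        self.key1 = key2                       # S5': key2 replaces key1
        # S3' and S6': reply under key2, echoing the challenge.
        return seal(key2, {"auth_divice_id": self.device_id,
                           "challenge": body["challenge"]})

def demo():
    key1 = secrets.token_bytes(32)             # constructed shared first key
    phone = FirstTerminal("app-0001", key1, {"band-0001"})
    band = SecondTerminal("band-0001", key1, {"app-0001"})
    msg_a2 = phone.build_request()
    peer = phone.handle_result(band.handle_request(msg_a2))
    rotated = phone.key1 == band.key1 and band.key1 != key1
    try:                                       # replay the captured MSG_A2
        band.handle_request(msg_a2)
        replay_rejected = False
    except AuthError:
        replay_rejected = True
    return peer, rotated, replay_rejected
```

In this sketch the second terminal replaces key1 as soon as it accepts MSG_A2, so a lost MSG_B2 leaves the two sides holding different first keys; the page does not describe a resynchronization step.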
Based on the terminal device authentication method described in this application, the application provides a terminal device authentication device. Fig. 5 is a schematic diagram of the module structure of the terminal device authentication device described in this application. As shown in Fig. 5, the device may include:
First storage unit 101, which can be used to store the generated first key and the obtained second authorized device identification of the second terminal;
First encryption unit 102, which can be used to generate the second key and to encrypt the second key and the obtained first device identification with the first key, generating the authorization request message;
First communication module 103, which can be used to send the authorization request message and also to receive the authorization result message sent by the second terminal. In a specific implementation, the communication module may include a WIFI communication module or a short-range communication module based on Bluetooth or infrared, and may of course also include a mobile communication network module for 2G/3G/4G and later communication protocol versions, as well as a wired communication module.
First decryption judging unit 104, which can be used to decrypt the authorization result message with the second key and, when decryption succeeds, to judge whether the first storage unit 101 stores a second authorized device identification corresponding to the second device identification obtained by the decryption;
First authorization module 105, which can be used to determine, based on the judgment result of the first decryption judging unit 104, whether to authorize the second terminal.
The terminal device authentication device described in this embodiment can be used in terminal devices that authenticate with wearable devices, such as smartphones, tablet computers, or dedicated servers. It can perform device authorization authentication of wearable devices effectively and securely, improving the security of device authorization authentication.
In another preferred embodiment of the terminal device authentication device described in this application, the first key stored in the storage unit 101 can also be updated dynamically, with a key update carried out in every device authorization authentication, which can greatly improve the security and reliability of device authorization authentication. Fig. 6 is a schematic diagram of the module structure of another embodiment of the terminal device authentication device described in this application. As shown in Fig. 6, the terminal device authentication device of the preferred embodiment can also include:
First key update module 106, which can be used, when the judgment result of the first decryption judging unit 104 is yes, to replace the first key stored in the first storage unit 101 with the second key generated by the first encryption unit 102.
To keep the authentication keys of the terminal devices taking part in authorization authentication updated in step, the first key update module 106 in this embodiment can, when the first decryption judging unit 104 judges that the first storage unit 101 stores the second authorized device identification corresponding to the second device identification obtained by the decryption, replace the first key stored in the first storage unit 101 with the second key generated by the first encryption unit 102. If the judgment result is yes, it can be taken that the second terminal that received the authorization request message has passed authorization authentication and that the authentication key pre-stored in the second terminal, that is, the first key, has also been updated to the second key. This ensures that the two terminal devices use consistent keys for encryption and decryption in the next authorization authentication.
In another embodiment of this application, to further strengthen the security of information transmission over the communication channel between the terminal devices performing authorization authentication, the device is extended as follows. Fig. 7 is a schematic diagram of the module structure of another embodiment of the terminal device authentication device described in this application. As shown in Fig. 7, the terminal device authentication device can also include:
Additional information module 107, which can be used to add to the authorization request message information produced by encrypting, with the first key, additional information generated according to a predetermined rule;
Correspondingly, when the first decryption judging unit 104 successfully decrypts the authorization result message, it also judges whether the additional information obtained by the decryption is the same as the additional information that was added to the authorization request message, and the first authorization module 105 determines whether to authorize the second terminal according to the judgment result for the additional information.
In one embodiment of the terminal device authentication device described in this application, the second terminal can be a wearable device, which can include, but is not limited to, a watch, glasses, shoes, cap, clothing, jewelry, bracelet, or pendant fitted with an intelligent processing chip.
The terminal device authentication device described above can be used in terminal devices that authenticate with wearable devices, such as smartphones, tablet computers, or dedicated servers. Correspondingly, the application also provides an authentication device that can be used in the terminal devices of wearables such as smart watches and smart bracelets, for performing authorization authentication of terminal devices such as smartphones and servers. Fig. 8 is a schematic diagram of the module structure of one embodiment of the terminal device authentication device described in this application. As shown in Fig. 8, the device may include:
Second communication module 201, which can be used to receive the authorization request message sent by the first terminal and to send the authorization result message;
Second storage unit 202, which can be used to store the obtained first authorized device identification of the first terminal and the first key;
Second decryption judging unit 203, which can be used to decrypt the authorization request message with the stored first key and, when decryption succeeds, to judge whether the second storage unit 202 stores a first authorized device identification corresponding to the first device identification;
Second authorization module 204, which can determine, based on the judgment result of the second decryption judging unit 203, whether to authorize the first terminal corresponding to the first device identification.
Second encryption unit 205, which can be used, when the judgment result of the second decryption judging unit 203 is yes, to encrypt the second device identification of the second terminal with the second key and generate the authorization result message.
The terminal device authentication device provided in this embodiment can, in a wearable terminal, authenticate a terminal device such as a smartphone that requests authorization, completing two-way authorization authentication of the terminal devices. In this embodiment, the first key obtained when authorization was opened can be used to decrypt the authorization request message and obtain the first device identification, which is compared with the stored first authorized device identification to judge whether the first terminal requesting authorization is legitimate; whether to authorize the first terminal is then determined according to the judgment result. In this way the terminal device of the wearable can effectively authenticate, in the reverse direction, the smart terminal, server, or other device that requests authorization authentication, improving the security of terminal device authorization authentication.
In a preferred embodiment, the terminal device authentication device for wearable devices described above can also update the authentication key dynamically, improving the security and reliability of terminal device authorization authentication. Fig. 9 is a schematic diagram of the module structure of another embodiment of the terminal device authentication device described in this application. As shown in Fig. 9, the device can also include:
Second key update module 206, which can be used, when the second decryption judging unit 203 judges that the second storage unit 202 stores a first authorized device identification corresponding to the first device identification obtained by the decryption, to replace the first key stored in the second storage unit 201 with the second key obtained by the decryption.
As described earlier, after the second terminal decrypts successfully, the stored first key can be changed to the second key obtained when decrypting the authorization request message. This realizes dynamic updating of the authentication key in terminal device authorization authentication and improves the security and reliability of the authentication process.
Fig. 10 is a schematic diagram of the module structure of another embodiment of the terminal device authentication device described in this application. In the further preferred embodiment shown in Fig. 10, the device can also include:
Additional information processing module 207, which can be used to add to the authorization result message information produced by encrypting the additional information obtained by the decryption with the second key obtained by the decryption.
Adding additional information to the messages transmitted during terminal device authorization authentication can guard against forged transmitted messages and further strengthens the security of information transmission over the communication channel between the terminal devices performing authorization authentication.
Based on the terminal device authentication devices described in this application for the first terminal device and the second terminal device (wearable devices and smartphones, tablet computers, servers), the application provides a terminal device authentication system, which may specifically include:
First terminal, which can be used to send an authorization request message generated by encrypting, with the stored first key, a generated second key and the first device identification of the first terminal; can also be used to obtain the authorization result message sent by the second terminal and decrypt it with the second key; and can also be used, when decryption succeeds, to judge whether a second authorized device identification corresponding to the second device identification obtained by the decryption is stored, and to determine based on the judgment result whether to authorize the second terminal;
Second terminal, which can be used to obtain the authorization request message sent by the first terminal and decrypt it with the stored first key; can also be used, when decryption succeeds, to judge whether a first authorized device identification corresponding to the first device identification obtained by the decryption is stored; and can also be used, when the judgment result is yes, to authorize the first terminal based on the first device identification and to send an authorization result message generated by encrypting the second device identification of the second terminal with the second key obtained by the decryption.
In a preferred embodiment, the terminal device authentication system above can also include:
A device by which the first terminal replaces the first key with the second key when it judges that a second authorized device identification corresponding to the second device identification obtained by the decryption is stored;
A device by which the second terminal replaces the first key with the second key when it judges that a first authorized device identification corresponding to the first device identification is stored.
The terminal device authentication system described in the above embodiments can realize two-way authorization authentication between terminal devices and improve the security of device authorization authentication. In the preferred embodiment the authentication key is updated dynamically, which can further improve the security and reliability of device authorization authentication.
The application also provides a terminal device authentication system that can authenticate the opening of device authorization before authorization authentication, ensuring that a terminal device requesting authorization authentication is entitled to carry it out. The terminal device authentication system provided by this application may therefore specifically include:
First terminal, which can be used to send an authorization-opening request message generated by encrypting, with the stored preset key, a generated first key and the first device identification of the first terminal; and can also be used to obtain the authorization-opening result message sent by the second terminal and decrypt it with the first key, opening device authorization if decryption succeeds;
Second terminal, which can be used to obtain the authorization-opening request message sent by the first terminal, decrypt it with the stored preset key, and judge according to the result of the decryption whether to open device authorization; and can also be used, when the decryption succeeds, to send an authorization-opening result message generated by encrypting the second device identification of the second terminal with the first key obtained by the decryption.
It can also include at least one of following in the terminal device authentication system in preferred embodiment.
Second device identification for being obtained when the first terminal is in the successful decryption based on the decryption The device of device authorization is opened to the second terminal;
The first equipment for being obtained when the result of the decryption is successfully based on the decryption in the second terminal Mark opens the device of device authorization to the first terminal.
In the terminal device authentication system described above, the second terminal may include, but is not limited to, a wearable device loaded with an intelligent processing chip, such as a watch, glasses, shoes, a cap, clothes, jewellery, a bracelet or a pendant.
The terminal device authentication method, apparatus and system provided by the application can implement two-way authentication, between multiple terminals, both for opening device authorization and for device authorization. Compared with the one-way authentication of terminal devices, especially wearable devices, in the prior art, this greatly improves the security of terminal device authentication.
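The two exchanges summarized above (opening device authorization under the preset key, then mutual authorization in which the second key replaces the first key) are shown here as an added Python example that is not part of the patent text. The cipher is a stand-in built from standard-library HMAC-SHA256 so that decryption success can be checked offline; the key length, the message layout (key followed by device identification), the class and method names, the treatment of "opening" as storing the peer's identification, and all sample values are assumptions.

```python
import hashlib, hmac, secrets

KEY_LEN = 32  # generated key size in bytes (assumption; the page fixes none)

def subkeys(key):
    # Derive independent encryption and MAC keys from one shared key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def keystream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key, plaintext):
    # Stand-in authenticated cipher (not from the page): XOR with an
    # HMAC-SHA256 keystream, then MAC the nonce and ciphertext.
    enc_key, mac_key = subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    # Plaintext, or None when decryption fails (wrong key or altered message).
    if key is None or not blob or len(blob) < 48:
        return None
    enc_key, mac_key = subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))

class Terminal:
    def __init__(self, device_id, preset_key):
        self.device_id = device_id
        self.preset_key = preset_key
        self.key = None          # stored "first key", set once authorization is opened
        self.authorized = set()  # stored authorized device identifications
        self.pending = None      # key generated for the request in flight

    def _request(self, wrap_key):
        if wrap_key is None:
            raise RuntimeError("device authorization has not been opened")
        self.pending = secrets.token_bytes(KEY_LEN)
        return seal(wrap_key, self.pending + self.device_id)

    def _split(self, wrap_key, msg):
        body = unseal(wrap_key, msg)
        if body is None or len(body) <= KEY_LEN:
            return None, None
        return body[:KEY_LEN], body[KEY_LEN:]

    # Opening device authorization: the preset key wraps first key + identification.
    def open_request(self):
        return self._request(self.preset_key)

    def handle_open_request(self, msg):
        first_key, peer_id = self._split(self.preset_key, msg)
        if first_key is None:
            return None
        self.key = first_key
        self.authorized.add(peer_id)  # assumption: opening stores the peer's identification
        return seal(first_key, self.device_id)

    def handle_open_result(self, msg):
        peer_id = unseal(self.pending, msg)
        if peer_id is None:
            return False
        self.key, self.pending = self.pending, None
        self.authorized.add(peer_id)
        return True

    # Authorization: the stored first key wraps second key + identification.
    def auth_request(self):
        return self._request(self.key)

    def handle_auth_request(self, msg):
        second_key, peer_id = self._split(self.key, msg)
        if second_key is None or peer_id not in self.authorized:
            return None
        self.key = second_key  # the second key replaces the first key
        return seal(second_key, self.device_id)

    def handle_auth_result(self, msg):
        peer_id = unseal(self.pending, msg)
        if peer_id is None or peer_id not in self.authorized:
            return False
        self.key, self.pending = self.pending, None
        return True

def demo():
    preset = b"constructed-preset-key"  # all sample values here are constructed
    phone, watch = Terminal(b"PHONE-0001", preset), Terminal(b"WATCH-0001", preset)
    opened = phone.handle_open_result(watch.handle_open_request(phone.open_request()))
    first_key, request = phone.key, phone.auth_request()
    mutual = phone.handle_auth_result(watch.handle_auth_request(request))
    rotated = phone.key == watch.key != first_key
    return opened, mutual, rotated, watch.handle_auth_request(request) is None

if __name__ == "__main__":
    print(demo())
```

The last value returned by `demo()` shows that an authorization request captured before a successful round no longer decrypts afterwards, because the second terminal has already replaced the key it was encrypted under.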
Although this application mentions information exchange based on message transmission over mobile communication networks, WIFI, Bluetooth and the like, the application is not limited to cases that must use a fully standard data transmission protocol. A transmission mechanism slightly modified from certain protocols can also carry out the schemes of the above embodiments of the application. Of course, even if a proprietary protocol is used instead of the above general or standard protocols, the same application can still be implemented as long as the information exchange and the information judgment and feedback of the above embodiments of the application are met, and details are not repeated here.
The units or modules described in the above embodiments may be implemented by a computer chip or an entity, or by a product having a certain function. For convenience of description, the above devices are described as divided into various modules by function. Of course, when implementing the application, the functions of the modules may be implemented in one or more pieces of software and/or hardware, and a module that implements a given function may also be implemented by a combination of multiple submodules or subunits.
It is also known in the art that, besides implementing a controller purely as computer-readable program code, it is entirely possible to program the method steps logically so that the controller implements the same functions in the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may therefore be regarded as a hardware component, and the devices it contains for implementing various functions may also be regarded as structures within the hardware component. Or even, the devices for implementing various functions may be regarded both as software modules that implement the method and as structures within the hardware component.
The application may be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures, classes and the like that perform specific tasks or implement specific abstract data types. The application may also be practiced in distributed computing environments, in which tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including storage devices.
From the above description of the embodiments, those skilled in the art can clearly understand that the application can be implemented by means of software plus a necessary general hardware platform. Based on this understanding, the technical solution of the application in essence, or the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product can be stored in a storage medium, such as ROM/RAM, a magnetic disk, an optical disc or an intelligent chip, and includes a number of instructions that cause a computer device (which may be a personal computer, mobile terminal, server, wearable device, network device or the like) to execute the methods described in the embodiments of the application or in certain parts of the embodiments.
The embodiments in this specification are described in a progressive manner; for the same or similar parts the embodiments may refer to one another, and each embodiment focuses on its differences from the others. The application can be used in numerous general-purpose or special-purpose computer system environments or configurations, including terminals with an intelligent processing chip. For example: personal computers, server computers, handheld or portable devices, laptop devices, multiprocessor systems, microprocessor-based systems, programmable electronic devices, network PCs, minicomputers, mainframe computers, wearable devices, and distributed computing environments that include any of the above systems or devices.
Although the application has been described by way of embodiments, those of ordinary skill in the art will appreciate that the application has many variations and changes that do not depart from its spirit, and it is intended that the appended claims cover these variations and changes without departing from the spirit of the application.

Claims (22)

1. A terminal device authentication method, characterized in that the method comprises:
The first terminal sends an authorization opening request message generated by encrypting a generated first key and the first device identification of the first terminal with a stored preset key;
The second terminal obtains the authorization opening request message, decrypts it with the stored preset key, and judges according to the result of the decryption whether to open device authorization;
When the result of the decryption is success, sending an authorization opening result message generated by encrypting the second device identification of the second terminal with the first key obtained by the decryption;
The first terminal obtains the authorization opening result message and decrypts the authorization opening result message with the first key; if decryption succeeds, device authorization is opened.
2. A terminal device authentication method as claimed in claim 1, characterized in that the second terminal includes a wearable device loaded with an intelligent processing chip: a watch, glasses, shoes, a cap, clothes, jewellery, a bracelet or a pendant.
3. A terminal device authentication method as claimed in claim 1 or 2, characterized in that, when the result of the decryption is success, the second terminal opening device authorization includes:
When the result of the decryption is success, the second terminal opens device authorization to the first terminal based on the first device identification obtained by the decryption.
4. A terminal device authentication method as claimed in claim 1 or 2, characterized in that, when the decryption by the first terminal succeeds, opening device authorization includes:
When the decryption by the first terminal succeeds, opening device authorization to the second terminal based on the second device identification obtained by the decryption.
5. A terminal device authentication method, characterized in that the method comprises:
The first terminal sends an authorization request message generated by encrypting a generated second key and the first device identification of the first terminal with a stored first key;
The second terminal obtains the authorization request message and decrypts it with the stored first key; when the decryption succeeds, it judges whether a first authorized device identification corresponding to the first device identification obtained by the decryption is stored;
When the judgment result is affirmative, the second terminal authorizes the first terminal based on the first device identification, and sends an authorization result message generated by encrypting the second device identification of the second terminal with the second key obtained by the decryption;
The first terminal obtains the authorization result message and decrypts it with the second key; when decryption succeeds, it judges whether a second authorized device identification corresponding to the second device identification obtained by the decryption is stored, and determines based on the judgment result whether to authorize the second terminal.
6. A terminal device authentication method, characterized in that the method comprises:
The first terminal sends an authorization request message generated by encrypting a generated second key and the first device identification of the first terminal with a stored first key;
The first terminal obtains the authorization result message sent by the second terminal and decrypts it with the second key;
When the decryption succeeds, the first terminal judges whether a second authorized device identification corresponding to the second device identification obtained by the decryption is stored, and determines based on the judgment result whether to authorize the second terminal.
7. A terminal device authentication method as claimed in claim 6, characterized in that the method further comprises:
When the first terminal judges that a second authorized device identification corresponding to the second device identification obtained by the decryption is stored, replacing the first key with the second key.
8. A terminal device authentication method as claimed in claim 6, characterized in that the method further comprises:
Adding, to the authorization request message sent by the first terminal, information obtained by encrypting with the first key additional information generated according to a predetermined rule;
Correspondingly, when decryption of the authorization result message succeeds, the first terminal also judges whether the additional information obtained by the decryption is the same as the additional information added to the authorization request message, and determines according to the judgment result whether to authorize the second terminal.
9. A terminal device authentication method, characterized in that the method comprises:
The second terminal obtains the authorization request message sent by the first terminal and decrypts it with the stored first key;
When the decryption succeeds, the second terminal judges whether a first authorized device identification corresponding to the first device identification obtained by the decryption is stored;
When the judgment result is affirmative, the second terminal authorizes the first terminal based on the first device identification, and sends an authorization result message generated by encrypting the second device identification of the second terminal with the second key obtained by the decryption.
10. A terminal device authentication method as claimed in claim 9, characterized in that the method further comprises:
When the second terminal judges that a first authorized device identification corresponding to the first device identification is stored, replacing the first key with the second key.
11. A terminal device authentication method as claimed in claim 9, characterized in that the method further comprises:
Adding, to the authorization result message sent by the second terminal, information obtained by encrypting additional information with the second key.
12. A terminal device authentication method as claimed in claim 9, characterized in that
The second terminal includes a wearable device loaded with an intelligent processing chip: a watch, glasses, shoes, a cap, clothes, jewellery, a bracelet or a pendant.
13. A terminal device authentication device, characterized in that the device comprises:
A first storage unit, for storing the generated first key and the obtained second authorized device identification of the second terminal;
A first encryption unit, for generating a second key, and encrypting the second key and the obtained first device identification with the first key to generate an authorization request message;
A first communication module, for sending the authorization request message, and also for receiving the authorization result message sent by the second terminal;
A first decryption judging unit, for decrypting the authorization result message with the second key and, when decryption succeeds, judging whether the first storage unit stores a second authorized device identification corresponding to the second device identification obtained by the decryption;
A first authorization module, for determining, based on the judgment result of the first decryption judging unit, whether to authorize the second terminal.
14. A terminal device authentication device as claimed in claim 13, characterized in that the device further comprises:
A first key update module, for replacing the first key stored in the first storage unit with the second key generated by the first encryption unit when the judgment result of the first decryption judging unit is affirmative.
15. A terminal device authentication device as claimed in claim 13 or 14, characterized in that the device further comprises:
An additional information module, for adding to the authorization request message information obtained by encrypting with the first key additional information generated according to a predetermined rule;
Correspondingly, when decryption of the authorization result message succeeds, the first decryption judging unit also judges whether the additional information obtained by the decryption is the same as the additional information added to the authorization request message, and the first authorization module determines according to the judgment result on the additional information whether to authorize the second terminal.
16. A terminal device authentication device, characterized in that the device comprises:
A second communication module, for receiving the authorization request message sent by the first terminal and sending the authorization result message;
A second storage unit, for storing the obtained first authorized device identification of the first terminal and the first key;
A second decryption judging unit, for decrypting the authorization request message with the stored first key and, when decryption succeeds, judging whether the second storage unit stores a first authorized device identification corresponding to the first device identification;
A second authorization module, for determining, based on the judgment result of the second decryption judging unit, whether to authorize the first terminal corresponding to the first device identification;
A second encryption unit, for encrypting the second device identification of the second terminal with the second key to generate the authorization result message when the judgment result of the second decryption judging unit is affirmative.
17. A terminal device authentication device as claimed in claim 16, characterized in that the device further comprises:
A second key update module, for replacing the first key stored in the second storage unit with the second key obtained by the decryption when the second decryption judging unit judges that the second storage unit stores a first authorized device identification corresponding to the first device identification obtained by the decryption.
18. A terminal device authentication device as claimed in claim 16 or 17, characterized in that the device further comprises:
An additional information processing module, for adding to the authorization result message information obtained by encrypting, with the second key obtained by the decryption, the additional information obtained by the decryption.
19. A terminal device authentication system, characterized in that the system comprises:
A first terminal, for sending an authorization request message generated by encrypting a generated second key and the first device identification of the first terminal with a stored first key; also for obtaining the authorization result message sent by the second terminal and decrypting it with the second key; and also for judging, when decryption succeeds, whether a second authorized device identification corresponding to the second device identification obtained by the decryption is stored, and determining based on the judgment result whether to authorize the second terminal;
A second terminal, for obtaining the authorization request message sent by the first terminal and decrypting it with the stored first key; also for judging, when the decryption succeeds, whether a first authorized device identification corresponding to the first device identification obtained by the decryption is stored; and also for authorizing the first terminal based on the first device identification when the judgment result is affirmative, and sending an authorization result message generated by encrypting the second device identification of the second terminal with the second key obtained by the decryption.
20. A terminal device authentication system as claimed in claim 19, characterized in that the system further comprises:
A device for the first terminal to replace the first key with the second key when it judges that a second authorized device identification corresponding to the second device identification obtained by the decryption is stored;
A device for the second terminal to replace the first key with the second key when it judges that a first authorized device identification corresponding to the first device identification exists.
21. A terminal device authentication system, characterized in that the system comprises:
A first terminal, for sending an authorization request message generated by encrypting a generated second key and the first device identification of the first terminal with a stored first key; also for obtaining the authorization result message sent by the second terminal and decrypting it with the second key; and also for judging, when decryption succeeds, whether a second authorized device identification corresponding to the second device identification obtained by the decryption is stored, and determining based on the judgment result whether to authorize the second terminal;
A second terminal, for obtaining the authorization request message sent by the first terminal and decrypting it with the stored first key; also for judging, when the decryption succeeds, whether a first authorized device identification corresponding to the first device identification obtained by the decryption is stored; and also for authorizing the first terminal based on the first device identification when the judgment result is affirmative, and sending an authorization result message generated by encrypting the second device identification of the second terminal with the second key obtained by the decryption.
22. A terminal device authentication system as claimed in claim 21, characterized by at least one of the following:
A device for the first terminal, when the decryption succeeds, to open device authorization to the second terminal based on the second device identification obtained by the decryption;
A device for the second terminal, when the result of the decryption is success, to open device authorization to the first terminal based on the first device identification obtained by the decryption.
CN201510115367.2A 2015-03-17 2015-03-17 A kind of terminal device authentication method, apparatus and system Active CN106034028B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201510115367.2A CN106034028B (en) 2015-03-17 2015-03-17 A kind of terminal device authentication method, apparatus and system
CN201910501817.XA CN110365484B (en) 2015-03-17 2015-03-17 Data processing method, device and system for equipment authentication

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510115367.2A CN106034028B (en) 2015-03-17 2015-03-17 A kind of terminal device authentication method, apparatus and system

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN201910501817.XA Division CN110365484B (en) 2015-03-17 2015-03-17 Data processing method, device and system for equipment authentication

Publications (2)

Publication Number Publication Date
CN106034028A CN106034028A (en) 2016-10-19
CN106034028B true CN106034028B (en) 2019-06-28

Family

ID=57151061

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201910501817.XA Active CN110365484B (en) 2015-03-17 2015-03-17 Data processing method, device and system for equipment authentication
CN201510115367.2A Active CN106034028B (en) 2015-03-17 2015-03-17 A kind of terminal device authentication method, apparatus and system

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN201910501817.XA Active CN110365484B (en) 2015-03-17 2015-03-17 Data processing method, device and system for equipment authentication

Country Status (1)

Country Link
CN (2) CN110365484B (en)

Also Published As

Publication number Publication date
CN110365484A (en) 2019-10-22
CN110365484B (en) 2023-01-20
CN106034028A (en) 2016-10-19

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
REG Reference to a national code

Ref country code: HK

Ref legal event code: DE

Ref document number: 1229972

Country of ref document: HK

GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20200924

Address after: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Patentee after: Innovative advanced technology Co.,Ltd.

Address before: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Patentee before: Advanced innovation technology Co.,Ltd.

Effective date of registration: 20200924

Address after: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Patentee after: Advanced innovation technology Co.,Ltd.

Address before: Greater Cayman, British Cayman Islands

Patentee before: Alibaba Group Holding Ltd.