A terminal device authentication method, apparatus and system
Technical field
The present application belongs to the field of communication information processing, and in particular to a terminal device authentication method, apparatus and system.
Background art
With the development of the mobile Internet and the Internet of Things, terminal devices including wearable devices (such as smart bracelets, smartwatches, etc.) are becoming more and more common, and are increasingly becoming the development trend of future intelligent mobile product applications. Wearable devices often contain a variety of sensitive information about the user, such as accounts, identity, communications and property; if the permissions of a wearable device are obtained through attacks such as malicious phishing, terminal spoofing or information interception, the user may suffer immeasurable loss. Therefore, the security certification of wearable devices is receiving increasing attention. Security application products based on wearable devices have also begun to appear; their solutions mainly have the wearable device perform authorization authentication of an intelligent terminal (such as a smart mobile phone, smart television, etc.) based on a feature code of that intelligent terminal or of a third-party application.
However, the feature code used in existing wearable device authorization authentication solutions is usually a single, constant feature code, and the authentication process generally uses channels with a lower security level, such as WIFI or Bluetooth, and is a one-way authentication. With the authorization authentication method of the prior art, the feature code is easily intercepted or leaked, or a forged intelligent terminal can deceive the wearable device and obtain its permissions. The authorization authentication method for wearable devices in the prior art therefore still has significant security risks.
Summary of the invention
The purpose of the present application is to provide a terminal device authentication method, apparatus and system, which can provide two-way authentication in the authorization process for intelligent terminals including wearable devices, and improve the security of terminal device authorization authentication.
The terminal device authentication method, apparatus and system provided by the present application are implemented as follows:
A terminal device authentication method, the method comprising:
a first terminal sending an authorization opening request message generated by encrypting, with a stored preset key, a generated first key and a first device identification of the first terminal;
a second terminal obtaining the authorization opening request message, decrypting it with a stored preset key, and judging, according to the result of the decryption, whether to open device authorization;
when the result of the decryption is success, the second terminal sending an authorization opening result message generated by encrypting a second device identification of the second terminal with the first key obtained by the decryption;
the first terminal obtaining the authorization opening result message and decrypting the authorization opening result message with the first key; and, if the decryption succeeds, opening device authorization.
A terminal device authentication method, the method comprising:
a first terminal sending an authorization request message generated by encrypting, with a stored first key, a generated second key and a first device identification of the first terminal;
a second terminal obtaining the authorization request message and decrypting it with a stored first key; when the decryption succeeds, judging whether a first authorization device identification corresponding to the first device identification obtained by the decryption is stored;
when the judging result is yes, the second terminal authorizing the first terminal based on the first device identification, and sending an authorization result message generated by encrypting a second device identification of the second terminal with the second key obtained by the decryption;
the first terminal obtaining the authorization result message and decrypting it with the second key; when the decryption succeeds, judging whether a second authorization device identification corresponding to the second device identification obtained by the decryption is stored, and determining whether to authorize the second terminal based on the judging result.
A terminal device authentication method, the method comprising:
a first terminal sending an authorization request message generated by encrypting, with a stored first key, a generated second key and a first device identification of the first terminal;
the first terminal obtaining an authorization result message sent by a second terminal and decrypting it with the second key;
when the decryption succeeds, the first terminal judging whether a second authorization device identification corresponding to the second device identification obtained by the decryption is stored, and determining whether to authorize the second terminal based on the judging result.
A terminal device authentication method, the method comprising:
a second terminal obtaining an authorization request message sent by a first terminal and decrypting it with a stored first key;
when the decryption succeeds, the second terminal judging whether a first authorization device identification corresponding to the first device identification obtained by the decryption is stored;
when the judging result is yes, the second terminal authorizing the first terminal based on the first device identification, and sending an authorization result message generated by encrypting a second device identification of the second terminal with the second key obtained by the decryption.
A terminal device authentication apparatus, the apparatus comprising:
a first storage unit, for storing a generated first key and an obtained second authorization device identification of a second terminal;
a first encryption unit, for generating a second key, and encrypting the second key and an obtained first device identification with the first key to generate an authorization request message;
a first communication module, for sending the authorization request message, and further for receiving an authorization result message sent by the second terminal;
a first decryption judging unit, for decrypting the authorization result message with the second key and, when the decryption succeeds, judging whether the first storage unit stores a second authorization device identification corresponding to the second device identification obtained by the decryption;
a first authorization module, for determining whether to authorize the second terminal based on the judging result of the first decryption judging unit.
A terminal device authentication apparatus, the apparatus comprising:
a second communication module, for receiving an authorization request message sent by a first terminal and sending an authorization result message;
a second storage unit, for storing an obtained first authorization device identification of the first terminal and a first key;
a second decryption judging unit, for decrypting the authorization request message with the stored first key and, when the decryption succeeds, judging whether the second storage unit stores a first authorization device identification corresponding to the first device identification;
a second authorization module, for determining, based on the judging result of the second decryption judging unit, whether to authorize the first terminal corresponding to the first device identification;
a second encryption unit, for, when the judging result of the second decryption judging unit is yes, encrypting a second device identification of the second terminal with the second key to generate the authorization result message.
A terminal device authentication system, the system comprising:
a first terminal, for sending an authorization request message generated by encrypting, with a stored first key, a generated second key and a first device identification of the first terminal; further for obtaining an authorization result message sent by a second terminal and decrypting it with the second key; and further for, when the decryption succeeds, judging whether a second authorization device identification corresponding to the second device identification obtained by the decryption is stored, and determining whether to authorize the second terminal based on the judging result;
a second terminal, for obtaining the authorization request message sent by the first terminal and decrypting it with a stored first key; further for, when the decryption succeeds, judging whether a first authorization device identification corresponding to the first device identification obtained by the decryption is stored; and further for, when the judging result is yes, authorizing the first terminal based on the first device identification, and sending an authorization result message generated by encrypting a second device identification of the second terminal with the second key obtained by the decryption.
The terminal device authentication method, apparatus and system provided by the present application can ensure authentication both when opening device authorization between multiple terminals and during device authorization itself. The first terminal can encrypt an authentication key and its device identification with a prestored preset key to form an authorization opening request message, so that only a second terminal that also stores the preset key can decrypt it, completing authentication of the opening of authorization on one side. The second terminal can then encrypt its own device identification with the authentication key obtained by the decryption; the first terminal decrypts this message, and only if the decryption succeeds is authorization authentication opened towards the second terminal, completing the two-way authentication of the terminal device's request to open authorization. Further, after authorization has been opened and the device identification of the authorized device has been obtained, the terminal device authentication method provided by the present application can be used to carry out authorization authentication for permissions such as applications on the terminal device or the device itself. Two-way authentication between the terminals is still used during device authorization, the device identifications and an authentication key are added to the interaction messages of the two-way authentication, and in the preferred embodiment the authentication key used can also be updated dynamically. This can greatly improve the authorization authentication of terminal devices such as wearable devices, and improve the security of terminal device authorization authentication.
Brief description of the drawings
In order to explain the technical solutions in the embodiments of the present application or in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only some of the embodiments recorded in the present application, and those of ordinary skill in the art can obtain other drawings based on these drawings without creative effort.
Fig. 1 is a method flow diagram of an embodiment of the terminal device authentication method of the present application;
Fig. 2 is a method flow diagram of an embodiment of the terminal device authentication method of the present application;
Fig. 3 is a flow diagram of another embodiment of the terminal device authentication method of the present application;
Fig. 4 is a flow diagram of another embodiment of the terminal device authentication method of the present application;
Fig. 5 is a module structure diagram of an embodiment of the terminal device authentication apparatus of the present application;
Fig. 6 is a module structure diagram of another embodiment of the terminal device authentication apparatus of the present application;
Fig. 7 is a module structure diagram of another embodiment of the terminal device authentication apparatus of the present application;
Fig. 8 is a module structure diagram of an embodiment of the terminal device authentication apparatus of the present application;
Fig. 9 is a module structure diagram of another embodiment of the terminal device authentication apparatus of the present application;
Fig. 10 is a module structure diagram of another embodiment of the terminal device authentication apparatus of the present application.
Specific embodiment
In order to enable those skilled in the art to better understand the technical solutions in the present application, the technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments of the present application. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by those of ordinary skill in the art based on the embodiments in the present application without creative effort shall fall within the scope of protection of the present application.
The terminals described herein may include, but are not limited to, terminal devices such as wearable devices. The terminal device authorization authentication may take place in an application scenario where a terminal device, including but not limited to a user-side terminal device, connects to the Internet through a connection such as Wi-Fi or a cellular mobile network and performs authorization authentication with a server side; it may also take place in an application scenario where the terminal device connects to another intelligent terminal through a wired connection or through a mode such as a Bluetooth transmission protocol or NFC near-field communication and performs authorization authentication with it. Below, the present application describes the method and apparatus in detail by taking the authorization authentication between a wearable terminal device and a smart mobile phone as an example. The wearable devices described herein include, but are not limited to, wearable items such as watches, glasses, shoes, hats, clothing and jewellery that carry an intelligent processing chip.
Before authorization authentication is carried out between terminal devices, it is possible first to verify whether the terminal device requesting authorization authentication is trustworthy, and only after the verification passes to open authorization authentication to the terminal device requesting authorization and then to authorize it. Using the preliminary authentication method described herein to decide whether to open authorization authentication to a terminal device can effectively reduce authorization authentication by illegal terminal devices, blocking at an early stage the authorization authentication and communication between a wearable device or other terminal device and an illegal terminal. Fig. 1 is a method flow diagram of one embodiment of the terminal device authentication method described herein. As shown in Fig. 1, the method may include:
S1: the first terminal sends an authorization opening request message generated by encrypting, with a stored preset key, a generated first key and a first device identification of the first terminal.
The first terminal encrypts the generated first key key1 and the first device identification of the first terminal with its stored preset key key0, forms the authorization opening request message MSG_A1, and sends the authorization opening request message MSG_A1.
The first terminal may be the smart phone described above, or may be another mobile intelligent terminal in other application scenarios. In this embodiment, the terminal device that sends the authorization opening request message MSG_A1 may be taken as the first terminal, and the terminal device that receives the authorization opening request message MSG_A1 may be taken as the second terminal; in a specific implementation such as this embodiment, the smart phone may serve as the first terminal and the wearable device as the second terminal. Of course, in the above embodiment the first terminal that performs authorization authentication with a second terminal such as a wearable device may also be a specially arranged server or an intelligent terminal management device, etc.
The preset key key0 may be stored in the first terminal in advance; it may be an initialization key set at the factory, or a key agreed in advance with the second terminal, and it can be used for opening device authorization or for device authorization authentication. The first key key1 may be generated in the first terminal, and the first key key1 can be used for authorization authentication with a second terminal that may include the wearable device. The first terminal may generate the first key key1 through an application on the terminal or through a preset key generation algorithm, and the first key key1 may be a key in a conventional data format such as numbers, characters or symbols.
The preset key key0 may then be used to encrypt the generated first key key1 and the first device identification app_divice_id of the first terminal, forming the authorization opening request message MSG_A1 of the first terminal. The first device identification app_divice_id of the first terminal may be identification information that uniquely identifies the first terminal device, for example the IMEI or MAC of a smart phone or another device identification string.
After forming the authorization opening request message MSG_A1, the first terminal may send the authorization opening request message MSG_A1. The specific sending method may include broadcasting the authorization opening request message MSG_A1 via WIFI or Bluetooth, etc., and of course may also include using a dedicated channel or another network communication mode.
The first terminal can encrypt the generated first key and the first device identification of the first terminal with the stored preset key, form the authorization opening request message MSG_A1, and send the authorization opening request message MSG_A1 by broadcast, point-to-point transmission or another means.
S2: the second terminal obtains the authorization opening request message, decrypts it with the stored preset key, and can judge, according to the result of the decryption, whether to open device authorization.
The second terminal may obtain the authorization opening request message MSG_A1 sent by the first terminal, and may decrypt the obtained authorization opening request message MSG_A1 with the stored preset key key0; the second terminal judges, according to the result of the decryption, whether to open device authorization.
The second terminal may receive the authorization opening message sent by the first terminal in broadcast or point-to-point form. The preset key key0 is likewise stored in advance in the second terminal; for example, a wearable device such as a smart bracelet or smartwatch may store in advance a preset key key0 set at the factory. The preset key in the second terminal may be identical to the preset key stored in the first terminal such as the smart phone, so that the corresponding information can be encrypted or decrypted; of course, in other embodiments the keys may instead be a mutually matched pair. In practical applications, the preset key of a wearable device serving as the second terminal usually includes an authentication key set when the device leaves the factory, while the preset key of the first terminal may be obtained by the first terminal through an application, downloaded from a dedicated server or from the service provider side, and may of course also be a key preset by default.
The second terminal described herein may include, but is not limited to, wearable devices such as watches, glasses, shoes, hats, clothing, jewellery, bracelets and pendants that carry an intelligent processing chip.
After obtaining the authorization request message MSG_A1, the second terminal may decrypt it with the stored preset key key0. If the authorization request message MSG_A1 obtained by the second terminal is the same message that was encrypted with the preset key key0, the second terminal can accordingly decrypt it successfully with its own preset key key0. If what the second terminal obtains is an authorization request message sent by an illegal terminal device through forgery, terminal device spoofing or the like, and it was encrypted with a key other than the preset key key0, the second terminal cannot decrypt it successfully and will not open device authorization authentication to it. The second terminal device can therefore judge, according to whether the obtained authorization request message is decrypted successfully, whether the terminal device corresponding to the obtained authorization request message is legal; if it is legal, device authorization is opened to it and it is allowed to carry out authorization authentication; otherwise it can be regarded as an illegal terminal device, and its authorization request can be refused, shielded or otherwise processed.
The second terminal may obtain the authorization opening request message MSG_A1, decrypt it, and judge according to the decryption result whether to open device authorization, that is, whether to allow the device that sent the obtained authorization opening request message MSG_A1 to carry out authorization authentication.
S3: when the result of the decryption is success, the second terminal sends an authorization opening result message generated by encrypting the second device identification of the second terminal with the first key obtained by the decryption.
When the result of the decryption is success, the second terminal may open device authorization; the second terminal encrypts the second device identification auth_divice_id of the second terminal with the first key key1 obtained by the decryption, forms the authorization opening result message MSG_B1, and sends the authorization opening result message MSG_B1. If the second terminal successfully decrypts the obtained authorization opening request message MSG_A1 with its own stored preset key key0, the second terminal device can open the device authorization service and allow the information exchange of authorization authentication with other terminal devices.
In a preferred embodiment of the present application, for one-to-many or many-to-many application scenarios of terminal devices, the preferred embodiment provides an authentication method that distinguishes different terminal devices based on device identification. Specifically, when the result of the decryption is success, the second terminal opening device authorization may include:
when the result of the decryption is success, the second terminal opening device authorization to the first terminal based on the first device identification obtained by the decryption.
For example, when the second terminal successfully decrypts the authorization opening request message MSG_A1 of the first terminal, it can obtain the first device identification of the first terminal device and store it in a local application file; when opening device authorization, the second terminal may then be set to open the device authorization authentication service only to the terminal device corresponding to the first device identification that was decrypted successfully, allowing the second terminal and the first terminal to exchange authorization authentication messages. While opening device authorization to the first terminal, the second terminal may still obtain authorization opening request messages MSG_A1 from other terminal devices, but it does not open device authorization to the terminal devices whose authorization request messages it did not decrypt successfully, nor to terminal devices that could not be decrypted or whose device identifications are not recorded.
After the successful decryption described above, the second terminal can complete the authentication of the first terminal's request to open authorization, and then may further carry out registration authentication for the first terminal, which can be used for the first terminal to register with, be identified by, and open authorization authentication with the second terminal, completing the registration of the first terminal with the second terminal, the opening of device authorization authentication, and so on. The second terminal in this embodiment can encrypt the second device identification auth_divice_id of the second terminal with the first key key1 obtained by decrypting the authorization opening request message MSG_A1, forming the authorization opening result message MSG_B1. The second terminal can likewise broadcast the message via WIFI or Bluetooth, or send the authorization opening result message MSG_B1 by another point-to-point communication mode. A second terminal such as a wearable device like a smart bracelet may be provided with a short-range, mobile communication network or proprietary data communication network module, so that information communication between the first terminal and the second terminal can be realized and the information exchange completed.
When the decryption succeeds, the second terminal can encrypt the second device identification with the obtained first key, and feed back the authorization opening result message to the first terminal.
S4: the first terminal obtains the authorization opening result message and decrypts it with the first key; if the decryption succeeds, device authorization is opened.
The first terminal can receive and obtain the authorization opening message sent by the second terminal; for example, the smart phone collects by Bluetooth scanning the authorization result message that the wearable device broadcasts over Bluetooth. The first terminal can then decrypt the received authorization opening result message MSG_B1 with the first key key1 it generated. If the decryption succeeds, this indicates that the second terminal device that sent the authorization result message is reliable; the relevant information of the second terminal, such as the second device identification auth_divice_id of the second terminal device, can be registered, and device authorization can be opened for the wearable device to carry out the message interaction of authorization authentication, completing the authentication of the opening of device authorization to the second terminal.
In a preferred embodiment, the first terminal opening device authorization when the decryption succeeds may include: when the first terminal device decrypts successfully, opening device authorization to the second terminal based on the second device identification auth_divice_id obtained by the decryption.
For example, when a first terminal such as a smart phone successfully decrypts the authorization opening result message MSG_B1 of a second terminal such as a wearable device, it can obtain the device identification of the wearable device; the device identification of the wearable device can be registered and stored on the smart phone side, and the first key key1 can be stored at the same time. In this way, the smart phone can obtain and store the device identification of the wearable device and open device authorization only to the stored device identification, so that the opening of device authorization is strengthened into point-to-point opening of device authorization; this can effectively prevent illegal wearable devices from opening the device authorization authentication service, and improves the security of the two-way authentication of terminal devices.
After the above message interaction process for opening authorization authentication, the first terminal such as a smart phone can obtain and store the second device identification auth_divice_id of the second terminal such as a smart bracelet, and can store the generated first key key1; the second terminal likewise can store the device identification app_divice_id of the first terminal such as the smart phone and the first key key1, completing the two-way authentication for opening device authorization between the first terminal and the second terminal. Compared with the traditional one-way authorization authentication of only the wearable device to the smart phone or server, the embodiment of the present application first carries out a two-way authentication for opening device authorization before authorization authentication, which can substantially increase the security of terminal device authentication and authorization.
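The two exchanges of the application, the opening of device authorization (S1 to S4 above) and the subsequent authorization request with the second key (S1' onward, and the second method of the Summary of the invention), as an added example that is not part of the application and not the applicant's code. The application specifies neither the encryption algorithm nor the message layout, so the cipher (an encrypt-then-MAC construction from the Python standard library), the key lengths, the registry of device identifications on the wearable, and all sample values are assumptions made here; the key and message names (key0, key1, key2, MSG_A1, MSG_B1, MSG_A2, app_divice_id, auth_divice_id, Pre_app_divice_id) follow the text.

```python
# Added example, not code from the application: the two-phase mutual
# authentication between a first terminal (phone) and a second terminal (wearable).
# Assumption: the application names no cipher, so encrypt/decrypt use an encrypt-then-MAC
# scheme built from hmac/hashlib, so that decryption with a wrong key fails detectably.
import hashlib
import hmac
import secrets

KEY_LEN, NONCE_LEN, TAG_LEN = 32, 16, 32   # message layout: assumed, not from the application


def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode, standing in for a real stream/block cipher
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key, plaintext):
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key, msg):
    """Return the plaintext, or None when the key does not match (failed decryption)."""
    nonce, ct, tag = msg[:NONCE_LEN], msg[NONCE_LEN:-TAG_LEN], msg[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class FirstTerminal:
    """Smart phone side: holds the preset key key0 and its own id app_divice_id."""

    def __init__(self, app_divice_id, key0):
        self.app_divice_id, self.key0 = app_divice_id, key0
        self.key1 = None                 # generated in S1, kept after phase 1
        self.key2 = None                 # generated in S1', fresh for each request
        self.pre_auth_divice_id = None   # wearable's id registered in S4

    def make_open_request(self):
        # S1: MSG_A1 = E_key0(key1 || app_divice_id)
        self.key1 = secrets.token_bytes(KEY_LEN)
        return encrypt(self.key0, self.key1 + self.app_divice_id.encode())

    def handle_open_result(self, msg_b1):
        # S4: decrypt MSG_B1 with key1; on success register the wearable's id
        pt = decrypt(self.key1, msg_b1)
        if pt is None:
            return False
        self.pre_auth_divice_id = pt.decode()
        return True

    def make_auth_request(self):
        # S1': MSG_A2 = E_key1(key2 || app_divice_id); phase 1 must have completed
        if self.key1 is None:
            return None
        self.key2 = secrets.token_bytes(KEY_LEN)
        return encrypt(self.key1, self.key2 + self.app_divice_id.encode())

    def handle_auth_result(self, msg):
        # S4': decrypt with key2 and require the id to match the registered wearable
        pt = decrypt(self.key2, msg) if self.key2 is not None else None
        return pt is not None and pt.decode() == self.pre_auth_divice_id


class SecondTerminal:
    """Wearable side: holds the factory preset key key0 and a registry id -> key1."""

    def __init__(self, auth_divice_id, key0):
        self.auth_divice_id, self.key0 = auth_divice_id, key0
        self.registered = {}   # Pre_app_divice_id -> key1, one entry per opened terminal

    def handle_open_request(self, msg_a1):
        # S2/S3: only a holder of key0 decrypts; anything else is refused (None)
        pt = decrypt(self.key0, msg_a1)
        if pt is None:
            return None
        key1, app_id = pt[:KEY_LEN], pt[KEY_LEN:].decode()
        self.registered[app_id] = key1
        return encrypt(key1, self.auth_divice_id.encode())   # MSG_B1

    def handle_auth_request(self, msg_a2):
        # S2'/S3': try each registered key1; the id inside must match that entry
        for app_id, key1 in self.registered.items():
            pt = decrypt(key1, msg_a2)
            if pt is not None and pt[KEY_LEN:].decode() == app_id:
                return encrypt(pt[:KEY_LEN], self.auth_divice_id.encode())  # under key2
        return None


def open_authorization(first, second):
    # S1-S4; True only if both sides decrypted successfully
    msg_b1 = second.handle_open_request(first.make_open_request())
    return msg_b1 is not None and first.handle_open_result(msg_b1)


def authorize(first, second):
    # S1'-S4'; True only if both device-identification checks passed
    msg_a2 = first.make_auth_request()
    result = second.handle_auth_request(msg_a2) if msg_a2 is not None else None
    return result is not None and first.handle_auth_result(result)
```

Running `open_authorization(phone, watch)` followed by `authorize(phone, watch)` with both constructed with the same key0 returns True twice; a terminal constructed with a different key0 is refused in the first phase, and a terminal whose app_divice_id the wearable never registered is refused in the second phase even if it presents a valid key1, which is the point of carrying the device identifications inside the encrypted messages. Because key2 is generated afresh for every request, each authorization result is bound to that one request.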
After the first terminal and the second terminal described above have opened the device authorization service/function in both directions, device authorization authentication can be carried out. Fig. 2 is a method flow diagram of an embodiment of the terminal device authentication method described herein. As shown in Fig. 2, the method of carrying out authorization authentication after the first terminal and the second terminal device have opened the authorization authentication function may include:
S1': the first terminal sends an authorization request message generated by encrypting, with the stored first key, a generated second key and the first device identification of the first terminal.
The first terminal can encrypt the generated second key key2 and the first device identification app_divice_id of the first terminal with the stored first key key1 to form the authorization request message MSG_A2, and send the authorization request message MSG_A2.
The first terminal can use the application on the first terminal and generate the second key key2, and the of the generation
Two key key2 may include random or according to the authentication secret that pre-defined algorithm generates, and specifically be referred to above-mentioned first eventually
The first key key1 generated during device authorization is opened at end, and this will not be repeated here.First terminal is open-minded described in aforementioned
First key key1 is generated when device authorization, and is stored, and it is close that first terminal described herein can use described
Key adds the second key key2 of the generation and the first device identification app_divice_id of the first terminal
It is close, the authorization request message MSG_A2 to second terminals such as wearable devices is formed, and WIFI or bluetooth, infrared etc. can be passed through
Short haul connection mode or point-to-point or other private communication modes send the authorization request message MSG_A2, for described
Two terminal receptions processing.
S2 ': second terminal obtains authorization request message, is decrypted with the first key of storage;In the successful decryption
When, judge whether that being stored with the first authorisation device corresponding with the first device identification that the decryption obtains identifies.
The second terminal obtains MSG_A2 and decrypts it with its stored first key key1. If decryption succeeds, it compares the decrypted first device identification app_divice_id with the stored first authorized device identification Pre_app_divice_id and judges whether a Pre_app_divice_id corresponding to app_divice_id exists. The second terminal may be a wearable device, including but not limited to a watch, glasses, shoes, a hat, clothing, jewellery, a bracelet or a pendant fitted with an intelligent processing chip.
In this embodiment the wearable second terminal authenticates the smart phone first terminal. The second terminal obtained key1 from the first terminal during the request to open device authorization; it now receives MSG_A2 from the first terminal and decrypts it with key1. If decryption fails, the second terminal's authorization of the first terminal fails. For this check to carry any weight, the encryption applied to MSG_A2 must be authenticated encryption (a cipher mode or construction that produces an integrity tag): only then does a wrong key or a modified ciphertext actually make decryption fail, instead of yielding arbitrary bytes that are then compared against the stored identification.
If decryption succeeds, the first device identification app_divice_id decrypted from MSG_A2 is compared with the device identification obtained and stored when the device authorization service was opened, to judge whether the two match. When the second terminal opened device authorization it obtained and stored the first device identification of the first terminal; that stored identification serves here as the first authorized device identification Pre_app_divice_id, the identification of a trusted terminal device. In one-to-many or many-to-many scenarios the second terminal may store several first authorized device identifications, each corresponding to one first terminal. The second terminal compares app_divice_id with Pre_app_divice_id and judges whether a Pre_app_divice_id corresponding to app_divice_id is stored.
If no such identification is stored, then even though MSG_A2 was decrypted successfully, the second terminal may refuse to authorize the first terminal identified by app_divice_id, or treat its authorization of the first terminal as failed.
S3 ': being that sometimes, it is whole to described first that the second terminal is based on first device identification in the judging result
End is authorized, and the second device identification for sending second terminal described in the second key pair obtained with the decryption is encrypted
The Authorization result message of generation.
That is, if the judgement is positive, the second terminal authorizes the first terminal on the basis of app_divice_id; it then encrypts its own second device identification auth_divice_id with the second key key2 obtained by decryption to form the authorization result message MSG_B2, and sends MSG_B2.
Specifically, the second terminal authorizes the first terminal identified by the obtained app_divice_id. After the second terminal has authorized and authenticated the first terminal, the first terminal in turn authenticates the second terminal, which raises the security and reliability of authorization between the smart phone and the wearable device. The second terminal therefore encrypts auth_divice_id with the decrypted key2 to form MSG_B2, which is fed back to the first terminal. The way MSG_B2 is transmitted follows the message exchange between the first and second terminal in the other embodiments of this application and is not repeated here.
S4 ': first terminal obtains Authorization result message, is decrypted with second key;In successful decryption, judgement
Whether it is stored with the second authorisation device corresponding with the second device identification that the decryption obtains to identify, and is based on the judgement
As a result determine whether to authorize the second terminal.
The first terminal obtains MSG_B2 and decrypts it with the second key key2. If decryption succeeds, it compares the decrypted second device identification auth_divice_id with the stored second authorized device identification Pre_auth_divice_id, judges whether a Pre_auth_divice_id corresponding to auth_divice_id exists, and decides accordingly whether to authorize the second terminal.
The first terminal may receive MSG_B2 over WIFI, Bluetooth or a similar link, and decrypts it with the key2 it generated. If decryption succeeds, the auth_divice_id decrypted from MSG_B2 is compared with the device identification obtained and stored when the authorization service was opened, to judge whether the two match. When it opened device authorization the first terminal obtained and stored the second device identification of the second terminal; that stored identification serves here as the second authorized device identification Pre_auth_divice_id, the identification of a trusted terminal device. In one-to-many or many-to-many scenarios the first terminal may store several second authorized device identifications, each corresponding to one second terminal, for example those of a smart bracelet and a smart watch. The first terminal compares auth_divice_id with Pre_auth_divice_id and judges whether a Pre_auth_divice_id corresponding to auth_divice_id is stored.
The first terminal then decides on the basis of that judgement whether to authorize the second terminal. If the judgement is positive, the first terminal authorizes the second terminal. For example, if the smart phone finds that the second device identification of the smart bracelet it obtained matches the second authorized device identification of the bracelet stored when authorization was opened, it authorizes the bracelet on the basis of that identification, completing the authorization and authentication of the bracelet, and may then perform the corresponding authorized operations with it. If instead the obtained second device identification does not match the stored second authorized device identification, authorization of the second terminal fails.
The terminal device authentication method provided by this application can authenticate the request to open device authorization before device authentication itself, excluding in advance any terminal device that does not meet the conditions for opening device authorization, so that an illegitimate terminal cannot demand that device authorization be opened. During device authorization, and in particular in the authorization between a wearable-device client and an intelligent terminal acting as server, two-way authentication is performed with the first key generated on the basis of the preset key and with the generated second key. Compared with the conventional one-way authentication of a wearable device by a server alone, this greatly raises the security and reliability of the authentication between the devices and effectively prevents the wearable device from being subjected to malicious phishing, terminal spoofing and similar attacks.
The feature code used for verification in the conventional authorization process is a fixed one; once it is stolen, an attacker can use it to obtain the permissions of the terminal device, so its security and reliability are poor. The terminal device authentication method of this application therefore also provides a preferred embodiment in which the terminal devices performing two-way authorization change the verification key during every authorization, so that the dynamically updated verification key substantially raises the security of terminal device authorization. Fig. 3 is a flow diagram of another embodiment of the terminal device authentication method of this application. As shown in Fig. 3, the method may further include:
S5 ': corresponding with the first device identification app_divice_id the is stored in second terminal judgement
When one authorisation device identifies Pre_app_divice_id, the second key key2 is replaced into the first key key1;
The the second device identification auth_divice_id phase obtained with the decryption is stored in first terminal judgement
When corresponding second authorisation device mark Pre_auth_divice_id, the second key key2 is replaced into the first key
key1。
In this preferred embodiment the first terminal generates a new second verification key for every new authorization; after one authorization, the first terminal and the second terminal each replace the current first verification key with the new second verification key, which becomes the updated first key. The dynamic update of the verification key in this preferred embodiment raises the security of terminal device authorization.
Conventional terminal device verification, in particular between an intelligent terminal (smart phone, tablet computer, etc.) and a wearable device (smart bracelet, smart watch, etc.), mostly uses WIFI or Bluetooth communication. Such short-range transmission belongs to the lower channel security levels in modern communication: it is easily intercepted by an attacker in transit, and the transmitted information is easily stolen or forged. In another preferred embodiment of the terminal device authentication method described herein, additional verification information may be added to the information content transmitted by the terminal devices, ensuring the reliability of what is received and further raising the security and reliability of information transmission.
Fig. 4 is a flow diagram of another embodiment of the terminal device authentication method described herein. As shown in Fig. 4, the method may further include:
S6': the authorization request message sent by the first terminal additionally carries additional information, generated according to a predetermined rule and encrypted with the first key;
the authorization result message returned by the second terminal additionally carries that additional information encrypted with the second key;
correspondingly, when it decrypts the authorization result message successfully, the first terminal also judges whether the decrypted additional information is identical to the additional information it sent in the authorization request message, and decides on the basis of that judgement whether to authorize the second terminal.
The additional information may include, but is not limited to, a challenge code challenge (a string of random numbers, which can also be used to encrypt the message and avoid sending plaintext over the link) or a digest digest (of the user's login account information, a session id, and so on). Adding such verification information as a challenge code or digest to the transmitted information in this embodiment allows the messages carried on the channel to be encrypted, and effectively prevents an attacker from re-sending a data packet that the terminal device has already received in order to deceive the system, which improves the correctness of authorization in the wearable-device scenario.
On the basis of the terminal device authentication method described herein, this application provides a terminal device authentication apparatus. Fig. 5 is a schematic diagram of the module structure of the terminal device authentication apparatus described herein. As shown in Fig. 5, the apparatus may include:
a first storage unit 101, which may be used to store the generated first key and the obtained second authorized device identification of the second terminal;
a first encryption unit 102, which may be used to generate the second key and to encrypt the second key and the obtained first device identification with the first key, generating the authorization request message;
a first communication module 103, which may be used to send the authorization request message and to receive the authorization result message sent by the second terminal. In a specific implementation the communication module may include a WIFI communication module, a Bluetooth, infrared or other short-range communication module, and of course also a mobile communication network module for 2G/3G/4G and later communication protocols, or a wired communication module;
a first decryption judging unit 104, which may be used to decrypt the authorization result message with the second key and, if decryption succeeds, to judge whether the first storage unit 101 stores a second authorized device identification corresponding to the second device identification obtained by decryption;
a first authorization module 105, which may be used to decide, on the basis of the judgement of the first decryption judging unit 104, whether to authorize the second terminal.
The terminal device authentication apparatus of this embodiment can be used in a terminal device that authenticates with a wearable device, for example a smart phone, tablet computer or dedicated server, so that device authorization and authentication of the wearable device is performed effectively and securely, raising the security of device authorization.
In another preferred embodiment of the terminal device authentication apparatus described herein, the first key stored by the storage unit 101 can also be updated dynamically, with a key update in every device authorization, which substantially raises the security and reliability of device authorization. Fig. 6 is a schematic diagram of the module structure of another embodiment of the terminal device authentication apparatus described herein. As shown in Fig. 6, the apparatus of this preferred embodiment may further include:
a first key updating module 106, which may be used, when the judgement of the first decryption judging unit 104 is positive, to replace the first key stored by the first storage unit 101 with the second key generated by the first encryption unit 102.
To guarantee that the verification keys of the two terminal apparatuses performing authorization are updated in synchrony, the first key updating module 106 of this embodiment replaces the first key stored by the first storage unit 101 with the second key generated by the first encryption unit 102 when the first decryption judging unit 104 judges that the first storage unit 101 stores a second authorized device identification corresponding to the decrypted second device identification. A positive judgement means that the second terminal that received the authorization request message has passed authorization and that the verification key pre-stored in the second terminal, namely the first key, has likewise been updated to the second key; the keys used by the two terminals to encrypt and decrypt in the next two-way authorization therefore remain consistent.
In another embodiment of this application, to further strengthen the security of the information transmitted over the communication channel between the terminal devices during authorization, Fig. 7 shows the module structure of another embodiment of the terminal device authentication apparatus described herein. As shown in Fig. 7, the apparatus may further include:
an additional information module 107, which may be used to add to the authorization request message additional information, generated according to a predetermined rule and encrypted with the first key;
correspondingly, when it decrypts the authorization result message successfully, the first decryption judging unit 104 also judges whether the decrypted additional information is identical to the additional information added to the authorization request message, and the first authorization module 105 decides on the basis of that judgement whether to authorize the second terminal.
In one embodiment of the terminal device authentication apparatus described herein, the second terminal may be a wearable device, including but not limited to a watch, glasses, shoes, a hat, clothing, jewellery, a bracelet or a pendant fitted with an intelligent processing chip.
The terminal device authentication apparatus described above can be used in a terminal device such as a smart phone, tablet computer or dedicated server that authenticates with a wearable device. Correspondingly, this application also provides an apparatus for use in a wearable terminal device such as a smart watch or smart bracelet, for performing authorization and authentication with a terminal device such as a smart phone or server. Fig. 8 is a schematic diagram of the module structure of one embodiment of that terminal device authentication apparatus. As shown in Fig. 8, the apparatus may include:
a second communication module 201, which may be used to receive the authorization request message sent by the first terminal and to send the authorization result message;
a second storage unit 202, which may be used to store the obtained first authorized device identification of the first terminal and the first key;
a second decryption judging unit 203, which may be used to decrypt the authorization request message with the stored first key and, if decryption succeeds, to judge whether the second storage unit 202 stores a first authorized device identification corresponding to the first device identification;
a second authorization module 204, which may decide, on the basis of the judgement of the second decryption judging unit 203, whether to authorize the first terminal corresponding to the first device identification;
a second encryption unit 205, which may be used, when the judgement of the second decryption judging unit 203 is positive, to encrypt the second device identification of the second terminal with the second key, generating the authorization result message.
The terminal device authentication apparatus of this embodiment allows a wearable terminal device to authenticate a terminal device requesting authorization, such as a smart phone, completing the two-way authorization and authentication of the terminal devices. In this embodiment the authorization request message is decrypted with the first key obtained when authorization was opened, the first device identification is extracted and compared with the stored first authorized device identification, the legitimacy of the first terminal requesting authorization is judged from that comparison, and the decision whether to authorize the first terminal follows from the judgement. In this way the wearable terminal device can effectively authenticate, in the reverse direction, the intelligent terminal, server or other device requesting authorization, raising the security of terminal device authorization.
In a preferred embodiment, the terminal device authentication apparatus for a wearable device described above can also update the verification key dynamically, raising the security and reliability of terminal device authorization. Fig. 9 is a schematic diagram of the module structure of another embodiment of the terminal device authentication apparatus described herein. As shown in Fig. 9, the apparatus may further include:
a second key updating module 206, which may be used, when the second decryption judging unit 203 judges that the second storage unit 202 stores a first authorized device identification corresponding to the decrypted first device identification, to replace the first key stored by the second storage unit 202 with the second key obtained by decryption.
As described above, after the second terminal decrypts successfully it can replace the stored first key with the second key obtained by decrypting the authorization request message, realizing the dynamic update of the verification key in terminal device authorization and raising the security and reliability of the authentication process.
Fig. 10 is a schematic diagram of the module structure of another embodiment of the terminal device authentication apparatus described herein. In the preferred embodiment shown in Fig. 10, the apparatus may further include:
an additional information processing module 207, which may be used to add to the authorization result message the decrypted additional information, encrypted with the second key obtained by decryption.
Adding the additional information to the messages transmitted during terminal device authorization can prevent forged transmissions and further strengthens the security of the information transmitted over the communication channel between the terminal devices during authorization.
On the basis of the terminal device authentication apparatuses described herein, for a first terminal device such as a smart phone, tablet computer or server and for a wearable second terminal device, this application provides a terminal device authentication system, which may include:
a first terminal, which may be used to send an authorization request message generated by encrypting, with the stored first key, a generated second key and the first device identification of the first terminal; to obtain the authorization result message sent by the second terminal and decrypt it with the second key; and, if decryption succeeds, to judge whether a second authorized device identification corresponding to the decrypted second device identification is stored and to decide on the basis of that judgement whether to authorize the second terminal;
a second terminal, which may be used to obtain the authorization request message sent by the first terminal and decrypt it with the stored first key; if decryption succeeds, to judge whether a first authorized device identification corresponding to the decrypted first device identification is stored; and, if the judgement is positive, to authorize the first terminal on the basis of the first device identification and to send an authorization result message generated by encrypting the second device identification of the second terminal with the second key obtained by decryption.
A preferred embodiment of the above terminal device authentication system may further include:
in the first terminal, means for replacing the first key with the second key when it judges that a second authorized device identification corresponding to the decrypted second device identification is stored;
in the second terminal, means for replacing the first key with the second key when it judges that a first authorized device identification corresponding to the first device identification is stored.
The terminal device authentication system of the above embodiment realizes two-way authorization and authentication between terminal devices, raising the security of device authorization; the dynamic update of the verification key in the preferred embodiment further raises the security and reliability of device authorization.
This application also provides a terminal device authentication system that authenticates the opening of device authorization before authorization itself, ensuring that a terminal device requesting authorization is entitled to perform it. This terminal device authentication system may include:
a first terminal, which may be used to send an authorization opening request message generated by encrypting, with a stored preset key, a generated first key and the first device identification of the first terminal; to obtain the authorization opening result message sent by the second terminal and decrypt it with the first key; and, if decryption succeeds, to open device authorization;
a second terminal, which may be used to obtain the authorization opening request message sent by the first terminal, decrypt it with the stored preset key, and judge from the result of the decryption whether to open device authorization; and, if decryption succeeds, to send an authorization opening result message generated by encrypting the second device identification of the second terminal with the first key obtained by decryption.
In a preferred embodiment the terminal device authentication system may further include at least one of:
in the first terminal, means for opening device authorization towards the second terminal, on the basis of the decrypted second device identification, when decryption succeeds;
in the second terminal, means for opening device authorization towards the first terminal, on the basis of the decrypted first device identification, when decryption succeeds.
In the terminal device authentication system described above the second terminal may include, but is not limited to, a watch, glasses, shoes, a hat, clothing, jewellery, a bracelet or a pendant fitted with an intelligent processing chip.
The terminal device authentication method, apparatus and system provided by this application realize two-way authentication between multiple terminals both when device authorization is opened and during device authorization itself. Compared with the one-way authentication of terminal devices, and of wearable devices in particular, in the prior art, this greatly raises the security of terminal device authentication.
Although this application mentions message-based information exchange over mobile communication networks, WIFI, Bluetooth and the like, it is not limited to fully standard data transmission protocols. A transmission mechanism slightly modified from such a protocol can also carry out the schemes of the embodiments above. Even a proprietary protocol, rather than a general or standard one, can implement the same application as long as it satisfies the information exchange and the judgement-and-feedback mechanism of the embodiments above; this is not elaborated here.
The units or modules illustrated in the above embodiments may be implemented by a computer chip or entity, or by a product having a certain function. For convenience of description, the apparatus above is described as divided into modules by function. When the application is implemented, the functions of the modules may be realized in one or more pieces of software and/or hardware, and a module realizing a given function may itself be realized by a combination of several sub-modules or sub-units.
Those skilled in the art also know that, besides implementing a controller purely as computer-readable program code, the method steps can be programmed in logic so that the controller realizes the same functions in the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller can therefore be regarded as a hardware component, and the means it contains for realizing various functions can be regarded as structures within that hardware component, or even as both software modules implementing the method and structures within a hardware component.
The application may be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures, classes and the like that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments, in which tasks are performed by remote processing devices linked through a communication network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including storage devices.
From the above description of the embodiments, those skilled in the art can clearly understand that the application can be implemented by software together with a necessary general-purpose hardware platform. Based on this understanding, the technical solution of the application, or in other words the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product may be stored in a storage medium such as a ROM/RAM, magnetic disk, optical disc or smart chip, and includes instructions that cause a computer device (which may be a personal computer, a mobile terminal, a server, a wearable device, a network device or the like) to execute the methods described in the embodiments, or in certain parts of the embodiments, of the application.
The embodiments in this specification are described in a progressive manner; for the same or similar parts among the embodiments, reference may be made from one to another, and each embodiment focuses on its differences from the other embodiments. The application may be used in numerous general-purpose or special-purpose computer system environments or configurations, including terminals with intelligent processing chips, for example: personal computers, server computers, handheld or portable devices, multiprocessor systems, microprocessor-based systems, laptop devices, programmable electronic devices, network PCs, minicomputers, mainframe computers, wearable devices and the like, as well as distributed computing environments including any of the above systems or devices.
Although the application has been described by way of embodiments, those skilled in the art will appreciate that many variations and modifications of the application are possible without departing from its spirit, and it is intended that the appended claims cover such variations and modifications without departing from the spirit of the application.