CN108512846B - Bidirectional authentication method and device between terminal and server - Google Patents


Info

Publication number
CN108512846B
Authority
CN
China
Prior art keywords
server
terminal
random number
character string
preset random
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810276386.7A
Other languages
Chinese (zh)
Other versions
CN108512846A (en)
Inventor
李小勇
徐召杰
李继蕊
高雅丽
高云全
苑洁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption

Abstract

The embodiment of the invention provides a bidirectional authentication method and device between a terminal and a server. Applied to the terminal: the terminal obtains an encrypted character string according to a terminal private key and a first preset random number, sends the encrypted character string to the server so that the server authenticates the terminal, and decrypts a verification character string sent by the server according to a public key corresponding to the server to obtain an authentication result of the server. Applied to the server: when the server receives the encrypted character string sent by the terminal, it decrypts the encrypted character string according to the public key corresponding to the terminal; if decryption fails, it judges that terminal authentication has failed; otherwise it judges that terminal authentication has succeeded, generates a verification character string according to the decryption result, a server private key and a second preset random number, and sends it to the terminal so that the terminal authenticates the server. Based on this processing, the terminal and the server do not need to download and import certificates, fewer interactions are required, and the method is suitable for terminals with lower computing power.

Description

Bidirectional authentication method and device between terminal and server
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method and an apparatus for bidirectional authentication between a terminal and a server.
Background
The intelligent household appliance has become a necessity in the life of people by virtue of the advantages of convenient operation, high efficiency, rapid response, intellectualization and the like. The microprocessor, the sensor technology and the communication technology are integrated into the traditional household appliance product, so that the household appliance becomes an intelligent terminal with a network communication function, namely an intelligent household appliance. In addition, a cloud can be set for unified management of the intelligent household appliances, and the cloud can be a server. The terminal can access the server through the network, and after the server is authenticated, the terminal can transmit service data with the server.
In the prior art, in order to ensure the security and reliability of service data transmission, authentication is generally performed by combining a certificate and a protocol handshake, for example the SSL (Secure Sockets Layer) protocol handshake.
However, when authentication is based on such a protocol handshake, the terminal and the server need to download the corresponding certificates and import them into their own devices. During authentication, the terminal and the server need to exchange the certificates of both sides and interact at least four times, which increases the complexity of authentication.
Disclosure of Invention
The embodiment of the invention aims to provide a bidirectional authentication method and device between a terminal and a server, which can reduce the complexity of authentication and can be suitable for terminals with lower computing power. The specific technical scheme is as follows:
In a first aspect, to achieve the above object, an embodiment of the present invention discloses a bidirectional authentication method between a terminal and a server, where the method is applied to the terminal, and the method includes:
encrypting the first preset random number according to a pre-stored terminal private key to obtain an encrypted character string;
sending the encrypted character string to a server so that the server authenticates the terminal according to the encrypted character string;
when a verification character string sent by the server is received, decrypting the verification character string according to a public key corresponding to the server;
and obtaining the authentication result of the server according to the decryption result.
Optionally, the obtaining an authentication result of the server according to the decryption result includes:
if the decryption is successful, judging that the server authentication is successful;
and if the decryption fails, judging that the server authentication fails.
Optionally, if the decryption is successful, the method further includes:
and generating a communication key according to the decryption result and a preset key generation algorithm so as to carry out encrypted communication with the server according to the communication key.
In a second aspect, to achieve the above object, an embodiment of the present invention discloses a bidirectional authentication method between a terminal and a server, where the method is applied to the server, and the method includes:
when an encrypted character string sent by a terminal is received, decrypting the encrypted character string according to a public key corresponding to the terminal;
if the decryption fails, judging that the terminal authentication fails;
if the decryption is successful, judging that the terminal authentication is successful, and generating a verification character string according to a decryption result, a prestored server private key and a second preset random number;
and sending the verification character string to the terminal so that the terminal authenticates the server according to the verification character string.
Optionally, the method further includes:
and generating a communication key according to the decryption result, the second preset random number and a preset key generation algorithm so as to carry out encrypted communication with the terminal according to the communication key.
In a third aspect, to achieve the above object, an embodiment of the present invention discloses a bidirectional authentication apparatus between a terminal and a server, where the apparatus is applied to the terminal, and the apparatus includes:
the first processing module is used for encrypting a first preset random number according to a pre-stored terminal private key to obtain an encrypted character string;
the first transceiver module is used for sending the encrypted character string to a server so that the server authenticates the terminal according to the encrypted character string; receiving a verification character string sent by the server;
the first processing module is further configured to decrypt the verification string according to a public key corresponding to the server;
and obtaining the authentication result of the server according to the decryption result.
Optionally, the first processing module is specifically configured to determine that the server is successfully authenticated if the decryption is successful;
and if the decryption fails, judging that the server authentication fails.
Optionally, if the decryption is successful, the first processing module is further configured to generate a communication key according to the decryption result and a preset key generation algorithm, so as to perform encrypted communication with the server according to the communication key.
In a fourth aspect, to achieve the above object, an embodiment of the present invention discloses a bidirectional authentication apparatus between a terminal and a server, where the apparatus is applied to the server, and the apparatus includes:
the second transceiver module is used for receiving the encrypted character string sent by the terminal;
the second processing module is used for decrypting the encrypted character string according to the public key corresponding to the terminal;
if the decryption fails, judging that the terminal authentication fails;
if the decryption is successful, judging that the terminal authentication is successful, and generating a verification character string according to a decryption result, a prestored server private key and a second preset random number;
the second transceiver module is further configured to send the verification character string to the terminal, so that the terminal authenticates the server according to the verification character string.
Optionally, the second processing module is further configured to generate a communication key according to the decryption result, the second preset random number, and a preset key generation algorithm, so as to perform encrypted communication with the terminal according to the communication key.
In another aspect of the present invention, in order to achieve the above object, an embodiment of the present invention discloses a terminal, including a processor, a communication interface, a memory, and a communication bus, where the processor, the communication interface, and the memory complete communication with each other through the communication bus;
the memory is used for storing a computer program;
the processor is configured to implement the method steps of the first aspect when executing the program stored in the memory.
In another aspect of the present invention, in order to achieve the above object, an embodiment of the present invention discloses a server, including a processor, a communication interface, a memory, and a communication bus, where the processor, the communication interface, and the memory complete communication with each other through the communication bus;
the memory is used for storing a computer program;
the processor is configured to implement the method steps of the second aspect when executing the program stored in the memory.
In yet another aspect of the present invention, there is also provided a computer-readable storage medium having stored therein instructions which, when run on a computer, cause the computer to perform the method steps of the first aspect described above.
In yet another aspect of the present invention, there is also provided a second computer-readable storage medium having stored therein instructions which, when executed on a computer, cause the computer to perform the method steps of the second aspect.
In yet another aspect of the present invention, the present invention further provides a computer program product containing instructions, which when executed on a computer, causes the computer to perform the method steps of the first aspect.
In yet another aspect of the present invention, there is provided a second computer program product containing instructions, which when executed on a computer, causes the computer to perform the method steps of the second aspect.
The terminal can encrypt a first preset random number according to a terminal private key stored in advance to obtain an encrypted character string, and send the encrypted character string to the server so that the server authenticates the terminal according to the encrypted character string. When a verification character string sent by the server is received, the terminal decrypts the verification character string according to a public key corresponding to the server and obtains an authentication result of the server according to the decryption result. Based on this processing, the terminal and the server do not need to download and import certificates, fewer interactions are required, the complexity of authentication can be reduced, and the method and the device are suitable for terminals with lower computing power.
Of course, it is not necessary for any product or method of practicing the invention to achieve all of the above-described advantages at the same time.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a block diagram of a system for authentication between a terminal and a server in the prior art;
Fig. 2 is a flowchart of a bidirectional authentication method between a terminal and a server, applied to the terminal, according to an embodiment of the present invention;
Fig. 3 is a flowchart of a bidirectional authentication method between a terminal and a server, applied to the server, according to an embodiment of the present invention;
Fig. 4 is an interaction signaling diagram of terminal and server authentication according to an embodiment of the present invention;
Fig. 5 is a structural diagram of a bidirectional authentication apparatus between a terminal and a server, applied to the terminal, according to an embodiment of the present invention;
Fig. 6 is a structural diagram of a bidirectional authentication apparatus between a terminal and a server, applied to the server, according to an embodiment of the present invention;
Fig. 7 is a structural diagram of a terminal according to an embodiment of the present invention;
Fig. 8 is a block diagram of a server according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the prior art, in order to ensure the security and reliability of service data transmission, authentication is generally performed by combining a certificate and a protocol handshake, for example the SSL (Secure Sockets Layer) protocol handshake. However, when authentication is based on such a protocol handshake, the terminal and the server need to download the corresponding certificates and import them into their devices. During authentication, the terminal and the server need to exchange the certificates of both sides and interact at least four times, which increases the complexity of authentication and makes the approach unsuitable for terminals with low computing power.
In order to solve the above problem, embodiments of the present invention provide a method and an apparatus for bidirectional authentication between a terminal and a server. With the method and the apparatus of the embodiments of the present invention, the terminal and the server do not need to download and import certificates and fewer interactions are required, which reduces the complexity of authentication and makes the scheme applicable to terminals with low computing power.
Referring to fig. 1, fig. 1 is a block diagram of a system for authentication between a terminal and a server in the prior art, where the system includes a server and a plurality of terminals. The terminal may be an intelligent household appliance, and the server may be the cloud. Before a terminal and the server perform authentication, the terminal and the server need to download their respective certificates and import them into their own devices. When the terminal accesses the server, the terminal and the server need to interact many times and exchange the certificates of both parties.
Referring to fig. 2, fig. 2 is a flowchart of a bidirectional authentication method between a terminal and a server, applied to the terminal, according to an embodiment of the present invention, where the method may include the following steps:
S201: Encrypt the first preset random number according to a pre-stored terminal private key to obtain an encrypted character string.
The terminal may store a private key (i.e., a terminal private key) in advance, and specifically, the terminal may store the terminal private key in a local ROM (Read-Only Memory). A random number generation program may also be configured in the terminal for generating random numbers.
In implementation, when the terminal needs to access the server, the terminal may invoke a local random number generation program to generate a random number (i.e., a first preset random number), or may select one random number from a plurality of random numbers generated in advance as the first preset random number. Specifically, the first preset random number may be a 32-bit random number. Then, the terminal can encrypt the first preset random number according to the local terminal private key, and the encryption result is used as the encrypted character string.
S202: Send the encrypted character string to a server so that the server authenticates the terminal according to the encrypted character string.
In implementation, the terminal may send an authentication request to the server, where the authentication request may carry the encrypted string and may also carry the terminal identifier of the terminal, so that after receiving the authentication request, the server may authenticate the terminal according to the encrypted string and the terminal identifier of the terminal. The terminal identifier of the terminal may be a hardware address of the terminal.
S203: When the verification character string sent by the server is received, decrypt the verification character string according to the public key corresponding to the server.
The terminal may pre-store a public key locally; this public key and the private key pre-stored in the server form a public/private key pair. The verification character string may be generated by the server according to the first preset random number and the private key pre-stored in the server.
In implementation, when the server needs the terminal to authenticate the server, the server may send an authentication request to the terminal, where the authentication request may carry a verification character string. The terminal can receive the authentication request sent by the server, parse the authentication request to obtain the verification character string, and then decrypt the verification character string according to the public key corresponding to the server.
S204: Obtain the authentication result of the server according to the decryption result.
In implementation, the terminal may determine the authentication result of the server according to the decryption result. When the terminal judges that the server is successfully authenticated, the terminal can transmit the service data with the server, and when the terminal judges that the server is unsuccessfully authenticated, the terminal refuses to transmit the service data with the server.
As can be seen from the above, according to the bidirectional authentication method between a terminal and a server in the embodiments of the present invention, when performing authentication, the terminal may encrypt a first preset random number according to a terminal private key stored in advance to obtain an encrypted character string, send the encrypted character string to the server, so that the server authenticates the terminal according to the encrypted character string, and when receiving a verification character string sent by the server, decrypt the verification character string according to a public key corresponding to the server, and obtain an authentication result of the server according to a decryption result. The terminal and the server do not need to download and import certificates, interaction times are reduced, authentication complexity can be reduced, and the method and the server are suitable for terminals with low computing power.
Optionally, obtaining the authentication result of the server according to the decryption result may include the following steps: if the decryption is successful, judging that the server authentication is successful; and if the decryption fails, judging that the server authentication fails.
In implementation, if the terminal successfully decrypts the verification string according to the public key corresponding to the server, the terminal may determine that the server is successfully authenticated, and may further perform service data transmission with the server. If the terminal cannot decrypt the verification character string according to the public key corresponding to the server, the terminal can judge that the server fails to authenticate, and refuses to transmit the service data with the server.
Optionally, in the authentication process, the terminal may further obtain a communication key, so as to improve security and reliability of communication with the server. Specifically, if the decryption is successful, the method may further include the following steps: and generating a communication key according to the decryption result and a preset key generation algorithm so as to carry out encrypted communication with the server according to the communication key.
The terminal may be configured with a key generation program locally, such as a DES (Data Encryption Standard) key generator, an AES (Advanced Encryption Standard) key generator, or other key generation programs.
In implementation, if the terminal successfully decrypts the verification character string according to the public key corresponding to the server, the terminal may obtain the first preset random number and the second preset random number, and then may invoke a local key generation program to process the first preset random number and the second preset random number to obtain a key (i.e., a communication key), so that the terminal may perform encrypted communication with the server according to the communication key.
Referring to fig. 3, fig. 3 is a flowchart of a bidirectional authentication method between a terminal and a server, applied to the server, according to an embodiment of the present invention, where the method may include the following steps:
S301: When the encrypted character string sent by the terminal is received, decrypt the encrypted character string according to the public key corresponding to the terminal.
The encrypted character string may be generated by the terminal according to a terminal private key and a random number stored in the terminal. The server may locally pre-store a correspondence between the terminal identifier of the terminal and the terminal public key of the terminal; the terminal public key and the terminal private key of the terminal form a public/private key pair.
In implementation, when the terminal needs the server to authenticate the terminal, an authentication request may be sent to the server, where the authentication request may carry the encrypted character string and the terminal identifier of the terminal. The server may receive the authentication request sent by the terminal, parse the authentication request to obtain the terminal identifier and the encrypted character string, then query the local correspondence between terminal identifiers and terminal public keys to obtain the terminal public key corresponding to the terminal identifier (i.e., the public key corresponding to the terminal), and decrypt the encrypted character string according to the terminal public key.
S302: If the decryption fails, judge that the terminal authentication fails.
In implementation, if the server cannot decrypt the encrypted string according to the public key of the terminal, the server may determine that the authentication of the terminal fails, and refuse to transmit the service data with the terminal.
S303: If the decryption is successful, judge that the terminal authentication is successful, and generate a verification character string according to the decryption result, a prestored server private key and a second preset random number.
The server may be configured with a random number generation program for generating random numbers.
In implementation, after the server successfully decrypts the encrypted character string according to the public key of the terminal, the server may obtain the first preset random number. Then, the server may invoke a local random number generation program to generate a random number (i.e., a second preset random number), or may select one random number from a plurality of random numbers generated in advance as the second preset random number. Specifically, the second preset random number may be a 32-bit random number. The server can splice the first preset random number and the second preset random number, then encrypt the splicing result according to the locally stored server private key, and take the encrypted result as the verification character string.
S304: Send the verification character string to the terminal so that the terminal authenticates the server according to the verification character string.
In implementation, after generating the verification character string, the server may send the verification character string to the terminal, so that the terminal authenticates the server according to the verification character string.
As can be seen from the above, according to the bidirectional authentication method between a terminal and a server in the embodiments of the present invention, when an encrypted character string sent by the terminal is received, the server may decrypt the encrypted character string according to a public key corresponding to the terminal, determine that the terminal authentication fails if the decryption fails, determine that the terminal authentication succeeds if the decryption succeeds, generate a verification character string according to a decryption result, a pre-stored server private key, and a second preset random number, and send the verification character string to the terminal, so that the terminal authenticates the server according to the verification character string. The server and the terminal do not need to download and import certificates, interaction times are reduced, complexity of authentication can be reduced, and the method and the device are suitable for terminals with low computing power.
Optionally, in the authentication process, the server may further obtain a communication key, so as to improve security and reliability of communication with the terminal. Specifically, the method may further include the steps of: and generating a communication key according to the decryption result, the second preset random number and a preset key generation algorithm so as to carry out encrypted communication according to the communication key.
The server may be configured locally with a key generation program, such as a DES (Data Encryption Standard) key generator, an AES (Advanced Encryption Standard) key generator, or other key generation programs.
In implementation, if the server successfully decrypts the encrypted string according to the public key of the terminal, the server may obtain the first preset random number, and then may invoke a local key generation program to process the first preset random number and the second preset random number to obtain a key (i.e., a communication key), so that the server may perform encrypted communication with the terminal according to the communication key.
Referring to fig. 4, fig. 4 is an interaction signaling diagram of terminal and server authentication provided in the embodiment of the present invention, including the following steps:
S401: The terminal encrypts the first preset random number according to a pre-stored terminal private key to obtain an encrypted character string.
S402: the terminal sends the encrypted string to the server.
S403: the server successfully decrypts the encrypted character string according to the public key corresponding to the terminal, judges that the terminal is successfully authenticated, and generates a verification character string according to a decryption result, a prestored server private key and a second preset random number.
S404: the server sends the verification string to the terminal.
S405: The terminal decrypts the verification character string according to the public key corresponding to the server and obtains the authentication result of the server according to the decryption result.
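The exchange in S401 to S405, as an added Python sketch that is not code from the patent. It assumes textbook RSA with PKCS#1 v1.5 type-1 style padding so that "decryption fails" has a concrete meaning, constructed toy keys, a SHA-256 stand-in for the preset key generation algorithm, and hypothetical function names; the terminal's comparison of the echoed first random number is an extra check that the page does not spell out.

```python
import hashlib
import hmac
import secrets

E = 65537  # public exponent (assumption; the page names no algorithm)


def make_key(p, q):
    """Build (n, e, d) from two primes."""
    n = p * q
    return n, E, pow(E, -1, (p - 1) * (q - 1))


# Constructed toy keys from Mersenne primes: trivially factorable, demo only.
TERMINAL_KEY = make_key(2**89 - 1, 2**127 - 1)
SERVER_KEY = make_key(2**107 - 1, 2**127 - 1)
# Server-side table: terminal identifier -> terminal public key (constructed entry).
TERMINAL_PUBKEYS = {"00:11:22:33:44:55": TERMINAL_KEY[:2]}


def private_encrypt(data, n, d):
    """'Encrypt with the private key': pad as 00 01 FF..FF 00 || data, then RSA."""
    k = (n.bit_length() + 7) // 8
    if len(data) > k - 11:
        raise ValueError("data too long for this modulus")
    block = b"\x00\x01" + b"\xff" * (k - 3 - len(data)) + b"\x00" + data
    return pow(int.from_bytes(block, "big"), d, n).to_bytes(k, "big")


def public_decrypt(blob, n, e):
    """'Decrypt with the public key'. Returns the data, or None when the
    padding is malformed, which is what 'decryption fails' means here."""
    k = (n.bit_length() + 7) // 8
    c = int.from_bytes(blob, "big")
    if len(blob) != k or c >= n:
        return None
    block = pow(c, e, n).to_bytes(k, "big")
    if block[:2] != b"\x00\x01":
        return None
    sep = block.find(b"\x00", 2)
    # At least eight FF bytes, nothing but FF, then the 00 separator.
    if sep < 10 or block[2:sep] != b"\xff" * (sep - 2):
        return None
    return block[sep + 1:]


def derive_key(r1, r2):
    """Stand-in for the preset key generation algorithm (assumption)."""
    return hashlib.sha256(b"comm-key" + r1 + r2).digest()[:16]


def terminal_hello(terminal_id):
    """S401/S402: encrypt a 32-bit R1 with the terminal private key."""
    n, _, d = TERMINAL_KEY
    r1 = secrets.token_bytes(4)
    return r1, {"id": terminal_id, "enc": private_encrypt(r1, n, d)}


def server_respond(request):
    """S403/S404: authenticate the terminal, then build the verification string.
    Returns (verification, communication_key) or (None, None) on failure."""
    pub = TERMINAL_PUBKEYS.get(request["id"])
    r1 = public_decrypt(request["enc"], *pub) if pub else None
    if r1 is None or len(r1) != 4:
        return None, None  # terminal authentication failed
    r2 = secrets.token_bytes(4)  # second preset random number
    n, _, d = SERVER_KEY
    return private_encrypt(r1 + r2, n, d), derive_key(r1, r2)


def terminal_finish(r1_sent, verification):
    """S405: authenticate the server; return the communication key or None."""
    n, e = SERVER_KEY[:2]  # the terminal stores only the server public key
    plain = public_decrypt(verification, n, e)
    if plain is None or len(plain) != 8:
        return None  # server authentication failed
    # Extra check (not spelled out on the page): echoed R1 must match ours.
    if not hmac.compare_digest(plain[:4], r1_sent):
        return None
    return derive_key(plain[:4], plain[4:])


if __name__ == "__main__":
    r1, req = terminal_hello("00:11:22:33:44:55")
    verification, server_key = server_respond(req)
    print("keys match:", terminal_finish(r1, verification) == server_key)
```

In this construction anyone holding the relevant public key can open the same strings and recover both random numbers, so the secrecy of the derived communication key depends on how the pre-stored public keys are distributed.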
Corresponding to the embodiment of the method in fig. 2, referring to fig. 5, fig. 5 is a structural diagram of a bidirectional authentication apparatus between a terminal and a server, applied to the terminal, according to an embodiment of the present invention, where the apparatus includes:
the first processing module 501 is configured to encrypt a first preset random number according to a pre-stored terminal private key to obtain an encrypted character string;
a first transceiver module 502, configured to send the encrypted character string to a server, so that the server authenticates the terminal according to the encrypted character string; receiving a verification character string sent by the server;
the first processing module 501 is further configured to decrypt the verification string according to a public key corresponding to the server;
and obtaining the authentication result of the server according to the decryption result.
Optionally, the first processing module 501 is specifically configured to determine that the server is successfully authenticated if the decryption is successful;
and if the decryption fails, judging that the server authentication fails.
Optionally, if the decryption is successful, the first processing module 501 is further configured to generate a communication key according to the decryption result and a preset key generation algorithm, so as to perform encrypted communication with the server according to the communication key.
Corresponding to the embodiment of the method in fig. 3, referring to fig. 6, fig. 6 is a structural diagram of a bidirectional authentication apparatus between a terminal and a server, applied to the server, according to an embodiment of the present invention, where the apparatus includes:
a second transceiver module 601, configured to receive an encrypted character string sent by a terminal;
a second processing module 602, configured to decrypt the encrypted character string according to a public key corresponding to the terminal;
if the decryption fails, judging that the terminal authentication fails;
if the decryption is successful, judging that the terminal authentication is successful, and generating a verification character string according to a decryption result, a prestored server private key and a second preset random number;
the second transceiver module 601 is further configured to send the verification character string to the terminal, so that the terminal authenticates the server according to the verification character string.
Optionally, the second processing module 602 is further configured to generate a communication key according to the decryption result, the second preset random number, and a preset key generation algorithm, so as to perform encrypted communication with the terminal according to the communication key.
The embodiment of the present invention further provides a terminal, as shown in fig. 7, including a processor 701, a communication interface 702, a memory 703 and a communication bus 704, where the processor 701, the communication interface 702, and the memory 703 complete mutual communication through the communication bus 704,
a memory 703 for storing a computer program;
the processor 701 is configured to implement the following steps when executing the program stored in the memory 703:
encrypting the first preset random number according to a pre-stored terminal private key to obtain an encrypted character string;
sending the encrypted character string to a server so that the server authenticates the terminal according to the encrypted character string;
when a verification character string sent by the server is received, decrypting the verification character string according to a public key corresponding to the server;
and obtaining the authentication result of the server according to the decryption result.
The embodiment of the present invention further provides a server, as shown in fig. 8, including a processor 801, a communication interface 802, a memory 803, and a communication bus 804, where the processor 801, the communication interface 802, and the memory 803 complete mutual communication through the communication bus 804,
a memory 803 for storing a computer program;
the processor 801 is configured to implement the following steps when executing the program stored in the memory 803:
when an encrypted character string sent by a terminal is received, decrypting the encrypted character string according to a public key corresponding to the terminal;
if the decryption fails, judging that the terminal authentication fails;
if the decryption is successful, judging that the terminal authentication is successful, and generating a verification character string according to a decryption result, a prestored server private key and a second preset random number;
and sending the verification character string to the terminal so that the terminal authenticates the server according to the verification character string.
The communication bus mentioned in the above embodiments may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in the figures, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the terminal and the server and other equipment.
The Memory may include a Random Access Memory (RAM) or a non-volatile Memory (non-volatile Memory), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In still another embodiment of the present invention, there is further provided a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to execute the bidirectional authentication method between a terminal and a server, applied to the terminal, described in any one of the above embodiments.
In another embodiment of the present invention, there is also provided a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to execute the bidirectional authentication method between a terminal and a server, applied to the server, described in any one of the above embodiments.
In a further embodiment of the present invention, there is also provided a computer program product containing instructions which, when run on a computer, cause the computer to perform the bidirectional authentication method between a terminal and a server, applied to the terminal, described in any one of the above embodiments.
In a further embodiment of the present invention, there is also provided a computer program product containing instructions which, when run on a computer, cause the computer to perform the bidirectional authentication method between a terminal and a server, applied to the server, described in any one of the above embodiments.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the invention occur in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or a data center, that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The embodiments in the present specification are described in a related manner: the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on its differences from the other embodiments. In particular, the embodiments of the apparatus, the terminal, the server, the computer-readable storage medium, and the computer program product are substantially similar to the embodiments of the method, so their description is brief, and for the relevant points reference may be made to the corresponding description of the method embodiments.

Claims (4)

1. A bidirectional authentication method between a terminal and a server is characterized in that the method is applied to the terminal and comprises the following steps:
encrypting a first preset random number according to a pre-stored terminal private key to obtain an encrypted character string, wherein the first preset random number is generated through a local random number generation program of a terminal or selected from a plurality of pre-generated random numbers;
sending the encrypted character string to a server so that the server authenticates the terminal according to the encrypted character string;
when a verification character string sent by the server is received, decrypting the verification character string according to a public key corresponding to the server; the verification character string is generated by the server according to a first preset random number, a server private key stored in the server in advance and a second preset random number, wherein the second preset random number is generated through a random number generation program local to the server or selected from a plurality of random numbers generated in advance;
if the decryption is successful, judging that the server authentication is successful, calling a local key generation program, processing the first preset random number and the second preset random number to obtain a communication key, and carrying out encryption communication with the server according to the communication key;
and if the decryption fails, judging that the server authentication fails.
2. A bidirectional authentication method between a terminal and a server is characterized in that the method is applied to the server and comprises the following steps:
when an encrypted character string sent by a terminal is received, decrypting the encrypted character string according to a public key corresponding to the terminal;
if the decryption fails, judging that the terminal authentication fails;
if the decryption is successful, a first preset random number generated by a terminal is obtained, the terminal authentication is judged to be successful, and a verification character string is generated according to the first preset random number, a pre-stored server private key and a second preset random number, wherein the second preset random number is generated through a local random number generation program of the server or is selected from a plurality of random numbers generated in advance;
sending the verification character string to the terminal so that the terminal authenticates the server according to the verification character string;
and calling a local key generation program, processing the first preset random number and the second preset random number to obtain a communication key, and carrying out encryption communication with the terminal according to the communication key.
3. A mutual authentication device between a terminal and a server, wherein the device is applied to the terminal, and the device comprises:
the first processing module is used for encrypting a first preset random number according to a pre-stored terminal private key to obtain an encrypted character string, wherein the first preset random number is generated through a local random number generation program of the terminal or selected from a plurality of random numbers generated in advance;
the first transceiver module is used for sending the encrypted character string to a server so that the server authenticates the terminal according to the encrypted character string; receiving a verification character string sent by the server; the verification character string is generated by the server according to a first preset random number, a server private key stored in the server in advance and a second preset random number, wherein the second preset random number is generated through a random number generation program local to the server or selected from a plurality of random numbers generated in advance;
the first processing module is further configured to decrypt the verification string according to a public key corresponding to the server;
if the decryption is successful, judging that the server authentication is successful, calling a local key generation program, processing the first preset random number and the second preset random number to obtain a communication key, and carrying out encryption communication with the server according to the communication key;
and if the decryption fails, judging that the server authentication fails.
4. A mutual authentication device between a terminal and a server, which is applied to the server, the device comprising:
the second transceiver module is used for receiving the encrypted character string sent by the terminal;
the second processing module is used for decrypting the encrypted character string according to the public key corresponding to the terminal;
if the decryption fails, judging that the terminal authentication fails;
if the decryption is successful, a first preset random number generated by a terminal is obtained, the terminal authentication is judged to be successful, and a verification character string is generated according to the first preset random number, a pre-stored server private key and a second preset random number, wherein the second preset random number is generated through a local random number generation program of the server or is selected from a plurality of random numbers generated in advance;
the second transceiver module is further configured to send the verification character string to the terminal, so that the terminal authenticates the server according to the verification character string;
the second processing module is further configured to invoke a local key generation program, process the first preset random number and the second preset random number to obtain a communication key, and perform encrypted communication with the terminal according to the communication key.
CN201810276386.7A 2018-03-30 2018-03-30 Bidirectional authentication method and device between terminal and server Active CN108512846B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810276386.7A CN108512846B (en) 2018-03-30 2018-03-30 Bidirectional authentication method and device between terminal and server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810276386.7A CN108512846B (en) 2018-03-30 2018-03-30 Bidirectional authentication method and device between terminal and server

Publications (2)

Publication Number Publication Date
CN108512846A CN108512846A (en) 2018-09-07
CN108512846B true CN108512846B (en) 2022-02-25

Family

ID=63377866

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810276386.7A Active CN108512846B (en) 2018-03-30 2018-03-30 Bidirectional authentication method and device between terminal and server

Country Status (1)

Country Link
CN (1) CN108512846B (en)

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111431840B (en) * 2019-01-09 2022-06-07 北京京东尚科信息技术有限公司 Security processing method and device, computer equipment and readable storage medium
WO2020172887A1 (en) * 2019-02-28 2020-09-03 云图有限公司 Data processing method, apparatus, smart card, terminal device, and server
CN110012467B (en) * 2019-04-18 2022-04-15 苏州博联科技有限公司 Grouping authentication method of narrow-band Internet of things
EP4274157A3 (en) 2019-09-26 2024-04-17 General Electric Company Communicating securely with devices in a distributed control system
CN111212425B (en) * 2020-01-10 2022-07-12 中国联合网络通信集团有限公司 Access method, server and terminal
CN111931158A (en) * 2020-08-10 2020-11-13 深圳大趋智能科技有限公司 Bidirectional authentication method, terminal and server
CN112202556B (en) * 2020-10-30 2023-07-04 联通物联网有限责任公司 Security authentication method, device and system
CN112565205B (en) * 2020-11-19 2022-04-08 湖南大学 Credible authentication and measurement method, server, terminal and readable storage medium
CN112468490B (en) * 2020-11-25 2023-09-08 国网辽宁省电力有限公司信息通信分公司 Authentication method for access of power grid terminal layer equipment
CN112738052B (en) * 2020-12-24 2021-11-23 北京深思数盾科技股份有限公司 Authentication method between devices, storage medium and electronic device
CN112672342B (en) * 2021-01-11 2023-03-24 金卡智能集团股份有限公司 Data transmission method, device, equipment, system and storage medium
CN113242212A (en) * 2021-04-15 2021-08-10 杭州链城数字科技有限公司 Network node bidirectional communication authentication method and device, electronic equipment and storage medium
CN114070568A (en) * 2021-11-04 2022-02-18 北京百度网讯科技有限公司 Data processing method and device, electronic equipment and storage medium
CN114205292A (en) * 2021-12-10 2022-03-18 百度在线网络技术(北京)有限公司 Router dialing configuration method and device, router, management end and storage medium
WO2023178686A1 (en) * 2022-03-25 2023-09-28 Oppo广东移动通信有限公司 Security implementation method and apparatus, and terminal device, network element and certificate generation device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101009556A (en) * 2007-01-08 2007-08-01 中国信息安全产品测评认证中心 Intelligent card and U disk compound device and its access security improvement method based on bidirectional authentication mechanism
CN101119196A (en) * 2006-08-03 2008-02-06 西安电子科技大学 Bidirectional identification method and system
CN101123501A (en) * 2006-08-08 2008-02-13 西安电子科技大学 A WAPI authentication and secret key negotiation method and system
CN107483388A (en) * 2016-06-08 2017-12-15 深圳市斑点猫信息技术有限公司 A kind of safety communicating method and its terminal and high in the clouds

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106656489B (en) * 2016-12-07 2020-04-14 浙江工商大学 Mobile payment-oriented safety improvement method for information interaction between self-service selling equipment and server

Also Published As

Publication number Publication date
CN108512846A (en) 2018-09-07

Similar Documents

Publication Publication Date Title
CN108512846B (en) Bidirectional authentication method and device between terminal and server
CN110336774B (en) Mixed encryption and decryption method, equipment and system
US9231925B1 (en) Network authentication method for secure electronic transactions
CN101860540B (en) Method and device for identifying legality of website service
CN107295011B (en) Webpage security authentication method and device
CN108322416B (en) Security authentication implementation method, device and system
CN109618334B (en) Control method and related equipment
KR20190028787A (en) A method and device for providing and obtaining graphics code information,
CN113225352B (en) Data transmission method and device, electronic equipment and storage medium
CN105635062A (en) Network access equipment verification method and device
WO2023174038A9 (en) Data transmission method and related device
CN104243452B (en) A kind of cloud computing access control method and system
JP2016536678A (en) Network management security authentication method, apparatus, system, and computer storage medium
CN109274500A (en) A kind of key downloading method, client, encryption device and terminal device
CN111654503A (en) Remote control method, device, equipment and storage medium
CN113411187A (en) Identity authentication method and system, storage medium and processor
CN112601218B (en) Wireless network configuration method and device
WO2022041151A1 (en) Device verification method, device, and cloud
CN112637138A (en) Method and related device for realizing multi-server secret-free login
CN115473655B (en) Terminal authentication method, device and storage medium for access network
CN116599719A (en) User login authentication method, device, equipment and storage medium
CN107241341B (en) Access control method and device
CN112995140B (en) Safety management system and method
CN114398618A (en) Authentication method and device for equipment identity, electronic equipment and storage medium
CN110166226B (en) Method and device for generating secret key

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant