Two-way authentication system and mutual authentication method based on CPK tagged keys
Technical field
The present invention relates to the technical field of communication security, and more particularly to a two-way authentication system and a mutual authentication method based on CPK tagged keys.
Background art
Cellular-based Narrow Band Internet of Things (NB-IoT) has recently attracted wide attention. NB-IoT is built on the cellular network and occupies only about 180 kHz of bandwidth; it can be deployed directly on a Global System for Mobile Communications (GSM) network, a Universal Mobile Telecommunications System (UMTS) network or an LTE (Long Term Evolution) network, which lowers deployment cost and allows a smooth upgrade. NB-IoT supports efficient connection of devices with short stand-by time and higher network connection requirements, while providing very comprehensive indoor cellular data coverage. It has become an important branch of the Internet of Everything and is an emerging technology that can be widely applied around the world. NB-IoT features wide coverage, many connections, low rate, low cost, low power consumption and a good architecture, and can be widely applied in a variety of vertical industries such as remote meter reading, asset tracking, smart parking and smart agriculture. As NB-IoT systems gradually mature, China has also paid great attention to building the whole NB-IoT ecosystem chain. In April 2016, the Ministry of Industry and Information Technology held an NB-IoT work promotion meeting to vigorously promote and cultivate the entire NB-IoT industrial chain. The major operators actively responded to the industrial policy and adopted a "three-step" strategy of laboratory verification, field testing and commercial launch, starting POC (Proof of Concept, a verification test for a customer's specific application) verification and laboratory verification based on the NB-IoT standard. With the maturity and volume shipment of NB-IoT chips and terminals, true large-scale commercial deployment is expected in 2018. However, NB-IoT also faces security threats such as access authentication, privacy protection and counterfeiting of wireless sensor nodes. Therefore, how to guarantee the security of service information and of the use of physical space resources in an NB-IoT system has become an important and urgent problem in the commercial deployment of NB-IoT.
The NB-IoT modules currently developed on the market concentrate mainly on implementing the basic communication and transmission functions. The algorithms used internally are mostly international algorithms such as DES, AES and RSA, and no corresponding cryptographic protection measures are designed. The disadvantages are: 1. the terminal module cannot be authenticated; 2. the keys stored in the module have no security protection mechanism; 3. communication data is not encrypted, or the encryption algorithm is too weak; 4. end-to-end authentication requires a third-party CA system.
Therefore, a two-way authentication system and a mutual authentication method based on CPK tagged keys are urgently needed.
Summary of the invention
The present invention provides a two-way authentication system and a mutual authentication method based on CPK tagged keys, in order to achieve end-to-end two-way authentication more securely.
One aspect of the present invention provides a two-way authentication system based on CPK tagged keys, comprising:
A first terminal, configured to prestore a first terminal ID and a key matrix, and to send the first terminal ID to the key management device; further configured to generate a first terminal local key according to the key matrix, and to compound the first terminal tagged key with the first terminal local key to obtain a first terminal key; to receive the second terminal ID sent by the second terminal, and to calculate a second terminal public key according to the second terminal ID; to generate authentication information using the second terminal public key and the private key in the first terminal key, and to send it to the second terminal for verification; and, if the verification passes, to generate a session key from the random number generated by itself and the random number generated by the second terminal, and to communicate with the second terminal;
A second terminal, configured to prestore a second terminal ID and a key matrix, and to send the second terminal ID to the key management device; further configured to generate a second terminal local key according to the key matrix, and to compound the second terminal tagged key with the second terminal local key to obtain a second terminal key; to receive the first terminal ID sent by the first terminal, and to calculate a first terminal public key according to the first terminal ID; to generate authentication information using the first terminal public key and the private key in the second terminal key, and to send it to the first terminal for verification; and, if the verification passes, to generate a session key from the random number generated by itself and the random number generated by the first terminal, and to communicate with the first terminal;
A key management device, configured to substitute the first terminal ID and the second terminal ID respectively into a preset key matrix, to calculate the first terminal tagged key and the second terminal tagged key respectively using the CPK tagged key mapping algorithm, and to send them to the first terminal and the second terminal respectively;
Wherein the first terminal and the second terminal each include an NB-IoT module, and the first terminal and the second terminal carry out information transmission through the NB-IoT modules.
Further, the first terminal includes a first terminal ID prestorage unit, a first key matrix unit, a first terminal key compounding unit, a first terminal public key calculation unit, a first terminal authentication information editing unit, a first terminal identity authentication unit, a first terminal random number generation unit, a first terminal session key generation unit and a first NB-IoT module; the second terminal includes a second terminal ID prestorage unit, a second key matrix unit, a second terminal key compounding unit, a second terminal public key calculation unit, a second terminal authentication information editing unit, a second terminal identity authentication unit, a second terminal random number generation unit, a second terminal session key generation unit and a second NB-IoT module, wherein:
The first terminal ID prestorage unit is configured to prestore the first terminal ID and send it to the key management device;
The first key matrix unit is configured to prestore the key matrix, to generate the first terminal local key according to the key matrix, and to send it to the first terminal key compounding unit;
The first terminal key compounding unit is configured to compound the first terminal tagged key with the first terminal local key to obtain the first terminal key, and to send it to the first terminal authentication information editing unit;
The first terminal public key calculation unit is configured to receive the second terminal ID sent by the second terminal, to calculate the second terminal public key according to the second terminal ID, and to send it to the first terminal authentication information editing unit;
The first terminal authentication information editing unit is configured to generate first terminal authentication information using the second terminal public key and the private key in the first terminal key, and to send it to the second terminal for verification;
The first terminal identity authentication unit is configured to receive the second terminal authentication information sent by the second terminal authentication information editing unit and verify it, and, if the verification passes, to send the verification result to the first terminal random number generation unit;
The first terminal random number generation unit is configured to receive the verification result, to generate a first terminal random number, and to send it to the first terminal session key generation unit;
The first terminal session key generation unit is configured to generate a first terminal session key from the first terminal random number and the random number sent by the second terminal random number generation unit, and to send it to the first NB-IoT module;
The first NB-IoT module is configured to carry out information transmission between the first terminal and the second terminal according to the first terminal session key;
The second terminal ID prestorage unit is configured to prestore the second terminal ID and send it to the key management device;
The second key matrix unit is configured to prestore the key matrix, to generate the second terminal local key according to the key matrix, and to send it to the second terminal key compounding unit;
The second terminal key compounding unit is configured to compound the second terminal tagged key with the second terminal local key to obtain the second terminal key, and to send it to the second terminal authentication information editing unit;
The second terminal public key calculation unit is configured to receive the first terminal ID sent by the first terminal, to calculate the first terminal public key according to the first terminal ID, and to send it to the second terminal authentication information editing unit;
The second terminal authentication information editing unit is configured to generate second terminal authentication information using the first terminal public key and the private key in the second terminal key, and to send it to the first terminal for verification;
The second terminal identity authentication unit is configured to receive the first terminal authentication information sent by the first terminal authentication information editing unit and verify it, and, if the verification passes, to send the verification result to the second terminal random number generation unit;
The second terminal random number generation unit is configured to receive the verification result, to generate a second terminal random number, and to send it to the second terminal session key generation unit;
The second terminal session key generation unit is configured to generate a second session key from the second terminal random number and the random number sent by the first terminal random number generation unit, and to send it to the first NB-IoT module;
The second NB-IoT module is configured to conduct a session with the first NB-IoT module according to the second session key.
Further, the key matrix in the first key matrix unit is identical to the key matrix in the second key matrix unit.
Further, the first terminal key compounding unit and the second terminal key compounding unit use a distributed collaborative algorithm to perform the compounding that yields the first terminal key and the second terminal key.
Further, the first terminal random number generation unit and the second terminal random number generation unit are random number generators.
Further, the random number generator generates random numbers using the SM4 algorithm.
Further, the first terminal identity authentication unit verifies whether the second terminal ID in the second terminal authentication information is the preset second terminal ID and whether the second terminal signature is correct; if both are, the verification passes.
A second aspect of the present invention provides a mutual authentication method based on CPK tagged keys, implemented with the two-way authentication system based on CPK tagged keys described above, comprising the following steps:
Using the first terminal, prestoring a first terminal ID and a key matrix, and sending the first terminal ID to the key management device; generating a first terminal local key according to the key matrix, and compounding the first terminal tagged key with the first terminal local key to obtain a first terminal key; receiving the second terminal ID sent by the second terminal, and calculating a second terminal public key according to the second terminal ID; generating authentication information using the second terminal public key and the private key in the first terminal key, and sending it to the second terminal for verification; and, if the verification passes, generating a session key from the random number generated by itself and the random number generated by the second terminal, and communicating with the second terminal;
Using the second terminal, prestoring a second terminal ID and a key matrix, and sending the second terminal ID to the key management device; generating a second terminal local key according to the key matrix, and compounding the second terminal tagged key with the second terminal local key to obtain a second terminal key; receiving the first terminal ID sent by the first terminal, and calculating a first terminal public key according to the first terminal ID; generating authentication information using the first terminal public key and the private key in the second terminal key, and sending it to the first terminal for verification; and, if the verification passes, generating a session key from the random number generated by itself and the random number generated by the first terminal, and communicating with the first terminal;
Using the key management device, substituting the first terminal ID and the second terminal ID respectively into a preset key matrix, calculating the first terminal tagged key and the second terminal tagged key respectively using the CPK tagged key mapping algorithm, and sending them to the first terminal and the second terminal respectively;
The first terminal NB-IoT module and the second terminal NB-IoT module conduct a session.
Compared with the prior art, the two-way authentication system and mutual authentication method based on CPK tagged keys provided by the present invention have the following advantages: the key management device generates a tagged key according to the ID of a terminal, and the terminal's local key is then compounded with the tagged key to obtain the final terminal key, which helps improve the security of key use; information transmission and two-way verification of both parties' identities are carried out between terminals through the NB-IoT modules, without a third-party electronic commerce certificate authority providing certificate management, which improves the security and reliability of information transmission.
The above is only an overview of the technical solution of the present invention. So that the technical means of the present invention can be understood more clearly and implemented in accordance with the specification, and so that the above and other objects, features and advantages of the present invention are more apparent, specific embodiments of the present invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiment. The drawings are only for the purpose of illustrating the preferred embodiment and are not to be considered a limitation of the present invention. Throughout the drawings, the same reference numbers refer to the same parts. In the drawings:
Fig. 1 is a device connection block diagram of the two-way authentication system based on CPK tagged keys in an embodiment of the present invention;
Fig. 2 is a step diagram of the mutual authentication method based on CPK tagged keys in an embodiment of the present invention.
Specific embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the disclosure are shown in the drawings, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the present invention will be understood more thoroughly and so that the scope of the disclosure can be fully conveyed to those skilled in the art.
Those skilled in the art will appreciate that, unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as commonly understood by those of ordinary skill in the art to which the present invention belongs. It should also be understood that terms such as those defined in general dictionaries should be understood to have a meaning consistent with their meaning in the context of the prior art and, unless specifically defined, are not to be interpreted in an idealized or overly formal sense.
This embodiment provides a two-way authentication system and a mutual authentication method based on CPK tagged keys.
As shown in Fig. 1, the two-way authentication system based on CPK tagged keys of this embodiment comprises:
A first terminal, configured to prestore a first terminal ID and a key matrix, and to send the first terminal ID to the key management device; further configured to generate a first terminal local key according to the key matrix, and to compound the first terminal tagged key with the first terminal local key to obtain a first terminal key; to receive the second terminal ID sent by the second terminal, and to calculate a second terminal public key according to the second terminal ID; to generate authentication information using the second terminal public key and the private key in the first terminal key, and to send it to the second terminal for verification; and, if the verification passes, to generate a session key from the random number generated by itself and the random number generated by the second terminal, and to communicate with the second terminal;
A second terminal, configured to prestore a second terminal ID and a key matrix, and to send the second terminal ID to the key management device; further configured to generate a second terminal local key according to the key matrix, and to compound the second terminal tagged key with the second terminal local key to obtain a second terminal key; to receive the first terminal ID sent by the first terminal, and to calculate a first terminal public key according to the first terminal ID; to generate authentication information using the first terminal public key and the private key in the second terminal key, and to send it to the first terminal for verification; and, if the verification passes, to generate a session key from the random number generated by itself and the random number generated by the first terminal, and to communicate with the first terminal;
A key management device, configured to substitute the first terminal ID and the second terminal ID respectively into a preset key matrix, to calculate the first terminal tagged key and the second terminal tagged key respectively using the CPK tagged key mapping algorithm, and to send them to the first terminal and the second terminal respectively;
Wherein the first terminal and the second terminal each include an NB-IoT module, and the first terminal and the second terminal carry out information transmission through the NB-IoT modules.
In the two-way authentication system based on CPK tagged keys of this embodiment, the key management device generates a tagged key according to the ID of a terminal, and the terminal's local key is then compounded with the tagged key to obtain the final terminal key, which helps improve the security of key use; information transmission and two-way verification of both parties' identities are carried out between terminals through the NB-IoT modules, without a third-party electronic commerce certificate authority providing certificate management, which improves the security and reliability of information transmission.
The key management device uses the CPK (Combined Public Key, combined public-key scheme or tagged keys system) tagged key mapping algorithm to generate the terminal tagged key corresponding to a terminal ID. It can support a very large number of users with very few resources, needs little storage space, and has high operating efficiency and large processing capacity, which greatly expands its range of application.
As shown in Fig. 1, in a specific implementation the first terminal includes a first terminal ID prestorage unit, a first key matrix unit, a first terminal key compounding unit, a first terminal public key calculation unit, a first terminal authentication information editing unit, a first terminal identity authentication unit, a first terminal random number generation unit, a first terminal session key generation unit and a first NB-IoT module; the second terminal includes a second terminal ID prestorage unit, a second key matrix unit, a second terminal key compounding unit, a second terminal public key calculation unit, a second terminal authentication information editing unit, a second terminal identity authentication unit, a second terminal random number generation unit, a second terminal session key generation unit and a second NB-IoT module, wherein:
The first terminal ID prestorage unit is configured to prestore the first terminal ID and send it to the key management device;
The first key matrix unit is configured to prestore the key matrix, to generate the first terminal local key according to the key matrix, and to send it to the first terminal key compounding unit;
The first terminal key compounding unit is configured to compound the first terminal tagged key with the first terminal local key to obtain the first terminal key, and to send it to the first terminal authentication information editing unit;
The first terminal public key calculation unit is configured to receive the second terminal ID sent by the second terminal, to calculate the second terminal public key according to the second terminal ID, and to send it to the first terminal authentication information editing unit;
The first terminal authentication information editing unit is configured to generate first terminal authentication information using the second terminal public key and the private key in the first terminal key, and to send it to the second terminal for verification;
The first terminal identity authentication unit is configured to receive the second terminal authentication information sent by the second terminal authentication information editing unit and verify it, and, if the verification passes, to send the verification result to the first terminal random number generation unit;
The first terminal random number generation unit is configured to receive the verification result, to generate a first terminal random number, and to send it to the first terminal session key generation unit;
The first terminal session key generation unit is configured to generate a first terminal session key from the first terminal random number and the random number sent by the second terminal random number generation unit, and to send it to the first NB-IoT module;
The first NB-IoT module is configured to carry out information transmission between the first terminal and the second terminal according to the first terminal session key;
The second terminal ID prestorage unit is configured to prestore the second terminal ID and send it to the key management device;
The second key matrix unit is configured to prestore the key matrix, to generate the second terminal local key according to the key matrix, and to send it to the second terminal key compounding unit;
The second terminal key compounding unit is configured to compound the second terminal tagged key with the second terminal local key to obtain the second terminal key, and to send it to the second terminal authentication information editing unit;
The second terminal public key calculation unit is configured to receive the first terminal ID sent by the first terminal, to calculate the first terminal public key according to the first terminal ID, and to send it to the second terminal authentication information editing unit;
The second terminal authentication information editing unit is configured to generate second terminal authentication information using the first terminal public key and the private key in the second terminal key, and to send it to the first terminal for verification;
The second terminal identity authentication unit is configured to receive the first terminal authentication information sent by the first terminal authentication information editing unit and verify it, and, if the verification passes, to send the verification result to the second terminal random number generation unit;
The second terminal random number generation unit is configured to receive the verification result, to generate a second terminal random number, and to send it to the second terminal session key generation unit;
The second terminal session key generation unit is configured to generate a second session key from the second terminal random number and the random number sent by the first terminal random number generation unit, and to send it to the first NB-IoT module;
The second NB-IoT module is configured to conduct a session with the first NB-IoT module according to the second session key.
In a specific implementation, the key matrix in the first key matrix unit is identical to the key matrix in the second key matrix unit. The public key of the peer terminal is calculated from the same key matrix, which is simple and convenient and facilitates the subsequent authentication of the peer terminal.
In a specific implementation, the first terminal key compounding unit and the second terminal key compounding unit use a distributed collaborative algorithm to perform the compounding that yields the first terminal key and the second terminal key. With distributed collaborative computation, the calculation and compounding are carried out from the terminal tagged key and the terminal local key; the sensitive information of the terminal tagged key and the terminal local key cannot be deduced from intermediate results, and neither the terminal tagged key nor the terminal local key ever appears in complete form from beginning to end. This greatly reduces the risk of leaking the terminal tagged key and the terminal local key, and improves reliability in use.
In a specific implementation, the first terminal random number generation unit and the second terminal random number generation unit are random number generators, and the random number generator generates random numbers using the SM4 algorithm. The upper layer sets the entropy input function in callback form, and the entropy obtained meets the security level 2 requirement, which improves security.
In a specific implementation, the first terminal identity authentication unit verifies whether the second terminal ID in the second terminal authentication information is the preset second terminal ID and whether the second terminal signature is correct; if both are, the verification passes. Since a terminal has prestored the ID of the peer terminal, when verifying the identity of the peer terminal it can compare the peer terminal ID in the peer terminal's authentication information with the prestored peer terminal ID: if they are consistent, authentication succeeds and the subsequent session can proceed; if they are inconsistent, authentication fails. In a specific implementation, verification of the peer terminal's identity information may also include verification of the peer terminal's signature: the terminal has stored the public key of the peer terminal and uses it to verify the peer terminal's signature. In a specific implementation, the verification mode may also be configured by the user as needed.
As shown in Fig. 2, this embodiment also provides a mutual authentication method based on CPK tagged keys, implemented with the two-way authentication system based on CPK tagged keys described in the above embodiment, comprising the following steps:
Using the first terminal, prestoring a first terminal ID and a key matrix, and sending the first terminal ID to the key management device; generating a first terminal local key according to the key matrix, and compounding the first terminal tagged key with the first terminal local key to obtain a first terminal key; receiving the second terminal ID sent by the second terminal, and calculating a second terminal public key according to the second terminal ID; generating authentication information using the second terminal public key and the private key in the first terminal key, and sending it to the second terminal for verification; and, if the verification passes, generating a session key from the random number generated by itself and the random number generated by the second terminal, and communicating with the second terminal;
Using the second terminal, prestoring a second terminal ID and a key matrix, and sending the second terminal ID to the key management device; generating a second terminal local key according to the key matrix, and compounding the second terminal tagged key with the second terminal local key to obtain a second terminal key; receiving the first terminal ID sent by the first terminal, and calculating a first terminal public key according to the first terminal ID; generating authentication information using the first terminal public key and the private key in the second terminal key, and sending it to the first terminal for verification; and, if the verification passes, generating a session key from the random number generated by itself and the random number generated by the first terminal, and communicating with the first terminal;
Using the key management device, substituting the first terminal ID and the second terminal ID respectively into a preset key matrix, calculating the first terminal tagged key and the second terminal tagged key respectively using the CPK tagged key mapping algorithm, and sending them to the first terminal and the second terminal respectively;
The first terminal NB-IoT module and the second terminal NB-IoT module conduct a session.
In the mutual authentication method based on CPK tagged keys of this embodiment, the key management device generates a tagged key according to the ID of a terminal, and the terminal's local key is then compounded with the tagged key to obtain the final terminal key, which helps improve the security of key use; information transmission and two-way verification of both parties' identities are carried out between terminals through the NB-IoT modules, without a third-party electronic commerce certificate authority providing certificate management, which improves the security and reliability of information transmission.
The method embodiment is, for simplicity of description, stated as a series of combined actions, but those skilled in the art should know that embodiments of the present invention are not limited by the described order of actions, because according to embodiments of the present invention some steps may be performed in another order or simultaneously. Furthermore, those skilled in the art should also know that the embodiments described in the specification are preferred embodiments, and the actions involved are not necessarily required by the embodiments of the present invention.
Finally, it should be noted that the above embodiments merely illustrate the technical solutions of the present invention and do not limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents; such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.