CN109067550B - Bidirectional authentication system and bidirectional authentication method based on CPK (Combined Public Key) identification key


Info

Publication number
CN109067550B
Authority
CN
China
Prior art keywords
terminal
key
unit
authentication information
random number
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811114348.8A
Other languages
Chinese (zh)
Other versions
CN109067550A (en)
Inventor
罗燕京
刘鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Xinchangcheng Technology Development Co ltd
Original Assignee
Beijing Renxinzheng Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Renxinzheng Technology Co ltd filed Critical Beijing Renxinzheng Technology Co ltd
Priority to CN201811114348.8A priority Critical patent/CN109067550B/en
Publication of CN109067550A publication Critical patent/CN109067550A/en
Application granted granted Critical
Publication of CN109067550B publication Critical patent/CN109067550B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3273 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80 Wireless

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to the technical field of communication security, in particular to a bidirectional authentication system and a bidirectional authentication method based on a CPK (Combined Public Key) identification key. The system comprises: a first terminal for sending a first terminal ID to a key management device, compounding to obtain a first terminal key, calculating a second terminal public key, and generating identity authentication information for verification, and, if the identity authentication information passes the verification, generating a session key for communication with the second terminal; a second terminal for sending a second terminal ID to the key management device, compounding to obtain a second terminal key, calculating a first terminal public key, and generating identity authentication information for verification, and, if the identity authentication information passes the verification, generating a session key for communication with the first terminal; and a key management device for calculating a first terminal identification key and a second terminal identification key. The first terminal and the second terminal both comprise NB-IoT modules for information transmission. The invention has the advantages of safety and reliability.

Description

Bidirectional authentication system and bidirectional authentication method based on CPK (Combined Public Key) identification key
Technical Field
The invention relates to the technical field of communication security, in particular to a bidirectional authentication system and a bidirectional authentication method based on a CPK (Combined Public Key) identification key.
Background
The cellular-based narrowband Internet of Things, NB-IoT (Narrow Band Internet of Things), has recently attracted a lot of attention. NB-IoT is built on the cellular network, occupies a frequency band of only about 180 kHz, and can be deployed directly in a Global System for Mobile Communications (GSM) network, a Universal Mobile Telecommunications System (UMTS) network or an LTE (Long Term Evolution) network, which reduces deployment cost and allows a smooth upgrade. NB-IoT supports efficient connection of devices with short standby time and high requirements for network connection, can provide very comprehensive indoor cellular data connection coverage, has become an important branch of the Internet of Everything, and is an emerging technology that can be widely applied worldwide. NB-IoT is characterized by wide coverage, many connections, low data rate, low cost, low power consumption and a sound architecture, and can be widely applied in various vertical industries, such as remote meter reading, asset tracking, intelligent parking and intelligent agriculture. As NB-IoT systems gradually mature, China is also paying close attention to building the entire NB-IoT ecosystem. In April 2016, the Ministry of Industry and Information Technology held an NB-IoT work promotion meeting to vigorously promote and cultivate the whole NB-IoT industry chain. Each major operator has actively responded to the industrial policy, adopted a 'three-step' strategy of laboratory verification, field testing and commercial launch, and started POC verification (Proof of Concept, a verification test specific to a customer) and laboratory verification based on the NB-IoT standard. With the maturity and volume shipment of NB-IoT chips and terminals, true large-scale commercial deployment is expected to be achieved in 2018.
However, NB-IoT is also exposed to security threats such as access authentication, privacy protection, wireless sensor node anti-counterfeiting, etc. Therefore, how to guarantee the security of the service information and the physical space resource usage in the NB-IoT system has become an important and urgent issue in the NB-IoT commercial deployment process.
The main NB-IoT modules currently developed on the market focus mainly on the basic communication transmission function, and the algorithms used in the modules are international algorithms such as DES, AES and RSA, with no corresponding cryptographic protection measures designed. The disadvantages are: 1. identity authentication of the terminal module cannot be realized; 2. the key stored in the module has no security protection mechanism; 3. the communication data is not encrypted, or the encryption algorithm is too weak; 4. end-to-end authentication requires a third-party CA system.
Therefore, a bidirectional authentication system and a bidirectional authentication method based on the CPK identification key are urgently needed.
Disclosure of Invention
The invention provides a bidirectional authentication system and a bidirectional authentication method based on a CPK (Combined Public Key) identification key, so as to realize end-to-end bidirectional authentication more safely.
In one aspect of the present invention, a bidirectional authentication system based on CPK identification key is provided, which includes:
the first terminal is used for prestoring a first terminal ID and a key matrix and sending the first terminal ID to the key management device; generating a first terminal local key according to the key matrix, and compounding the first terminal identification key and the first terminal local key to obtain a first terminal key; receiving a second terminal ID sent by a second terminal, and calculating a second terminal public key according to the second terminal ID; generating identity authentication information by using the second terminal public key and the private key in the first terminal key, sending the identity authentication information to the second terminal for verification, and, if the identity authentication information passes the verification, generating a session key according to a random number generated by the first terminal and a random number generated by the second terminal, so as to communicate with the second terminal;
the second terminal is used for prestoring a second terminal ID and a key matrix and sending the second terminal ID to the key management device; generating a second terminal local key according to the key matrix, and compounding the second terminal identification key and the second terminal local key to obtain a second terminal key; receiving a first terminal ID sent by a first terminal, and calculating a first terminal public key according to the first terminal ID; generating identity authentication information by using the first terminal public key and the private key in the second terminal key, sending the identity authentication information to the first terminal for verification, and, if the identity authentication information passes the verification, generating a session key according to a random number generated by the second terminal and a random number generated by the first terminal, so as to communicate with the first terminal;
the key management device is used for substituting the first terminal ID and the second terminal ID into a preset key matrix respectively, calculating a first terminal identification key and a second terminal identification key by using a CPK identification key mapping algorithm, and sending the first terminal identification key and the second terminal identification key to the first terminal and the second terminal respectively;
the first terminal and the second terminal both comprise NB-IoT modules, and the first terminal and the second terminal transmit information through the NB-IoT modules.
Further, the first terminal comprises a first terminal ID pre-storing unit, a first key matrix unit, a first terminal key compounding unit, a first terminal public key calculating unit, a first terminal identity authentication information editing unit, a first terminal identity verification unit, a first terminal random number generating unit, a first terminal session key generating unit and a first NB-IoT module, the second terminal comprises a second terminal ID pre-storing unit, a second key matrix unit, a second terminal key compounding unit, a second terminal public key calculating unit, a second terminal identity authentication information editing unit, a second terminal identity verification unit, a second terminal random number generating unit, a second terminal session key generating unit and a second NB-IoT module, wherein,
a first terminal ID pre-storing unit for pre-storing a first terminal ID and sending the first terminal ID to the key management device;
the first key matrix unit is used for pre-storing a key matrix, generating a first terminal local key according to the key matrix and sending the first terminal local key to the first terminal key combination unit;
the first terminal key compounding unit is used for compounding the first terminal identification key and the first terminal local key to obtain a first terminal key and sending the first terminal key to the first terminal identity authentication information editing unit;
the first terminal public key calculation unit is used for receiving a second terminal ID sent by a second terminal, calculating according to the second terminal ID to obtain a second terminal public key and sending the second terminal public key to the first terminal identity authentication information editing unit;
the first terminal identity authentication information editing unit is used for generating first terminal identity authentication information by using a second terminal public key and a private key in a first terminal secret key and sending the first terminal identity authentication information to the second terminal for verification;
the first terminal identity verification unit is used for receiving and verifying the second terminal identity authentication information sent by the second terminal identity authentication information editing unit, and if the verification is passed, sending a verification result to the first terminal random number generation unit;
the first terminal random number generating unit is used for receiving the verification result, generating a first terminal random number and sending the first terminal random number to the first terminal session key generating unit;
the first terminal session key generation unit is used for generating a first terminal session key according to the first terminal random number and the random number sent by the second terminal random number generation unit and sending the first terminal session key to the first NB-IoT module;
the first NB-IoT module is used for transmitting information between the first terminal and the second terminal according to the first terminal session key;
a second terminal ID pre-storing unit for pre-storing a second terminal ID and sending the second terminal ID to the key management device;
the second key matrix unit is used for pre-storing the key matrix, generating a second terminal local key according to the key matrix and sending the second terminal local key to the second terminal key combination unit;
the second terminal key compounding unit is used for compounding the second terminal identification key and the second terminal local key to obtain a second terminal key and sending the second terminal key to the second terminal identity authentication information editing unit;
the second terminal public key calculation unit is used for receiving the first terminal ID sent by the first terminal, calculating according to the first terminal ID to obtain a first terminal public key and sending the first terminal public key to the second terminal identity authentication information editing unit;
the second terminal identity authentication information editing unit is used for generating second terminal identity authentication information by using the first terminal public key and a private key in a second terminal secret key and sending the second terminal identity authentication information to the first terminal for verification;
the second terminal identity verification unit is used for receiving and verifying the first terminal identity authentication information sent by the first terminal identity authentication information editing unit, and sending a verification result to the second terminal random number generation unit if the verification is passed;
the second terminal random number generating unit is used for receiving the verification result, generating a second terminal random number and sending the second terminal random number to the second terminal session key generating unit;
the second terminal session key generation unit is used for generating a second session key according to the second terminal random number and the random number sent by the first terminal random number generation unit and sending the second session key to the first NB-IoT module;
and the second NB-IoT module is used for carrying out conversation with the first NB-IoT module according to the second conversation key.
Further, the key matrix in the first key matrix unit is the same as the key matrix in the second key matrix unit.
Further, the first terminal key compounding unit and the second terminal key compounding unit both use a distributed cooperation algorithm for the compounding, to obtain the first terminal key and the second terminal key respectively.
Further, the first terminal random number generation unit and the second terminal random number generation unit are both random number generators.
Further, the random number generator generates random numbers using the SM4 algorithm.
Further, the first terminal identity verification unit verifies whether the second terminal ID in the second terminal identity authentication information is the preset second terminal ID and whether the second terminal signature is correct, and if both the second terminal ID and the second terminal signature are correct, the verification is passed.
In a second aspect of the present invention, a CPK identification key-based mutual authentication method implemented based on the CPK identification key-based mutual authentication system described above is provided, including the following steps:
pre-storing a first terminal ID and a key matrix by using a first terminal, and sending the first terminal ID to a key management device; generating a first terminal local key according to the key matrix, and compounding the first terminal identification key and the first terminal local key to obtain a first terminal key; receiving a second terminal ID sent by a second terminal, and calculating a second terminal public key according to the second terminal ID; generating identity authentication information by using the second terminal public key and the private key in the first terminal key, sending the identity authentication information to the second terminal for verification, and, if the identity authentication information passes the verification, generating a session key according to a random number generated by the first terminal and a random number generated by the second terminal, so as to communicate with the second terminal;
pre-storing a second terminal ID and a key matrix by using a second terminal, and sending the second terminal ID to a key management device; generating a second terminal local key according to the key matrix, and compounding the second terminal identification key and the second terminal local key to obtain a second terminal key; receiving a first terminal ID sent by a first terminal, and calculating a first terminal public key according to the first terminal ID; generating identity authentication information by using the first terminal public key and the private key in the second terminal key, sending the identity authentication information to the first terminal for verification, and, if the identity authentication information passes the verification, generating a session key according to a random number generated by the second terminal and a random number generated by the first terminal, so as to communicate with the first terminal;
respectively substituting the first terminal ID and the second terminal ID into a preset key matrix by using a key management device, respectively calculating a first terminal identification key and a second terminal identification key by using a CPK identification key mapping algorithm, and respectively sending the first terminal identification key and the second terminal identification key to the first terminal and the second terminal;
the first terminal NB-IoT module and the second terminal NB-IoT module are in conversation.
Compared with the prior art, the bidirectional authentication system and the bidirectional authentication method based on the CPK identification key provided by the invention have the following advantages: an identification key is generated by the key management device according to the ID of the terminal, and the local key of the terminal is then compounded with the identification key to obtain the final terminal key, which improves the security of key usage; information transmission and two-way verification of the identities of both parties are carried out between the terminals through the NB-IoT modules, and no third-party certification authority (CA) is required to provide certificate management, which improves the safety and reliability of the information transmission.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a block diagram of the device connection of a mutual authentication system based on a CPK identification key according to an embodiment of the present invention;
FIG. 2 is a step diagram of a bidirectional authentication method based on a CPK identification key in the embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
It will be understood by those skilled in the art that, unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the prior art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
The embodiment provides a bidirectional authentication system and a bidirectional authentication method based on a CPK (Combined Public Key) identification key.
As shown in fig. 1, the bidirectional authentication system based on the CPK identification key of this embodiment includes:
the first terminal is used for prestoring a first terminal ID and a key matrix and sending the first terminal ID to the key management device; generating a first terminal local key according to the key matrix, and compounding the first terminal identification key and the first terminal local key to obtain a first terminal key; receiving a second terminal ID sent by a second terminal, and calculating a second terminal public key according to the second terminal ID; generating identity authentication information by using the second terminal public key and the private key in the first terminal key, sending the identity authentication information to the second terminal for verification, and, if the identity authentication information passes the verification, generating a session key according to a random number generated by the first terminal and a random number generated by the second terminal, so as to communicate with the second terminal;
the second terminal is used for prestoring a second terminal ID and a key matrix and sending the second terminal ID to the key management device; generating a second terminal local key according to the key matrix, and compounding the second terminal identification key and the second terminal local key to obtain a second terminal key; receiving a first terminal ID sent by a first terminal, and calculating a first terminal public key according to the first terminal ID; generating identity authentication information by using the first terminal public key and the private key in the second terminal key, sending the identity authentication information to the first terminal for verification, and, if the identity authentication information passes the verification, generating a session key according to a random number generated by the second terminal and a random number generated by the first terminal, so as to communicate with the first terminal;
the key management device is used for substituting the first terminal ID and the second terminal ID into a preset key matrix respectively, calculating a first terminal identification key and a second terminal identification key by using a CPK identification key mapping algorithm, and sending the first terminal identification key and the second terminal identification key to the first terminal and the second terminal respectively;
the first terminal and the second terminal both comprise NB-IoT modules, and the first terminal and the second terminal transmit information through the NB-IoT modules.
In the bidirectional authentication system based on the CPK identification key of this embodiment, the identification key is generated by the key management device according to the ID of the terminal, and the local key of the terminal is then compounded with the identification key to obtain the final terminal key, which improves the security of key usage; information transmission and two-way verification of the identities of both parties are carried out between the terminals through the NB-IoT modules, and no third-party certification authority (CA) is required to provide certificate management, which improves the safety and reliability of the information transmission.
The key management device generates the terminal identification key corresponding to the terminal ID by using the CPK (Combined Public Key, i.e. combined public key system or identification key system) identification key mapping algorithm, which can support an ultra-large number of users with very few resources, requires little storage space, and has high operating efficiency and large processing capacity, and this greatly expands the application range of the key management device.
As shown in fig. 1, in an implementation, the first terminal includes a first terminal ID pre-storing unit, a first key matrix unit, a first terminal key combination unit, a first terminal public key calculating unit, a first terminal identity authentication information editing unit, a first terminal identity verifying unit, a first terminal random number generating unit, a first terminal session key generating unit, and a first NB-IoT module, the second terminal includes a second terminal ID pre-storing unit, a second key matrix unit, a second terminal key combination unit, a second terminal public key calculating unit, a second terminal identity authentication information editing unit, a second terminal identity verifying unit, a second terminal random number generating unit, a second terminal session key generating unit, and a second NB-IoT module, wherein,
a first terminal ID pre-storing unit for pre-storing a first terminal ID and sending the first terminal ID to the key management device;
the first key matrix unit is used for pre-storing a key matrix, generating a first terminal local key according to the key matrix and sending the first terminal local key to the first terminal key combination unit;
the first terminal key compounding unit is used for compounding the first terminal identification key and the first terminal local key to obtain a first terminal key and sending the first terminal key to the first terminal identity authentication information editing unit;
the first terminal public key calculation unit is used for receiving a second terminal ID sent by a second terminal, calculating according to the second terminal ID to obtain a second terminal public key and sending the second terminal public key to the first terminal identity authentication information editing unit;
the first terminal identity authentication information editing unit is used for generating first terminal identity authentication information by using a second terminal public key and a private key in a first terminal secret key and sending the first terminal identity authentication information to the second terminal for verification;
the first terminal identity verification unit is used for receiving and verifying the second terminal identity authentication information sent by the second terminal identity authentication information editing unit, and if the verification is passed, sending a verification result to the first terminal random number generation unit;
the first terminal random number generating unit is used for receiving the verification result, generating a first terminal random number and sending the first terminal random number to the first terminal session key generating unit;
the first terminal session key generation unit is used for generating a first terminal session key according to the first terminal random number and the random number sent by the second terminal random number generation unit and sending the first terminal session key to the first NB-IoT module;
the first NB-IoT module is used for transmitting information between the first terminal and the second terminal according to the first terminal session key;
a second terminal ID pre-storing unit for pre-storing a second terminal ID and sending the second terminal ID to the key management device;
the second key matrix unit is used for pre-storing the key matrix, generating a second terminal local key according to the key matrix and sending the second terminal local key to the second terminal key combination unit;
the second terminal key compounding unit is used for compounding the second terminal identification key and the second terminal local key to obtain a second terminal key and sending the second terminal key to the second terminal identity authentication information editing unit;
the second terminal public key calculation unit is used for receiving the first terminal ID sent by the first terminal, calculating according to the first terminal ID to obtain a first terminal public key and sending the first terminal public key to the second terminal identity authentication information editing unit;
the second terminal identity authentication information editing unit is used for generating second terminal identity authentication information by using the first terminal public key and a private key in a second terminal secret key and sending the second terminal identity authentication information to the first terminal for verification;
the second terminal identity verification unit is used for receiving and verifying the first terminal identity authentication information sent by the first terminal identity authentication information editing unit, and sending a verification result to the second terminal random number generation unit if the verification is passed;
the second terminal random number generating unit is used for receiving the verification result, generating a second terminal random number and sending the second terminal random number to the second terminal session key generating unit;
the second terminal session key generation unit is used for generating a second session key according to the second terminal random number and the random number sent by the first terminal random number generation unit and sending the second session key to the second NB-IoT module;
and the second NB-IoT module is used for communicating with the first NB-IoT module according to the second session key.
In a specific implementation, the key matrix in the first key matrix unit is the same as that in the second key matrix unit. Because each terminal calculates the public key of the opposite terminal from the same key matrix, the subsequent identity verification of the opposite terminal is simple and effective.
In a specific implementation, the first terminal key combination unit and the second terminal key combination unit both use a distributed cooperative algorithm to perform the combination and obtain the first terminal key and the second terminal key. The distributed cooperative operation calculates and combines the terminal identification key and the terminal local key in such a way that sensitive information about either key cannot be deduced from an intermediate result, and neither key ever appears in complete form. This greatly reduces the risk of leaking the terminal identification key and the terminal local key and improves reliability in use.
In a specific implementation, the first terminal random number generation unit and the second terminal random number generation unit are both random number generators. The random number generators generate random numbers by using the SM4 algorithm, and the entropy input function is set by the upper layer as a callback; the obtained entropy meets the level-two security requirement, which improves security.
In a specific implementation, the first terminal identity verification unit verifies whether the second terminal ID in the second terminal identity authentication information is the preset second terminal ID and whether the second terminal signature is correct; if both are correct, the verification passes. Because each terminal pre-stores the ID of the opposite terminal, it can compare the ID carried in the opposite terminal's identity authentication information with the pre-stored ID: if they are consistent, the identity verification succeeds and the subsequent session can proceed; if they are inconsistent, the identity verification fails. The verification of the opposite terminal's identity information may also include verification of the opposite terminal's signature: the terminal already holds the public key of the opposite terminal and uses it to verify the signature. The verification mode can be set by the user as needed.
As shown in fig. 2, this embodiment further provides a CPK identification key-based mutual authentication method implemented based on the CPK identification key-based mutual authentication system described in the foregoing embodiment, including the following steps:
pre-storing a first terminal ID and a key matrix by using a first terminal, and sending the first terminal ID to a key management device; generating a first terminal local key according to the key matrix, and combining the first terminal identification key and the first terminal local key to obtain a first terminal key; receiving a second terminal ID sent by a second terminal, and calculating a second terminal public key according to the second terminal ID; generating identity authentication information by using the second terminal public key and a private key in the first terminal key, sending the identity authentication information to the second terminal for verification, and if the verification is passed, generating a session key according to a random number generated by the first terminal and a random number generated by the second terminal to communicate with the second terminal;
pre-storing a second terminal ID and a key matrix by using a second terminal, and sending the second terminal ID to a key management device; generating a second terminal local key according to the key matrix, and combining the second terminal identification key and the second terminal local key to obtain a second terminal key; receiving a first terminal ID sent by a first terminal, and calculating a first terminal public key according to the first terminal ID; generating identity authentication information by using the first terminal public key and a private key in the second terminal key, sending the identity authentication information to the first terminal for verification, and if the verification is passed, generating a session key according to a random number generated by the second terminal and a random number generated by the first terminal to communicate with the first terminal;
respectively substituting the first terminal ID and the second terminal ID into a preset key matrix by using a key management device, respectively calculating a first terminal identification key and a second terminal identification key by using a CPK identification key mapping algorithm, and respectively sending the first terminal identification key and the second terminal identification key to the first terminal and the second terminal;
the first terminal NB-IoT module and the second terminal NB-IoT module conduct a session.
In the bidirectional authentication method based on the CPK identification key of the embodiment, the identification key is generated by the key management device according to the ID of the terminal, and then the local key of the terminal is combined with the identification key to obtain the final terminal key, which is beneficial to improving the security of key usage; the information transmission and the two-way verification of the identity of the two parties are carried out between the terminals through the NB-IoT module, and a third-party e-commerce authentication and authorization authority is not required to provide certificate management, so that the safety and the reliability of the information transmission are improved.
For simplicity of explanation, the method embodiments are described as a series of acts or combinations, but those skilled in the art will appreciate that the embodiments are not limited by the order of acts described, as some steps may occur in other orders or concurrently with other steps in accordance with the embodiments of the invention. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred and that no particular act is required to implement the invention.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A mutual authentication system based on CPK identification key, comprising:
the first terminal is used for pre-storing a first terminal ID and a key matrix and sending the first terminal ID to the key management device; generating a first terminal local key according to the key matrix, and combining the first terminal identification key and the first terminal local key to obtain a first terminal key; receiving a second terminal ID sent by a second terminal, and calculating a second terminal public key according to the second terminal ID; generating identity authentication information by using the second terminal public key and a private key in the first terminal key, sending the identity authentication information to the second terminal for verification, and if the verification is passed, generating a session key according to a random number generated by the first terminal and a random number generated by the second terminal to communicate with the second terminal;
the second terminal is used for pre-storing a second terminal ID and a key matrix and sending the second terminal ID to the key management device; generating a second terminal local key according to the key matrix, and combining the second terminal identification key and the second terminal local key to obtain a second terminal key; receiving a first terminal ID sent by a first terminal, and calculating a first terminal public key according to the first terminal ID; generating identity authentication information by using the first terminal public key and a private key in the second terminal key, sending the identity authentication information to the first terminal for verification, and if the verification is passed, generating a session key according to a random number generated by the second terminal and a random number generated by the first terminal to communicate with the first terminal;
the key management device is used for substituting the first terminal ID and the second terminal ID into a preset key matrix respectively, calculating a first terminal identification key and a second terminal identification key by using a CPK identification key mapping algorithm, and sending the first terminal identification key and the second terminal identification key to the first terminal and the second terminal respectively;
the first terminal and the second terminal both comprise NB-IoT modules, and the first terminal and the second terminal transmit information through the NB-IoT modules.
2. The mutual authentication system based on the CPK identification key of claim 1, wherein the first terminal comprises a first terminal ID pre-storing unit, a first key matrix unit, a first terminal key composition unit, a first terminal public key calculation unit, a first terminal authentication information editing unit, a first terminal authentication unit, a first terminal random number generation unit, a first terminal session key generation unit, and a first NB-IoT module, and the second terminal comprises a second terminal ID pre-storing unit, a second key matrix unit, a second terminal key composition unit, a second terminal public key calculation unit, a second terminal authentication information editing unit, a second terminal authentication unit, a second terminal random number generation unit, a second terminal session key generation unit, and a second NB-IoT module, wherein,
a first terminal ID pre-storing unit for pre-storing a first terminal ID and sending the first terminal ID to the key management device;
the first key matrix unit is used for pre-storing a key matrix, generating a first terminal local key according to the key matrix and sending the first terminal local key to the first terminal key combination unit;
the first terminal key compounding unit is used for compounding the first terminal identification key and the first terminal local key to obtain a first terminal key and sending the first terminal key to the first terminal identity authentication information editing unit;
the first terminal public key calculation unit is used for receiving a second terminal ID sent by a second terminal, calculating according to the second terminal ID to obtain a second terminal public key and sending the second terminal public key to the first terminal identity authentication information editing unit;
the first terminal identity authentication information editing unit is used for generating first terminal identity authentication information by using a second terminal public key and a private key in a first terminal secret key and sending the first terminal identity authentication information to the second terminal for verification;
the first terminal identity verification unit is used for receiving and verifying the second terminal identity authentication information sent by the second terminal identity authentication information editing unit, and if the verification is passed, sending a verification result to the first terminal random number generation unit;
the first terminal random number generating unit is used for receiving the verification result, generating a first terminal random number and sending the first terminal random number to the first terminal session key generating unit;
the first terminal session key generation unit is used for generating a first terminal session key according to the first terminal random number and the random number sent by the second terminal random number generation unit and sending the first terminal session key to the first NB-IoT module;
the first NB-IoT module is used for transmitting information between the first terminal and the second terminal according to the first terminal session key;
a second terminal ID pre-storing unit for pre-storing a second terminal ID and sending the second terminal ID to the key management device;
the second key matrix unit is used for pre-storing the key matrix, generating a second terminal local key according to the key matrix and sending the second terminal local key to the second terminal key combination unit;
the second terminal key compounding unit is used for compounding the second terminal identification key and the second terminal local key to obtain a second terminal key and sending the second terminal key to the second terminal identity authentication information editing unit;
the second terminal public key calculation unit is used for receiving the first terminal ID sent by the first terminal, calculating according to the first terminal ID to obtain a first terminal public key and sending the first terminal public key to the second terminal identity authentication information editing unit;
the second terminal identity authentication information editing unit is used for generating second terminal identity authentication information by using the first terminal public key and a private key in a second terminal secret key and sending the second terminal identity authentication information to the first terminal for verification;
the second terminal identity verification unit is used for receiving and verifying the first terminal identity authentication information sent by the first terminal identity authentication information editing unit, and sending a verification result to the second terminal random number generation unit if the verification is passed;
the second terminal random number generating unit is used for receiving the verification result, generating a second terminal random number and sending the second terminal random number to the second terminal session key generating unit;
the second terminal session key generation unit is used for generating a second session key according to the second terminal random number and the random number sent by the first terminal random number generation unit and sending the second session key to the second NB-IoT module;
and the second NB-IoT module is used for communicating with the first NB-IoT module according to the second session key.
3. A bidirectional authentication system based on CPK identification key as claimed in claim 2, characterized in that the key matrix in the first key matrix unit is the same as the key matrix in the second key matrix unit.
4. A mutual authentication system based on a CPK identification key as claimed in claim 3, wherein the first terminal key combination unit and the second terminal key combination unit both use a distributed cooperation algorithm to combine the first terminal key and the second terminal key.
5. A mutual authentication system based on a CPK identification key according to claim 4, wherein the first terminal random number generation unit and the second terminal random number generation unit are both random number generators.
6. A CPK identification key based mutual authentication system according to claim 5, wherein the random number generator generates random numbers using SM4 algorithm.
7. The mutual authentication system according to claim 6, wherein the first terminal identity verification unit verifies whether the second terminal ID in the second terminal identity authentication information is a preset second terminal ID, and whether the second terminal signature is correct, and if both are true, the verification is passed.
8. A CPK identification key-based mutual authentication method implemented by the CPK identification key-based mutual authentication system according to claim 1, comprising the following steps:
the first terminal pre-stores a first terminal ID and a key matrix, and sends the first terminal ID to a key management device; generating a first terminal local key according to the key matrix, and combining the first terminal identification key and the first terminal local key to obtain a first terminal key; receiving a second terminal ID sent by a second terminal, and calculating a second terminal public key according to the second terminal ID; generating identity authentication information by using the second terminal public key and a private key in the first terminal key, sending the identity authentication information to the second terminal for verification, and if the verification is passed, generating a session key according to a random number generated by the first terminal and a random number generated by the second terminal to communicate with the second terminal;
the second terminal pre-stores a second terminal ID and a key matrix and sends the second terminal ID to the key management device; generating a second terminal local key according to the key matrix, and combining the second terminal identification key and the second terminal local key to obtain a second terminal key; receiving a first terminal ID sent by a first terminal, and calculating a first terminal public key according to the first terminal ID; generating identity authentication information by using the first terminal public key and a private key in the second terminal key, sending the identity authentication information to the first terminal for verification, and if the verification is passed, generating a session key according to a random number generated by the second terminal and a random number generated by the first terminal to communicate with the first terminal;
the key management device substitutes the first terminal ID and the second terminal ID into a preset key matrix respectively, calculates a first terminal identification key and a second terminal identification key respectively by using a CPK identification key mapping algorithm, and sends the first terminal identification key and the second terminal identification key to the first terminal and the second terminal respectively;
the first terminal NB-IoT module and the second terminal NB-IoT module conduct a session.
9. A bidirectional authentication method based on CPK identification key as claimed in claim 8, characterized in that the key matrix in the first terminal is the same as that in the second terminal.
10. The mutual authentication method based on the CPK identification key of claim 9, wherein the first terminal key and the second terminal key are both obtained by combining using a distributed cooperative algorithm.
CN201811114348.8A 2018-09-25 2018-09-25 Bidirectional authentication system and bidirectional authentication method based on CPK (Combined public Key) identification key Active CN109067550B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811114348.8A CN109067550B (en) 2018-09-25 2018-09-25 Bidirectional authentication system and bidirectional authentication method based on CPK (Combined public Key) identification key

Publications (2)

Publication Number Publication Date
CN109067550A CN109067550A (en) 2018-12-21
CN109067550B true CN109067550B (en) 2021-10-22

Family

ID=64763605

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811114348.8A Active CN109067550B (en) 2018-09-25 2018-09-25 Bidirectional authentication system and bidirectional authentication method based on CPK (Combined public Key) identification key

Country Status (1)

Country Link
CN (1) CN109067550B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111756531B (en) * 2020-05-11 2023-12-26 北京信长城科技发展有限公司 Communication system and method of LoRa terminal based on CPK
WO2022266845A1 (en) * 2021-06-22 2022-12-29 华为技术有限公司 Secure communication method and device
CN115549961A (en) * 2022-08-19 2022-12-30 海南视联通信技术有限公司 Terminal authentication method and device, electronic equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101488853A (en) * 2009-01-15 2009-07-22 赵建国 Cross-certification method based on seed key management
WO2011150811A1 (en) * 2010-05-31 2011-12-08 Pettersson Hans Jerry Urban Method for performing bidirectional communication by adopting optical vision codes
CN105577377A (en) * 2014-10-13 2016-05-11 航天信息股份有限公司 Identity-based authentication method and identity-based authentication system with secret key negotiation
CN106713236A (en) * 2015-11-17 2017-05-24 成都腾甲数据服务有限公司 End-to-end identity authentication and encryption method based on CPK identifier authentication
CN108322486A (en) * 2018-05-07 2018-07-24 安徽大学 Authentication protocol towards multiserver framework under a kind of car networking cloud environment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
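"Anonymous mutual authentication and key agreement protocol for multi-server architecture in the Internet of Vehicles"; Xie Yong, Wu Libing, Zhang Yubo, Ye Luyao; Journal of Computer Research and Development; 20160428; full text *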

Also Published As

Publication number Publication date
CN109067550A (en) 2018-12-21

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information

Inventor after: Luo Yanjing

Inventor after: Liu Peng

Inventor before: Luo Yanjing

GR01 Patent grant
CP03 Change of name, title or address

Address after: A1501, 15 / F, No. 22, Zhongguancun Street, Haidian District, Beijing 100089

Patentee after: Beijing xinchangcheng Technology Development Co.,Ltd.

Address before: 100080 room 1505, 15 / F, block B, 3 Haidian Street, Haidian District, Beijing

Patentee before: BEIJING RENXINZHENG TECHNOLOGY CO.,LTD.

TR01 Transfer of patent right

Effective date of registration: 20231019

Address after: 610, Floor 6, Block A, No. 2, Lize Middle Second Road, Chaoyang District, Beijing 100102

Patentee after: Zhongguancun Technology Leasing Co.,Ltd.

Address before: A1501, 15 / F, No. 22, Zhongguancun Street, Haidian District, Beijing 100089

Patentee before: Beijing xinchangcheng Technology Development Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20240202

Address after: A1501, 15 / F, No. 22, Zhongguancun Street, Haidian District, Beijing 100089

Patentee after: Beijing xinchangcheng Technology Development Co.,Ltd.

Country or region after: China

Address before: 610, Floor 6, Block A, No. 2, Lize Middle Second Road, Chaoyang District, Beijing 100102

Patentee before: Zhongguancun Technology Leasing Co.,Ltd.

Country or region before: China
