CN109618334B - Control method and related equipment - Google Patents

Control method and related equipment Download PDF

Info

Publication number
CN109618334B
CN109618334B CN201811391443.2A CN201811391443A CN109618334B CN 109618334 B CN109618334 B CN 109618334B CN 201811391443 A CN201811391443 A CN 201811391443A CN 109618334 B CN109618334 B CN 109618334B
Authority
CN
China
Prior art keywords
equipment
authentication
key
control
character string
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811391443.2A
Other languages
Chinese (zh)
Other versions
CN109618334A (en
Inventor
靳松
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Huada Zhibao Electronic System Co Ltd
Original Assignee
Beijing Huada Zhibao Electronic System Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Huada Zhibao Electronic System Co Ltd filed Critical Beijing Huada Zhibao Electronic System Co Ltd
Priority to CN201811391443.2A priority Critical patent/CN109618334B/en
Publication of CN109618334A publication Critical patent/CN109618334A/en
Application granted granted Critical
Publication of CN109618334B publication Critical patent/CN109618334B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication

Abstract

The invention provides a control method, which comprises the following steps: when the control end receives a control command, sending a command data transmission request to an equipment end, and triggering the equipment end to perform identity authentication on the control end; when the control end passes the identity authentication of the equipment end; the control end authenticates the identity of the equipment end, determines a transmission key for data transmission with the equipment end when the identity authentication of the equipment end passes, and encrypts instruction data according to the transmission key; the equipment terminal decrypts according to the transmission key and executes corresponding control operation according to the data instruction obtained by decryption; when the control method provided by the invention is applied, the identity of the opposite side is authenticated when the control end and the equipment end transmit the instruction data, and after the identity passes the authentication, the instruction data to be transmitted is encrypted, transmitted and decrypted according to the determined transmission key; this increases the security of the data information transmission.

Description

Control method and related equipment
Technical Field
The present invention relates to the field of data information security, and in particular, to a control method and related device.
Background
With the rapid development of scientific technology, the intelligent equipment is applied to aspects of our life, can be connected through remote internet or connected through Bluetooth and NFC of a local area network and a near field, and realizes remote control of the intelligent equipment through plaintext transmission of data, intelligent home life is realized, and our life is more convenient.
The inventor finds that digital information is easily stolen by lawless persons in the transmission process and has low security through the research of the prior art, so that the transmitted data needs to be encrypted to protect the data information to be transmitted and improve the security of the data information urgently.
Disclosure of Invention
The technical problem to be solved by the present invention is to provide a control method, which can improve the security of digital information during the transmission of the digital information, reduce the possibility of stealing the information, and improve the security of data transmission.
The invention also provides a control device for ensuring the realization and the application of the method in practice.
A control method, comprising:
when a control instruction is received, sending an instruction data transmission request to an equipment end, and triggering the equipment end to perform identity authentication on the control end;
when the control terminal passes the identity authentication of the equipment terminal, acquiring equipment information of the equipment terminal, and performing identity authentication on the equipment terminal according to the equipment information;
when the identity authentication of the equipment terminal is passed, determining a transmission key for data transmission with the equipment terminal;
encrypting the transmission key according to a preset encryption mode, and encrypting the instruction data to be transmitted according to the transmission key;
and transmitting the encrypted transmission key and the encrypted instruction data to the equipment end so that the equipment end executes control operation corresponding to the instruction data after acquiring the instruction data.
Optionally, in the method, triggering the device end to perform identity authentication on the control end includes:
triggering the equipment end to send an identification character string and a random character string to the control end;
when the identification character string is received, calling a preset authentication root key to perform decentralized operation on the identification character string to obtain a first authentication key;
encrypting the random character string according to the first authentication key to obtain an authentication ciphertext;
and sending the authentication ciphertext to the equipment end so that the equipment end decrypts the authentication ciphertext to obtain a random character string contained in the authentication ciphertext, matching the random character string contained in the authentication ciphertext with the random character string sent to the control end, and authenticating the identity of the control end when the random character string contained in the authentication ciphertext is matched with the random character string sent to the control end.
Optionally, the obtaining the device information of the device end and performing identity authentication on the device end according to the device information in the method described above includes:
acquiring a signature value and a public key in a channel encryption key pair contained in the equipment terminal, wherein the signature value is the signature value of a private key in a preset production key pair to the public key in the preset channel encryption key pair;
and calling a public key in a preset production key pair, carrying out signature verification operation on the signature value, confirming that the public key in the channel encryption key pair in the equipment end is a legal public key when the signature is verified successfully, and passing the identity authentication of the equipment end.
Optionally, the method for determining a transmission key for data transmission with the device side includes:
and calling a preset random number generation method to generate the transmission key.
Optionally, the above method, where the encrypting the transmission key according to a preset encryption manner includes:
and encrypting the transmission key by using a public key in a channel encryption key pair acquired from the equipment terminal.
A control device is applied to a control end and comprises:
the sending unit is used for sending an instruction data transmission instruction to an equipment end when receiving a control instruction, and triggering the equipment end to perform identity authentication on the control end;
the obtaining unit is used for obtaining the equipment information of the equipment end when the control end passes the identity authentication of the equipment end, and performing the identity authentication on the equipment end according to the equipment information;
the determining unit is used for determining a transmission key for data transmission with the equipment terminal when the identity authentication of the equipment terminal is passed;
the encryption unit is used for encrypting the transmission key according to a preset encryption mode and encrypting the instruction data to be transmitted according to the transmission key;
and the first control unit is used for transmitting the encrypted transmission key and the encrypted instruction data to the equipment end so that the equipment end executes control operation corresponding to the instruction data after acquiring the instruction data.
A control method is applied to a device side and comprises the following steps:
when receiving an encrypted transmission key and encrypted instruction data sent by a control end, decrypting the encrypted transmission key according to a preset decryption mode to obtain the transmission key;
decrypting the encrypted instruction data by applying the transmission key to obtain the instruction data;
and controlling the equipment terminal according to the instruction data.
Optionally, in the method, the decrypting the encrypted transmission key according to a preset encryption manner includes:
and decrypting the encrypted transmission key by using a private key in a preset channel encryption key pair.
A control device, an application device side, comprises:
the first decryption unit is used for decrypting the encrypted transmission key according to a preset decryption mode when receiving the encrypted transmission key and the encrypted instruction data sent by the control end to obtain the transmission key;
the second decryption unit is used for decrypting the encrypted instruction data by applying the transmission key to obtain the instruction data;
and the second control unit is used for controlling the equipment terminal according to the instruction data.
A control system, comprising:
a control end and an equipment end;
wherein:
the control terminal is used for executing the control method applied to the control terminal;
the device side is used for executing the control method applied to the device side.
Compared with the prior art, the invention has the following advantages:
the invention provides a control method, which comprises the following steps: when the control end receives a control command, sending a command data transmission request to an equipment end, and triggering the equipment end to perform identity authentication on the control end; when the control terminal passes the identity authentication of the equipment terminal, acquiring related equipment information of the equipment terminal, and performing the identity authentication on the equipment terminal; when the identity authentication of the equipment end is passed, determining a transmission key for data transmission with the equipment, encrypting instruction data according to the transmission key, and sending the encrypted instruction data to the equipment end; the equipment terminal decrypts according to the transmission key and executes corresponding control operation according to the data instruction obtained by decryption; when the control method provided by the invention is applied, the identity of the opposite side is authenticated when the control end and the equipment end transmit the data instruction, and after the identity passes the authentication, the data instruction to be transmitted is encrypted, transmitted and decrypted according to the determined transmission key; therefore, the safety of data information transmission is improved, and the possibility that the data information is stolen by lawbreakers is reduced.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a flow chart of a control method provided by the present invention;
FIG. 2 is another flow chart of a control method provided by the present invention;
FIG. 3 is another flow chart of a control method provided by the present invention;
FIG. 4 is another flow chart of a control method provided by the present invention;
FIG. 5 is another flow chart of a control method provided by the present invention;
FIG. 6 is a schematic structural diagram of a control device according to the present invention;
FIG. 7 is a schematic view of another structure of a control device according to the present invention;
fig. 8 is a schematic structural diagram of a control system according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In this application, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions, and the terms "comprises", "comprising", or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The present invention is operational with numerous general purpose or special purpose network device environments or configurations. For example: personal computers, server computers, internet appliances, intelligent door locks, intelligent air conditioners, electronic products including any of the above devices or intelligence, and the like.
An embodiment of the present invention provides a control method, which may be applied to a plurality of intelligent electronic products, where an execution subject of the control method may be a server of the intelligent electronic product, or an intelligent electronic product subject, such as a personal computer, a tablet computer, a smart phone, and the like, and a flowchart of the method is shown in fig. 1, and specifically includes:
s101: when a control instruction is received, sending an instruction data transmission request to an equipment end, and triggering the equipment end to perform identity authentication on the control end;
in the method provided by the embodiment of the invention, when a control end receives a control instruction that a user needs to operate an equipment end, the control end sends a data transmission request of the control instruction to the equipment end, so that an identity authentication process of the equipment end to the control end is triggered;
it should be noted that the control end and the device end may be an intelligent device end having a wireless connection function, for example, the control end and the device end may be connected to each other through internet, lan, bluetooth or NFC, and may perform data transmission and reception through an electronic channel, the control end may be a smart phone, a tablet computer, or the like, and the device end may be an air conditioner, a refrigerator, an intelligent door lock, or the like that may be connected to each other through bluetooth or internet.
S102: when the control terminal passes the identity authentication of the equipment terminal, acquiring equipment information of the equipment terminal, and performing identity authentication on the equipment terminal according to the equipment information;
in the method provided by the embodiment of the invention, when the control end passes the identity authentication of the equipment end, the control end needs to perform the identity authentication on the equipment end, and obtains the equipment information of the equipment end through a calling interface to perform the identity authentication on the equipment end;
it should be noted that, the device information of the device end is obtained by calling an interface of the device end, and the device information may be a unique identification number, a sequence SN, which is written into the device end in advance, or a random character string generated by the device end itself.
S103: when the identity authentication of the equipment terminal is passed, determining a transmission key for data transmission with the equipment terminal;
in the method provided by the embodiment of the invention, when the identities of both parties pass authentication, a transmission key for data transmission with the equipment end is determined, and the transmission key is obtained through a series of encryption operations and used for encrypting data by the control end and decrypting data by the equipment end; it should be noted that the determination of the transmission key is to perform encryption processing on data to be transmitted, so as to reduce the possibility of data theft and leakage and improve the security of data transmission.
S104: encrypting the transmission key according to a preset encryption mode, and encrypting the instruction data to be transmitted according to the transmission key;
in the method provided by the embodiment of the invention, after the transmission key is determined, the transmission key needs to be encrypted and sent to the equipment end, the transmission key is encrypted to prevent the transmission key from being leaked, and the security index of a data instruction for subsequent transmission is reduced.
S105: transmitting the encrypted transmission key and the encrypted instruction data to the equipment end so that the equipment end executes control operation corresponding to the instruction data after acquiring the instruction data;
in the method provided by the embodiment of the invention, the control end sends the encrypted transmission key and the encrypted instruction data to the equipment end, the equipment end decrypts the encrypted transmission key by using the information preset in the equipment end to obtain the transmission key, decrypts the encrypted instruction data according to the transmission key, and executes corresponding control operation according to the obtained instruction data.
In the method provided by the embodiment of the invention, the safety of data information transmission is improved through double-end validity authentication of the control end and the equipment end, when the identities of the two parties pass verification, the encrypted transmission key is sent to the equipment end, because the encrypted transmission key avoids the possibility of leakage of the transmission key and ensures the confidentiality of subsequent instruction data, the instruction data encrypted by the transmission key is sent to the equipment end, the equipment end uses the received transmission key to decrypt the encrypted ciphertext to obtain the instruction data, and corresponding operation is executed according to the instruction data; the method provided by the embodiment of the invention improves the safety of the instruction data when the instruction data is sent, and the encryption method provided by the embodiment of the invention is real-time, thereby effectively reducing the replay attack of an attacker and improving the safety of the data instruction when the data instruction is transmitted.
In the method provided in the embodiment of the present invention, when the control end sends a command data request to the device end, the device end needs to authenticate the identity of the control end, and determine whether the identity of the control end is legal, so as to improve the security of data transmission, and a specific process of authenticating the identity of the control end specifically includes, as shown in fig. 2:
s201: triggering the equipment end to send an identification character string and a random character string to the control end;
in the method provided by the embodiment of the invention, when the identity authentication needs to be carried out on the control terminal, the control terminal sends an instruction for acquiring an identification character string and a random character string to the equipment terminal; the equipment end receives the acquisition instruction and feeds back an identification character string and a random character string to the control end, wherein the identification character string can be a unique identification number of the equipment end or equivalent data such as a Serial Number (SN); it should be noted that the unique identification number of the equipment end is a unique and unrepeated identification number character string written in advance during production of the equipment end; the random character string is an 8-byte random character string randomly generated by the device side, and the generated random character string can also be 16 bytes, 32 bytes and the like, and is not limited to the 8-byte random character string; it should be noted that, when the device side sends the identification character string and the random character string to the control side, the identification character string and the random character string may be sent simultaneously or sequentially.
S202: when the identification character string is received, calling a preset authentication root key to perform decentralized operation on the identification character string to obtain a first authentication key;
in the method provided by the embodiment of the invention, when an identification character string fed back by the equipment end is received, the control end calls a preset authentication root key to perform decentralized operation on the identification character string to obtain a first authentication key;
it should be noted that the preset authentication root key is a 16-byte symmetric key, and the authentication root key performs a decentralized operation on the unique identification number to obtain a unique authentication key, where the authentication keys of each device end are different; the authentication key is used to authenticate the identity of an external access node, such as an authentication control.
S203: encrypting the random character string according to the first authentication key to obtain an authentication ciphertext;
in the method provided by the embodiment of the present invention, after the authentication root key performs a distributed operation on the identification character string to obtain a first authentication key, an encryption operation is performed on the obtained random character string according to the first authentication key to obtain an authentication ciphertext.
S204: sending the authentication ciphertext to the equipment end so that the equipment end decrypts the authentication ciphertext to obtain a random character string contained in the authentication ciphertext, matching the random character string contained in the authentication ciphertext with the random character string sent to the control end, and authenticating the identity of the control end when the random character string contained in the authentication ciphertext is matched with the random character string sent to the control end;
in the method provided by the embodiment of the present invention, when the device end receives the authentication ciphertext sent by the control end, the authentication ciphertext is decrypted by using the authentication key preset at the device end to obtain the identification character string, and when the random character string is consistent with the random character string at the device end, the identity of the control end is legal, that is, the identity authentication of the control end is passed.
It should be noted that, when the device end sends the unique identification number written in the device end in advance to the control end, the device end receives the authentication ciphertext encrypted by the control end, and the device end performs decryption operation by using the authentication key written in by the production system during production; the authentication key is obtained by the production system performing scattered operation on the unique identification number of the equipment end by using the authentication root key;
it should be noted that the authentication key preset at the device end is that, in the production process of the device end, the authentication root key performs a decentralized operation on the unique identification number of the device end to obtain a unique authentication key, and writes the unique authentication key into the device end, where the device end may be an intelligent door lock, an intelligent air conditioner, an intelligent water heater, or the like.
In the method provided by the embodiment of the invention, when the data instruction is sent to the equipment end, the equipment end firstly authenticates the identity of the control end, so that the possibility that the equipment end is attacked by lawbreakers is reduced, and the safety of data transmission is improved; after the control end passes the authentication of the device end, the control end also needs to authenticate the device end, so as to avoid data transmission errors and improve the security and the correctness of data transmission, and the encryption and decryption algorithm adopted in the embodiment can be an international general algorithm 3DES, a national secret SM4 algorithm and an equivalent symmetric key algorithm.
In the method provided by the embodiment of the present invention, the device side is authenticated by the signature value preset at the device side, so as to improve the security of data transmission, and the process of authenticating the identity of the device side is shown in fig. 3, and the specific contents are as follows:
s301: acquiring a signature value and a public key in a channel encryption key pair contained in the equipment terminal, wherein the signature value is the signature value of a private key in a preset production key pair to a public key in a preset channel encryption key pair;
in the method provided by the embodiment of the invention, when the control end needs to authenticate the identity of the equipment end, the control end sends an acquisition instruction to the equipment end, and the equipment end responds to the instruction to send the signature value and a public key in a channel encryption key to the control end; the signature value is the signature value of a public key in a preset channel encryption key pair of a private key pair of a production key pair, the production system carries out Hash signature on the public key in the preset channel encryption key pair by using the private key in the production key pair when the equipment end is produced, the signature result is set in a secret file in an internal memory of the equipment end, the read/write permission of the file is set to be plaintext read/administrator controlled write, and the file is not allowed to be updated during the use period of the equipment end.
S302: calling a public key in a preset production key pair, carrying out signature verification operation on the signature value, confirming that the public key in a channel encryption key pair in the equipment end is a legal public key when the signature is verified successfully, and passing the identity authentication of the equipment end;
in the method provided by the embodiment of the invention, after the signature value is obtained, the control end calls the public key arranged in the production key pair of the control end to check the signature of the signature value, the signature checking process is a process of decrypting the signature value, and when the signature information obtained by decryption is consistent with the obtained signature information, the signature passes verification; namely, when the signature is verified successfully, the public key in the channel encryption key pair in the equipment end can be confirmed to be a legal public key, namely, the equipment identity authentication is passed;
in the method provided by the embodiment of the invention, the obtained signature value is decrypted and verified according to the obtained signature value information and the public key in the production key, and when the signature authentication passes, the channel encryption key in the equipment end is legal to the public key, namely, the identity authentication of the equipment end is passed; and the public key of the channel encryption key pair in the equipment end is an RSA public key, and the public key of the channel encryption key pair is obtained through a preset RSA encryption algorithm.
In the method provided by the embodiment of the invention, the signature value preset in the equipment end is checked to verify whether the equipment end is legal or not, and when the equipment end is legal, data transmission is carried out, so that data leakage caused by data transmission to a wrong equipment end is avoided; thereby improving the security of data transmission.
In the method provided by the embodiment of the invention, when the identities of the two ends are successfully authenticated with each other, instruction data needs to be transmitted, when the instruction data is transmitted, the instruction data needs to be encrypted to prevent the data from being leaked or stolen, a transmission key needs to be determined between the two ends before the instruction data is encrypted, so that the data is encrypted and decrypted, and a flow chart for determining the transmission key for encrypting and decrypting the instruction data is shown in fig. 4, and the specific process is as follows;
s401: calling a preset random number generation method to generate the transmission key;
in the method provided by the embodiment of the invention, a preset random number generation method is called to generate a random number, the preset method can be preset at a control end or an equipment end, when a transmission key is required to be generated by using the random number, the preset method is called to generate the random number, and the transmission key is generated according to the random number;
optionally, bit complementing is performed on the random number, and the random number forms a transmission key; optionally, an algorithm is performed on the random number, thereby generating the transmission key.
It should be noted that, the random number generated here is different from the random character string described in fig. 2, a preset generation method is called when the random number is generated here, the preset method may be preset at the device side or at the control side, the random number is generated by calling the preset method, and the random number generated by the method is used for generating the transmission key; the random character string shown in fig. 2 is generated by the device side and used for authenticating the identity of the control side.
S402: carrying out encryption operation on the transmission key, and sending the transmission key to the equipment end;
in the method provided by the embodiment of the invention, encryption operation is carried out on the obtained transmission key so as to avoid the leakage of the transmission key; encrypting the transmission key, optionally, performing PKCS #1_ v1.5 bit-padding operation on the transmission key to obtain bit-padded data; then, according to a public key in a channel encryption key pair obtained from the equipment end, encrypting the data after the bit complementing operation to form an encrypted ciphertext, and sending the encrypted ciphertext to the equipment end; the device side decrypts and verifies the data format by using the corresponding private key, and a transmission key is obtained after the verification is successful; it should be noted that the private key decrypted by the device side is a private key of a preset channel transmission key pair, and the private key of the channel transmission key pair is preset during production of the device side; it should be noted that the bit-padding operation here is not the same as the bit-padding of the random number in step S401, the transmission key is obtained after the random number is padded in step S401, the data after the bit-padding operation is obtained by performing PKCS #1_ v1.5 bit-padding operation on the transmission key, and the data after the bit-padding operation is used for verifying whether the format is correct or not after the device decrypts the encrypted bit-padded data.
S403: encrypting the instruction data by using the transmission key and sending the instruction data to the equipment end;
in the method provided by the embodiment of the invention, when encrypted instruction data are received, a decryption process of the equipment end is triggered, the equipment end decrypts the encrypted instruction data by using the transmission key obtained by decryption, and corresponding instruction operation is executed according to the obtained instruction.
In the method provided by the embodiment of the invention, when the identities of the equipment end and the control end pass authentication, a transmission key for data transmission is determined so as to facilitate the encryption and decryption operations of the two ends, and when the transmission key is determined, encryption operation is performed according to a random number to obtain the transmission key; the data command to be transmitted is encrypted by setting the transmission key, and a symmetric algorithm is used in the process of determining the transmission key, so that the energy consumption of the equipment end at the control end is reduced to a certain extent, the service life is prolonged, and the safety of data transmission is improved.
In the method provided by the embodiment of the present invention, after the two parties determine the transmission key, the device side needs to decrypt the encrypted instruction data, and the specific decryption process for the device side is as follows:
when receiving an encrypted transmission key and encrypted instruction data sent by a control end, decrypting the encrypted transmission key according to a preset decryption mode to obtain the transmission key;
decrypting the encrypted instruction data by applying the transmission key to obtain the instruction data;
and controlling the equipment terminal according to the instruction data.
In the method provided by the embodiment of the invention, when the equipment end receives the encrypted transmission key and the encrypted instruction data sent by the control end, the encrypted transmission key is decrypted according to a private key of a channel transmission key pair preset at the equipment end to obtain the transmission key, the transmission key is used for decrypting the encrypted instruction data, and the corresponding control operation is executed according to the obtained instruction.
In the method provided by the embodiment of the invention, the encrypted transmission key sent by the control end is decrypted to obtain the key for decrypting the encrypted instruction data, and the decrypted key is determined, so that the transmitted instruction data is prevented from being intercepted or cracked, the safety of data transmission is improved, and the safety of data transmission is ensured; among the methods provided by the examples of the present invention, to further illustrate the methods provided by the present invention, a more detailed discussion is provided in the following examples.
The control method provided by the embodiment of the invention is applied to a control system, the control system comprises a control end and a sending end, when the control end receives a control instruction, a data transmission request is sent to an equipment end, and the identity authentication processes of the equipment end and the control end are triggered;
the control end sends an acquisition instruction to the equipment end, wherein the acquisition instruction is an instruction for acquiring an identification character string and a random character string, and the instruction transmission request sent by the control end to the equipment end comprises the instruction for acquiring the identification character string and the random character string; the equipment end receives the acquisition instruction, and returns the identification character string and the random character string to the equipment end in response to the acquisition instruction; when the control end receives the identification character string, the identification character string is equivalent data such as a unique identification number or a serial number SN preset at the equipment end, the unique identification number is calculated by using a preset authentication root key to obtain a first authentication key, encryption operation is carried out on the random character string according to the first authentication key to obtain ciphertext data D1, and the control end sends an authentication ciphertext to the equipment end; the equipment end decrypts the ciphertext data D1 by using an authentication key preset at the equipment end to obtain authentication data D2, the equipment end compares a random character string obtained by decryption with a random character string sent to the control end, and if the comparison is consistent, the equipment end passes the identity authentication of the control end;
optionally, when the device end receives the obtaining instruction, the device end responds to the instruction and sends the identification character string to the control end, and the control end performs a decentralized operation on the obtained identification character string by using a preset authentication root key to obtain a first authentication root key; the equipment end sends the random character string to the control end, the control end uses the generated first authentication key to carry out encryption operation on the obtained random character string to obtain an encrypted authentication ciphertext, and the encrypted authentication ciphertext is sent to the equipment end; the device side compares whether the random character string obtained by decryption is consistent with the random character string sent to the control side, and if so, the identity of the control side passes authentication; it should be noted that, the device side responds to the control instruction sent by the control side, and when the device side sends the identification character string and the random character string to the control side, the two can be sent at the same time; or sequentially transmitted without any order.
The authentication key preset at the equipment end is that when the equipment end is in production, the authentication root key in the production system performs scattered operation on the unique identification number of the equipment end to form the authentication key corresponding to each identification number, and the authentication key is written into the corresponding equipment end, and the authentication key of each equipment end is different.
After the identity of the control end passes the authentication of the equipment end, the control end authenticates the identity of the equipment end before the instruction data is transmitted, and confirms a transmission key; the method comprises the steps that a control end obtains a signature value preset at an equipment end, the signature value is a signature value of a private key in a production key pair to a public key in a preset channel encryption key pair, the signature value is verified through obtained signature information and the production public key, so that the identity of the equipment end is authenticated, when the identity of the equipment end passes authentication, an encrypted transmission key is sent to the equipment end, the equipment end decrypts received encrypted instruction data through the obtained transmission key after decryption, instruction data are obtained, and corresponding instruction control is executed according to the instruction data, and the specific flow is shown in fig. 5;
the method comprises the steps that a control end sends an acquisition instruction to an equipment end, wherein the acquisition instruction is '8071000280' and '8071000180', the equipment end responds to the acquisition instruction and sends a public key in a channel transmission key pair and a signature value of a public key in a channel transmission key pair of a private key pair in a production key pair to the control end; verifying the signature value by using the signature information and a public key in a production public key pair, wherein when the signature passes the verification, the public key in a channel encryption key pair in the equipment end is legal, namely the identity of the equipment end passes the authentication;
the control end calculates the random number by calling a random number generation method to obtain a transmission key, encrypts the transmission key by using a public key of an obtained channel transmission key pair and sends the encrypted transmission key to the equipment end, the equipment end decrypts a private key of the preset channel transmission key pair to obtain the transmission key, encrypts the instruction data encrypted by using the transmission key by using the control end and sends the encrypted instruction data to the equipment end, and decrypts the encrypted instruction data by using the decrypted transmission key to obtain the instruction data and execute corresponding instruction control;
for example, the intelligent door lock receives encrypted instruction data sent remotely by a mobile phone, the intelligent door lock decrypts the encrypted instruction data through a transmission key obtained by decryption, the decrypted instruction data is a password for opening the intelligent door lock, and the intelligent door lock decrypts the encrypted instruction data and then executes corresponding instruction control, namely, the door lock is opened; the intelligent air conditioner can also receive encrypted instruction data sent by the mobile phone, wherein the instruction data is that the air conditioner is turned on and the temperature is set at 26 ℃; after receiving an encryption instruction sent remotely by the mobile phone, the intelligent air conditioner performs decryption operation, and sets the temperature at 26 ℃;
when the control end sends the instruction data to the device end again after the data transmission between the control end and the device end is finished, that is, after the channel for transmitting data between the control end and the receiving end is interrupted, the identities of the control end and the device end need to be authenticated again, and the transmission key needs to be determined again.
In the method provided by the embodiment of the invention, the safety of data information transmission is improved through double-end validity authentication of a control end and an equipment end, when the identities of the two parties pass verification, an encrypted transmission key is sent to the equipment end, because the encrypted transmission key avoids the possibility of leakage of the transmission key, the instruction data encrypted by the transmission key is sent to the equipment end, the equipment end decrypts an encrypted ciphertext by using the received transmission key to obtain the instruction data, and corresponding operation is executed according to the instruction data; the method provided by the embodiment of the invention improves the safety of the data instruction when the data instruction is sent, and the encryption method provided by the embodiment of the invention is real-time, thereby effectively reducing the replay attack of an attacker and improving the safety of the data instruction when the data instruction is transmitted.
The embodiment of the present invention further provides a control device, which is applied to a control end, and a schematic structural diagram of the control device is shown in fig. 6, and specifically includes:
a sending unit 601, configured to send an instruction data transmission instruction to an equipment end when receiving a control instruction, and trigger the equipment end to perform identity authentication on the control end;
an obtaining unit 602, configured to obtain device information of the device end when the control end passes the identity authentication of the device end, and perform identity authentication on the device end according to the device information;
a determining unit 603, configured to determine, when the identity authentication of the device side is passed, a transmission key for performing data transmission with the device side;
an encrypting unit 604, configured to encrypt the transmission key according to a preset encryption manner, and encrypt the instruction data to be transmitted according to the transmission key;
the first control unit 605 is configured to transmit the encrypted transmission key and the encrypted instruction data to the device side, so that the device side executes a control operation corresponding to the instruction data after acquiring the instruction data.
The embodiment of the present invention further provides a control device, which is applied to an equipment end, and a schematic structural diagram of the control device is shown in fig. 7, and specifically includes:
a first decryption unit 701, configured to decrypt the encrypted transmission key according to a preset decryption manner when receiving the encrypted transmission key and the encrypted instruction data sent by the control end, so as to obtain the transmission key;
a second decryption unit 702, configured to decrypt the encrypted instruction data by using the transmission key to obtain the instruction data;
the second control unit 703 is configured to control the device side according to the instruction data.
The control method provided by the embodiment of the invention is applied, when the control end and the equipment end transmit the instruction data, the identity of the opposite side is authenticated, and after the identity passes the authentication, the instruction data to be transmitted is encrypted and transmitted and decrypted according to the determined transmission key; therefore, the safety of data information transmission is improved, and the possibility that the data information is stolen by lawbreakers is reduced.
The embodiment of the present invention further provides a control system, a schematic structural diagram of which is shown in fig. 8, and specifically includes a control end 801 and an equipment end 802;
the control terminal 801 and the device terminal 802 perform the following operations:
when a control instruction is received, sending an instruction data transmission request to an equipment end, and triggering the equipment end to perform identity authentication on the control end; when the control terminal passes the identity authentication of the equipment terminal, acquiring equipment information of the equipment terminal, and performing identity authentication on the equipment terminal according to the equipment information; when the identity authentication of the equipment terminal is passed, determining a transmission key for data transmission with the equipment terminal; encrypting the transmission key according to a preset encryption mode, and encrypting the instruction data to be transmitted according to the transmission key; and transmitting the encrypted transmission key and the encrypted instruction data to the equipment end so that the equipment end executes control operation corresponding to the instruction data after acquiring the instruction data.
It should be noted that, in the present specification, the embodiments are all described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other. For the device type, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, refer to the partial description of the method embodiment.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, the system or system embodiments are substantially similar to the method embodiments and therefore are described in a relatively simple manner, and reference may be made to some of the descriptions of the method embodiments for related points. The above-described system and system embodiments are only illustrative, wherein the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (9)

1. A control method is applied to a control end and comprises the following steps:
when a control instruction is received, sending an instruction data transmission request to an equipment end, and triggering the equipment end to perform identity authentication on the control end; the triggering the device end to perform identity authentication on the control end includes:
triggering the equipment end to send an identification character string and a random character string to the control end; when the identification character string is received, calling a preset authentication root key to perform decentralized operation on the identification character string to obtain a first authentication key; encrypting the random character string according to the first authentication key to obtain an authentication ciphertext; sending the authentication ciphertext to the equipment end so that the equipment end decrypts the authentication ciphertext to obtain a random character string contained in the authentication ciphertext, matching the random character string contained in the authentication ciphertext with the random character string sent to the control end, and authenticating the identity of the control end when the random character string contained in the authentication ciphertext is matched with the random character string sent to the control end;
when the control terminal passes the identity authentication of the equipment terminal, acquiring equipment information of the equipment terminal, and performing identity authentication on the equipment terminal according to the equipment information;
when the identity authentication of the equipment terminal is passed, determining a transmission key for data transmission with the equipment terminal;
encrypting the transmission key according to a preset encryption mode, and encrypting the instruction data to be transmitted according to the transmission key;
and transmitting the encrypted transmission key and the encrypted instruction data to the equipment end so that the equipment end executes control operation corresponding to the instruction data after acquiring the instruction data.
2. The method according to claim 1, wherein the obtaining the device information of the device side and performing the identity authentication on the device side according to the device information comprises:
acquiring a signature value and a public key in a channel encryption key pair contained in the equipment terminal, wherein the signature value is the signature value of a private key in a preset production key pair to the public key in the preset channel encryption key pair;
and calling a public key in a preset production key pair, carrying out signature verification operation on the signature value, confirming that the public key in the channel encryption key pair in the equipment end is a legal public key when the signature is verified successfully, and passing the identity authentication of the equipment end.
3. The method of claim 1, wherein the determining a transmission key for data transmission with the device side comprises:
and calling a preset random number generation method to generate the transmission key.
4. The method according to claim 2, wherein the encrypting the transmission key according to the preset encryption mode comprises:
and encrypting the transmission key by using a public key in a channel encryption key pair acquired from the equipment terminal.
5. A control device, applied to a control terminal, includes:
the sending unit is used for sending an instruction data transmission request to an equipment end when receiving a control instruction, and triggering the equipment end to perform identity authentication on the control end; the triggering the device end to perform identity authentication on the control end includes:
triggering the equipment end to send an identification character string and a random character string to the control end; when the identification character string is received, calling a preset authentication root key to perform decentralized operation on the identification character string to obtain a first authentication key; encrypting the random character string according to the first authentication key to obtain an authentication ciphertext; sending the authentication ciphertext to the equipment end so that the equipment end decrypts the authentication ciphertext to obtain a random character string contained in the authentication ciphertext, matching the random character string contained in the authentication ciphertext with the random character string sent to the control end, and authenticating the identity of the control end when the random character string contained in the authentication ciphertext is matched with the random character string sent to the control end;
the obtaining unit is used for obtaining the equipment information of the equipment end when the control end passes the identity authentication of the equipment end, and performing the identity authentication on the equipment end according to the equipment information;
the determining unit is used for determining a transmission key for data transmission with the equipment terminal when the identity authentication of the equipment terminal is passed;
the encryption unit is used for encrypting the transmission key according to a preset encryption mode and encrypting the instruction data to be transmitted according to the transmission key;
and the first control unit is used for transmitting the encrypted transmission key and the encrypted instruction data to the equipment end so that the equipment end executes control operation corresponding to the instruction data after acquiring the instruction data.
6. A control method is applied to a device side and comprises the following steps:
when receiving an encrypted transmission key and encrypted instruction data sent by a control end, decrypting the encrypted transmission key according to a preset decryption mode to obtain the transmission key; before receiving the encrypted transmission key and the encrypted instruction data sent by the control end, the method further comprises: receiving a command data transmission request sent by the control end, and triggering the equipment end to perform identity authentication on the control end; the instruction data transmission request is sent when the control end receives a control instruction; the triggering the device end to perform identity authentication on the control end includes: triggering the equipment end to send an identification character string and a random character string to the control end; when the control end receives the identification character string, calling a preset authentication root key to perform decentralized operation on the identification character string to obtain a first authentication key; encrypting the random character string according to the first authentication key to obtain an authentication ciphertext; sending the authentication ciphertext to the equipment end to enable the equipment end to decrypt the authentication ciphertext to obtain a random character string contained in the authentication ciphertext, matching the random character string contained in the authentication ciphertext with the random character string sent to the control end, and when the random character string contained in the authentication ciphertext is matched with the random character string sent to the control end, enabling the equipment end to pass identity authentication of the control end;
when the control end passes the identity authentication of the equipment end, sending the equipment information of the equipment end to the control end so that the control end carries out the identity authentication on the equipment end according to the equipment information; the transmission key is determined when the control end passes the identity authentication of the equipment end; decrypting the encrypted instruction data by applying the transmission key to obtain the instruction data;
and controlling the equipment terminal according to the instruction data.
7. The method according to claim 6, wherein the decrypting the encrypted transmission key according to a predetermined encryption manner comprises:
and decrypting the encrypted transmission key by using a private key in a preset channel encryption key pair.
8. A control device is characterized by being applied to an equipment side and comprising:
the first decryption unit is used for decrypting the encrypted transmission key according to a preset decryption mode when receiving the encrypted transmission key and the encrypted instruction data sent by the control end to obtain the transmission key; before receiving the encrypted transmission key and the encrypted instruction data sent by the control end, the method further comprises the following steps: receiving a command data transmission request sent by the control end, and triggering the equipment end to perform identity authentication on the control end; the instruction data transmission request is sent when the control end receives a control instruction; the triggering the device end to perform identity authentication on the control end includes: triggering the equipment end to send an identification character string and a random character string to the control end; when the control end receives the identification character string, calling a preset authentication root key to perform decentralized operation on the identification character string to obtain a first authentication key; encrypting the random character string according to the first authentication key to obtain an authentication ciphertext; sending the authentication ciphertext to the equipment end to enable the equipment end to decrypt the authentication ciphertext to obtain a random character string contained in the authentication ciphertext, matching the random character string contained in the authentication ciphertext with the random character string sent to the control end, and when the random character string contained in the authentication ciphertext is matched with the random character string sent to the control end, enabling the equipment end to pass identity authentication of the control end;
when the control end passes the identity authentication of the equipment end, sending the equipment information of the equipment end to the control end so that the control end carries out the identity authentication on the equipment end according to the equipment information; the transmission key is determined when the control end passes the identity authentication of the equipment end;
the second decryption unit is used for decrypting the encrypted instruction data by applying the transmission key to obtain the instruction data;
and the second control unit is used for controlling the equipment terminal according to the instruction data.
9. A control system, comprising:
a control end and an equipment end;
wherein:
the control end is used for executing the control method of any one of claims 1-4;
the device side is used for executing the control method of any one of claims 6 or 7.
CN201811391443.2A 2018-11-21 2018-11-21 Control method and related equipment Active CN109618334B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811391443.2A CN109618334B (en) 2018-11-21 2018-11-21 Control method and related equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811391443.2A CN109618334B (en) 2018-11-21 2018-11-21 Control method and related equipment

Publications (2)

Publication Number Publication Date
CN109618334A CN109618334A (en) 2019-04-12
CN109618334B true CN109618334B (en) 2022-03-22

Family

ID=66003780

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811391443.2A Active CN109618334B (en) 2018-11-21 2018-11-21 Control method and related equipment

Country Status (1)

Country Link
CN (1) CN109618334B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110278080B (en) * 2019-07-11 2020-10-02 珠海格力电器股份有限公司 Method, system and computer readable storage medium for data transmission
CN112987581B (en) * 2019-12-16 2022-11-11 华为技术有限公司 Control method for intelligent household equipment, medium and terminal thereof
CN112218249B (en) * 2020-11-17 2022-06-24 深圳开立生物医疗科技股份有限公司 Data transmission method, data transmission device, data downloading method and related equipment
CN114650151A (en) * 2020-12-15 2022-06-21 宝能汽车集团有限公司 Data transmission method, device and system based on vehicle CAN bus and storage medium
CN114615012A (en) * 2022-01-28 2022-06-10 北京威尔文教科技有限责任公司 Device connection method and device, electronic device and readable storage medium
CN115002770A (en) * 2022-05-24 2022-09-02 矩阵时光数字科技有限公司 Near field communication system based on quantum key
CN117475533A (en) * 2022-07-21 2024-01-30 广州汽车集团股份有限公司 Data transmission method and device, equipment and computer readable storage medium

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101527908B (en) * 2009-04-08 2011-04-20 中兴通讯股份有限公司 Method for pre-identifying wireless local area network terminal and wireless local area network system
CN101969438B (en) * 2010-10-25 2013-10-09 胡祥义 Method for realizing equipment authentication, data integrity and secrecy transmission for Internet of Things
CN105636037B (en) * 2015-06-29 2019-11-12 宇龙计算机通信科技(深圳)有限公司 Authentication method, device and electronic equipment
CN108809645A (en) * 2018-07-24 2018-11-13 南方电网科学研究院有限责任公司 The method, apparatus and electrical power distribution automatization system of key agreement

Also Published As

Publication number Publication date
CN109618334A (en) 2019-04-12

Similar Documents

Publication Publication Date Title
CN109618334B (en) Control method and related equipment
US11070364B2 (en) Secure communication method and smart lock system based thereof
US11516020B2 (en) Key management method, apparatus, and system, storage medium, and computer device
CN108512846B (en) Bidirectional authentication method and device between terminal and server
CN109410406B (en) Authorization method, device and system
CN101828357B (en) Credential provisioning method and device
WO2018127081A1 (en) Method and system for obtaining encryption key
CN105553666B (en) Intelligent power terminal safety authentication system and method
CN101588245A (en) A kind of method of authentication, system and memory device
US11206496B2 (en) Hearing device with service mode and related method
WO2018119623A1 (en) Method of unlocking electronic lock device, and client and electronic lock device thereof
EP3668120A1 (en) Hearing device with service mode and related method
CN110690956B (en) Bidirectional authentication method and system, server and terminal
CN113114668B (en) Information transmission method, mobile terminal, storage medium and electronic equipment
CN105282179A (en) Family Internet of things security control method based on CPK
CN105100102A (en) Authority configuration method and device as well as information configuration method and device
CN109547303B (en) Control method and related equipment
CN111583482A (en) Access control system based on two-dimensional code and control method thereof
JP7064653B2 (en) Communications system
CN109922022A (en) Internet of Things communication means, platform, terminal and system
WO2017020530A1 (en) Enhanced wlan certificate authentication method, device and system
CN112184960B (en) Intelligent lock control method and device, intelligent lock system and storage medium
JP2011199594A (en) Initial setting method and initial setting apparatus for terminal
CN110061894B (en) Household control method and system and household master control device
CN113593088A (en) Intelligent unlocking method, intelligent lock, mobile terminal and server

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant