CN110572800B

CN110572800B - Equipment identity authentication method and device in machine-to-machine environment

Info

Publication number: CN110572800B
Application number: CN201910748663.4A
Authority: CN
Inventors: 程庆丰; 孟良霖; 刘文芬; 丁文博; 李钰汀; 胡学先; 张军琪
Original assignee: Information Engineering University of PLA Strategic Support Force
Current assignee: Information Engineering University of PLA Strategic Support Force
Priority date: 2019-08-14
Filing date: 2019-08-14
Publication date: 2022-04-05
Anticipated expiration: 2039-08-14
Also published as: CN110572800A

Abstract

The invention belongs to the technical field of information security, and particularly relates to a method and a device for authenticating equipment identity in a machine-to-machine environment, wherein the method comprises the following steps: the intelligent sensor equipment in the Internet of things determines self identity information, a pre-shared key is negotiated between the authentication server and the router, and meanwhile, the intelligent card performs read-write operation and opens up a storage space; the intelligent sensor equipment completes a registration request to the authentication server through the intelligent card and by utilizing the identity information of the intelligent sensor equipment; the intelligent sensor equipment accessed to the machine-to-machine communication environment reads the equipment through the intelligent card, and performs mutual authentication and key agreement with the router in the Internet of things through the pre-shared key so as to realize data interaction with other sensor equipment in the Internet of things. The method can resist test attack, pre-shared key leakage attack, session key leakage attack, man-in-the-middle attack and the like aiming at the smart card, effectively improves the safety in the data interaction process of the Internet of things, and has better application prospect.

Description

Equipment identity authentication method and device in machine-to-machine environment

Technical Field

The invention belongs to the technical field of information security, and particularly relates to a method and a device for authenticating equipment identity in a machine-to-machine environment.

Background

Machine-to-machine (M2M) communication is a key technology for implementing the Industrial Internet of Things (IIoT). In the M2M technology, all devices and machines can communicate with each other through a wireless network. M2M technology can generally provide data exchange between resource-constrained devices without human intervention. One important role of M2M is to enable real-time data communication between smart sensor equipped devices and a central management application in order to collect important data for its users that is transmitted from remote devices. Since the M2M technology is located within embedded cells through 3GPP technologies (such as GSM/GPRS, UMTS/HSPA (+) and LTE networks), it has become more mobile and intelligent than before. However, similar to Wireless Sensor Networks (WSNs), 3GPP cellular networks are vulnerable to some well-known information security threats. Therefore, similar to WSN, there is a need to ensure confidentiality, integrity of transmitted data and robustness against attacks from external entities. These security requirements can be met by designing a safe and effective communication scheme. In the M2M technology employed in the industrial internet of things (IIoT), the system model consists of three main entities: smart sensors, routers and Authentication Servers (AS). A pre-shared key is set between the router and the authentication server, the registration process of the intelligent sensor is carried out between the intelligent sensor and the authentication server, and the mutual authentication process is carried out between the intelligent sensor and the router.

In order to ensure secure communication between M2M devices, an authentication scheme and a key agreement scheme (AKA) have been proposed in recent years of research. These schemes should not only be able to securely perform mutual authentication and session key establishment, but also should be able to satisfy high efficiency. However, most of the existing lightweight authentication mechanisms and key agreement mechanisms can also be applied to the field of internet of things, and provide a security mechanism for asymmetric encryption, but the calculation cost is high, so that many security problems are caused. The traditional identity authentication and key agreement protocol is not suitable for the environment of the internet of things, and the traditional encryption mode and protocol are specifically restricted in the environment of a sensing layer, because the intelligent terminal equipment of the internet of things is generally weaker in storage and calculation capacity and cannot bear a large amount of data processing and data calculation, further requirements are provided for the authentication protocol during identity authentication and the authenticated key agreement protocol.

Disclosure of Invention

Therefore, the equipment identity authentication method and device in the machine-to-machine environment can resist security problems such as test attack, pre-shared key leakage attack, session key leakage attack and man-in-the-middle attack aiming at the smart card, and effectively improve the security in the data interaction process of the Internet of things.

According to the design scheme provided by the invention, the equipment identity authentication method oriented to the machine-to-machine environment comprises the following steps:

in the initialization stage, the intelligent sensor equipment in the Internet of things determines the identity information of the intelligent sensor equipment, a pre-shared key is negotiated between the authentication server and the router, and meanwhile, the intelligent card performs read-write operation and opens up a storage space;

in the registration stage, the intelligent sensor equipment completes a registration request to the authentication server through the intelligent card and by utilizing self identity information;

and in the authentication negotiation stage, the intelligent sensor equipment accessed into the machine-to-machine communication environment reads the equipment through an intelligent card, and performs mutual authentication and key negotiation with the router in the Internet of things through a pre-shared key so as to realize data interaction with other sensor equipment in the Internet of things.

In the registration phase, the smart sensor device obtains and stores temporary identity information and temporary session key information by using the smart card, where the temporary session key information includes password data of the smart sensor device; and initiating a registration request to the authentication server through a secure channel, and constructing a temporary session key between the intelligent sensor device and the authentication server, so that mutual authentication between the intelligent sensor device and the router is completed.

The registration stage specifically includes the following contents:

the intelligent sensor equipment sends self identity information to an authentication server;

after receiving the identity information of the intelligent sensor equipment, the authentication server generates a temporary identity set and a session key set for the intelligent sensor equipment, writes the temporary identity set and the session key set into the intelligent card, and simultaneously sends message data containing the temporary identity set, the session key set and a pre-shared key of the two parties to the intelligent sensor equipment;

and after receiving the message data, the intelligent sensor equipment selects a self password, updates the temporary identity set and the session key set according to the password, and stores the updated data into the intelligent card.

In the authentication negotiation stage, the smart sensor device reads data through the smart card, generates a sending message, and sends the sending message to the router; the router carries out message verification after receiving the message and feeds back the verification result to the authentication server, the authentication server generates a session key and an authentication message between the intelligent sensor equipment and the router, and the intelligent sensor equipment and the router carry out identity authentication of the intelligent sensor equipment and the router according to the session key and the authentication message.

According to the session key and the authentication message, the intelligent sensor equipment verifies and updates the session key set after receiving the router feedback message, generates a new message and sends the new message to the router, and the router verifies the message after receiving the new message so as to complete the identity authentication of the intelligent sensor equipment.

Furthermore, the present invention also provides an apparatus for authenticating device identity in a machine-to-machine environment, comprising: an initialization module, a registration module, and an authentication negotiation module, wherein,

the initialization module is used for determining self identity information of the intelligent sensor equipment of the Internet of things in an initialization stage, negotiating a pre-shared key between the authentication server and the router, and simultaneously carrying out read-write operation and opening up a storage space by the intelligent card;

the registration stage is used for completing a registration request to the authentication server by the intelligent sensor equipment through the intelligent card and by utilizing the identity information of the intelligent sensor equipment;

and the authentication negotiation module is used for reading equipment by the intelligent sensor equipment accessed into the machine-to-machine communication environment through the intelligent card in the authentication negotiation stage, and performing mutual authentication and key negotiation with the router in the Internet of things through the pre-shared key so as to realize data interaction with other sensor equipment in the Internet of things.

The invention has the beneficial effects that:

based on the smart card and password two-factor authentication mode, the pre-shared secret key between the router and the authentication server is encrypted and protected through the smart card and the password, a session secret key between the smart sensor and the router is generated by negotiation in the mutual authentication process between the smart sensor and the router, and the security in the data interaction process can be still ensured even if the temporary session secret key is leaked; aiming at attack modes of security vulnerabilities such as test attack, pre-shared key leakage attack, session key leakage attack, man-in-the-middle attack and the like of the intelligent card, the method can effectively ensure the anti-attack performance, improves the information security and has better application prospect.

Description of the drawings:

FIG. 1 is a flow chart of an embodiment of a method for identity authentication;

FIG. 2 is a flowchart of registration in an embodiment;

FIG. 3 is a diagram of an embodiment of an identity authentication device;

FIG. 4 is a flow chart of an intelligent sensor device registration phase in an embodiment;

fig. 5 is a schematic diagram of an authentication and key agreement process between the smart sensor device and the router in the embodiment.

The specific implementation mode is as follows:

in order to make the objects, technical solutions and advantages of the present invention clearer and more obvious, the present invention is further described in detail below with reference to the accompanying drawings and technical solutions.

For the situations that the conventional identity authentication and key agreement protocol is not suitable for the environment of the internet of things, and the conventional encryption manner and protocol are subject to specific constraints in the environment of the sensing layer, the embodiment of the present invention, as shown in fig. 1, provides an equipment identity authentication method in a machine-to-machine environment, including the following contents:

s101) in an initialization stage, the intelligent sensor equipment in the Internet of things determines identity information of the intelligent sensor equipment, a pre-shared key is negotiated between an authentication server and a router, and meanwhile, the intelligent card performs read-write operation and opens up a storage space;

s102) in a registration stage, the intelligent sensor equipment completes a registration request to an authentication server through an intelligent card and by using self identity information;

s103) in the authentication negotiation stage, the intelligent sensor equipment accessed into the machine-to-machine communication environment reads the equipment through the intelligent card, and performs mutual authentication and key negotiation with the router in the Internet of things through the pre-shared key so as to realize data interaction with other sensor equipment in the Internet of things.

Based on a smart card and password two-factor authentication mode, a pre-shared key between the router and the authentication server is encrypted and protected through the smart card and the password, a session key between the smart sensor and the router is generated by negotiation in the mutual authentication process between the smart sensor and the router, and the security in the data interaction process can be still ensured even if a temporary session key is leaked.

Furthermore, in the embodiment of the present invention, the smart sensor SE initiates a registration request to the authentication server AS through the secure channel, and the smart sensor device obtains and stores temporary identity information and temporary session key information by using the smart card, where the temporary session key information includes password data of the smart sensor device; and initiating a registration request to the authentication server through a secure channel, and constructing a temporary session key between the intelligent sensor device and the authentication server, so that mutual authentication between the intelligent sensor device and the router is completed.

Further, in the embodiment of the present invention, the registration phase, as shown in fig. 2, specifically includes the following contents:

s201) the intelligent sensor equipment sends self identity information to an authentication server;

s202) after receiving the identity information of the intelligent sensor equipment, the authentication server generates a temporary identity set and a session key set for the intelligent sensor equipment, writes the temporary identity set and the session key set into the intelligent card, and simultaneously sends message data containing the temporary identity set, the session key set and a pre-shared key of the two parties to the intelligent sensor equipment;

s203) after the intelligent sensor equipment receives the message data, the intelligent sensor equipment selects a self password, updates the temporary identity set and the session key set according to the password, and stores the updated data into the intelligent card.

The intelligent sensor SE sends the identity information ID of the intelligent sensor SE_iAnd sending the data to an authentication server AS. After the authentication server AS receives the message of the intelligent sensor SE, f is calculated_1i＝h(ID_i||x)，f_2i＝h(f_1i) The authentication server AS generates a temporary identity set PID ═ PID for the intelligent sensor SE₁,pid₂… } where pid ═ h (ID)_i||r_j||f_1i). The authentication server then generates a set of session keys for the smart sensor

Wherein

Computing

And mixing PID, K_SAH (-) is written into the smart card SMC. After the computation is finished, the authentication server AS sends a message { f_2i,PID,K_SA,T_SRH (·) } to the smart sensor SE. After receiving the message, the intelligent sensor selects the password PSW of the intelligent sensor_iAnd calculate

Will be updated

And storing the data into the smart card.

Furthermore, in the embodiment of the present invention, the smart sensor SE and the router R perform an authentication and key agreement process, in which both sides perform mutual authentication and key agreement, and the smart sensor device reads data through the smart card, generates a sending message, and sends the sending message to the router; the router carries out message verification after receiving the message and feeds back the verification result to the authentication server, the authentication server generates a session key and an authentication message between the intelligent sensor equipment and the router, and the intelligent sensor equipment and the router carry out identity authentication of the intelligent sensor equipment and the router according to the session key and the authentication message.

Further, in the embodiment of the present invention, according to the session key and the authentication message, the intelligent sensor device verifies and updates the session key set after receiving the router feedback message, generates a new message, and sends the new message to the router, and the router verifies the message after receiving the new message to complete the identity authentication of the intelligent sensor device.

The smart sensor SE inserts the smart card into the reader device and submits its ID_iAnd PSW_iThe smart card being calculated by the reading device

And transmitting the calculation result to an intelligent sensor SE, and obtaining PID and K by the intelligent sensor SE_SARandom number r is arbitrarily selected₁And calculate

M₂＝h(r₁||M₁||pid_i). After the computation is completed, a message { M } is sent₁,M₂,PID,T_SRGive router R. Router R receives message { M₁,M₂,PID,T_SRAfter the previous step, calculate

f_2i＝h(f_1i)，

Calculating h (r)₁||M₁||pid_i) And verify h (r)₁||M₁||pid_i) Whether or not to equal M₂If not, the router immediately terminates the authentication process and sends the intelligent sensor SE to the server_iPid of_iServer AS deletes PID from PID set_i. Otherwise, if equal, the router R selects the random number R₂And calculate

Then the AID is used_iSending to the authentication server AS, the authentication server updating

Then calculate

M′₂＝h(M′₁||AID_i||r₂) Generating a smart sensor SE_iAnd a session key SK between the router R_ij＝h(r₁||r₂). Generate message { M'₁,M′₂,AID_j}. Smart sensor SE receiving message { M 'sent by router'₁,M″₂,AID_jAfter the previous step, calculate

And verifies h (M'₁||AID_i||r₂) And M'₂Whether equal, if equal, calculate

Updating

Then the message is sent

To the router R. The router R receives the message M ″₁Then, verify

Whether or not it is equal to h (r)₂) If not, then the smart sensor SE_iAuthentication fails; if equal, the authentication is successful.

In the password updating phase, the intelligent sensor SE can freely change its own password without the help of the router. It needs to identify its own identity information ID_iOriginal password PSW_iAnd a new password PSW_i ^*Submitting the information to an intelligent card SMC, and after receiving the information submitted by the intelligent sensor, the intelligent card sends the original information in the intelligent card

Delete, and calculate

New PID to be generated^**And

and storing the data into the smart card.

Further, based on the above method, an embodiment of the present invention further provides an apparatus for authenticating identity of a device in a machine-to-machine environment, as shown in fig. 3, including: an initialization module 101, a registration module 102, and an authentication negotiation module 103, wherein,

the initialization module 101 is configured to, in an initialization stage, determine identity information of the internet of things intelligent sensor device, negotiate a pre-shared key between the authentication server and the router, and simultaneously perform read-write operation and open up a storage space by the smart card;

a registration stage 102, in which the smart sensor device completes a registration request to the authentication server through the smart card and by using the identity information of the smart sensor device;

and the authentication negotiation module 103 is used for reading the intelligent sensor device accessed to the machine-to-machine communication environment through the intelligent card in the authentication negotiation stage, and performing mutual authentication and key negotiation with the router in the internet of things through the pre-shared key so as to realize data interaction with other sensor devices in the internet of things.

The invention provides an efficient and safe machine-to-machine environment-oriented lightweight authentication and key agreement mechanism, which realizes the security protection of a pre-shared key and a session key based on a smart card and password two-factor authentication model, thereby ensuring the security and reliability of the lightweight authentication protocol. The lightweight authentication and key agreement oriented to the machine-to-machine environment is mainly divided into four processes: an initialization process, a registration process, an authentication and key agreement process, and a password update process. Following with the intelligent sensor SE_iAnd a router R_jThe authentication between the processes is taken as an example, and the specific implementation steps of each process are respectively described as follows:

1) initialization procedure

First of all, the intelligent sensor SE_iDetermining an identity ID of a user in a connected internet of things_iSecond, the smart sensor SE_iAnd router R_jNegotiate a pre-shared key PSK between the two_jAnd read-write operation is carried out on the smart card SMC, and a storage space is opened up.

2) Registration process

Referring to fig. 4, a smart sensor SE_iSending a registration request to the authentication server AS, the purpose of the registration being to enable the smart sensor SE_iAnd a router R_jCan authenticate each other. First of all intelligenceSensor SE_iSending own identity information ID_iTo the authentication server AS, which is receiving the smart sensor SE_iAfter the identity information of (c), f is calculated_1i＝h(ID_i||x)，f_2i＝h(f_1i) The authentication server AS is an intelligent sensor SE_iGenerating a temporary identity set PID ═ PID₁,pid₂… } where pid ═ h (ID)_i||r_j||f_1i). The authentication server then generates a set of session keys for the smart sensor

Wherein

Computing

And mixing PID, K_SAH (-) is written into the smart card SMC. After the computation is finished, the authentication server AS sets the Message1 to f_2i,PID,K_SA,T_SRH (-) sends to the smart sensor SE_i. After receiving the message, the intelligent sensor selects the password PSW of the intelligent sensor_iAnd calculate

Will be updated

And storing the data into the smart card.

3) Authentication and key agreement procedure

Referring to fig. 5, a smart sensor SE_iAfter registration, will be connected into the context of machine-to-machine communication, in which communication context the smart sensor SE is_iThrough and router R_jAnd the connection is communicated with other intelligent sensors in the Internet of things. Therefore, during the authentication process, a smart sensor SE is required_iAnd router R_jMutual authentication is performed and a secure session key is formed. First, the smart sensor SE_iInserting and reading smart cardIn the fetching device, submitting its ID_iAnd PSW_iThe smart card being calculated by the reading device

And transmits the calculation result to the intelligent sensor SE_iIntelligent sensor SE_iGet PID and K_SARandom number r is arbitrarily selected₁And calculate

M₂＝h(r₁||M₁||pid_i). After the calculation is completed, a Message2 ═ { M ═ is sent₁,M₂,PID,T_SRGive router R_j。

Router R_jReceived Message2 ═ M₁,M₂,PID,T_SRAfter the previous step, calculate

f_2i＝h(f_1i)，

Calculating h (r)₁||M₁||pid_i) And verify h (r)₁||M₁||pid_i) Whether or not to equal M₂If not, the router immediately terminates the authentication process and sends the intelligent sensor SE to the server_iPid of_iServer AS deletes PID from PID set_i. Otherwise, if equal, the router R_jSelecting a random number r₂And calculate

Then calculate

M′₂＝h(M′₁||AID_i||r₂) Generating a smart sensor SE_iAnd a router R_jSK of session key between_ij＝h(r₁||r₂). Generating Message3 ═ M'₁,M′₂,AID_j}。

Intelligent sensor SE_iWhen the Message3 ═ M 'sent by the router is received'₁,M′₂,AID_jAfter the previous step, calculate

And verifies h (M'₁||AID_i||r₂) And M'₂Whether equal, if equal, calculate SK_ij＝h(r₁||r₂)，

Updating

Then the message is sent

To router R_j。

Router R_jReceipt of message M ″)₁Then, verify

4) Password update procedure

In the intelligent sensor SE_iAnd a router R_jAfter one mutual authentication and key agreement, the intelligent sensor SE_iThe password of the user can be freely changed without the help of the router. It needs to identify its own identity information ID_iOriginal password PSW_iAnd a new password PSW_i ^*Submitting to a smart card SMC, the smart card receiving a smart sensor SE_iAfter the submitted information, the original information in the smart card is sent

Delete, and calculate

New PID to be generated^**And

and storing the data into the smart card.

Under the application environment of the industrial Internet of things, the lightweight identity authentication and key agreement protocol realized in the embodiment of the invention facing to the machine-to-machine communication environment can resist not only the pre-shared key leakage attack, the key leakage disguised attack, the anonymity leakage attack, the known key attack and the man-in-the-middle attack, but also the hardware attack of the smart card, can ensure the security of the session key and the anonymity of both communication parties, and has better application prospect.

Unless specifically stated otherwise, the relative steps, numerical expressions, and values of the components and steps set forth in these embodiments do not limit the scope of the present invention.

Based on the foregoing method, an embodiment of the present invention further provides a server, including: one or more processors; a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method described above.

Based on the above method, the embodiment of the present invention further provides a computer readable medium, on which a computer program is stored, wherein the program, when executed by a processor, implements the above method.

The device provided by the embodiment of the present invention has the same implementation principle and technical effect as the method embodiments, and for the sake of brief description, reference may be made to the corresponding contents in the method embodiments without reference to the device embodiments.

It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the system and the apparatus described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.

In all examples shown and described herein, any particular value should be construed as merely exemplary, and not as a limitation, and thus other examples of example embodiments may have different values.

It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.

The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.

The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.

In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.

The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer-readable storage medium executable by a processor. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.

Finally, it should be noted that: the above-mentioned embodiments are only specific embodiments of the present invention, which are used for illustrating the technical solutions of the present invention and not for limiting the same, and the protection scope of the present invention is not limited thereto, although the present invention is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that: any person skilled in the art can modify or easily conceive the technical solutions described in the foregoing embodiments or equivalent substitutes for some technical features within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention, and they should be construed as being included therein. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims

1. An equipment identity authentication method oriented to a machine-to-machine environment, comprising:

in the authentication negotiation stage, intelligent sensor equipment accessed into a machine-to-machine communication environment performs equipment reading through an intelligent card, and performs mutual authentication and key negotiation with a router in the Internet of things through a pre-shared key so as to realize data interaction with other sensor equipment in the Internet of things;

the registration stage specifically includes the following contents:

after receiving the message data, the intelligent sensor device selects a self password, updates the temporary identity set and the session key set according to the password, and stores the updated data into the intelligent card;

in the authentication negotiation stage, the intelligent sensor equipment reads data through an intelligent card, generates a sending message and sends the sending message to the router; the router carries out message verification after receiving the message and feeds back the verification result to the authentication server, the authentication server generates a session key and an authentication message between the intelligent sensor equipment and the router, and the intelligent sensor equipment and the router carry out identity authentication of the intelligent sensor equipment and the router according to the session key and the authentication message.

2. The equipment identity authentication method in the machine-to-machine environment oriented to the claim 1, characterized in that in the registration phase, the smart sensor equipment uses the smart card to obtain and store the temporary identity information and the temporary session key information, wherein the temporary session key information contains password data of the smart sensor equipment; and initiating a registration request to the authentication server through a secure channel, and constructing a temporary session key between the intelligent sensor device and the authentication server, so that mutual authentication between the intelligent sensor device and the router is completed.

3. The equipment identity authentication method in the machine-to-machine environment as claimed in claim 1, wherein according to the session key and the authentication message, the smart sensor equipment verifies and updates the session key set after receiving the router feedback message, generates a new message and sends the new message to the router, and the router verifies the message after receiving the new message to complete the identity authentication of the smart sensor equipment.

4. An apparatus for authenticating device identity in a machine-to-machine environment, comprising: an initialization module, a registration module, and an authentication negotiation module, wherein,

the authentication negotiation module is used for reading equipment by intelligent sensor equipment accessed into a machine-to-machine communication environment through an intelligent card in an authentication negotiation stage, and performing mutual authentication and key negotiation with a router in the Internet of things through a pre-shared key so as to realize data interaction with other sensor equipment in the Internet of things;

the registration stage specifically includes the following contents: