CN110855442A - PKI (public key infrastructure) technology-based inter-device certificate verification method - Google Patents


Publication number
CN110855442A
Authority
CN
China
Prior art keywords
certificate
cert
authentication
digital certificate
digital
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910960038.6A
Other languages
Chinese (zh)
Inventor
马娟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing WatchData System Co Ltd
Beijing WatchSmart Technologies Co Ltd
Original Assignee
Beijing WatchSmart Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing WatchSmart Technologies Co Ltd
Priority to CN201910960038.6A
Publication of CN110855442A
Legal status: Pending

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263: Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268: Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • H04L9/3236: Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3265: Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate chains, trees or paths; Hierarchical trust model
    • H04L9/3271: Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3273: Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication

Abstract

The invention provides a PKI-based method for certificate verification between devices. After a device certificate passes verification once, an entry for it (the device ID and the Hash value of the device certificate) is stored in a Hash table on the authenticating device, and subsequent authentications only need to query whether the Hash table contains the relevant information to obtain the authentication result. The certificate therefore does not have to be parsed and verified at every authentication, which reduces the number of steps and the computing resources required during device authentication, shortens authentication latency, and improves efficiency.

Description

PKI (public key infrastructure) technology-based inter-device certificate verification method
Technical Field
The invention relates to information security technology, and in particular to a PKI-based system for certificate verification between devices.
Background
PKI is short for Public Key Infrastructure. It is a system that provides information security services using public-key theory and digital certificates, and it is responsible for verifying the identity of the holder of a digital certificate. PKI is the core of current network security construction and the foundation that underpins the development of electronic commerce; it ensures the privacy, integrity, non-repudiation and source authentication of communication data.
When digital information is transmitted between devices, the certificate, the complete certificate chain and the device information must be parsed, and normal business operations can proceed only after the certificate passes authentication. However, the digital certificate has to be parsed and verified every time it is received, so the authentication process is complex and takes a certain amount of time.
With the rapid development of Internet of Things technology, the demand for mutual authentication between devices has increased markedly. IoT devices generally require low power consumption and low latency, but the original PKI certificate authentication process is complex and time-consuming when used between devices, so it cannot meet the requirement for fast mutual authentication between devices.
Disclosure of Invention
The invention aims to provide a PKI-based method for verifying certificates between devices, which solves the problems that the authentication process between devices is complex, takes a long time, and adds latency.
The invention provides a PKI-based method for certificate verification between devices. The devices involved in the verification comprise at least a certificate authority (CA), and a device A and a device B that need to be authenticated. Device A stores its device digital certificate Cert_A and the root certificate Cert_CA of the certificate authority CA; device B stores at least the root certificate Cert_CA of the certificate authority CA.
A table T_B is saved in device B; the table includes the authenticated device ID and the Hash value of the digital certificate Cert_A of device A.
The authentication of device A by device B comprises the following steps:
First step S1: device A sends its device ID together with its digital certificate Cert_A to device B;
Second step S2: device B performs a Hash operation on Cert_A of device A to obtain the Hash value H(Cert_A), and checks whether the device ID and the Hash value H(Cert_A) of device A are in table T_B;
if the Hash value H(Cert_A) of device A and the device ID are present in table T_B, the authentication is successful; otherwise, the process proceeds to the third step S3;
Third step S3: device B verifies the validity of the digital certificate of device A;
when the digital certificate of device A is valid, the process proceeds to the fourth step S4;
Fourth step S4: the device ID and Cert_A of device A are added to table T_B, and the authentication passes.
Further, the device ID is an ID that can uniquely identify the device in the network.
Further, device B verifying the validity of the digital certificate of device A comprises: verifying the validity period of the device digital certificate and checking the validity of the certificate chain using the root certificate.
Further, device B verifying the validity of the digital certificate of device A further comprises: verifying the root certificate validity and the certificate revocation list (CRL).
Further, Cert_B is also stored in device B and a table T_A is also stored in device A; the table includes the authenticated device ID and the digital certificate Cert_B of device B. Device A authenticates device B using the same steps that device B uses, so that device A and device B perform bidirectional authentication.
Further, a plurality of certificate authorities CA are included; the root certificates Cert_CA of the plurality of certificate authorities are stored in device A and in device B respectively, and device A and device B cross-verify the validity of the device digital certificates according to the different root CAs.
Drawings
FIG. 1 shows the PKI-based inter-device certificate verification system;
FIG. 2 is a diagram of the digital certificate structure;
FIG. 3 is a specific example of the process for fast verification of a device digital certificate;
FIG. 4 is the conventional PKI-based digital certificate verification process.
Detailed Description
The invention is explained in detail below with reference to the figures and examples.
As shown in FIG. 1, the PKI-based system for verifying certificates between devices consists of a certificate authority CA (server) and devices A, B, …, N that need to be authenticated.
The CA is responsible for issuing the digital certificate Cert for each device. Issuance of the digital certificate Cert follows the issuing flow of traditional PKI and supports, but is not limited to, asymmetric algorithms such as RSA, ECC and SM2.
The devices A, B, …, N store their respective digital certificates Cert_A, Cert_B, …, Cert_N and the root certificate Cert_CA.
FIG. 2 is a diagram of the digital certificate structure. The digital certificate Cert is a file digitally signed by the certificate authority CA (hereinafter referred to as the CA). The digital certificate Cert consists of two parts. The certificate information comprises the public key and subject name of the owner (device), the name of the issuer (CA), the validity period of the key, the signature algorithm used by the issuer to issue the certificate, and similar information. The signature information is formed by the issuer signing the certificate information part with its private key using the signature algorithm.
In addition, among the devices A, B, …, N, each of two devices that authenticate each other also stores a Hash table T of authenticated device certificates; the table includes the authenticated device ID and the Hash value of the device digital certificate. The generation of the Hash table T is described in detail below.
The device digital certificate authentication procedure is described below, taking device A and device B as an example.
After issuance of the device digital certificates is completed, device A and device B store their respective digital certificates Cert_A and Cert_B and the root certificate Cert_CA.
At the same time, device A and device B also store the Hash tables T_A and T_B, respectively, for authenticated device certificates; each table contains the authenticated device ID and the Hash value of the device certificate. When no device has been authenticated yet, the Hash table is empty.
As shown in FIG. 3, the flow by which device B authenticates the certificate of device A is as follows:
First step S1: device A sends its device ID together with its digital certificate Cert_A to device B.
The device ID may be a MAC address, IMEI number, or the like that uniquely identifies the device in the network.
Second step S2: device B performs a Hash operation on Cert_A of device A to obtain the Hash value H(Cert_A), and checks whether the device ID and the Hash value H(Cert_A) of device A are in table T_B.
If the Hash value H(Cert_A) of the digital certificate Cert_A of device A and the device ID are present in table T_B, this indicates that the digital certificate Cert_A of device A has been authenticated and its content has not been modified. In this case the authentication passes, and subsequent normal business operations can be carried out safely.
Otherwise, the digital certificate Cert_A of device A has not been authenticated, and its validity is verified by device B. The process proceeds to the third step S3.
Third step S3: device B verifies the validity of the digital certificate Cert_A of device A.
This step is the same as the existing PKI-based digital certificate verification process, as shown in FIG. 4.
Step S31: device B obtains the certificate information and the signature information of the digital certificate Cert_A.
Step S32: read the "validity period" content in the certificate information of Cert_A and judge whether the current date is within the validity period. If the current date is not within the validity period, authentication failure is returned directly; otherwise, the process proceeds to step S33.
Step S33: read the "signature algorithm" content in the certificate information of Cert_A, and use the public key of the CA in the root certificate Cert_CA to decrypt the signature information, obtaining the hash digest H.
Step S34: perform a Hash operation on the certificate information part of the digital certificate Cert_A to obtain the hash digest H', and judge whether H and H' are the same. If they are the same, the associated certificate chain is valid, and the process goes to the fourth step S4.
Fourth step S4: device B adds the ID of device A together with the digital certificate Cert_A to table T_B; the authentication passes and the authentication flow ends.
In the above embodiment, device B verifies the validity of the digital certificate Cert_A of device A by checking the "validity period" content in the certificate information of Cert_A and by checking the validity of the certificate chain using the root certificate.
In a modification, in the third step S3, device B verifying the validity of the digital certificate of device A further includes verifying the root certificate validity and the certificate revocation list (CRL).
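The S1 to S4 flow on device B, including the CRL variant of S3, as an added Python example that is not code from the patent. The certificate format, the toy textbook-RSA CA key and the names `issue_cert`, `DeviceB` and `update_crl` are constructed for illustration; storing the expiry time and serial number with each table entry goes beyond the described method, so that a cache hit cannot outlive the validity period or a CRL update.

```python
import hashlib
import json

# Constructed toy CA key: textbook RSA over two Mersenne primes, no padding.
# Illustration only; it stands in for the RSA/ECC/SM2 signature on a real certificate.
P, Q = 2**127 - 1, 2**521 - 1
CA_N, CA_E = P * Q, 65537
CA_D = pow(CA_E, -1, (P - 1) * (Q - 1))  # CA private exponent, used only to build samples


def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def issue_cert(subject: str, serial: int, not_before: int, not_after: int) -> bytes:
    """Hypothetical issuance helper: certificate information plus CA signature."""
    info = json.dumps({"subject": subject, "serial": serial,
                       "not_before": not_before, "not_after": not_after},
                      sort_keys=True)
    signature = pow(digest_int(info.encode()), CA_D, CA_N)
    return json.dumps({"info": info, "sig": hex(signature)}).encode()


class DeviceB:
    """Authenticating device holding the CA public key and the table T_B."""

    def __init__(self, ca_n: int, ca_e: int):
        self.ca_n, self.ca_e = ca_n, ca_e
        self.table = {}   # T_B: (device ID, H(Cert)) -> (not_after, serial)
        self.crl = set()  # revoked serial numbers (CRL variant of S3)
        self.full_verifications = 0

    def full_verify(self, cert: bytes, now: int):
        """S3 (S31-S34): return (not_after, serial) if valid, else None."""
        self.full_verifications += 1
        try:
            outer = json.loads(cert)                          # S31: info / signature
            info, sig = outer["info"], int(outer["sig"], 16)
            fields = json.loads(info)
            not_after, serial = fields["not_after"], fields["serial"]
            if not fields["not_before"] <= now <= not_after:  # S32: validity period
                return None
            if serial in self.crl:                            # CRL check
                return None
            h = pow(sig, self.ca_e, self.ca_n)                # S33: recover digest H
            h_prime = digest_int(info.encode())               # S34: recompute H'
        except (ValueError, KeyError, TypeError, AttributeError):
            return None                                       # malformed certificate
        return (not_after, serial) if h == h_prime else None

    def authenticate(self, device_id: str, cert: bytes, now: int) -> str:
        key = (device_id, hashlib.sha256(cert).hexdigest())   # S2: H(Cert_A)
        entry = self.table.get(key)
        if entry is not None:
            # A hit only shows these exact bytes were verified before; expiry is
            # rechecked here because the fast path skips S32 (added safeguard).
            if now <= entry[0]:
                return "cache-hit"
            del self.table[key]
        result = self.full_verify(cert, now)
        if result is None:
            return "rejected"
        self.table[key] = result                              # S4: remember it
        return "verified"

    def update_crl(self, revoked_serials) -> int:
        """Install a new CRL and drop table entries it revokes; returns count dropped."""
        self.crl = set(revoked_serials)
        stale = [k for k, (_, serial) in self.table.items() if serial in self.crl]
        for k in stale:
            del self.table[k]
        return len(stale)


if __name__ == "__main__":
    cert_a = issue_cert("dev-A", serial=7, not_before=100, not_after=200)  # constructed
    b = DeviceB(CA_N, CA_E)
    print(b.authenticate("dev-A", cert_a, now=150))  # full verification, then cached
    print(b.authenticate("dev-A", cert_a, now=160))  # table lookup only
    print(b.update_crl({7}), b.authenticate("dev-A", cert_a, now=170))
```

Without the stored expiry and the eviction in `update_crl`, an entry added in S4 would keep authenticating after the certificate expires or is revoked, because the table lookup in S2 never reaches S32 or the CRL check.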
As the above embodiment shows, in the PKI-based inter-device certificate verification method provided by the invention, after a single verification the Hash table entry (the device ID and the Hash value of the device certificate) for a device certificate that has passed authentication for the first time is stored in the authenticating device. Subsequent authentications only need to query whether the Hash table contains the relevant information to obtain the authentication result; the certificate does not need to be parsed and verified at each authentication. This reduces the number of steps and the computing resources required during device authentication, shortens authentication latency, and improves efficiency.
Moreover, the CA server does not need to be modified, and the device authentication requirements of the Internet of Things environment are met while security is ensured.
The above describes the process of device B authenticating the certificate of device A, but device A can also authenticate the digital certificate of device B, and the process is identical to the one above. After the digital certificate passes authentication, subsequent normal business operations, such as key exchange, data encryption and decryption, and signature verification, can be performed between device A and device B.
The method is also suitable for authentication across certificates from multiple CAs; only the multiple CA certificates need to be stored on the device. During the first authentication, the validity of the certificate is cross-verified according to the different root CAs; after that verification passes, the re-authentication process is the same as the single-CA authentication process.
The present embodiments are to be considered as merely illustrative of, and not restrictive on, the principles of the invention. Therefore, any modification, equivalent replacement, improvement and the like made without departing from the spirit and scope of the present invention should be included in the protection scope of the present invention. Further, it is intended that the appended claims cover all such variations and modifications as fall within the scope and boundaries of the appended claims or the equivalents of such scope and boundaries.

Claims (6)

1. A PKI-based method for certificate verification between devices, wherein the devices involved in the verification comprise at least a certificate authority CA, and a device A and a device B that need to be authenticated; device A stores a device digital certificate Cert_A and the root certificate Cert_CA of the certificate authority CA, and device B stores at least the root certificate Cert_CA of the certificate authority CA; the method is characterized in that:
a table T_B is saved in device B, the table including the authenticated device ID and the Hash value of the digital certificate Cert_A of device A,
the authentication of device A by device B comprises the steps of:
a first step (S1), in which device A sends its device ID together with its digital certificate Cert_A to device B;
a second step (S2), in which device B performs a Hash operation on Cert_A of device A to obtain the Hash value H(Cert_A), and checks whether the device ID and the Hash value H(Cert_A) of device A are in table T_B;
if the Hash value H(Cert_A) of device A and the device ID are present in table T_B, the authentication is successful; otherwise, the third step (S3) is carried out;
a third step (S3), in which device B verifies the validity of the digital certificate of device A;
if the digital certificate of device A is valid, the fourth step (S4) is carried out;
a fourth step (S4), in which the device ID and Cert_A of device A are added to table T_B, and the authentication passes.
2. The PKI technology-based inter-device certificate verification method as recited in claim 1, wherein said device ID is an ID that can uniquely identify a device in a network.
3. The PKI technology-based inter-device certificate verification method as recited in claim 2, wherein device B verifying the validity of the digital certificate of device A comprises: verifying the validity period of the device digital certificate and checking the validity of the certificate chain using the root certificate.
4. The PKI technology-based inter-device certificate verification method as recited in claim 2, wherein device B verifying the validity of the digital certificate of device A further comprises: verifying the root certificate validity and the certificate revocation list (CRL).
5. The PKI technology-based inter-device certificate verification method of any one of claims 1 to 4, wherein Cert_B is also stored in device B and a table T_A is also stored in device A, the table including the authenticated device ID and the digital certificate Cert_B of device B; device A authenticates device B using the same steps that device B uses, and device A and device B perform bidirectional authentication.
6. The PKI technology-based inter-device certificate verification method of claim 5, comprising a plurality of certificate authorities (CA), wherein the root certificate Cert_CA of each of the plurality of CAs is stored in each of device A and device B, and device A and device B cross-verify the validity of the device digital certificates according to the different root CAs.

Priority Applications (1)

Application Number: CN201910960038.6A
Publication: CN110855442A (en)
Priority Date: 2019-10-10
Filing Date: 2019-10-10
Title: PKI (public key infrastructure) technology-based inter-device certificate verification method
Status: Pending

Publications (1)

Publication Number: CN110855442A
Publication Date: 2020-02-28

Family

ID=69597258

Country Status (1)

Country: CN (1)
Link: CN110855442A (en)

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination