CN110995710A - Smart home authentication method based on eUICC - Google Patents

Smart home authentication method based on eUICC


Publication number
CN110995710A
Authority
CN
China
Prior art keywords
authentication
equipment
binding
center terminal
home
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201911236842.6A
Other languages
Chinese (zh)
Other versions
CN110995710B (en)
Inventor
钱京
崔可
曲继松
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jiangsu Hengbao Intelligent System Technology Co Ltd
Original Assignee
Jiangsu Hengbao Intelligent System Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Abstract

The invention relates to a smart home authentication method based on an eUICC (embedded universal integrated circuit card). An eUICC application is installed in the home center device. The authentication method consists, in order, of binding authentication and access authentication of the device, and both are completed through key agreement between the home center terminal device and an authentication server. The invention also provides a smart home authentication system based on the eUICC, which executes the eUICC-based smart home authentication method. Once device authentication and communication between the device and the eUICC are implemented, the method can be applied to other Internet of Things devices, and bidirectional authentication between a device and an application platform is achieved using the secure encryption and decryption capability of the card application in the eUICC.

Description

Smart home authentication method based on eUICC
Technical Field
The invention relates to the field of authentication security, in particular to an intelligent home authentication method based on an eUICC.
Background
The rapid development of internet technology has increased people's demand for safety and convenience in home life. With the emergence of smart home and Internet of Things technologies, smart home devices, the cloud control center and the user can exchange information effectively. As users obtain more information about the home, the security requirements on authentication grow higher and higher. Traditional authentication mostly uses a service account and password or an SMS verification code, which carries risks such as password leakage and SMS interception. Many device security incidents have already been exposed, for example cameras being accessed illegally and Internet of Things devices being operated by illegitimate platforms. The user authorization mechanism also needs to be improved. How to achieve high-strength bidirectional authentication between the terminal device and the authentication platform, and to combine it with user authorization, is a major challenge for smart homes in the Internet of Things era.
The major access authentication security concerns include the following.
(1) Weak user name and password strength
At present, most home devices are logged in to and managed with a user name and password, but generally no strength requirement is placed on them, and weak passwords are even used directly. Most terminal devices print the default user name and password on the surface of the device, and users rarely change the password. Insufficient password strength and lax password management mean that user names and passwords are easily leaked, scanned, brute-forced and hijacked.
(2) Missing access authorization
Most smart home devices require no additional authorization for access. When a device is compromised and illegally accessed, its owner is unaware of it, so the device is easily controlled and the user's privacy is exposed without the user noticing.
(3) IP address exposure
With a scanner, the IP addresses of home smart devices (such as cameras) can be obtained by scanning IP addresses and ports on a large scale using weak credentials (such as user and admin); once an IP address is exposed and a weak password matches, data resources can be obtained directly. Besides the security risks to smart home devices, many public outdoor network devices are also at risk of being cracked.
Disclosure of Invention
This section provides a general summary of the disclosure, and is not a comprehensive disclosure of its full scope or all of its features.
The aim of the disclosure is to provide a smart home authentication method based on an eUICC, wherein an eUICC application is installed in the home center device, and the authentication method consists, in order, of binding authentication and access authentication of the device;
the binding authentication specifically comprises:
A1, powering on the home center terminal device and connecting it to the network;
A2, generating a device key pair of the home center terminal device, storing the device private key of the key pair, and uploading the device public key of the key pair and the home center terminal device ID to an authentication server;
A3, generating access binding request data according to the ID of the home center terminal device, and sending the access binding request data to a user management mobile phone to request authorization;
A4, after the authorization is confirmed, sending an authorization notification to the authentication server, and the authentication server generating and returning a binding result;
A5, decrypting the returned binding result using the device private key to complete the binding;
the access authentication specifically comprises:
B1, detecting that a smart home device is sending data to the outside;
B2, calling an eUICC signature interface, signing the event description using an eUICC private key, and sending it to the authentication server;
B3, after the signed event description is received, verifying the signature and authenticating the identity of the smart home device;
B4, after authentication by the authentication server is completed, issuing authorization request data to the user management mobile phone;
B5, receiving an authorization notification returned by the user management mobile phone, encrypting the generated authorization result using a server private key, and sending the authorization result to the home center terminal device;
B6, after the encrypted authorization result is received, decrypting the data using the server public key, and deciding, according to the authorization result, whether to pass or block the data being sent to the outside.
Further, before generating the device key pair, first detecting a device binding identifier, and if the binding identifier exists, indicating that the device is bound, thereby ending the device binding authentication process; and if not, performing the subsequent key pair generation step.
Further, after receiving the authorization notification, generating a binding identifier including the ID of the home center terminal device and binding success information, and encrypting the identifier, the success information, and the authentication server identity information by using a server private key and then transmitting the encrypted information to the home center terminal device.
Further, after the binding authentication is completed, if the smart home device is accessed to the home center terminal device, the home center terminal device encrypts the accessed device information by using the private key and submits the encrypted device information to the authentication server for access authentication.
Further, when the signed event description is received, the signature is verified using the eUICC public key received in advance to obtain the corresponding event description, the relevant information in the event description is matched against the authentication information stored in advance in the authentication server, and an authentication-passed message is returned after the match succeeds.
The invention also provides an intelligent home authentication system based on the eUICC, which comprises home center terminal equipment, a plurality of intelligent home equipment, a user management mobile phone and an authentication server, wherein an eUICC module is installed in the home center terminal equipment, and the system executes the method of any one of claims 1 to 5;
the home center terminal device is used for uniformly managing the access and the secure access authentication of each smart home device in the home internal network, and for completing its own secure device binding authentication;
the eUICC module is used for assisting the encryption/decryption of the authentication data of the home center terminal device during authentication, including key generation, storage and synchronization, symmetric encryption/decryption and asymmetric encryption/decryption;
the user management mobile phone is used for completing user authorization during device binding and access authentication;
the authentication server is used for performing the corresponding device security authentication during device binding and access;
and the communication channel between the home center terminal device and the eUICC performs protocol conversion on the terminal device side, and the terminal device communicates with the eUICC through the ISO 7816 protocol or the SPI protocol.
Beneficial effects: in view of the weak account/password authentication strength, easily tampered device IDs and weak remote configuration management in current smart home applications, the method provides eUICC-based bidirectional authentication between the device side and the cloud side, and has the following main advantages:
Introduction of hardware-level authentication. Identity authentication and access control with a high security level are achieved, safeguarding the information security of home devices.
Once device authentication and communication with the eUICC are implemented, the method can be applied to other Internet of Things devices, and bidirectional authentication between a device and an application platform is achieved using the secure encryption and decryption capability of the application in the eUICC card. Similar industry application requirements exist at present.
The eUICC is based on a Java platform, supports PKI asymmetric computing capability, has stronger software and hardware capability than a common SIM card, and can be compatible with the capability requirements of various card authentications.
The existing home network equipment realizes authentication based on a line binding mode and a user name and password binding mode, so that the physical space and the authentication mode of application are limited. The introduction of eUICC can break through these limitations, and is more flexible in application.
Further areas of applicability will become apparent from the description provided herein. The description and specific examples in this summary are intended for purposes of illustration only and are not intended to limit the scope of the present disclosure.
Drawings
The drawings described herein are for illustrative purposes only of selected embodiments and not all possible implementations, and are not intended to limit the scope of the present disclosure. In the drawings:
fig. 1 is a flowchart of an eUICC-based smart home authentication method;
fig. 2 is a schematic diagram of an eUICC-based smart home authentication system.
While the disclosure is susceptible to various modifications and alternative forms, specific embodiments thereof have been shown by way of example in the drawings and are herein described in detail. It should be understood, however, that the description herein of specific embodiments is not intended to limit the disclosure to the particular forms disclosed, but on the contrary, the intention is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the disclosure. It is noted that throughout the several views, corresponding reference numerals indicate corresponding parts.
Detailed Description
Examples of the present disclosure will now be described more fully with reference to the accompanying drawings. The following description is merely exemplary in nature and is not intended to limit the present disclosure, application, or uses.
Example embodiments are provided so that this disclosure will be thorough, and will fully convey the scope to those skilled in the art. Numerous specific details are set forth such as examples of specific components, devices, and methods to provide a thorough understanding of embodiments of the present disclosure. It will be apparent to those skilled in the art that specific details need not be employed, that example embodiments may be embodied in many different forms and that neither should be construed to limit the scope of the disclosure. In certain example embodiments, well-known processes, well-known structures, and well-known technologies are not described in detail.
The technical problems posed by the present disclosure will be explained in detail below. It is to be noted that this technical problem is merely exemplary and is not intended to limit the application of the present invention.
The invention provides a smart home authentication method based on an eUICC (embedded universal integrated circuit card). An eUICC application is installed in the home center terminal device, and the authentication method consists, in order, of binding authentication and access authentication of the device.
The binding authentication specifically comprises:
A1, powering on the home center terminal device and connecting it to the network.
The home center terminal device is usually a central control device such as a gateway, a set-top box or a router, and each smart home device in the home is connected to the home center terminal device through the home internal network. The home internal network can be Wi-Fi, Bluetooth and the like; the smart home devices are smart devices such as a camera, a smart television and a smart lock.
The home center terminal device is connected to an authentication server or other devices through an external network, the external network being the internet or the like.
A2, generating a device key pair of the home center terminal device, storing a device private key in the key pair, and uploading the device public key in the key pair and the home center terminal device ID to the authentication server.
Before the device key pair is generated, the device binding identifier of the home center terminal device is checked first. If the binding identifier exists, the device is already bound and the device binding authentication process ends; if not, the subsequent steps such as key pair generation are performed.
When the device key pair is generated, the corresponding device public key and device private key are obtained from the EID in the eUICC through a preset algorithm, and are stored in the home center terminal device.
Subsequently, the device public key is transmitted to the authentication server together with the home center terminal device ID.
A3, generating access binding request data according to the ID of the home center terminal equipment, and sending the access binding request data to the user management mobile phone to request authorization.
Before sending the access binding request data to the user management mobile phone, the user management mobile phone also completes registration on the authentication server in advance, generates a mobile phone key pair, and then sends a mobile phone public key in the mobile phone key pair to the authentication server. The mobile phone key pair comprises a mobile phone public key and a mobile phone private key.
After receiving the ID and the device public key, the authentication server generates access binding request data according to the ID, encrypts it using the mobile phone public key, and sends the encrypted data to the user management mobile phone.
At the same time, a server key pair is generated, and the server public key of the server key pair is encrypted using the device public key and sent to the home center terminal device. The server key pair includes a server public key and a server private key.
A4, after the authorization is confirmed, sending an authorization notification to the authentication server, and the authentication server generating and returning a binding result.
After receiving the encrypted access binding request data, the user management mobile phone decrypts it using the mobile phone private key to obtain the request data, and displays a user confirmation interface according to the corresponding information in the request data. After the authorization is confirmed, the authorization notification information is sent to the authentication server.
After the authorization notification is received, a binding identifier containing the ID of the home center terminal device, and binding success information, are generated; the identifier, the success information and the authentication server identity information are encrypted using the device public key and then sent to the home center terminal device. The encrypted identifier, success information and authentication server identity information are the returned binding result.
A5, decrypting the returned binding result using the device private key to complete the binding.
After the returned binding result is received, it is decrypted using the device private key to obtain the binding identifier and the binding success information; according to the binding success information, the binding identifier and the corresponding authentication server identity information are confirmed and stored, which completes the binding authentication of the home center terminal device.
A6, after binding authentication is completed, if the smart home device accesses the home center terminal device, the home center terminal device encrypts the accessed device information by using a private key in its own asymmetric key pair, and submits the encrypted device information to the authentication server for access authentication.
If one or more smart home devices in the home internal network where the home center terminal device is located need to be used and connected to the home center terminal device, the corresponding smart home device ID is sent to the home center terminal device.
After the smart home device ID is received, an access authentication request is generated, encrypted using the device private key, and then sent to the authentication server.
The authentication result returned by the authentication server is received, completing access authentication of the one or more smart home devices. If the authentication result is that authentication passed, the smart home device is confirmed to have completed network access.
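The binding exchange of steps A2 to A5, as an added Go example that is not part of the patent text. It assumes RSA-OAEP for "encrypting with the device public key", a randomly generated key pair in place of the EID-based algorithm (which the text does not specify), and a boolean for the phone's confirmation; all type and function names, IDs and the `bind:` prefix are hypothetical.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// BindingResult is the plaintext of the binding result the server returns in A4.
type BindingResult struct {
	BindingID string `json:"binding_id"` // binding identifier containing the hub ID
	Status    string `json:"status"`     // binding success information
	ServerID  string `json:"server_id"`  // authentication server identity information
}

// ErrAlreadyBound is returned when a binding identifier is already stored.
var ErrAlreadyBound = errors.New("binding identifier present: device already bound")

// Hub models the home center terminal device; an empty BindingID means "not bound".
type Hub struct {
	ID        string
	priv      *rsa.PrivateKey // device private key, never leaves the hub
	BindingID string
	ServerID  string
}

// Server models the authentication server; pending maps hub ID to device public key.
type Server struct {
	ID      string
	pending map[string]*rsa.PublicKey
}

// StartBinding is A2: check the binding identifier, generate the device key pair,
// keep the private key and return the hub ID and public key for upload.
func (h *Hub) StartBinding() (string, *rsa.PublicKey, error) {
	if h.BindingID != "" {
		return "", nil, ErrAlreadyBound
	}
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", nil, err
	}
	h.priv = priv
	return h.ID, &priv.PublicKey, nil
}

// Register stores the uploaded hub ID and device public key (end of A2).
func (s *Server) Register(hubID string, pub *rsa.PublicKey) {
	if s.pending == nil {
		s.pending = map[string]*rsa.PublicKey{}
	}
	s.pending[hubID] = pub
}

// Complete is A3-A4: once the phone has answered, build the binding result and
// encrypt it with the device public key. A refusal leaves the request pending.
func (s *Server) Complete(hubID string, userApproved bool) ([]byte, error) {
	pub, ok := s.pending[hubID]
	if !ok {
		return nil, errors.New("no pending binding request for this hub ID")
	}
	if !userApproved {
		return nil, errors.New("user declined the binding request")
	}
	plain, _ := json.Marshal(BindingResult{BindingID: "bind:" + hubID, Status: "success", ServerID: s.ID})
	delete(s.pending, hubID)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, nil)
}

// FinishBinding is A5: decrypt with the device private key, then store the
// binding identifier and the server identity for later use in B6.
func (h *Hub) FinishBinding(ct []byte) error {
	if h.priv == nil {
		return errors.New("no device key pair: binding was not started")
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, h.priv, ct, nil)
	if err != nil {
		return err
	}
	var r BindingResult
	if json.Unmarshal(plain, &r) != nil || r.Status != "success" || r.BindingID != "bind:"+h.ID {
		return errors.New("binding result rejected")
	}
	h.BindingID, h.ServerID = r.BindingID, r.ServerID
	return nil
}

func main() {
	h := &Hub{ID: "hub-001"} // constructed sample identities
	s := &Server{ID: "auth.example"}
	id, pub, _ := h.StartBinding()
	s.Register(id, pub)
	ct, _ := s.Complete(id, true)
	err := h.FinishBinding(ct)
	fmt.Println("bound:", err == nil, h.BindingID, h.ServerID)
	_, _, err = h.StartBinding()
	fmt.Println("second attempt:", err)
}
```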
The access authentication specifically includes:
B1, detecting that a smart home device is sending data to the outside.
When an external device requests data from a smart home device in the home over the network, the smart home device prepares the data, generates a request to send data to the outside, and sends the request to the home center terminal device. The request contains the ID of the smart home device and a description of the data to be sent.
When the home center terminal device receives this request, it has detected that the smart home device that issued the request is about to send data to the external device.
B2, calling an eUICC signature interface, signing the event description by using an eUICC private key, and sending the event description to an authentication server.
An eUICC key pair for access authentication is generated in advance, wherein the eUICC key pair comprises an eUICC public key and an eUICC private key. Subsequently, the eUICC public key is sent to an authentication server.
After the request to send data to the outside is received, the ID of the smart home device and the description of the data to be sent are taken from the request, and a corresponding event description is generated. The event description is then signed using the eUICC private key and sent to the authentication server.
B3, after the signed event description is received, verifying the signature and authenticating the identity of the smart home device.
When the signed event description is received, the signature is verified using the eUICC public key received in advance to obtain the corresponding event description, the relevant information in the event description is matched against the authentication information stored in advance in the authentication server, and an authentication-passed message is returned after the match succeeds.
The authentication information pre-stored in the authentication server is the authentication information stored after the binding authentication is passed through the request of the home center terminal device to the authentication server in the binding authentication process.
B4, after authentication by the authentication server is completed, issuing authorization request data to the user management mobile phone.
The authentication server generates a server key pair in advance, the server key pair comprising a server public key and a server private key. The server public key is then sent to the user management mobile phone and to the home center terminal device respectively.
After the authentication is completed, the authorization request data is encrypted using the server private key and sent to the user management mobile phone.
B5, receiving an authorization notification returned by the user management mobile phone, encrypting an authorization result using the server private key, and sending the authorization result to the home center terminal device.
After receiving the encrypted authorization request data, the user management mobile phone decrypts it using the server public key, obtains the user's confirmation of the authorization, generates a corresponding authorization notification, and sends it to the authentication server.
After the authorization notification is received, an authorization result is generated, encrypted using the server private key, and sent to the home center terminal device. The authorization result includes the authentication server identity information.
B6, after the encrypted authorization result is received, decrypting the data using the server public key, and deciding, according to the authorization result, whether to pass or block the data being sent to the outside.
After the encrypted authorization result is received, it is decrypted using the server public key obtained in advance to obtain the authentication server identity information. The obtained authentication server identity information is then matched against the authentication server identity information stored in advance during binding authentication; if the match succeeds, authentication of the authentication server is determined to be successful.
When the authentication is successful, the corresponding smart home device is notified, according to the authorization result, to send the corresponding data to the external device.
If the authentication is unsuccessful, warning information is sent to the corresponding smart home device, and the corresponding data is prevented from being sent to the external device.
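Steps B2 to B6 as an added Go example, not code from the patent. "Encrypting with a private key and decrypting with the public key" is modelled here as an Ed25519 signature and its verification, the phone's confirmation is a boolean, and the hub and server start in the state binding leaves them in; all names, IDs and the `DeviceID` field of the result are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// EventDescription is built by the hub in B2 from the device's send request (B1).
type EventDescription struct {
	DeviceID string `json:"device_id"` // smart home device ID
	Data     string `json:"data"`      // description of the data to be sent
}

// AuthResult is the B5 authorization result; DeviceID is this example's assumption.
type AuthResult struct {
	ServerID string `json:"server_id"` // authentication server identity information
	DeviceID string `json:"device_id"`
	Allow    bool   `json:"allow"`
}

// Server holds what the authentication server stored before access authentication.
type Server struct {
	ID       string
	priv     ed25519.PrivateKey
	euiccPub ed25519.PublicKey // eUICC public key received in advance
	known    map[string]bool   // device IDs admitted through the hub (A6)
}

// Hub is the home center terminal device.
type Hub struct {
	euiccPriv ed25519.PrivateKey // stands in for the eUICC signature interface
	serverPub ed25519.PublicKey  // server public key received in advance
	serverID  string             // server identity stored at binding (A5)
}

// NewPair returns a hub and a server that have already exchanged public keys.
func NewPair(serverID string, devices ...string) (*Hub, *Server) {
	ePub, ePriv, _ := ed25519.GenerateKey(rand.Reader)
	sPub, sPriv, _ := ed25519.GenerateKey(rand.Reader)
	known := map[string]bool{}
	for _, d := range devices {
		known[d] = true
	}
	return &Hub{ePriv, sPub, serverID}, &Server{serverID, sPriv, ePub, known}
}

// SignEvent is B2: serialize the event description and sign it with the eUICC key.
func (h *Hub) SignEvent(ev EventDescription) (msg, sig []byte) {
	msg, _ = json.Marshal(ev)
	return msg, ed25519.Sign(h.euiccPriv, msg)
}

// VerifyEvent is B3: verify the signature, then match the event against stored data.
func (s *Server) VerifyEvent(msg, sig []byte) (EventDescription, error) {
	var ev EventDescription
	if !ed25519.Verify(s.euiccPub, msg, sig) || json.Unmarshal(msg, &ev) != nil {
		return ev, errors.New("event signature or encoding invalid")
	}
	if !s.known[ev.DeviceID] {
		return ev, errors.New("device ID not in stored authentication information")
	}
	return ev, nil
}

// Authorize is B4-B5: userApproved is the phone's answer; the result is signed.
func (s *Server) Authorize(ev EventDescription, userApproved bool) (msg, sig []byte) {
	msg, _ = json.Marshal(AuthResult{s.ID, ev.DeviceID, userApproved})
	return msg, ed25519.Sign(s.priv, msg)
}

// Decide is B6: pass outbound data only if the result verifies under the server
// public key, names the server identity stored at binding, and grants this request.
func (h *Hub) Decide(ev EventDescription, msg, sig []byte) bool {
	var r AuthResult
	if !ed25519.Verify(h.serverPub, msg, sig) || json.Unmarshal(msg, &r) != nil {
		return false
	}
	return r.ServerID == h.serverID && r.DeviceID == ev.DeviceID && r.Allow
}

// RunAccess chains B2 to B6 for one outbound request; true means "pass the data".
func RunAccess(h *Hub, s *Server, ev EventDescription, userApproved bool) (bool, error) {
	msg, sig := h.SignEvent(ev)
	verified, err := s.VerifyEvent(msg, sig)
	if err != nil {
		return false, err
	}
	rmsg, rsig := s.Authorize(verified, userApproved)
	return h.Decide(ev, rmsg, rsig), nil
}

func main() {
	h, s := NewPair("auth.example", "cam-01") // constructed sample identities
	fmt.Println(RunAccess(h, s, EventDescription{"cam-01", "video clip"}, true))
	fmt.Println(RunAccess(h, s, EventDescription{"lock-09", "status"}, true))
}
```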
The invention also provides an intelligent home authentication system based on the eUICC, which comprises home center terminal equipment, a plurality of intelligent home equipment, a user management mobile phone and an authentication server, wherein the eUICC module is installed in the home center terminal equipment.
The home center terminal device is used for uniformly managing the access and the secure access authentication of each smart home device in the home internal network, and for completing its own secure device binding authentication.
The eUICC module is used for assisting the encryption/decryption of the authentication data of the home center terminal device during authentication, including key generation, storage and synchronization, symmetric encryption/decryption and asymmetric encryption/decryption.
The user management mobile phone is used for completing user authorization during device binding and access authentication.
The authentication server is used for performing the corresponding device security authentication during device binding and access.
Further, the communication channel between the home center terminal device and the eUICC may perform protocol conversion on the terminal device side, and the terminal device may communicate with the eUICC through the ISO 7816 protocol or the SPI protocol.
The working contents of each device or module will be described in detail below through two phases of binding authentication and access authentication.
Wherein, in the binding authentication phase:
and the family center terminal equipment is powered on and is accessed to the network.
The method specifically comprises the following steps: the home center terminal device is usually a central control device such as a gateway, a set-top box, a router, and the like, and connects each smart home device in a home with the home center terminal device through an in-home network. The home internal network can be WIFI, Bluetooth and the like; the intelligent household equipment is intelligent equipment such as a camera, an intelligent television and an intelligent lock.
The home center terminal device is connected with an authentication server or other devices through an external network, and the external network is an internet or the like.
The eUICC module in the family center terminal equipment generates an equipment key pair of the family center terminal equipment, then the family center terminal equipment obtains the key pair, stores an equipment private key in the key pair, and uploads an equipment public key in the key pair and the family center terminal equipment ID to an authentication server.
The method specifically comprises the following steps: before the eUICC module generates an equipment key pair, firstly detecting an equipment binding identifier, and if the equipment binding identifier exists, indicating that the equipment is bound, thereby ending an equipment binding authentication process; and if not, the eUICC module performs subsequent key generation peer-to-peer processing.
And when the eUICC module generates the equipment key pair, the corresponding equipment public key and the corresponding equipment private key are obtained by using the EID in the eUICC through a preset algorithm and are sent to the home center terminal equipment for storage.
Subsequently, the home center terminal device transmits the device public key to the authentication server together with the home center terminal device ID.
The authentication server generates access binding request data and sends it to the user management mobile phone to request authorization.
Specifically, before the authentication server sends the access binding request data to the user management mobile phone, the user management mobile phone has already registered with the authentication server and generated a mobile phone key pair.
The mobile phone key pair comprises a mobile phone public key and a mobile phone private key. The user management mobile phone sends the mobile phone public key to the authentication server.
After receiving the ID and the device public key, the authentication server generates the access binding request data from the ID, encrypts it with the mobile phone public key, and sends the encrypted data to the user management mobile phone.
At the same time, the authentication server generates a server key pair, comprising a server public key and a server private key, encrypts the server public key with the device public key, and sends it to the home center terminal device.
After the user management mobile phone completes confirmation and authorization, it sends an authorization notification to the authentication server, and the authentication server generates and returns a binding result.
Specifically, after receiving the encrypted access binding request data, the user management mobile phone decrypts it with the mobile phone private key to obtain the request data and displays a user confirmation interface based on the information in the request data. After the user confirms the authorization, the user management mobile phone sends the authorization notification to the authentication server.
After receiving the authorization notification, the authentication server generates a binding identifier containing the home center terminal device ID, together with binding success information. It encrypts the binding identifier, the binding success information and the authentication server identity information with the device public key and sends them to the home center terminal device. The encrypted identifier, success information and authentication server identity information constitute the returned binding result.
The home center terminal device decrypts the returned binding result with the device private key to complete the binding.
Specifically, after receiving the returned binding result, the home center terminal device decrypts it with the device private key to obtain the binding identifier and the binding success information. Based on the binding success information, it then confirms and stores the binding identifier and the corresponding authentication server identity information, which completes the binding authentication of the home center terminal device.
After the home center terminal device completes binding authentication, if a smart home device connects to it, the home center terminal device encrypts the connecting device's information with the private key of its own asymmetric key pair and submits it to the authentication server for access authentication.
Specifically, if one or more smart home devices in the home internal network of the home center terminal device need to be used and connected to the home center terminal device, the corresponding smart home device ID is sent to the home center terminal device.
After receiving the smart home device ID, the home center terminal device generates an access authentication request, encrypts it with the device private key, and sends the encrypted access authentication request to the authentication server.
The home center terminal device receives the authentication result returned by the authentication server and completes access authentication of the one or more smart home devices. If the result is that authentication passed, the smart home device is confirmed as having joined the network.
In the access authentication phase:
The home center terminal device detects data that a smart home device is about to send out.
Specifically, when an external device requests data from a smart home device in the home over the network, the smart home device prepares the data, generates an outbound data sending request, and sends the request to the home center terminal device. The request contains the smart home device ID and a description of the data to be sent.
On receiving the data sending request, the home center terminal device detects that the smart home device that sent the request is about to send data to the external device.
The home center terminal device calls the eUICC signature interface, signs the event description with the eUICC private key, and sends it to the authentication server.
Specifically, the eUICC module generates in advance an eUICC key pair for access authentication, comprising an eUICC public key and an eUICC private key. The eUICC module then sends the eUICC public key to the authentication server through the home center terminal device.
After receiving the data sending request, the home center terminal device extracts the smart home device ID and the description of the data to be sent from the request and generates the corresponding event description. It then signs the event description with the eUICC private key and sends it to the authentication server.
After receiving the signed event description, the authentication server verifies the signature and authenticates the identity of the smart home device.
Specifically, when the authentication server receives the signed event description, it verifies the signature with the eUICC public key it received in advance and obtains the corresponding event description. It then matches the relevant information in the event description against the authentication information stored in the authentication server in advance, and returns an authentication-passed message if the match succeeds.
The authentication information pre-stored in the authentication server is the information saved after binding authentication passed, when the home center terminal device made its request to the authentication server during the binding authentication process.
After the authentication server completes authentication, it issues authorization request data to the user management mobile phone.
Specifically, the authentication server generates a server key pair in advance, comprising a server public key and a server private key, and sends the server public key to both the user management mobile phone and the home center terminal device.
After authentication completes, the authentication server encrypts the authorization request data with the server private key and sends it to the user management mobile phone.
After the user management mobile phone completes user authorization, the authentication server encrypts the authorization result with the server private key and sends it to the home center terminal device.
Specifically, after receiving the encrypted authorization request data, the user management mobile phone decrypts it with the server public key, obtains the user's confirmation of authorization, and generates the corresponding authorization notification. The user management mobile phone then sends the authorization notification to the authentication server.
After receiving the authorization notification, the authentication server generates an authorization result, encrypts it with the server private key, and sends it to the home center terminal device. The authorization result includes the authentication server identity information.
After receiving the encrypted authorization result, the home center terminal device decrypts it with the server public key and, according to the authorization result, passes or blocks the outbound data.
Specifically, after receiving the encrypted authorization result, the home center terminal device decrypts it with the previously obtained server public key to obtain the authentication server identity information. It then matches this against the authentication server identity information stored during binding authentication; if the match passes, the authentication server is considered successfully authenticated.
After successful authentication, the home center terminal device notifies the corresponding smart home device, according to the authorization result, to send the corresponding data to the external device.
If authentication is unsuccessful, the home center terminal device sends warning information to the corresponding smart home device and prevents the corresponding data from being sent to the external device.
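The access-authentication exchange described above (signed event description, server-side check against stored authentication information, authorization result carrying the server identity, pass/block decision at the home center terminal device), as an added Go example that is not part of the patent. Ed25519, the JSON encoding, the field and function names and the sample IDs are assumptions; the text's "encrypt with the server private key, decrypt with the server public key" is modelled as sign and verify, which authenticates the result but does not keep it confidential.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Event is the hub's event description; field names are assumed.
type Event struct{ DeviceID, DataDesc string }

// AuthResult: the text only requires ServerID; the other fields are assumed.
type AuthResult struct {
	ServerID, DeviceID string
	Allow              bool
}

// Signed is a serialized message plus its signature.
type Signed struct{ Body, Sig []byte }

func sign(priv ed25519.PrivateKey, v interface{}) Signed {
	body, _ := json.Marshal(v) // plain structs: Marshal cannot fail here
	return Signed{body, ed25519.Sign(priv, body)}
}

// Server holds what it stored during binding authentication.
type Server struct {
	ID       string
	Priv     ed25519.PrivateKey
	EUICCPub ed25519.PublicKey
	Bound    map[string]bool // smart home device IDs already registered
}

// Authorize: verify the eUICC signature, match the device, sign the decision.
func (s *Server) Authorize(msg Signed, userApproves bool) (Signed, error) {
	if !ed25519.Verify(s.EUICCPub, msg.Body, msg.Sig) {
		return Signed{}, fmt.Errorf("event signature invalid")
	}
	var ev Event
	if err := json.Unmarshal(msg.Body, &ev); err != nil {
		return Signed{}, err
	}
	if !s.Bound[ev.DeviceID] {
		return Signed{}, fmt.Errorf("device not registered")
	}
	return sign(s.Priv, AuthResult{s.ID, ev.DeviceID, userApproves}), nil
}

// Hub holds the eUICC private key and the server data saved at binding.
type Hub struct {
	EUICCPriv ed25519.PrivateKey
	ServerPub ed25519.PublicKey
	ServerID  string
}

// Request signs the event description with the eUICC private key.
func (h *Hub) Request(ev Event) Signed { return sign(h.EUICCPriv, ev) }

// Decide returns true to pass the outbound data and false to block it.
func (h *Hub) Decide(ev Event, res Signed) bool {
	var r AuthResult
	if !ed25519.Verify(h.ServerPub, res.Body, res.Sig) || json.Unmarshal(res.Body, &r) != nil {
		return false
	}
	return r.ServerID == h.ServerID && r.DeviceID == ev.DeviceID && r.Allow
}

// NewBoundPair builds a hub and server as they stand after binding.
func NewBoundPair(serverID string, devices ...string) (*Hub, *Server) {
	ePub, ePriv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	sPub, sPriv, _ := ed25519.GenerateKey(nil)
	bound := map[string]bool{}
	for _, d := range devices {
		bound[d] = true
	}
	return &Hub{ePriv, sPub, serverID}, &Server{serverID, sPriv, ePub, bound}
}

func main() {
	hub, srv := NewBoundPair("auth-server-1", "lamp-01") // constructed IDs
	ev := Event{"lamp-01", "power usage report"}
	res, err := srv.Authorize(hub.Request(ev), true)
	fmt.Println("pass:", err == nil && hub.Decide(ev, res))
}
```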
The preferred embodiments of the present disclosure are described above with reference to the drawings, but the present disclosure is of course not limited to the above examples. Various changes and modifications within the scope of the appended claims may be made by those skilled in the art, and it should be understood that these changes and modifications naturally will fall within the technical scope of the present disclosure.
For example, a plurality of functions included in one unit may be implemented by separate devices in the above embodiments. Alternatively, a plurality of functions implemented by a plurality of units in the above embodiments may be implemented by separate devices, respectively. In addition, one of the above functions may be implemented by a plurality of units. Needless to say, such a configuration is included in the technical scope of the present disclosure.
In this specification, the steps described in the flowcharts include not only the processing performed in time series in the described order but also the processing performed in parallel or individually without necessarily being performed in time series. Further, even in the steps processed in time series, needless to say, the order can be changed as appropriate.
Although the embodiments of the present disclosure have been described in detail with reference to the accompanying drawings, it should be understood that the above-described embodiments are merely illustrative of the present disclosure and do not constitute a limitation of the present disclosure. It will be apparent to those skilled in the art that various modifications and variations can be made in the above-described embodiments without departing from the spirit and scope of the disclosure. Accordingly, the scope of the disclosure is to be defined only by the claims appended hereto, and by their equivalents.

Claims (10)

1. An eUICC-based smart home authentication method, characterized in that an eUICC application is installed in the home center device, and the authentication method is divided, in sequence, into binding authentication and access authentication of the device;
the binding authentication specifically comprises:
A1, powering on the home center terminal device and connecting it to the network;
A2, generating a device key pair of the home center terminal device, storing the device private key of the key pair, and uploading the device public key of the key pair and the home center terminal device ID to an authentication server;
A3, generating access binding request data according to the home center terminal device ID, and sending the access binding request data to a user management mobile phone to request authorization;
A4, after the authorization is confirmed, sending an authorization notification to the authentication server, the authentication server generating and returning a binding result;
A5, decrypting the returned binding result with the device private key to complete the binding;
the access authentication specifically comprises:
B1, detecting that a smart home device is sending data outward;
B2, calling the eUICC signature interface, signing the event description with the eUICC private key, and sending it to the authentication server;
B3, after receiving the signed event description, verifying the signature and authenticating the identity of the smart home device;
B4, after the authentication server completes authentication, issuing authorization request data to the user management mobile phone;
B5, receiving the authorization notification returned by the user management mobile phone, encrypting the generated authorization result with the server private key, and sending it to the home center terminal device;
B6, after receiving the encrypted authorization result, decrypting it with the server public key, and passing or blocking the outbound data according to the authorization result.
2. The method of claim 1, wherein before the device key pair is generated, the device binding identifier is first checked; if the device binding identifier exists, the device is already bound and the device binding authentication procedure ends; if not, the subsequent key pair generation step is performed.
3. The method of claim 1, wherein after the authorization notification is received, a binding identifier containing the home center terminal device ID and binding success information are generated, and the binding identifier, the binding success information and the authentication server identity information are encrypted with the server private key and then sent to the home center terminal device.
4. The method of claim 1, further comprising: after binding authentication is completed, if a smart home device connects to the home center terminal device, the home center terminal device encrypts the connecting device's information with a private key and submits the encrypted device information to the authentication server for access authentication.
5. The method according to claim 1, wherein step B3 is specifically: when the signed event description is received, the signature is verified with the eUICC public key received in advance and the corresponding event description is obtained; the relevant information in the event description is matched against the authentication information stored in the authentication server in advance, and an authentication-passed message is returned after the matching succeeds.
6. A smart home authentication system based on an eUICC (embedded universal integrated circuit card), comprising a home center terminal device, a plurality of smart home devices, a user management mobile phone and an authentication server, wherein an eUICC module is installed in the home center terminal device, and the system executes the method of any one of claims 1-5;
the home center terminal device is used for uniformly managing the access and secure access authentication of each smart home device in the home internal network, and for completing its own secure device binding authentication;
the eUICC module is used for assisting with the encryption/decryption of authentication data of the home center terminal device during authentication, including key generation, storage and synchronization, symmetric encryption/decryption and asymmetric encryption/decryption;
the user management mobile phone is used for completing user authorization during device binding and access authentication;
the authentication server is used for performing the corresponding device security authentication during device binding and access;
and the communication channel between the home center terminal device and the eUICC performs protocol conversion on the terminal device side, the terminal device communicating with the eUICC through the ISO 7816 protocol or the SPI protocol.
7. The system according to claim 6, wherein the eUICC module, before generating the device key pair, first checks for a device binding identifier; if the binding identifier exists, the device is already bound and the device binding authentication procedure ends; if not, the subsequent key pair generation processing is executed.
8. The system of claim 6, wherein the authentication server, after receiving the authorization notification, generates a binding identifier containing the home center terminal device ID and binding success information, encrypts the binding identifier, the success information and the authentication server identity information with the server private key, and then sends them to the home center terminal device.
9. The system according to claim 6, wherein after the home center terminal device completes binding authentication, if a smart home device connects to the home center terminal device, the home center terminal device encrypts the connecting device's information with a private key and submits the encrypted device information to the authentication server for access authentication.
10. The system according to claim 6, wherein when the authentication server receives the signed event description, it verifies the signature with the eUICC public key received in advance and obtains the corresponding event description, matches the relevant information in the event description against the authentication information pre-stored in the authentication server, and returns an authentication-passed message after the matching succeeds.
CN201911236842.6A 2019-12-05 2019-12-05 Smart home authentication method based on eUICC Active CN110995710B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911236842.6A CN110995710B (en) 2019-12-05 2019-12-05 Smart home authentication method based on eUICC


Publications (2)

Publication Number Publication Date
CN110995710A true CN110995710A (en) 2020-04-10
CN110995710B CN110995710B (en) 2021-12-07

Family

ID=70090559




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant