CN111327583A - Identity authentication method, intelligent equipment and authentication server - Google Patents


Info

Publication number: CN111327583A (granted as CN111327583B)
Authority: CN (China)
Application number: CN201910775077.9A
Prior art keywords: authentication, key, server, application server, application
Original language: Chinese (zh)
Inventor: not disclosed
Applicant and current assignee: Individual
Legal status: granted, active

Classifications

    • H04L63/0869 Network security: authentication of entities for achieving mutual authentication
    • H04L63/0435 Network security: confidential data exchange among entities on packet networks where the payload is protected by symmetric encryption (same key used for encryption and decryption)
    • H04L63/06 Network security: supporting key management in a packet data network
    • H04L63/0876 Network security: authentication of entities based on the identity of the terminal or its configuration (e.g. MAC address, hardware or software configuration, device fingerprint)
    • H04L63/0884 Network security: authentication of entities by delegation (a proxy authenticates an entity on its behalf vis-à-vis an authentication entity)

Abstract

The invention discloses an identity authentication method, an intelligent device and an authentication server. The method comprises the following steps: if authentication and key agreement between the intelligent device and the authentication server succeeds, the authentication server establishes an association relationship between a temporary user identifier and a second master key, and the intelligent device generates a first master key and acquires the temporary user identifier; the intelligent device sends an operation request for executing a target operation, together with authentication information, to an application server, the authentication information comprising the temporary user identifier and a first encrypted value generated based on the first master key; the application server transmits the authentication information to the authentication server; if the authentication server verifies the authentication information successfully according to the association relationship, it feeds back a response message indicating that verification succeeded; the application server then executes the target operation. The method avoids the complexity and inefficiency of having the user input authentication information, and no authentication information needs to be written into the intelligent device in advance during production.

Description

Identity authentication method, intelligent equipment and authentication server
[ technical field ]
The invention relates to the technical field of communication and the technical field of internet, in particular to an identity authentication method, intelligent equipment and an authentication server.
[ background of the invention ]
With the rapid development of mobile data networks, the integration of the internet with communication networks and the expansion of the network services of communication operators, more and more intelligent devices access mobile data networks. These include not only existing smartphones but also many internet-of-things intelligent devices, such as smart watches and smart electricity meters.
When an intelligent device is used, for example when it accesses an application server to obtain information and services, it generally has to pass identity authentication first.
In the prior art, there are generally two ways to implement identity authentication of a smart device:
One is to have the user input authentication information (such as an account and password) on a smart device that has a touch screen and keyboard, so that the smart device authenticates to the application server; however, this affects the user experience and reduces the authentication efficiency of the smart device.
For the other kind of intelligent device, which is not suited to touch-screen or keyboard input, the authentication information is written into the device during production, and the device then authenticates to the application server using the written authentication information when it accesses the server. However, because the application service provider must inform the manufacturer of the smart device's authentication information in advance, that information is easily leaked; in addition, because the authentication information written to each smart device must be unique (such as a unique device identifier and key), writing it requires a special process and is very cumbersome, which greatly increases the production cost.
It is important to note that the above background information is only used to enhance an understanding of the background of the present invention and, thus, may include prior art information that does not constitute a part of the present disclosure as known to one of ordinary skill in the art.
[ summary of the invention ]
The main purpose of the present invention is to provide an identity authentication method, an intelligent device and an authentication server, so as to solve at least to some extent one or more problems caused by the limitations and defects of the related art, including the following technical solutions:
in a first aspect, an identity authentication method is provided, which is applied to an intelligent device, and the method includes:
performing authentication and key agreement with an authentication server based on a Subscriber Identity Module (SIM), if the authentication and key agreement is successful, generating a first master key, and acquiring a temporary subscriber identity transmitted by the authentication server;
acquiring an operation instruction for requesting an application server to execute a target operation;
acquiring an application identifier of the application server;
generating a first encrypted value by encryption based on the first master key and the application identifier;
sending an operation request for executing the target operation to the application server, and transferring the temporary user identifier and the first encrypted value to the application server, so that the application server authenticates the temporary user identifier and the first encrypted value, and executes the target operation if authentication is successful.
Preferably, the smart device is connected to the authentication server and the application server via a data network, respectively.
Preferably, the data network includes the internet, mobile internet.
Preferably, the smart device accesses the mobile internet through a mobile data connection, a WiFi connection, or a WLAN connection.
Preferably, the mobile data includes 3G mobile data, 4G mobile data, 5G mobile data, 6G mobile data, or NB-IoT mobile data.
Preferably, the authenticating and key agreement with the authentication server based on the SIM includes:
acquiring a mobile subscriber identity of the subscriber identity module SIM;
sending an authentication and key agreement request to the authentication server, and transmitting the mobile user identifier to the authentication server, so that the authentication server acquires a random number RAND, an authentication token AUTN, a second expected response value and a second initial key from a user data system according to the mobile user identifier;
receiving an authentication and key agreement challenge message sent by the authentication server, and acquiring the random number RAND and the authentication token AUTN transmitted by the authentication server;
sending an authentication request to the subscriber identity module SIM and sending the random number RAND and the authentication token AUTN to the subscriber identity module SIM;
receiving an expected response value RES, a first encryption key CK and a first integrity key IK returned by the subscriber identity module SIM;
determining a first expected response value according to the expected response value RES;
sending an authentication and key agreement challenge response message to the authentication server and communicating the first expected response value to the authentication server, such that the authentication server determines whether authentication and key agreement is successful according to verification of the first expected response value;
if an authentication and key agreement success response message fed back by the authentication server is received, determining that the authentication and key agreement is successful, generating a first initial key based on the first encryption key CK or/and the first integrity key IK, generating a first master key based on the first initial key, and acquiring the temporary user identifier transmitted by the authentication server, wherein a generation mode of generating the first initial key is consistent with a generation mode of generating the second initial key by the user data system, and a generation mode of the first master key is consistent with a generation mode of generating the second master key by the authentication server.
Preferably, if the SIM is a USIM and the user data system is a home subscriber server HSS, then:
the mobile subscriber identity is an International Mobile Subscriber Identity (IMSI);
the determining a first expected response value according to the expected response value RES comprises: taking the expected response value RES as the first expected response value; or, taking a hash value generated after the expected response value RES is hashed as the first expected response value;
the generating a first initial key based on the first encryption key CK or/and the first integrity key IK comprises: using the first encryption key CK or/and the first integrity key IK as the first initial key; or, generating a first key KASME based on the first encryption key CK or/and the first integrity key IK, where the first key KASME is the first initial key.
Preferably, if the SIM is a USIM and the user data system is a unified data management UDM, then:
the mobile subscriber identity is a user permanent identity (SUPI);
the determining a first expected response value according to the expected response value RES comprises: generating a response value RES* based on the expected response value RES, the response value RES* being the first expected response value; or, taking a hash value generated after the expected response value RES is hashed as the first expected response value;
the generating a first initial key based on the first encryption key CK or/and the first integrity key IK comprises: generating a first key KAUSF based on the first encryption key CK or/and the first integrity key IK, wherein the first key KAUSF is the first initial key.
Preferably, the sending the authentication and key agreement request to the authentication server further includes:
encrypting the user permanent identity SUPI to generate a user hidden identity SUCI;
and in the authentication and key agreement request sent to the authentication server, taking the SUCI as the mobile user identifier.
Preferably, the generating a first master key based on the first initial key comprises:
using the first initial key as the first master key; or,
generating the first master key based on information including the first initial key.
Preferably, the generating the first master key based on the information including the first initial key includes:
generating the first master key based on information comprising the first initial key and a fourth fixed string or/and a fourth random string or/and a fourth time stamp or/and the mobile subscriber identity, the fourth fixed string being a string that is preconfigured and has the same value as a fourth fixed string preconfigured by the authentication server, the fourth random string or/and the fourth time stamp being communicated by the authentication server.
Preferably, the obtaining the temporary user identifier transmitted by the authentication server includes:
generating the temporary user identifier according to the random number RAND, wherein the generation mode of the temporary user identifier is the same as the generation mode used by the authentication server; or,
and receiving the temporary user identification transmitted by the authentication server, and acquiring the transmitted temporary user identification as the temporary user identification.
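As an added example (not code from the patent), the following Python simulation walks the SIM-based authentication and key agreement described above from both sides: the user data system issues RAND/AUTN/XRES and an initial key (CK||IK), the SIM checks AUTN and returns RES/CK/IK, the device answers with the hashed-RES option, and both sides derive the master key (initial key + fourth fixed string + mobile subscriber identity) and the RAND-derived temporary user identifier identically. The IMSI, K, the fixed string, and the HMAC-SHA256 stand-in for the SIM's Milenage functions are assumptions.

```python
import hashlib
import hmac
import os

# Constructed test subscriber. K is the secret shared between the SIM and the user data
# system (HSS/UDM). The real Milenage f1..f5 functions are replaced here by HMAC-SHA256
# keyed with K; that is an assumption for the simulation, not the patent's algorithm.
IMSI = "460001234567890"                                      # constructed mobile subscriber identity
K = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")         # constructed 128-bit K
AMF = b"\x80\x00"
FIXED_STRING = b"cn111327583-master"   # "fourth fixed string", preconfigured on device and server


def _f(tag: bytes, rand: bytes, n: int) -> bytes:
    """Keyed derivation standing in for one Milenage output function."""
    return hmac.new(K, tag + rand, hashlib.sha256).digest()[:n]


def user_data_system_vector(sqn: int) -> tuple:
    """User data system: build the vector (RAND, AUTN, XRES, second initial key = CK||IK)."""
    rand = os.urandom(16)
    sqn_b = sqn.to_bytes(6, "big")
    mac = hmac.new(K, sqn_b + AMF + rand, hashlib.sha256).digest()[:8]
    ak = _f(b"ak", rand, 6)
    autn = bytes(a ^ b for a, b in zip(sqn_b, ak)) + AMF + mac   # (SQN xor AK) || AMF || MAC
    xres = _f(b"res", rand, 8)
    initial_key = _f(b"ck", rand, 16) + _f(b"ik", rand, 16)
    return rand, autn, xres, initial_key


def sim_authenticate(rand: bytes, autn: bytes, last_sqn: int) -> tuple:
    """SIM side: verify AUTN (network MAC and sequence freshness), then return RES, CK, IK, SQN."""
    ak = _f(b"ak", rand, 6)
    sqn = int.from_bytes(bytes(a ^ b for a, b in zip(autn[:6], ak)), "big")
    mac = hmac.new(K, sqn.to_bytes(6, "big") + autn[6:8] + rand, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(mac, autn[8:16]):
        raise ValueError("AUTN MAC failure: network not authenticated")
    if sqn <= last_sqn:
        raise ValueError("AUTN sequence number not fresh: replayed challenge rejected")
    return _f(b"res", rand, 8), _f(b"ck", rand, 16), _f(b"ik", rand, 16), sqn


def derive_master_key(initial_key: bytes, mobile_id: str) -> bytes:
    """Master key from initial key, fixed string and mobile subscriber identity (same on both sides)."""
    return hmac.new(initial_key, FIXED_STRING + mobile_id.encode(), hashlib.sha256).digest()


def temp_user_id(rand: bytes) -> str:
    """Temporary user identifier derived from RAND, computed identically by device and server."""
    return hashlib.sha256(b"tuid" + rand).hexdigest()[:16]


def run_aka(sqn: int = 42, device_last_sqn: int = 41) -> dict:
    """Run the exchange: server fetches a vector, challenges the device, device answers H(RES)."""
    # Authentication server: obtain the vector for the mobile subscriber identity.
    rand, autn, xres, server_initial_key = user_data_system_vector(sqn)
    # Smart device: hand RAND/AUTN to the SIM and receive RES/CK/IK.
    res, ck, ik, _ = sim_authenticate(rand, autn, device_last_sqn)
    first_expected = hashlib.sha256(res).digest()          # hashed-RES option for the first expected response
    # Authentication server: hash XRES the same way and compare with the device's value.
    if not hmac.compare_digest(hashlib.sha256(xres).digest(), first_expected):
        return {"success": False}
    return {
        "success": True,
        "device_master_key": derive_master_key(ck + ik, IMSI),
        "server_master_key": derive_master_key(server_initial_key, IMSI),
        "device_temp_id": temp_user_id(rand),
        "server_temp_id": temp_user_id(rand),
    }
```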
Preferably, the obtaining the operation instruction for requesting the application server to execute the target operation includes:
triggering the operation instruction for executing the target operation by a user or/and an external instruction; or/and,
and automatically triggering the operation instruction of the execution target operation according to a preset judgment condition.
Preferably, the triggering of the operation instruction by the user or an external instruction includes:
clicking, by a user, an option for executing the target operation to trigger the operation instruction for executing the target operation; or/and,
accessing the application server and acquiring the operation instruction for executing the target operation returned by the application server; or/and,
and scanning the graphic code, and obtaining the operation instruction of the execution target operation from the decoding information of the graphic code.
Preferably, the acquiring the application identifier of the application server includes:
the operation instruction for executing the target operation comprises the application identifier, and the application identifier is obtained from that operation instruction; or,
the application identifier is pre-configured on the intelligent device, and the pre-configured application identifier is obtained.
Preferably, the generating a first encrypted value based on the first master key and the application identification encryption comprises:
generating a first authentication key based on the first master key, wherein the generation manner of the first authentication key is consistent with the generation manner of a second authentication key generated by the authentication server, so that the values of the first authentication key and the second authentication key generated by the authentication server are the same;
generating first verification information in a manner consistent with a manner in which the authentication server generates second verification information such that the first verification information and the second verification information generated by the authentication server have the same value;
encrypting the first verification information based on the first authentication key to generate a first encrypted value;
wherein the information for generating the first authentication key or/and the information for generating the first verification information further include the application identifier.
Preferably, the generating a first authentication key based on the first master key includes:
using the first master key as the first authentication key; or,
generating the first authentication key based on information including the first master key.
Preferably, the generating the first authentication key based on the information including the first master key includes:
generating the first authentication key based on information including the first master key and a first fixed character string or/and a first random character string or/and a first timestamp or/and the temporary user identifier or/and the application identifier, wherein the first fixed character string is a character string which is configured in advance and has the same value as a first fixed character string configured in advance by the authentication server, the first random character string is a character string generated randomly, and the first timestamp is generated by acquiring the current system time;
if the information for generating the first authentication key comprises the first random string or/and the first timestamp, the first random string or/and the first timestamp is transmitted to the application server, so that the application server transmits the first random string or/and the first timestamp to the authentication server to generate the second authentication key.
Preferably, the generating the first verification information includes:
generating the first verification information based on information including a second fixed character string or/and a second random character string or/and a second timestamp or/and the temporary user identifier or/and the application identifier, wherein the second fixed character string is a character string which is configured in advance and has the same value as a second fixed character string configured in advance by the authentication server, the second random character string is a character string generated randomly, and the second timestamp is generated by acquiring a current system time;
if the generation of the first verification information includes being based on the second random string or/and the second timestamp, the second random string or/and the second timestamp is transmitted to the application server, so that the application server transmits the second random string or/and the second timestamp to the authentication server to generate the second verification information.
Preferably, the generating the first verification information based on the information including the second fixed character string or/and the second random character string or/and the second timestamp or/and the temporary user identifier or/and the application identifier includes:
using one of the second fixed character string, the second random character string, the second timestamp, the temporary user identifier or the application identifier as the first verification information; or,
taking a hash value generated from one of the second fixed character string, the second random character string, the second timestamp, the temporary user identifier or the application identifier as the first verification information; or,
combining and splicing information comprising the second fixed character string or/and the second random character string or/and the second timestamp or/and the temporary user identifier or/and the application identifier, to be used as the first verification information; or,
and combining and splicing the information comprising the second fixed character string or/and the second random character string or/and the second timestamp or/and the temporary user identifier or/and the application identifier, and then performing hash calculation to generate a hash value which is used as the first verification information.
Preferably, the encrypting the first verification information based on the first authentication key to generate a first encrypted value includes:
generating the first encrypted value by signing the first verification information with the first authentication key using a signature algorithm; or,
generating the first encrypted value by symmetrically encrypting information including the first verification information with the first authentication key using a symmetric encryption algorithm.
Preferably, the method further comprises:
and transmitting the application identification to the application server.
In a second aspect, an identity authentication method is provided, which is applied in an application server, and the method includes:
receiving an operation request which is sent by an intelligent device and used for requesting to execute a target operation, wherein the operation request is sent to an application server by the intelligent device after an operation instruction used for requesting the application server to execute the target operation is acquired;
acquiring a temporary user identifier and a first encrypted value transmitted by the intelligent device, wherein the temporary user identifier is acquired when the intelligent device and an authentication server successfully authenticate and negotiate a key, the first encrypted value is generated by the intelligent device through encryption based on a first master key and an application identifier, the first master key is generated by the intelligent device and the authentication server when the authentication and negotiation succeeds, and the application identifier is an application identifier of the application server;
sending a verification request to the authentication server and passing the temporary user identity and the first encrypted value to the authentication server;
receiving a response message indicating successful verification fed back by the authentication server, wherein the response message is fed back after the authentication server successfully verifies the temporary user identifier and the first encrypted value;
and executing the target operation.
Preferably, if the application identifier delivered by the smart device is received, the method further includes:
judging whether the transferred application identifier is consistent with the application identifier of the application server or not;
if yes, executing the step of sending a verification request to the authentication server;
and if not, not executing the step of sending the verification request to the authentication server.
Preferably, if the first timestamp or/and the second timestamp transmitted by the smart device is received, the method further includes:
comparing the first timestamp or/and the second timestamp with the current system time of the application server, and determining whether the time difference between the timestamp and the current system time is within a preset valid range;
if it is within the valid range, executing the step of sending a verification request to the authentication server and transmitting the first timestamp or/and the second timestamp to the authentication server;
and if it is not within the valid range, not executing the step of sending the verification request to the authentication server.
Preferably, if the first random character string or/and the second random character string transmitted by the smart device is received, the method further includes:
communicating the first random string or/and the second random string to the authentication server.
Preferably, the sending the verification request to the authentication server further includes:
and transmitting the application identification of the application server to the authentication server.
Preferably, the receiving the response message indicating that the verification is successful fed back by the authentication server further includes:
and receiving user identification information fed back by the authentication server, wherein the user identification information is determined by the authentication server according to the temporary user identification.
Preferably, the user identification information includes a mobile user identification or/and an MSISDN or/and a first OpenID or/and a second OpenID.
In a third aspect, an identity authentication method is provided, which is applied in an authentication server, and the method includes:
performing authentication and key agreement with the intelligent equipment based on a user data system, if the authentication and key agreement is successful, generating a second master key, generating a temporary user identifier, transmitting the temporary user identifier to the intelligent equipment, and establishing an association relationship between the temporary user identifier and the second master key;
receiving a verification request sent by an application server, wherein the verification request is sent to the authentication server by the application server after receiving an operation request sent by the intelligent device and used for requesting to execute a target operation, and the operation request is sent to the application server by the intelligent device after acquiring an operation instruction used for requesting to execute the target operation to the application server;
acquiring the temporary user identifier and a first encrypted value transmitted by the application server, wherein the temporary user identifier and the first encrypted value transmitted by the application server are transmitted by the intelligent equipment through the application server;
determining an application identifier of the application server according to the identity information of the application server;
acquiring the second master key in the association relation according to the temporary user identifier;
verifying the first encrypted value based on the second master key and the application identifier;
and if the first encrypted value is verified successfully, feeding back a response message indicating successful verification to the application server, to trigger the application server to execute the target operation.
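As an added example (not code from the patent), this Python simulation covers the first encrypted value of the first aspect and its verification in the second and third aspects: the device builds the authentication key and verification information from the master key, fixed strings, a random string, a timestamp, the temporary user identifier and the application identifier; the application server checks the application identifier and the timestamp window before delegating; and the authentication server derives the application identifier from the caller's identity, looks up the second master key by temporary user identifier and recomputes the value. The master key, temporary user identifier, fixed strings, registry entries and the use of HMAC-SHA256 in place of the patent's signature or symmetric encryption option are assumptions.

```python
import hashlib
import hmac
import os
import time

# Constructed state after a successful authentication and key agreement: device and
# authentication server share the master key, and the server associates it with the
# temporary user identifier. All values below are constructed for the simulation.
MASTER_KEY = hashlib.sha256(b"constructed master key").digest()
TEMP_USER_ID = "7c3f1a9e0b2d4c6f"
FIRST_FIXED = b"auth-key-v1"        # first fixed string, preconfigured on both sides
SECOND_FIXED = b"verify-info-v1"    # second fixed string, preconfigured on both sides
VALID_WINDOW_SECONDS = 300          # application server's preset valid range for timestamps

# Authentication server: association table (temporary user id -> second master key) and the
# mapping from an application server's own identity (e.g. its TLS client identity) to its app id.
ASSOCIATIONS = {TEMP_USER_ID: MASTER_KEY}
APP_REGISTRY = {"appserver-1.example": "APP-PAY-001"}


def authentication_key(master_key: bytes, app_id: str, tuid: str) -> bytes:
    """First/second authentication key: derived from master key, fixed string, temp id and app id."""
    return hmac.new(master_key, FIRST_FIXED + tuid.encode() + app_id.encode(), hashlib.sha256).digest()


def verification_info(app_id: str, tuid: str, nonce: bytes, ts: int) -> bytes:
    """First/second verification information: splice fixed string, random string, timestamp,
    temp id and app id, then hash (the 'splice and hash' option)."""
    data = b"|".join([SECOND_FIXED, nonce, str(ts).encode(), tuid.encode(), app_id.encode()])
    return hashlib.sha256(data).digest()


def device_build_request(app_id: str, ts: int = None) -> dict:
    """Smart device: authentication information carried with the operation request."""
    nonce = os.urandom(16).hex().encode()           # second random string
    ts = int(time.time()) if ts is None else ts      # second timestamp
    k1 = authentication_key(MASTER_KEY, app_id, TEMP_USER_ID)
    v1 = verification_info(app_id, TEMP_USER_ID, nonce, ts)
    enc = hmac.new(k1, v1, hashlib.sha256).hexdigest()   # first encrypted value (MAC stands in)
    return {"tuid": TEMP_USER_ID, "app_id": app_id, "nonce": nonce, "ts": ts, "enc": enc}


def auth_server_verify(app_server_identity: str, req: dict) -> bool:
    """Authentication server: app id comes from the caller's identity, never from the request."""
    app_id = APP_REGISTRY.get(app_server_identity)
    mk = ASSOCIATIONS.get(req["tuid"])
    if app_id is None or mk is None:
        return False
    k2 = authentication_key(mk, app_id, req["tuid"])
    v2 = verification_info(app_id, req["tuid"], req["nonce"], req["ts"])
    expected = hmac.new(k2, v2, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, req["enc"])


def app_server_handle(req: dict, my_app_id: str = "APP-PAY-001",
                      my_identity: str = "appserver-1.example", now: int = None) -> str:
    """Application server: local checks first, then delegate verification, then execute."""
    now = int(time.time()) if now is None else now
    if req["app_id"] != my_app_id:
        return "rejected: application identifier mismatch"
    if abs(now - req["ts"]) > VALID_WINDOW_SECONDS:
        return "rejected: timestamp outside valid range"
    if not auth_server_verify(my_identity, req):
        return "rejected: authentication server verification failed"
    return "executed"
```

Because the application identifier enters both the key and the verification information on the authentication server's side from its own registry, a value built for one application cannot be replayed to another even if the request's `app_id` field is altered.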
Preferably, the authenticating and key agreement with the smart device based on the user data system includes:
receiving an authentication and key agreement request sent by the intelligent equipment, and acquiring a mobile user identifier transmitted by the intelligent equipment;
sending an authentication request to the user data system and transmitting the mobile subscriber identity to the user data system;
receiving an authentication response fed back by the user data system, and acquiring a random number RAND, an authentication token AUTN, a second expected response value and a second initial key fed back by the user data system;
sending an authentication and key agreement challenge message to the smart device and passing the random number RAND and the authentication token AUTN to the smart device;
receiving an authentication and key agreement challenge response message fed back by the intelligent equipment, and acquiring a first expected response value transmitted by the intelligent equipment;
verifying the first expected response value based on the second expected response value;
if the first expected response value is verified to be valid, generating a second master key based on the second initial key, generating a temporary user identifier and transmitting the temporary user identifier to the intelligent equipment, establishing an association relation between the temporary user identifier and the second master key, and sending an authentication and key agreement success response message to the intelligent equipment, wherein the generation mode of the second master key is consistent with the generation mode of the first master key generated by the intelligent equipment.
Preferably, said verifying said first expected response value based on said second expected response value comprises:
if the first expected response value is plaintext, comparing whether the second expected response value is consistent with the first expected response value, and if so, determining that the first expected response value is valid; or,
and if the first expected response value is the hash value after the hash calculation, calculating the second expected response value by using the same hash calculation mode to generate a hash value, comparing whether the two hash values are consistent, and if so, determining that the first expected response value is valid.
Preferably, if the subscriber data system is a home subscriber server HSS, then:
the mobile subscriber identity is an International Mobile Subscriber Identity (IMSI);
the second expected response value is an expected response value XRES;
the second initial key is a second encryption key CK or/and a second integrity key IK; or, the second initial key is a second key KASME.
Preferably, if the user data system is a unified data management UDM, then:
the mobile subscriber identity is a user permanent identity (SUPI);
the second expected response value is an expected response value XRES;
the second initial key is a second key KAUSF.
Preferably, the mobile subscriber identity is a subscriber concealed identity SUCI generated by encrypting the SUPI; the SUCI is used as the mobile subscriber identity included in the authentication request sent to the subscriber data system, the authentication response further includes the SUPI obtained after the subscriber data system decrypts the SUCI, and the decrypted SUPI is used as the mobile subscriber identity in the subsequent steps.
Preferably, the generating a second master key based on the second initial key includes:
using the second initial key as the second master key; or,
generating the second master key based on information including the second initial key.
Preferably, the generating the second master key based on the information including the second initial key includes:
generating the second master key based on information including the second initial key and a fourth fixed string or/and a fourth random string or/and a fourth timestamp or/and the mobile subscriber identity, the fourth fixed string being a string that is preconfigured and has the same value as the fourth fixed string preconfigured by the smart device, the fourth random string being a randomly generated string, the fourth timestamp being generated by obtaining a current system time;
and if the information for generating the second master key comprises the fourth random character string or/and the fourth timestamp, transmitting the fourth random character string or/and the fourth timestamp to the intelligent device.
Preferably, the generating and transmitting the temporary user identifier to the smart device includes:
generating the temporary user identifier according to the random number RAND, the smart device, after receiving the random number RAND, generating the same temporary user identifier from the random number RAND using the same generation mode; or,
and generating the temporary user identification randomly or according to a certain rule, and transmitting the temporary user identification to the intelligent equipment.
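The authentication-and-key-agreement exchange described in the steps above (authentication vector from the user data system, challenge to the smart device, verification of the expected response in plaintext or hashed form, derivation of matching master keys on both sides, and a temporary user identifier derived from RAND) as an added, runnable illustration. This is not the patent's code and not the 3GPP MILENAGE algorithm set: the functions f1 to f4 and the AUTN construction are replaced by HMAC-SHA256 derivations so the example runs with the Python standard library only. The subscriber key K, the sequence number, the fixed string and the mobile subscriber identity are constructed sample values, and the sequence-number freshness check a real USIM performs is omitted.

```python
"""Toy AKA exchange between a user data system, an authentication server and a
smart device.  Added example; not the patent's code and not MILENAGE."""
import hashlib
import hmac
import secrets
from typing import Optional

# Fourth fixed string: preconfigured with the same value on device and server.
FIXED_STRING = b"example-fixed-string-v1"   # constructed sample value


def _prf(k: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 stand-in for the SIM/HSS key-derivation functions f1..f4."""
    h = hmac.new(k, label, hashlib.sha256)
    for p in parts:
        h.update(p)
    return h.digest()


# --- user data system (HSS/UDM): holds K for the mobile subscriber identity ---
def generate_auth_vector(k: bytes, sqn: int) -> dict:
    """Authentication response: RAND, AUTN, expected response XRES, CK and IK."""
    rand = secrets.token_bytes(16)
    sqn_bytes = sqn.to_bytes(6, "big")
    mac = _prf(k, b"f1", rand, sqn_bytes)[:8]
    return {
        "RAND": rand,
        "AUTN": sqn_bytes + mac,           # toy AUTN: SQN || MAC (no AK masking)
        "XRES": _prf(k, b"f2", rand)[:8],
        "CK": _prf(k, b"f3", rand)[:16],
        "IK": _prf(k, b"f4", rand)[:16],
    }


# --- smart device (SIM): recomputes everything from its own copy of K ---
def device_challenge_response(k: bytes, rand: bytes, autn: bytes) -> Optional[dict]:
    """Authenticate the network via AUTN first; answer only if it checks out."""
    sqn_bytes, mac = autn[:6], autn[6:]
    if not hmac.compare_digest(mac, _prf(k, b"f1", rand, sqn_bytes)[:8]):
        return None                          # network authentication failed
    return {
        "RES": _prf(k, b"f2", rand)[:8],
        "CK": _prf(k, b"f3", rand)[:16],
        "IK": _prf(k, b"f4", rand)[:16],
    }


# --- authentication server ---
def verify_res(xres: bytes, res: bytes, hashed: bool) -> bool:
    """Second expected response vs first: plaintext compare, or hash XRES the
    same way the device hashed RES and compare the two hashes."""
    if hashed:
        return hmac.compare_digest(hashlib.sha256(xres).digest(), res)
    return hmac.compare_digest(xres, res)


def derive_master_key(ck: bytes, ik: bytes, random_string: bytes, msid: bytes) -> bytes:
    """Master key from the initial key (CK||IK), the fixed string, a server-
    generated random string and the mobile subscriber identity; identical
    derivation on both sides yields identical first/second master keys."""
    return _prf(ck + ik, b"master", FIXED_STRING, random_string, msid)


def temp_id_from_rand(rand: bytes) -> str:
    """Temporary user identifier computed from RAND the same way on both sides."""
    return hashlib.sha256(b"tmp-id" + rand).hexdigest()[:16]


def run_aka(k_server: bytes, k_device: bytes, msid: bytes, hashed_res: bool = False):
    """Drive one exchange.  Returns (server_session, device_session), or None
    when either side rejects the other."""
    av = generate_auth_vector(k_server, sqn=1)
    dev = device_challenge_response(k_device, av["RAND"], av["AUTN"])
    if dev is None:
        return None
    res = hashlib.sha256(dev["RES"]).digest() if hashed_res else dev["RES"]
    if not verify_res(av["XRES"], res, hashed_res):
        return None
    random_string = secrets.token_bytes(16)   # fourth random string, sent to device
    tmp = temp_id_from_rand(av["RAND"])
    server = {"temp_id": tmp,
              "master_key": derive_master_key(av["CK"], av["IK"], random_string, msid)}
    device = {"temp_id": tmp,
              "master_key": derive_master_key(dev["CK"], dev["IK"], random_string, msid)}
    return server, device


if __name__ == "__main__":
    k = bytes(range(16))
    s, d = run_aka(k, k, b"460001234567890")
    print("temp id", s["temp_id"], "keys match:", s["master_key"] == d["master_key"])
```

The server stores `temp_id -> master_key` as the association relation from the claims; the device never sends CK/IK or the master key over the wire, only RES (or its hash), which is why the later per-application values can be checked without the application server ever learning the master key.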
Preferably, the determining the application identifier of the application server according to the identity information of the application server includes:
if an application account of the application server used for identity authentication is used as the application identifier, acquiring the application account of the application server as the application identifier; or,
if the domain name of the application server is used as the application identifier, acquiring the domain name of the application server as the application identifier; or,
the method comprises the steps of pre-storing a corresponding relation between identity information of an application server and an application identifier, obtaining the identity information of the application server, and obtaining the application identifier in the corresponding relation according to the identity information.
Preferably, if the application identifier transmitted by the application server is received, the determining the application identifier of the application server according to the identity information of the application server further includes:
judging whether the transferred application identifier is consistent with the application identifier of the application server or not;
if yes, executing the step of obtaining the second master key in the association relation according to the temporary user identification;
and if not, not executing the step of obtaining the second master key in the association relation according to the temporary user identifier.
Preferably, the verifying the first cryptographic value based on the second master key and the application identification comprises:
generating a second authentication key based on the second master key, wherein the generation manner of the second authentication key is consistent with the generation manner of the first authentication key generated by the intelligent device, so that the value of the second authentication key is the same as that of the first authentication key generated by the intelligent device;
generating second verification information, wherein the generation mode of the second verification information is consistent with the generation mode of the intelligent device for generating first verification information, so that the value of the second verification information is the same as that of the first verification information generated by the intelligent device;
verifying the first encrypted value based on the second authentication key and the second verification information;
wherein the information for generating the second authentication key or/and the information for generating the second verification information further include the application identifier.
Preferably, the generating a second authentication key based on the second master key includes:
using the second master key as the second authentication key; or,
generating the second authentication key based on information including the second master key.
Preferably, the generating the second authentication key based on the information including the second master key includes:
generating the second authentication key based on information including the second master key and a first fixed string or/and a first random string or/and a first timestamp or/and the temporary user identity or/and the application identity, the first fixed string being a string that is pre-configured and has the same value as a first fixed string pre-configured by the smart device, the first random string or/and the first timestamp being communicated by the smart device through the application server.
Preferably, the generating the second verification information includes:
generating the second authentication information based on information including a second fixed string, which is a string that is pre-configured and has the same value as a second fixed string pre-configured by the smart device, or/and a second random string, which is communicated by the smart device through the application server, or/and a second timestamp, or/and the temporary user identification, or/and the application identification.
Preferably, the generating the second verification information based on the information including the second fixed character string or/and the second random character string or/and the second timestamp or/and the temporary user identifier or/and the application identifier includes:
taking one of the second fixed character string, the second random character string, the second timestamp, the temporary user identifier or the application identifier as the second verification information; or,
taking a hash value generated from one of the second fixed character string, the second random character string, the second timestamp, the temporary user identifier or the application identifier as the second verification information; or,
combining and concatenating information comprising the second fixed character string or/and the second random character string or/and the second timestamp or/and the temporary user identifier or/and the application identifier to be used as the second verification information; or,
and combining and splicing the information comprising the second fixed character string or/and the second random character string or/and the second timestamp or/and the temporary user identifier or/and the application identifier, and then performing hash calculation to generate a hash value which is used as the second verification information.
Preferably, the verifying the first encrypted value based on the second authentication key and the second verification information includes:
if the smart device generates the first encrypted value by signature-encrypting the first verification information based on the first authentication key using a signature-encryption algorithm, verifying the first encrypted value based on the second authentication key and the second verification information using the same signature-encryption algorithm; or,
if the smart device symmetrically encrypts information including the first verification information based on the first authentication key using a symmetric encryption algorithm to generate the first encrypted value, verifying the first encrypted value based on the second authentication key and the second verification information using the same symmetric encryption algorithm.
Preferably, the verifying the first cryptographic value based on the second authentication key and the second verification information using the same signature encryption algorithm includes:
using a signature encryption algorithm which is the same as that of the intelligent device, carrying out signature encryption on the second verification information based on the second authentication key to generate a second encryption value;
comparing whether the second cryptographic value is identical to the first cryptographic value;
and if the first encryption value is consistent with the second encryption value, the first encryption value is determined to be successfully verified.
Preferably, the verifying the first encrypted value based on the second authentication key and the second verification information using the same symmetric encryption algorithm includes:
decrypting the first encrypted value based on the second authentication key to obtain a plaintext by using the same symmetric encryption algorithm as the intelligent device, and obtaining first verification information from the plaintext obtained by decryption;
comparing whether the second verification information is consistent with the first verification information;
and if the second verification information is consistent with the first verification information, determining that the first encrypted value is successfully verified.
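An added example of the signature-encryption path of the steps above: the smart device derives the first authentication key from the master key, the first fixed string, a random string, the temporary user identifier and the application identifier, builds the first verification information from the second fixed string plus the same variable fields, and produces the first encrypted value as an HMAC; the authentication server determines the application identifier from the application server's own identity information, rejects a claimed identifier that does not match, recomputes the second authentication key and second verification information, and compares in constant time. This is not the patent's code; HMAC-SHA256 stands in for the signature-encryption algorithm, the fixed strings and identifiers are constructed sample values, and the timestamp-skew window is an added assumption not stated in the claims. The verification also shows the security property the application identifier buys: a value produced for one application server fails verification for any other.

```python
"""First encrypted value: generation on the smart device, verification on the
authentication server.  Added example; not the patent's own code."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

FIRST_FIXED = b"auth-key-label-v1"        # first fixed string (constructed)
SECOND_FIXED = b"verify-info-label-v1"    # second fixed string (constructed)
MAX_SKEW_SECONDS = 300                    # added freshness window (assumption)


def derive_auth_key(master_key: bytes, temp_id: str, app_id: str, random_string: bytes) -> bytes:
    """First/second authentication key.  Binding the application identifier
    into the key means a value made for app A cannot be replayed to app B."""
    h = hmac.new(master_key, FIRST_FIXED, hashlib.sha256)
    for part in (temp_id.encode(), app_id.encode(), random_string):
        h.update(len(part).to_bytes(2, "big") + part)   # length-prefixed fields
    return h.digest()


def build_verification_info(random_string: bytes, timestamp: int, temp_id: str, app_id: str) -> bytes:
    """Concatenate the second fixed string, random string, timestamp, temporary
    identifier and application identifier (length-prefixed), then hash."""
    parts = [SECOND_FIXED, random_string, str(timestamp).encode(), temp_id.encode(), app_id.encode()]
    buf = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hashlib.sha256(buf).digest()


# --- smart device side ---
def make_first_encrypted_value(master_key: bytes, temp_id: str, app_id: str) -> dict:
    """Everything the device sends to the application server alongside the
    operation request; the master key itself never leaves the device."""
    random_string = secrets.token_bytes(16)
    timestamp = int(time.time())
    key = derive_auth_key(master_key, temp_id, app_id, random_string)
    info = build_verification_info(random_string, timestamp, temp_id, app_id)
    return {
        "temp_id": temp_id,
        "random_string": random_string,
        "timestamp": timestamp,
        "value": hmac.new(key, info, hashlib.sha256).digest(),
    }


# --- authentication server side ---
def resolve_app_id(identity_info: dict, claimed_app_id: Optional[str] = None) -> Optional[str]:
    """Application identifier from the application server's own identity on the
    verification channel (account or domain name).  A claimed identifier that
    disagrees with it is rejected, as the claims require."""
    app_id = identity_info.get("account") or identity_info.get("domain")
    if claimed_app_id is not None and claimed_app_id != app_id:
        return None
    return app_id


def verify_first_encrypted_value(assoc: dict, msg: dict, identity_info: dict,
                                 claimed_app_id: Optional[str] = None,
                                 now: Optional[int] = None) -> bool:
    """assoc maps temporary user identifier -> second master key."""
    app_id = resolve_app_id(identity_info, claimed_app_id)
    if app_id is None:
        return False
    master_key = assoc.get(msg["temp_id"])
    if master_key is None:                  # unknown or expired temporary id
        return False
    now = int(time.time()) if now is None else now
    if abs(now - msg["timestamp"]) > MAX_SKEW_SECONDS:
        return False
    key = derive_auth_key(master_key, msg["temp_id"], app_id, msg["random_string"])
    info = build_verification_info(msg["random_string"], msg["timestamp"], msg["temp_id"], app_id)
    expected = hmac.new(key, info, hashlib.sha256).digest()
    return hmac.compare_digest(expected, msg["value"])   # constant-time compare


if __name__ == "__main__":
    mk = secrets.token_bytes(32)
    assoc = {"tmp-abc": mk}
    msg = make_first_encrypted_value(mk, "tmp-abc", "app.example")
    print("same app:", verify_first_encrypted_value(assoc, msg, {"account": "app.example"}))
    print("other app:", verify_first_encrypted_value(assoc, msg, {"account": "other.example"}))
```

The application server only relays `msg`; it never holds a key, so a compromised application server can at most replay a value it has already seen, and that replay is confined to its own application identifier and the freshness window.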
Preferably, if the first cryptographic value is verified successfully, the method further comprises:
determining corresponding user identification information according to the temporary user identification;
and transmitting the user identification information to the application server.
Preferably, the determining the corresponding user identification information according to the temporary user identification includes:
acquiring a user identity according to the temporary user identity;
and determining the user identification information according to the user identity.
Preferably, the obtaining the user identity according to the temporary user identity includes:
acquiring the mobile subscriber identifier in the association relationship between the temporary user identifier and the mobile subscriber identifier according to the temporary user identifier, and determining the mobile subscriber identifier as the user identity identifier, wherein the association relationship between the temporary user identifier and the mobile subscriber identifier is established when the temporary user identifier is generated; or,
acquiring the corresponding MSISDN according to the mobile subscriber identifier, and determining the corresponding MSISDN as the user identity identifier; or,
establishing an association relationship between the temporary user identifier and the user identity identifier in advance, and obtaining the user identity identifier in that association relationship according to the temporary user identifier, wherein the association relationship between the temporary user identifier and the user identity identifier is established when the temporary user identifier is generated.
Preferably, the determining the user identification information according to the user identification includes:
taking the user identity identifier as the user identification information; and/or,
acquiring a first OpenID corresponding to the user identity identifier and the application identifier, and determining that the first OpenID is the user identification information; and/or,
and generating a second OpenID based on the user identity identification and the application identification, and determining the second OpenID as the user identification information.
Preferably, the determining, according to the user identity identifier and the application identifier, the corresponding first OpenID includes:
acquiring a corresponding first OpenID according to the user identity and the application identity;
if a corresponding first OpenID is acquired, determining that the acquired corresponding first OpenID is the first OpenID;
if the corresponding first OpenID is not acquired, generating a unique first OpenID, determining that the unique first OpenID is the first OpenID, and establishing a correspondence between the user identity and the application identity and the unique first OpenID.
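The identifier resolution of the claims above as an added example (not the patent's code): the temporary user identifier is mapped back to the mobile subscriber identifier or MSISDN, and the user identification information handed to the application server is either that identity, a stored first OpenID looked up or created per (user identity, application identifier), or a second OpenID computed from those two values with a server-side secret. Both OpenID forms give each application server a different identifier for the same subscriber, so application servers cannot correlate users with each other and never receive the IMSI or phone number. All table contents, the secret and the sample identities are constructed values.

```python
"""User identification information returned to the application server.
Added example; not the patent's own code."""
import hashlib
import hmac
import secrets
from typing import Optional


class IdentityResolver:
    """State an authentication server keeps to turn a temporary user
    identifier into application-scoped user identification information."""

    def __init__(self, server_secret: bytes):
        self._secret = server_secret          # never shared with application servers
        self.temp_to_msid: dict = {}          # temporary id -> mobile subscriber id (set at AKA)
        self.msid_to_msisdn: dict = {}        # mobile subscriber id -> MSISDN
        self.openid_table: dict = {}          # (user identity, app id) -> first OpenID

    def user_identity(self, temp_id: str, prefer_msisdn: bool = False) -> Optional[str]:
        """User identity identifier: the mobile subscriber identifier from the
        association established when the temporary id was generated, or the
        MSISDN looked up from it."""
        msid = self.temp_to_msid.get(temp_id)
        if msid is None:
            return None
        if prefer_msisdn:
            return self.msid_to_msisdn.get(msid, msid)
        return msid

    def first_openid(self, user_identity: str, app_id: str) -> str:
        """Look up the stored OpenID for this (user, application) pair, or
        generate a unique one and record the correspondence."""
        key = (user_identity, app_id)
        if key not in self.openid_table:
            self.openid_table[key] = secrets.token_hex(16)
        return self.openid_table[key]

    def second_openid(self, user_identity: str, app_id: str) -> str:
        """Stateless OpenID: keyed hash over the application identifier and the
        user identity, so it is stable per pair yet unlinkable across apps."""
        h = hmac.new(self._secret, b"openid-v1", hashlib.sha256)
        for part in (app_id.encode(), user_identity.encode()):
            h.update(len(part).to_bytes(2, "big") + part)
        return h.hexdigest()[:32]

    def user_identification_info(self, temp_id: str, app_id: str,
                                 mode: str = "first_openid") -> Optional[str]:
        """What is transmitted to the application server after a successful
        verification; returns None when the temporary id is unknown."""
        uid = self.user_identity(temp_id)
        if uid is None:
            return None
        if mode == "identity":
            return uid
        if mode == "first_openid":
            return self.first_openid(uid, app_id)
        if mode == "second_openid":
            return self.second_openid(uid, app_id)
        raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    r = IdentityResolver(secrets.token_bytes(32))
    r.temp_to_msid["tmp-1"] = "460001234567890"       # constructed sample IMSI
    print(r.user_identification_info("tmp-1", "app-a"))
    print(r.user_identification_info("tmp-1", "app-b"))
```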
In a fourth aspect, a smart device is provided, the smart device comprising: a memory and a processor, wherein the processor is configured to run a program stored in the memory, and the program, when run, implements the identity authentication method applied to the smart device in the first aspect.
An application server is provided, the application server comprising: a memory and a processor, wherein the processor is configured to run a program stored in the memory, and the program, when run, implements the identity authentication method applied to the application server in the second aspect.
An authentication server is provided, the authentication server comprising: a memory and a processor, wherein the processor is configured to run a program stored in the memory, and the program, when run, implements the identity authentication method applied to the authentication server in the third aspect.
There is provided a storage medium, wherein the storage medium stores a program for implementing an identity authentication method applied to a smart device including the first aspect.
There is provided a storage medium having stored therein a program for implementing an identity authentication method applied to an application server including the second aspect described above.
There is provided a storage medium having stored therein a program for implementing an identity authentication method applied to an authentication server including the third aspect described above.
In a fifth aspect, there is provided an authentication system comprising: the system comprises an authentication server, at least one application server and at least one intelligent device; the authentication server comprises the authentication server of the fourth aspect; the application server comprises the application server of the fourth aspect; the intelligent device comprises the intelligent device of the fourth aspect.
The authentication server is connected with each intelligent device and is used for performing authentication and key agreement with the intelligent devices respectively to generate a second master key and a temporary user identifier, establishing an association relationship between the temporary user identifier and the second master key, and transmitting the temporary user identifier to the intelligent devices.
Each intelligent device is respectively connected with the authentication server and is used for respectively carrying out authentication and key agreement with the authentication server so as to generate a first master key and obtain the temporary user identifier.
Each intelligent device is respectively connected with one or more application servers and used for respectively obtaining application identifiers of the correspondingly connected application servers, generating a first encryption value based on the encryption of the first master key and the application identifiers, sending an operation request for executing target operation, the temporary user identifier and the first encryption value to the correspondingly connected application servers, so that the correspondingly connected application servers authenticate the temporary user identifiers and the first encryption value, and executing the target operation if the authentication is successful.
Each application server is respectively connected with one or more intelligent devices and is used for respectively receiving the operation request for executing the target operation, the temporary user identifier and the first encryption value, which are sent by the intelligent devices.
And each application server is respectively connected with the authentication server and is used for respectively transmitting the temporary user identifier and the first encryption value to the authentication server for verification, and if a response message which is fed back by the authentication server and indicates that the verification is successful is received, executing the target operation.
The authentication server is connected with each application server and is used for respectively receiving the temporary user identification and the first encrypted value transmitted by the application server, acquiring a second master key in the association relation according to the temporary user identification, determining the application identification of the application server according to the identity information of the application server, verifying the first encrypted value based on the second master key and the application identification, and if the verification is successful, feeding back a response message indicating that the verification is successful so as to trigger the application server to execute the target operation.
In summary, the technical solution provided by the present invention has at least the following beneficial effects: on the first hand, the problem that the operation is complex and low-efficiency due to the fact that the user inputs authentication information in the existing intelligent equipment identity authentication mode is solved, and the user experience is improved; in the second aspect, the authentication information does not need to be written in advance in the production process of the intelligent equipment, so that the production efficiency of the intelligent equipment can be improved, and the production cost can be saved; in the third aspect, even if the intelligent equipment is replaced, the application server can still recognize the identity of the intelligent equipment as long as the same subscriber identity module SIM is used, so that the problems that the user account needs to be bound again after the intelligent equipment is replaced and the like are solved.
[ description of the drawings ]
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a schematic diagram of an implementation environment in accordance with various embodiments of the present invention;
FIG. 2 is a flowchart illustrating a first embodiment of an identity authentication method;
FIG. 3 is a flowchart illustrating a second embodiment of an identity authentication method;
FIG. 4 is a flowchart of a third embodiment of an identity authentication method;
FIG. 5 is a flowchart illustrating a fourth embodiment of an identity authentication method;
FIG. 6 is a flowchart illustrating an embodiment of an authentication and key agreement process;
FIG. 7 is a schematic structural diagram of a first embodiment of an authentication system;
FIG. 8 is a schematic structural diagram of a second embodiment of an authentication system;
fig. 9 is a schematic structural diagram of a third embodiment of an authentication system.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
[ detailed description ]
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be described in detail with reference to the accompanying drawings. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
First, related terms
To facilitate understanding, some terms referred to herein are introduced and described.
Mobile user identification: an Identifier for uniquely identifying the Subscriber Identity module SIM, the Mobile Subscriber Identifier includes an International Mobile Subscriber Identity (IMSI), or an IP Multimedia Private Identity (IMPI), or a Subscriber Permanent Identity (SUPI), or a Subscriber hidden Identity (SUCI), which is a result of encrypting the Subscriber Permanent Identity.
MSISDN: mobile Subscriber ISDN Number (Mobile Subscriber ISDN Number), the Number to be dialed to call a Mobile Subscriber, and the receiving Number to send a short message to a Mobile Subscriber, also known as a Mobile telephone Number.
Temporary user identification: an identifier for temporarily identifying the identity of the user.
User identity identification: an identifier for long-term identification of the user identity, including a mobile subscriber identity, an MSISDN, or another identifier that can be used for long-term identification of the user identity.
Application identification: an identification for uniquely identifying the application server. The application identifier may be a domain name or a URI (Uniform Resource identifier) of the application server, or may be a character string.
OpenID: the unique identifier for identifying the identity of the user or the smart device in the application server is an identifier generated by the authentication server from the application identifier and the user identifier and used in place of the user identifier in the application server in order not to provide the user identifier (e.g. mobile subscriber identifier, MSISDN, etc.) directly to the application server. In other words, the identity of the user or smart device is identified in the application server using OpenID.
Authentication and key agreement mechanism: abbreviated AKA (Authentication and Key Agreement); based on a challenge-response mechanism, it completes the authentication between a user and the mobile communication network and at the same time negotiates a communication encryption key on the basis of that authentication.
Subscriber identity module SIM: a module that stores, for a user, the mobile subscriber identity, the mobile subscriber key (K), the home network, the AKA-related algorithms and similar applications; the user performs identity authentication to the mobile communication network based on the Subscriber Identity Module (SIM), which specifically includes the Universal Subscriber Identity Module (USIM) and the IP Multimedia Services Identity Module (ISIM).
Signature encryption algorithm: refers to a cryptographic algorithm for verifying the authenticity of information, producing a digital string that cannot be forged by others and can be generated only by the sender of the information, and that serves as valid proof of the authenticity of the information sent by the sender; examples are message authentication codes (e.g., hash-based message authentication code HMAC, cipher block chaining message authentication code CBC-MAC, Galois message authentication code GMAC, etc.), keyed hash functions, RSA-based digital signature schemes (e.g., RSA-PSS), the Digital Signature Algorithm (DSA), the elliptic curve digital signature algorithm (ECDSA), and so on.
Symmetric encryption algorithm: refers to an encryption algorithm using the same key for encryption and decryption, such as the Triple Data Encryption Standard (3DES), the Advanced Encryption Standard (AES), and the like.
Second, implementation environment
Referring to fig. 1, a schematic diagram of an implementation environment according to various embodiments of the present invention is shown. The implementation environment includes a smart device, an application server, an authentication server, and a user data system.
Smart device: the smart device accesses a network in a wired or wireless mode such as mobile data (including 3G, 4G, 5G, 6G or NB-IoT mobile data), WLAN, WiFi, LAN, fixed broadband and the like, connects to the authentication server through the network for authentication and key agreement, and connects to the application server through the network for identity authentication, where the network comprises data networks such as the Internet and the mobile Internet. The smart device can have a subscriber identity module SIM inserted, embedded or externally connected and is able to read that SIM; it can be a wearable Internet of Things device such as a smart watch or smart bracelet, an Internet of Things device such as a smart electric meter, smart water meter, smart home appliance, smart vehicle-mounted terminal or Internet of Things gateway, or a user device such as a smartphone or tablet computer.
Application server: a server providing application services to the smart device; it is connected to the smart device through the network in order to authenticate the identity of the smart device and provide it with application services, and is connected to the authentication server through the network in order to send verification requests to the authentication server.
An authentication server: the system is connected with the intelligent equipment through a network and used for receiving and executing an authentication and key agreement request of the intelligent equipment; the system is connected with a user data system through a network and used for carrying out authentication and key agreement with intelligent equipment based on the user data system; and the system is connected with the application server through a network and used for receiving the verification request sent by the application server and returning a verification result to the application server. The authentication server is typically provided by the communications carrier. It will be appreciated that in an actual application environment, there may be a plurality of application servers provided by different application service providers, and the authentication server is connected to the application servers through the network respectively, and receives the verification request sent by the application servers.
A user data system: a system for storing a mobile subscriber identity, a mobile subscriber key (K), an AKA correlation algorithm, and performing identity authentication on a user in a mobile communication network, which is also referred to as a subscriber subscription server, specifically includes a Home Subscriber Server (HSS) or/and a Unified Data Management (UDM).
Those skilled in the art will appreciate that the implementation environment configuration illustrated in FIG. 1 does not constitute a limitation of the implementation environment, and may include more or fewer components than those illustrated, or some components in combination, or a different arrangement of components.
Third, identity authentication method embodiment one
Referring to fig. 2, a flowchart of a first embodiment of an identity authentication method according to the present invention is shown. The embodiment is exemplified by applying the method to the intelligent device in the implementation environment shown in fig. 1, and the method may include:
step 201, performing authentication and key agreement with an authentication server based on a subscriber identity module SIM, if the authentication and key agreement is successful, generating a first master key, and acquiring a temporary subscriber identity transmitted by the authentication server.
The smart device performs authentication and key agreement with the authentication server based on the subscriber identity module SIM, and the authentication server in turn relies on the user data system; if the authentication and key agreement succeeds, the authentication server generates a second master key and a temporary user identifier, establishes an association relationship between the temporary user identifier and the second master key, and transmits the temporary user identifier to the smart device; the smart device generates a first master key and acquires the temporary user identifier transmitted by the authentication server.
Step 202, acquiring an operation instruction for requesting the application server to execute the target operation.
Step 203, acquiring the application identifier of the application server.
Step 204, generating a first encrypted value by encryption based on the first master key and the application identifier.
Step 205, sending an operation request for executing the target operation to the application server, and transferring the temporary user identifier and the first encrypted value to the application server, so that the application server authenticates the temporary user identifier and the first encrypted value, and executes the target operation if the authentication is successful.
The intelligent device sends an operation request for executing the target operation to the application server, and after the temporary user identifier and the first encryption value are transmitted to the application server, the application server transmits the temporary user identifier and the first encryption value to the authentication server, so that the authentication server obtains the second master key in the association relation according to the temporary user identifier, verifies the first encryption value according to the second master key, and if verification is successful, a response message indicating that verification is successful is fed back to the application server, and the application server is triggered to execute the target operation.
The above-mentioned implementation of sending the operation request for executing the target operation to the application server and transferring the temporary user identifier and the first encrypted value to the application server may be performed simultaneously in one step, for example, the temporary user identifier and the first encrypted value are included in the operation request; it is also possible to proceed in two steps, for example by transmitting the temporary user identification and the first cryptographic value after transmitting the operation request; it is also possible to perform the steps in more steps, for example, the temporary user identifier and the first encrypted value are transmitted separately in two steps, etc.
In summary, in the method provided in this embodiment, the smart device performs authentication and key agreement with the authentication server to generate a first master key and obtain a temporary user identifier, encrypts the first master key and the application identifier of the application server to generate a first encrypted value, and sends an operation request for executing a target operation, the temporary user identifier and the first encrypted value to the application server, so that the application server authenticates the temporary user identifier and the first encrypted value, and executes the target operation if the authentication is successful. The method provided by the embodiment can effectively solve the problems of complex and low efficiency of operation caused by the fact that the user inputs authentication information for identity authentication of the existing intelligent equipment, improves the user experience, or does not need to write the authentication information in the production process of the intelligent equipment in advance, thereby improving the production efficiency of the intelligent equipment and saving the production cost.
Fourth, second embodiment of the identity authentication method
Please refer to fig. 3, which illustrates a flowchart of a second embodiment of the identity authentication method of the present invention. This embodiment is illustrated by applying the method to the application server in the implementation environment shown in fig. 1, and the method may include:
Step 301. Receive an operation request, sent by the smart device, for executing a target operation.
The operation request is sent to the application server by the smart device after the smart device has obtained an operation instruction requesting the application server to execute the target operation.
Step 302. Obtain the temporary user identifier and the first encrypted value transferred by the smart device.
The temporary user identifier is obtained by the smart device when its authentication and key agreement with the authentication server succeed; the first encrypted value is generated by the smart device by encryption based on a first master key and an application identifier; the first master key is generated by the smart device when the authentication and key agreement with the authentication server succeed; and the application identifier is the application identifier of the application server.
It should be noted that step 302 is generally performed together with step 301: receiving the operation request and obtaining the temporary user identifier and the first encrypted value happen in one step, for example when the smart device includes the temporary user identifier and the first encrypted value in the operation request, so that the application server obtains both values when it receives the request. Steps 301 and 302 are separated here only for illustration; this is not a limitation.
Step 303. Send a verification request to the authentication server and transfer the temporary user identifier and the first encrypted value to the authentication server.
Sending the verification request and transferring the temporary user identifier and the first encrypted value may be done in one step, for example by including both values in the verification request; in two steps, for example by sending the temporary user identifier and the first encrypted value after the verification request; or in more steps, for example by transmitting the temporary user identifier and the first encrypted value separately.
Step 304. Receive a response message, fed back by the authentication server, indicating that the verification succeeded.
The response message indicating successful verification is fed back after the authentication server has successfully verified the temporary user identifier and the first encrypted value.
Step 305. Execute the target operation.
After receiving the response message from the authentication server indicating successful verification, the application server determines that the identity authentication of the smart device has succeeded and therefore executes the target operation.
In summary, in the method of this embodiment the application server receives the operation request for executing a target operation, the temporary user identifier and the first encrypted value sent by the smart device, forwards the temporary user identifier and the first encrypted value to the authentication server for verification, and executes the target operation if it receives a response message from the authentication server indicating that the verification succeeded. In this way the application server offers the smart device a secure and convenient identity authentication mode, which improves the experience of users of the application server and saves production cost of the smart device.
Fifth, third embodiment of the identity authentication method
Please refer to fig. 4, which illustrates a flowchart of a third embodiment of the identity authentication method of the present invention. This embodiment is illustrated by applying the method to the authentication server in the implementation environment shown in fig. 1, and the method may include:
Step 401. Perform authentication and key agreement with the smart device on the basis of the subscriber data system; if the authentication and key agreement succeed, generate a second master key, generate a temporary user identifier and transmit it to the smart device, and establish an association between the temporary user identifier and the second master key.
The authentication server performs authentication and key agreement, on the basis of the subscriber data system, with the smart device and its subscriber identity module (SIM). If the authentication and key agreement succeed, the authentication server generates a second master key and a temporary user identifier, establishes an association between the temporary user identifier and the second master key, and transmits the temporary user identifier to the smart device; the smart device generates a first master key and obtains the temporary user identifier transmitted by the authentication server.
Step 402. Receive a verification request sent by the application server.
The verification request is sent to the authentication server by the application server after the application server has received an operation request from the smart device for executing a target operation; that operation request is sent by the smart device after it has obtained an operation instruction requesting the application server to execute the target operation.
Step 403. Obtain the temporary user identifier and the first encrypted value transferred by the application server.
The temporary user identifier and the first encrypted value originate from the smart device and are relayed by the application server. The first encrypted value is generated by the smart device by encryption based on the first master key and the application identifier, and the application identifier is the application identifier of the application server.
It should be noted that step 403 is generally performed together with step 402: receiving the verification request and obtaining the temporary user identifier and the first encrypted value happen in one step, for example when the application server includes the temporary user identifier and the first encrypted value in the verification request, so that the authentication server obtains both values when it receives the request. Steps 402 and 403 are separated here only for illustration; this is not a limitation.
Step 404. Determine the application identifier of the application server from the identity information of the application server.
Step 405. Obtain the second master key associated with the temporary user identifier.
Since the association between the temporary user identifier and the second master key was established in step 401, the second master key can be looked up from that association using the temporary user identifier.
Step 406. Verify the first encrypted value based on the second master key and the application identifier.
Since the second master key generated in step 401 has the same value as the first master key generated by the smart device, and the first encrypted value was generated by the smart device by encryption based on the first master key and the application identifier, the authentication server can verify the first encrypted value by recomputing it from the second master key and the application identifier it determined in step 404 and comparing the result with the received value.
Step 407. If the first encrypted value is verified successfully, feed back a response message indicating successful verification to the application server.
If the first encrypted value is verified successfully, the authentication server returns a response message indicating successful verification to the application server, which triggers the application server to execute the target operation.
In summary, in the method of this embodiment the authentication server performs authentication and key agreement with the smart device to establish an association between the temporary user identifier and the second master key; when it receives the temporary user identifier and the first encrypted value from the application server, it verifies them against that association and, if the verification succeeds, returns a response message indicating successful verification, which triggers the application server to execute the target operation. The authentication server thereby provides a centralized, platform-style authentication service to application servers; this service lets an application server offer the smart device a secure and convenient identity authentication mode, improves the experience of users of the application server, and avoids the production cost of writing authentication information into the smart device in advance. It also gives communication operators a centralized platform capability serving Internet and Internet of Things services, which promotes the convergence of the communication network, the Internet and the Internet of Things.
Sixth, fourth embodiment of the identity authentication method
Please refer to fig. 5, which illustrates a flowchart of a fourth embodiment of the identity authentication method of the present invention. This embodiment combines the first, second and third embodiments of the identity authentication method. It is illustrated by applying the method to the implementation environment shown in fig. 1, and the method may include:
Step 501. The smart device performs authentication and key agreement with the authentication server on the basis of its subscriber identity module (SIM) and the subscriber data system. If the authentication and key agreement succeed, a second master key and a temporary user identifier are generated on the authentication server and an association between the temporary user identifier and the second master key is established, and a first master key is generated on the smart device, which also obtains the temporary user identifier.
The SIM connected to the smart device stores a mobile subscriber identity, a mobile subscriber key (K) and the AKA (authentication and key agreement) algorithms; correspondingly, the subscriber data system connected to the authentication server stores the mobile subscriber identity, the mobile subscriber key (K) corresponding to that identity and the same AKA algorithms.
Therefore the smart device, using its SIM, and the authentication server, using the subscriber data system, can run an authentication and key agreement mechanism, and if it succeeds they arrive at master keys of the same value.
At the same time, the authentication server generates a temporary user identifier and transmits it to the smart device, and establishes an association between the temporary user identifier and the negotiated second master key, so that whenever the authentication server later receives the temporary user identifier it can look up the second master key. Correspondingly, the smart device obtains the temporary user identifier transmitted by the authentication server.
The authentication and key agreement between the smart device and the authentication server may take various forms; one implementation is given in the embodiment describing the authentication and key agreement process.
Step 502. The smart device obtains an operation instruction requesting the application server to execute a target operation.
The target operation is a network operation for which the smart device must be identity-authenticated, for example a login operation, a network access operation, a state reporting operation or any of various service application operations. A login operation is the smart device logging in to the application server. A network access operation covers actions such as account binding and device configuration that are allowed only after identity authentication when the smart device first accesses the application server. A state reporting operation is the smart device reporting its currently collected state information to the application server; the reported information may be the current state of the smart device itself or an environmental attribute it measures, such as temperature or humidity.
The operation instruction requesting the target operation may be triggered by the user or by an external instruction, or it may be triggered automatically by the smart device, for example:
For example, the user selects an option to execute the target operation, which triggers an operation instruction to execute it.
For another example, the smart device accesses the application server, and if the application server determines that this access requires identity authentication of the smart device, it returns to the smart device an operation instruction requiring the smart device to provide identity authentication.
For another example, the application server generates a graphic code instructing the smart device to execute the target operation; the smart device scans and decodes the graphic code and thereby obtains the operation instruction. The graphic code may be a two-dimensional code, a bar code or any other graphic whose content can be obtained by scanning and decoding. Because two-dimensional codes have a wide encoding range and a large information capacity, they are the preferred form.
For another example, the smart device triggers the instruction itself according to a preset condition, such as a preset time period, or when a detected state reaches a certain threshold; for instance, the smart device checks whether it has already been admitted to the network and, if not, triggers the network access operation.
Step 503. The smart device obtains the application identifier of the application server.
The smart device may obtain the application identifier of the application server in various ways:
For example, the operation instruction for executing the target operation includes the application identifier, and the smart device takes the application identifier from the instruction. In that case this step must follow step 502.
For another example, the application identifier is preconfigured on the smart device, and the smart device uses the preconfigured value. In that case this step may also be performed before step 502.
Step 504. The smart device generates a first encrypted value by encryption based on the first master key and the application identifier.
Once the smart device holds the first master key and the application identifier, it can generate the first encrypted value by encryption based on them. This may comprise the following sub-steps:
Sub-step 504-1. The smart device generates a first authentication key based on the first master key.
The first authentication key may be generated from the first master key in various ways, including at least:
For example, the first master key itself is used as the first authentication key.
For another example, the first authentication key is derived from information that includes the first master key. Taking a key derivation function as an example, this can be written as DK = PBKDF2(passphrase, Salt, c, dkLen), where DK is the generated first authentication key; PBKDF2 is the key derivation algorithm; passphrase is a string formed from the first master key, or from the first master key concatenated with other information, for example the first master key concatenated with a first fixed string (1) and/or a first random string and/or a first timestamp and/or the temporary user identifier and/or the application identifier, where the first fixed string (1) is a preconfigured string with the same value as the first fixed string (2) preconfigured on the authentication server, the first random string is generated randomly on the device, and the first timestamp is taken from the current system time of the smart device; Salt is the salt value, in this example a fixed string; c is the iteration count; and dkLen is the output key length, chosen to suit the encryption algorithm that will use the key.
Sub-step 504-2. The smart device generates first verification information.
The smart device generates first verification information that will serve as the input to be encrypted and that must have the same value as the second verification information generated by the authentication server.
The smart device may use one of a second fixed string (1), a second random string, a second timestamp, the temporary user identifier or the application identifier directly as the first verification information; it may hash one of those values with a hash algorithm and use the hash value as the first verification information; it may concatenate information comprising the second fixed string (1) and/or the second random string and/or the second timestamp and/or the temporary user identifier and/or the application identifier to form the first verification information; or it may concatenate such information and then hash it, using the hash value as the first verification information.
The second fixed string (1) is a preconfigured string with the same value as the second fixed string (2) preconfigured on the authentication server, the second random string is generated randomly on the device, and the second timestamp is taken from the current system time of the smart device.
In sub-steps 504-1 and 504-2, at least one of the inputs to the first authentication key and the inputs to the first verification information must include the application identifier; that is, the application identifier enters the first authentication key, the first verification information, or both. This is what binds the first encrypted value to a particular application server.
Sub-step 504-3. The smart device encrypts the first verification information with the first authentication key to generate the first encrypted value.
Using the first authentication key and the first verification information from sub-steps 504-1 and 504-2, the smart device encrypts the first verification information under the first authentication key to produce the first encrypted value. Depending on the algorithm used, this includes at least the following embodiments:
In a first embodiment, the smart device produces the first encrypted value by signing the first verification information with the first authentication key using a keyed signature (message authentication code) algorithm.
The smart device signs the first verification information under the first authentication key, and the resulting signature value is the first encrypted value. The signature value binds the first verification information: the same signature value can only be reproduced with the same algorithm, a signing key of the same value and a message of the same value, which is what allows the authentication server to verify it by recomputation.
For example, using a hash-based message authentication code, the signature can be written as Signature = HMAC_SHA256(k, m), where m is the message to be signed, i.e. the first verification information; k is the signing key, i.e. the first authentication key; HMAC_SHA256 is the signing algorithm; and Signature is the signature value, i.e. the first encrypted value.
For another example, using a plain keyed hash, the signature can be written as Signature = SHA256(k || m), where m is the message to be signed, i.e. the first verification information; k is the signing key, i.e. the first authentication key; "k || m" denotes the concatenation of k and m; SHA256 is the hash function; and Signature is the signature value, i.e. the first encrypted value. Note that a secret-prefix construction of this form over SHA-256 is subject to length-extension attacks, so of the two variants HMAC is the safer choice.
In a second embodiment, the smart device produces the first encrypted value by encrypting the first verification information, or information that includes the first verification information, with the first authentication key using a symmetric encryption algorithm.
The smart device encrypts the first verification information (or information including it) under the first authentication key with a symmetric algorithm, and the resulting ciphertext is the first encrypted value; the ciphertext can be decrypted back to the original plaintext only with the same algorithm and a key of the same value. For the authentication server to verify such a value it must either decrypt and compare the plaintext with its own second verification information, or re-encrypt with the same parameters, which requires that any initialization vector used be transmitted as well.
For example, using AES, the encryption can be written as s = AES_ENCRYPT(m, k), where m is the plaintext, i.e. the first verification information or information including it; k is the encryption key, i.e. the first authentication key; AES_ENCRYPT is the encryption algorithm; and s is the encryption result, i.e. the first encrypted value.
The information including the first verification information serves as the plaintext to be encrypted and comprises the first verification information together with other information, for example the concatenation of the two; the other information is not limited in this embodiment unless otherwise stated.
Step 505. The smart device sends an operation request for executing the target operation to the application server, the operation request including the temporary user identifier and the first encrypted value.
According to the operation instruction obtained above, the temporary user identifier it holds and the first encrypted value it generated, the smart device sends the application server an operation request for executing the target operation that carries the temporary user identifier and the first encrypted value.
The smart device sends the temporary user identifier and the first encrypted value to the application server so that the application server can forward them to the authentication server for verification, and can then decide from the verification result returned by the authentication server whether the identity authentication of the smart device succeeded.
Further, the operation request may include the application identifier.
It should be understood that, so the authentication server can generate a second authentication key of the same value as the first authentication key, if the inputs to the first authentication key included the first random string and/or the first timestamp, those values are also included in the operation request, so that the application server can pass them on to the authentication server for generating the second authentication key.
Likewise, so the authentication server can generate second verification information of the same value as the first verification information, if the first verification information was built from the second random string and/or the second timestamp, those values are also included in the operation request, so that the application server can pass them on to the authentication server for generating the second verification information.
If the first verification information was built from the temporary user identifier, nothing further is needed, since the temporary user identifier is already in the operation request.
Correspondingly, the application server receives the operation request from the smart device and takes the temporary user identifier and the first encrypted value from it. If the operation request also carries the application identifier, the first random string, the second random string, the first timestamp and/or the second timestamp, the application server takes those values as well.
Further, if the application identifier is obtained from the operation request, the application server checks whether it is the application server's own application identifier: it compares the received application identifier with its own and proceeds with step 506 and the following steps only if they match; otherwise step 506 and the following steps are not performed.
Further, if the first timestamp and/or the second timestamp is obtained from the operation request, the application server checks whether it is still valid: it compares each timestamp with its own current system time and proceeds with step 506 and the following steps only if the difference lies within a preset validity window; otherwise step 506 and the following steps are not performed. This bounds how long a captured operation request remains replayable.
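The following Python is an added, runnable illustration and is not code from the patent. It ties sub-steps 504-1 to 504-3 on the smart device, the application server checks that follow step 505, and steps 405 to 407 on the authentication server into one exchange, and shows the failure modes the checks exist for. It fixes the choices the text leaves open: the HMAC-SHA256 variant of sub-step 504-3, PBKDF2 with SHA-256 as the key derivation function, a passphrase and verification information built from every optional field joined with a "|" separator, and hypothetical constant values and request field names. The master key and the key store are constructed for the example rather than produced by a real AKA run.

```python
import hashlib
import hmac
import secrets
import time

# Deployment constants assumed for illustration; the patent leaves their values open.
FIRST_FIXED_STRING = b"kdf-fixed-string-v1"      # first fixed string, (1) on device == (2) on server
SECOND_FIXED_STRING = b"verify-fixed-string-v1"  # second fixed string, (1) on device == (2) on server
KDF_SALT = b"fixed-salt"                          # the text uses a fixed salt
KDF_ITERATIONS = 10_000
KEY_LEN = 32
TIMESTAMP_WINDOW = 300  # seconds; the application server's "preset validity window"


def derive_authentication_key(master_key, temp_user_id, app_id, nonce, timestamp):
    """Sub-step 504-1: DK = PBKDF2(passphrase, Salt, c, dkLen). The passphrase joins the
    master key, first fixed string, first random string, first timestamp, temporary
    user identifier and application identifier with an unambiguous separator."""
    passphrase = b"|".join([master_key, FIRST_FIXED_STRING, nonce,
                            str(timestamp).encode(), temp_user_id, app_id])
    return hashlib.pbkdf2_hmac("sha256", passphrase, KDF_SALT, KDF_ITERATIONS, dklen=KEY_LEN)


def build_verification_info(temp_user_id, app_id, nonce, timestamp):
    """Sub-step 504-2: hash of second fixed string, second random string, second
    timestamp, temporary user identifier and application identifier."""
    return hashlib.sha256(b"|".join([SECOND_FIXED_STRING, nonce,
                                     str(timestamp).encode(), temp_user_id, app_id])).digest()


def build_operation_request(first_master_key, temp_user_id, app_id, now=None):
    """Steps 504 and 505 on the smart device, HMAC-SHA256 variant of sub-step 504-3.
    The random strings and timestamps travel in the request so the authentication
    server can rebuild the same key and verification information."""
    now = int(time.time()) if now is None else now
    nonce1, nonce2 = secrets.token_bytes(16), secrets.token_bytes(16)
    key = derive_authentication_key(first_master_key, temp_user_id, app_id, nonce1, now)
    info = build_verification_info(temp_user_id, app_id, nonce2, now)
    return {
        "target_operation": "report_state",
        "temp_user_id": temp_user_id,
        "app_id": app_id,
        "first_random": nonce1,
        "second_random": nonce2,
        "first_timestamp": now,
        "second_timestamp": now,
        "first_encrypted_value": hmac.new(key, info, hashlib.sha256).digest(),
    }


def application_server_prechecks(request, own_app_id, now=None):
    """Checks after step 505: the application identifier must be the server's own and
    both timestamps must lie within the window around the server's clock."""
    now = int(time.time()) if now is None else now
    if not hmac.compare_digest(request["app_id"], own_app_id):
        return False
    return all(abs(now - request[f]) <= TIMESTAMP_WINDOW
               for f in ("first_timestamp", "second_timestamp"))


def authentication_server_verify(verification_request, app_id, key_store):
    """Steps 405 to 407: look up the second master key by temporary user identifier,
    recompute the value using the application identifier the authentication server
    determined itself (step 404 / 507), and compare in constant time."""
    temp_user_id = verification_request["temp_user_id"]
    second_master_key = key_store.get(temp_user_id)
    if second_master_key is None:
        return False
    key = derive_authentication_key(second_master_key, temp_user_id, app_id,
                                    verification_request["first_random"],
                                    verification_request["first_timestamp"])
    info = build_verification_info(temp_user_id, app_id,
                                   verification_request["second_random"],
                                   verification_request["second_timestamp"])
    expected = hmac.new(key, info, hashlib.sha256).digest()
    return hmac.compare_digest(expected, verification_request["first_encrypted_value"])


def run_flow(target_app_id, own_app_id, verifier_app_id, clock_skew=0):
    """Whole exchange with a constructed master key and key store (in practice both
    come out of the AKA run of step 501). Returns the application server's decision."""
    master_key = hashlib.sha256(b"constructed master key for the example").digest()
    temp_user_id = b"tmp-user-0001"
    key_store = {temp_user_id: master_key}  # association established in step 501
    now = 1_700_000_000
    request = build_operation_request(master_key, temp_user_id, target_app_id, now)
    if not application_server_prechecks(request, own_app_id, now + clock_skew):
        return False
    # Step 506: the application server forwards only what the authentication server needs.
    verification_request = {k: request[k] for k in (
        "temp_user_id", "first_random", "second_random",
        "first_timestamp", "second_timestamp", "first_encrypted_value")}
    return authentication_server_verify(verification_request, verifier_app_id, key_store)


if __name__ == "__main__":
    print("honest flow:", run_flow(b"app-A", b"app-A", b"app-A"))
    print("value made for app-A presented to app-B:", run_flow(b"app-A", b"app-B", b"app-B"))
    print("stale request:", run_flow(b"app-A", b"app-A", b"app-A", clock_skew=600))
```

Two details matter for the construction to be sound. Fields are joined with a separator before derivation, because the bare "combine and splice" of the text would let two different field combinations produce the same byte string. And the authentication server uses the application identifier it derived from the application server's own authenticated identity (step 507), not one copied from the request, so a value computed for one application server cannot be verified on behalf of another even if the relaying server lies about its identifier.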
Step 506, the application server sends a verification request to the authentication server, wherein the verification request comprises the temporary user identifier and the first encryption value.
After receiving an operation request sent by the intelligent device for executing a target operation, the application server needs to perform identity authentication on the intelligent device in order to confirm whether the target operation is to be executed.
The application server sends a verification request to the authentication server, the verification request including the temporary user identification and the first encrypted value.
Further, if the operation request of step 505 further includes a first random string, a second random string, a first timestamp or/and a second timestamp, the transmitted verification request further includes the first random string, the second random string, the first timestamp or/and the second timestamp.
Further, the sent verification request may further include an application identifier.
Accordingly, the authentication server receives the verification request sent by the application server and obtains the temporary user identifier and the first encryption value included in it, and, if present, also obtains the first random string, the second random string, the first timestamp or/and the second timestamp, and the application identifier.
Step 507, the authentication server determines the application identifier of the application server according to the identity information of the application server.
The authentication server acquires the application identifier of the application server, and determines the application identifier of the application server according to the identity information of the application server in order to ensure that the acquired application identifier is indeed the application identifier of the application server.
For example, if the application account with which the application server authenticates itself to the authentication server is used as the application identifier, then the application account obtained by the authentication server after the application server's identity authentication passes is the application identifier of the application server. It should be noted that the identity authentication here refers to identity authentication of the application server to the authentication server. For example, the verification request sent from the application server to the authentication server in step 506 carries the authentication information of the application server, such as the application account and password, the application account and an encrypted value computed with a key, a token, or a session state. The authentication server authenticates the application server according to this identity authentication information; after it passes, the authentication server obtains the application account from the identity authentication information, or the application account associated with the token or session state, and the obtained application account is the application identifier of the application server.
For another example, the domain name is used as one kind of identity information of the application server, and if the domain name is used as the application identifier, the authentication server performs domain name reverse resolution according to the IP address of the application server to obtain the domain name, and then uses the obtained domain name as the application identifier of the application server.
For yet another example, a correspondence between the identity information of the application server and the application identifier is pre-stored in the authentication server; the authentication server obtains the identity information of the application server (for example, its application account, IP address, or domain name) and then looks up the application identifier of the application server in the correspondence according to the obtained identity information.
Further, after the authentication server obtains the application identifier of the application server, if the verification request sent by the application server also includes the application identifier, the authentication server determines whether the obtained application identifier of the application server is consistent with the application identifier included in the verification request; if yes, go to step 508 and its subsequent steps; if not, then step 508 and its subsequent steps are not performed.
Step 508, the authentication server acquires a second master key according to the temporary user identifier.
In step 501, after the smart device and the authentication server successfully perform the authentication and key agreement process, an association between the temporary user identifier and the second master key is stored in the authentication server, and the authentication server obtains the associated second master key from this association according to the temporary user identifier. It will be appreciated that the second master key so obtained is the second master key generated by the authentication server in step 501.
Step 509, the authentication server verifies the first cryptographic value based on the second master key and the application identification of the application server.
Since the first master key generated on the smart device and the second master key generated on the authentication server have the same value once authentication and key agreement has succeeded, the authentication server may verify the first encrypted value based on the second master key obtained in step 508 and the application identifier determined in step 507, using an implementation corresponding to the one the smart device used when generating the first encrypted value from the first master key and the application identifier.
Specifically, the following substeps may be included:
Sub-step 509-1: the authentication server generates a second authentication key based on the second master key, using the same authentication key generation method as the smart device.
The authentication server generates the second authentication key based on the second master key using the same authentication key generation method that the smart device used when generating the first authentication key, where "the same generation method" means that the key derivation algorithm, the input information, and the selected parameters are all kept identical. Since the first master key on the smart device and the second master key on the authentication server have the same value, the generated second authentication key has the same value as the first authentication key generated on the smart device.
Specifically, the second authentication key generation manner may include:
For example, taking the same authentication key generation method as the smart device in step 504-1 as an example, if the smart device uses the first master key directly as the first authentication key, the authentication server uses the second master key directly as the second authentication key.
For another example, taking the same authentication key generation method as the smart device in step 504-1 as an example, if the smart device generates the first authentication key based on the information including the first master key, the authentication server generates the second authentication key based on the information including the second master key, and the generation method of the second authentication key is consistent with the generation method of the smart device generating the first authentication key. It will be appreciated that if the smart device generates the first authentication key also includes other input information or input parameters, the authentication server also generates the second authentication key including using the same input information or input parameters so that the value of the generated second authentication key is the same as the value of the first authentication key generated by the smart device.
Specifically, taking the example corresponding to step 504-1, the key derivation formula is: DK = PBKDF2(passphrase, Salt, c, dkLen), where: DK is the generated second authentication key; PBKDF2 is the same key derivation algorithm as used by the smart device; passphrase is the second master key, or a string concatenated from the second master key and other information, where the other information has the same values as those used when the smart device generated the first authentication key and is combined in the same order as on the smart device; for example, passphrase is the concatenation of the second master key with the first fixed string (2) or/and the first random string or/and the first timestamp or/and the temporary user identifier or/and the application identifier, where the first fixed string (2) is a pre-configured string having the same value as the first fixed string (1) pre-configured on the smart device, and the first random string or/and the first timestamp is/are obtained from the verification request sent by the application server; Salt is a salt value, a fixed string identical to that on the smart device; c is the same iteration count as on the smart device; and dkLen is the same key output length as on the smart device.
Up to this point, since the values of the first master key on the smart device and the second master key obtained from the temporary user identity on the authentication server are the same, and since the first authentication key and the second authentication key are generated based on master keys having the same values using the same key generation method, the values of the first authentication key and the second authentication key are also the same.
Sub-step 509-2: the authentication server generates second verification information.
The authentication server generates second verification information in a manner consistent with that of the smart device generating the first verification information, such that the value of the generated second verification information is the same as that of the smart device generating the first verification information.
Taking the same way of generating the first verification information as that used in sub-step 504-2, if the smart device uses one of the second fixed string (1), the second random string, the second timestamp, the temporary user identifier, or the application identifier as the first verification information, the authentication server uses the same one of the second fixed string (2), the second random string, the second timestamp, the temporary user identifier, or the application identifier as the second verification information.
Taking the same way of generating the first verification information as that used in the sub-step 504-2, if the smart device uses the hash value of one of the second fixed string (1), the second random string, the second timestamp, the temporary user identifier, or the application identifier as the first verification information, the authentication server performs hash calculation on the same one of the second fixed string (2), the second random string, the second timestamp, the temporary user identifier, or the application identifier using the same hash algorithm, and uses the generated hash value as the second verification information.
Taking the same way of generating the first verification information as that used in sub-step 504-2, if the smart device generates the first verification information from information comprising the second fixed string (1) or/and the second random string or/and the second timestamp or/and the temporary user identifier or/and the application identifier, then the authentication server generates the second verification information from information comprising the second fixed string (2) or/and the second random string or/and the second timestamp or/and the temporary user identifier or/and the application identifier. For example, if the smart device concatenates the second fixed string (1) or/and the second random string or/and the second timestamp or/and the temporary user identifier or/and the application identifier to form the first verification information, the authentication server concatenates the second fixed string (2) or/and the second random string or/and the second timestamp or/and the temporary user identifier or/and the application identifier in the same way to form the second verification information.
Taking the same way of generating the first verification information as that used in the sub-step 504-2, for example, if the smart device combines and concatenates the information including the second fixed character string (1) or/and the second random character string or/and the second timestamp or/and the temporary user identifier or/and the application identifier to generate the hash value as the first verification information, the authentication server combines and concatenates the information including the second fixed character string (2) or/and the second random character string or/and the second timestamp or/and the temporary user identifier or/and the application identifier in the same way, performs hash calculation on the combined and concatenated information using the same hash algorithm, and uses the generated hash value as the second verification information.
Wherein the second fixed character string (2) is a character string that is pre-configured and has the same value as the second fixed character string (1) pre-configured on the smart device, the second random character string or/and the second timestamp is sent by the smart device, and the application identifier is the application identifier of the application server determined in step 507.
It will be appreciated that if the smart device also uses other input information when generating the first verification information, the authentication server uses the same input information when generating the second verification information, so that the generated second verification information has the same value as the first verification information generated by the smart device.
Up to this point, since the first verification information and the second verification information are generated from information of the same values using the same generation method, the values of the first verification information and the second verification information are also the same.
It is understood that, since the smart device further includes the application identifier in the information for generating the first authentication key or/and the information for generating the first verification information, the authentication server also includes the application identifier in the information for generating the second authentication key or/and the information for generating the second verification information.
Sub-step 509-3: the authentication server verifies the first encrypted value based on the second authentication key and the second verification information.
Corresponding to the various implementations by which the smart device may generate the first encrypted value, the authentication server must use the corresponding implementation when verifying the first encrypted value based on the second authentication key and the second verification information. The specific implementations include the following:
In a first embodiment, corresponding to the embodiment in which the smart device generates the first encrypted value using a signature algorithm, the authentication server verifies the first encrypted value based on the second authentication key and the second verification information using the same signature algorithm as the smart device. This specifically comprises the following sub-steps:
Sub-step a: the authentication server signs the second verification information with the second authentication key using the same signature algorithm as the smart device, generating a second encrypted value.
The authentication server uses the same signature algorithm as the smart device to sign the second verification information with the second authentication key, producing a signature value; this signature value is the second encrypted value.
For example, taking the same hashed message authentication code as the smart device in sub-step 504-3 as the signature algorithm, the signature scheme can be expressed as: Signature = HMAC_SHA256(k, m), where m is the information to be signed, i.e. the second verification information; k is the signing key, i.e. the second authentication key; HMAC_SHA256 is the same hashed message authentication code as on the smart device; and Signature is the signature value, i.e. the second encrypted value.
For another example, taking the same keyed hash function as the smart device in sub-step 504-3 as the signature algorithm, the signature scheme can be expressed as: Signature = SHA256(k || m), where m is the information to be signed, i.e. the second verification information; k is the signing key, i.e. the second authentication key; "k || m" denotes the concatenation of k and m; SHA256 is the same hash function as on the smart device; and Signature is the signature value, i.e. the second encrypted value.
Up to this point, since the authentication server uses the same signature algorithm as the smart device, the second verification information and the first verification information are the same value of the information to be signed, and the second authentication key and the first authentication key are the same value of the signature key, the generated second encrypted value and the first encrypted value should be the same.
The authentication server compares whether the second encryption value is consistent with the first encryption value; and if the first encryption value is consistent with the second encryption value, the first encryption value is determined to be successfully verified.
The authentication server comparing whether the second encrypted value and the first encrypted value are consistent, comprising:
if the comparison result is consistent, it is determined that the first cryptographic value is successfully verified.
If the comparison result is inconsistent, it is determined that the first cryptographic value fails to be verified.
In a second embodiment, corresponding to the embodiment in which the smart device generates the first encrypted value using a symmetric encryption algorithm, the authentication server verifies the first encrypted value based on the second authentication key and the second verification information using the same symmetric encryption algorithm as the smart device. This specifically comprises the following steps:
Step i: the authentication server decrypts the first encrypted value with the second authentication key using the same symmetric encryption algorithm as the smart device to obtain a plaintext, and obtains the first verification information from the plaintext.
The authentication server decrypts the first encrypted value based on the second authentication key using the same symmetric encryption algorithm as the smart device, thereby obtaining a decrypted plaintext.
For example, taking the same AES symmetric encryption algorithm as used by the smart device in sub-step 504-3, the decryption can be expressed as: m = AES_DECRYPT(s, k), where m is the decryption result, i.e. the decrypted plaintext; k is the decryption key, i.e. the second authentication key; AES_DECRYPT is the decryption algorithm; and s is the ciphertext, i.e. the first encrypted value.
Since the plaintext is the first verification information, or information that includes the first verification information, the decrypted first verification information can be obtained from the plaintext.
The authentication server compares whether the second verification information is consistent with the decrypted first verification information; if they are consistent, the first encrypted value is determined to be successfully verified.
The authentication server compares whether the second verification information is consistent with the decrypted first verification information, and the method comprises the following steps:
if the comparison result is consistent, it is determined that the first cryptographic value is successfully verified.
If the comparison result is inconsistent, it is determined that the first cryptographic value fails to be verified.
Step 510, optionally, if it is determined that the first encryption value is successfully verified, the authentication server determines corresponding user identification information according to the temporary user identification.
If it is determined that the first encryption value is successfully verified, the authentication server determines corresponding user identification information according to the temporary user identification, which may specifically include:
Step 510a, determining a user identity from the temporary user identifier.
Both the temporary user identifier and the user identity determined from it can be used to uniquely identify the user.
For example, the mobile user identifier is obtained from the association relationship between the temporary user identifier and the mobile user identifier according to the temporary user identifier, and the mobile user identifier is determined as the user identity identifier. The association relationship between the temporary user identifier and the mobile user identifier is established in the process of authentication and key agreement between the intelligent device and the authentication server.
For another example, the mobile subscriber identity is obtained from the association relationship between the temporary subscriber identity and the mobile subscriber identity according to the temporary subscriber identity, and then the corresponding MSISDN is obtained according to the mobile subscriber identity, and the corresponding MSISDN is determined as the subscriber identity. Specifically, in a subscriber data system (for example, a home subscriber server HSS or a unified data management UDM), a mapping relationship between a mobile subscriber identity and an MSISDN is stored, and a corresponding MSISDN may be obtained in the mapping relationship according to the mobile subscriber identity. Therefore, the authentication server sends an MSISDN query request including the mobile subscriber identity to the subscriber data system, and the subscriber data system feeds back the MSISDN corresponding to the mobile subscriber identity to the authentication server, so that the authentication server obtains the corresponding MSISDN.
For another example, an association relationship between the temporary user identifier and the user identifier is pre-established, and the user identifier is obtained in the association relationship according to the temporary user identifier. Specifically, a user identity corresponding to the mobile user identity is pre-established on the authentication server, and during the process of authentication and key agreement between the intelligent device and the authentication server, the corresponding user identity is obtained according to the mobile user identity, and then the association relationship between the temporary user identity and the user identity is established, so that the user identity can be searched and obtained in the association relationship according to the temporary user identity.
Step 510b, determining user identification information according to the user identity.
The authentication server determines corresponding user identification information according to the user identity, which may include various embodiments, and specifically may include:
In the first embodiment, the user identity is used directly as the user identification information.
In the second embodiment, the first OpenID corresponding to the user identity and the application identifier is obtained, and the first OpenID is used as user identification information.
Specifically, the corresponding relationship between the user identity and the application identity and the first OpenID is stored in the authentication server, that is, the corresponding first OpenID can be found in the corresponding relationship according to the user identity and the application identity.
The authentication server searches for the corresponding first OpenID in the correspondence according to the user identity and the application identifier.
If the corresponding first OpenID is found, this indicates that the authentication server has already created, for this user identity, a unique identifier of the user specific to this application, that is, a first OpenID for this application identifier; the authentication server obtains that first OpenID.
If the corresponding first OpenID is not found, this indicates that the authentication server has not yet created such an application-specific unique identifier for this user identity, that is, no first OpenID exists for it. The authentication server then generates a unique OpenID, that is, a unique string, as the first OpenID, and stores the correspondence between the user identity, the application identifier, and the first OpenID, so that the first OpenID can subsequently be obtained from the correspondence according to the user identity and the application identifier.
In a third embodiment, a second OpenID is generated by encrypting based on the user identity and the application identity, and the second OpenID is used as user identification information.
The authentication server uses a value derived from the user identity and the application identifier as the second OpenID; for example, after combining the user identity and the application identifier, a hash value is computed with a hash algorithm and used as the second OpenID. The next time the user identity and the application identifier are combined in the same way and hashed with the same hash algorithm, a second OpenID with the same value is produced.
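The second and third embodiments of step 510b as an added Python example, not code from the patent: the registry creates and stores a first OpenID per (user identity, application identifier) pair, and the hash-derived second OpenID is shown with two assumptions beyond the text, length-prefixed fields and a keyed hash under a server-side secret. All names and sample values are placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed example; every name and value here is a placeholder chosen for this
# illustration, not an identifier from the patent.


class OpenIdRegistry:
    """Second embodiment: the first OpenID is looked up by (user identity, application
    identifier) and created on first use, so each application receives its own stable
    identifier for the same user and two applications cannot link their identifiers."""

    def __init__(self) -> None:
        self._first_open_ids: dict[tuple[str, str], str] = {}

    def first_open_id(self, user_identity: str, app_id: str) -> str:
        key = (user_identity, app_id)
        if key not in self._first_open_ids:            # not found: create and store it
            self._first_open_ids[key] = secrets.token_urlsafe(16)
        return self._first_open_ids[key]


def second_open_id(user_identity: str, app_id: str, server_secret: bytes) -> str:
    """Third embodiment: derive the second OpenID by hashing the combined user identity
    and application identifier. Two details are assumptions added here, not taken from
    the text: the fields are length-prefixed so that distinct (identity, app) pairs
    cannot collide after concatenation, and the hash is keyed with a server-side secret
    so that a small identifier space such as MSISDNs cannot be enumerated from a
    disclosed OpenID."""
    combined = f"{len(user_identity)}:{user_identity}{len(app_id)}:{app_id}".encode()
    return hmac.new(server_secret, combined, hashlib.sha256).hexdigest()


def pairwise_properties() -> tuple[bool, bool]:
    """Returns (identifiers are stable across repeated calls,
                identifiers differ between applications) for both embodiments."""
    registry = OpenIdRegistry()
    secret = secrets.token_bytes(32)
    identity = "user-identity-001"                      # constructed sample identity
    stable = (registry.first_open_id(identity, "app-A") == registry.first_open_id(identity, "app-A")
              and second_open_id(identity, "app-A", secret) == second_open_id(identity, "app-A", secret))
    distinct = (registry.first_open_id(identity, "app-A") != registry.first_open_id(identity, "app-B")
                and second_open_id(identity, "app-A", secret) != second_open_id(identity, "app-B", secret))
    return stable, distinct


if __name__ == "__main__":
    print(pairwise_properties())  # (True, True)
```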
Step 511, the authentication server feeds back a corresponding response message to the application server according to the verification result of the first encryption value.
The authentication server feeds back a corresponding response message to the application server according to the verification result of the first encryption value, and the method specifically comprises the following steps:
if the first encryption value is determined to be successfully verified, feeding back a response message indicating successful verification to the application server;
further, if the step 510 is implemented, the authentication server further includes the user identification information in the response message indicating that the verification is successful, that is, the user identity, the first OpenID or/and the second OpenID is included.
If the first encryption value is determined to fail verification, a response message indicating that the verification failed is fed back to the application server.
Accordingly, the application server receives the response message fed back by the authentication server.
Step 512, the application server executes the corresponding target operation according to the response message fed back by the authentication server.
The application server determines whether the identity authentication of the intelligent equipment is successful and executes corresponding target operation according to the received response message fed back by the authentication server, and the method comprises the following steps:
if the response message is the response message which represents that the verification is successful, the application server determines that the identity authentication of the intelligent equipment is successful and executes the target operation; for example, if the target operation is a login operation, a network access operation or a report state operation, the corresponding operation is executed.
Further, if the step 510 is implemented and the response message indicating that the verification is successful further includes user identification information, the application server may use the obtained user identity, the first OpenID, or/and the second OpenID as an identifier for identifying the identity of the user or the smart device, for example, store the user identity, the first OpenID, or/and the second OpenID for identifying the identity of the smart device in the next operation of the smart device, or bind with a user account of the user or the smart device in the application server. Thus, even if the intelligent equipment is replaced, the same subscriber identification information is obtained by the application server as long as the same subscriber identification module SIM is used, so that the consistency of the information and the service provided by the application server can be maintained.
If the response message indicates that the verification failed, the application server determines that the identity authentication of the smart device failed and does not execute the target operation.
It should be noted that, after the step 501 is implemented once, the smart device, the application server and the authentication server may implement the steps 502 to 512 multiple times, that is, the smart device, the application server and the authentication server may implement the identity authentication process described in the steps 502 to 512 multiple times based on the information such as the master key and the temporary user identifier negotiated in the step 501, so that the identity authentication of the smart device to the application server and the target operation may be implemented multiple times.
It should be noted that the purpose of having the smart device generate the first encrypted value in step 504 from the first master key together with the application identifier is to bind the first encrypted value to the application identifier, so that the first encrypted value can only serve identity authentication toward the application server corresponding to that application identifier and not toward other application servers. This prevents an application server from impersonating the smart device by forwarding the operation request to other application servers and authenticating there. For example, if the information used to generate the first encrypted value did not include the application identifier, then after receiving the temporary user identifier and the first encrypted value from the smart device, the application server could replay them to another application server as if it were the smart device; when that other application server passed the temporary user identifier and the first encrypted value to the authentication server for verification, the verification would succeed, because the authentication server could not check whether the first encrypted value was bound to the identity of that other application server, that is, whether the first encrypted value had been generated for identity authentication with that other application server.
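The server-side check of sub-steps 509-1 to 509-3 (HMAC embodiment) together with the application-identifier binding explained above, as an added Python example that is not part of the patent text. It assumes SHA-256 as the hash, "|" as the concatenation separator, and the placeholder names in the code, and it shows that a first encrypted value produced for one application identifier does not verify when replayed through an application server with a different identifier.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example. Every constant, function and field name below is a placeholder
# chosen for this illustration, not an identifier from the patent.
FIXED_STRING_1 = "fixed-string-1"   # first fixed string, preconfigured on device and server
FIXED_STRING_2 = "fixed-string-2"   # second fixed string, preconfigured on device and server
SALT = b"shared-fixed-salt"         # Salt: fixed string identical on both sides
ITERATIONS = 10_000                 # c: iteration count identical on both sides
DK_LEN = 32                         # dkLen: output length identical on both sides


def derive_authentication_key(master_key: bytes, random_1: str, timestamp_1: str,
                              temp_user_id: str, app_id: str) -> bytes:
    """Sub-steps 504-1 / 509-1: DK = PBKDF2(passphrase, Salt, c, dkLen). The passphrase
    is the master key concatenated with the first fixed string, first random string,
    first timestamp, temporary user identifier and application identifier; the order
    must be identical on the device and the authentication server."""
    passphrase = "|".join([master_key.hex(), FIXED_STRING_1, random_1, timestamp_1,
                           temp_user_id, app_id]).encode()
    return hashlib.pbkdf2_hmac("sha256", passphrase, SALT, ITERATIONS, DK_LEN)


def build_verification_info(random_2: str, timestamp_2: str,
                            temp_user_id: str, app_id: str) -> bytes:
    """Sub-steps 504-2 / 509-2: SHA-256 over the concatenated second fixed string,
    second random string, second timestamp, temporary user identifier and application identifier."""
    combined = "|".join([FIXED_STRING_2, random_2, timestamp_2, temp_user_id, app_id])
    return hashlib.sha256(combined.encode()).digest()


def sign(authentication_key: bytes, verification_info: bytes) -> bytes:
    """Sub-step 504-3 / sub-step a: Signature = HMAC_SHA256(k, m)."""
    return hmac.new(authentication_key, verification_info, hashlib.sha256).digest()


def device_build_operation_request(master_key: bytes, temp_user_id: str, app_id: str) -> dict:
    """Steps 504-505 on the smart device: build the operation request for one application
    server. The application identifier enters both the authentication key and the
    verification information, which is what binds the first encrypted value to that server."""
    random_1, random_2 = secrets.token_hex(8), secrets.token_hex(8)
    timestamp_1 = timestamp_2 = str(int(time.time()))
    k1 = derive_authentication_key(master_key, random_1, timestamp_1, temp_user_id, app_id)
    info_1 = build_verification_info(random_2, timestamp_2, temp_user_id, app_id)
    return {"temp_user_id": temp_user_id, "first_encrypted_value": sign(k1, info_1),
            "random_1": random_1, "random_2": random_2,
            "timestamp_1": timestamp_1, "timestamp_2": timestamp_2}


class AuthenticationServer:
    """Holds the temporary-user-id -> second-master-key association from step 501 and
    performs steps 508-509 on a verification request forwarded by an application server."""

    def __init__(self) -> None:
        self._master_keys: dict[str, bytes] = {}

    def register_session(self, temp_user_id: str, second_master_key: bytes) -> None:
        self._master_keys[temp_user_id] = second_master_key

    def verify(self, request: dict, app_id_of_sender: str) -> bool:
        # app_id_of_sender is the identifier the authentication server determined from the
        # application server's own identity (step 507), never a value copied from the request.
        second_master_key = self._master_keys.get(request["temp_user_id"])
        if second_master_key is None:                   # step 508: unknown temporary user id
            return False
        k2 = derive_authentication_key(second_master_key, request["random_1"],              # 509-1
                                       request["timestamp_1"], request["temp_user_id"],
                                       app_id_of_sender)
        info_2 = build_verification_info(request["random_2"], request["timestamp_2"],       # 509-2
                                         request["temp_user_id"], app_id_of_sender)
        second_encrypted_value = sign(k2, info_2)                                           # 509-3
        # Constant-time comparison of the second and first encrypted values.
        return hmac.compare_digest(second_encrypted_value, request["first_encrypted_value"])


def demo_application_binding() -> tuple[bool, bool]:
    """Returns (verified at the intended server, verified after replay via another server)."""
    server = AuthenticationServer()
    master_key = secrets.token_bytes(32)                # step 501: same value on both sides
    server.register_session("tmp-user-001", master_key)
    request = device_build_operation_request(master_key, "tmp-user-001", "app-A")
    at_intended = server.verify(request, "app-A")       # app-A forwards its own request
    replayed = server.verify(request, "app-B")          # same request forwarded via app-B
    return at_intended, replayed


if __name__ == "__main__":
    print(demo_application_binding())  # (True, False)
```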
In summary, in the method provided in this embodiment, the smart device sends an operation request for executing a target operation to the application server according to the application identifier of the application server, based on the temporary user identifier and the first master key generated after successful authentication and key agreement with the authentication server; the application server sends a verification request including the relevant authentication information to the authentication server; the authentication server verifies the verification request based on the association between the temporary user identifier and the second master key generated and stored after successful authentication and key agreement with the smart device; and the application server determines whether the authentication of the smart device succeeded and whether to execute the target operation according to the verification result fed back by the authentication server.
The technical effects of this embodiment at least include: first, the problem that operation is complex and inefficient because the user must input authentication information in existing identity authentication modes for smart devices is solved, and user experience is improved; second, authentication information does not need to be written into the smart device in advance during production, so production efficiency can be improved and production cost saved; third, even if the smart device is replaced, as long as the same subscriber identity module SIM is used the application server can identify the smart device by the subscriber identity information, so the problem that the subscriber account needs to be bound again after the smart device is replaced is solved; fourth, the authentication server can provide a centralized, platform-level verification service to the application server, which enables the application server to offer a secure and convenient identity authentication mode to the smart device; fifth, the subscriber identity module SIM, a necessary component of a subscriber in a mobile communication network, is applied to identity authentication for application services such as the Internet and the Internet of Things, improving the subscriber acquisition efficiency of application service providers and reducing subscriber investment; and sixth, a centralized, platform-level basic service capability facing Internet and Internet of Things services is provided to communication operators, promoting the fusion of the communication network with the Internet and the Internet of Things.
Seventh, Authentication and Key Agreement Process Embodiment
Referring to fig. 6, a flowchart of an embodiment of an authentication and key agreement process provided in the present invention is shown. This embodiment is illustrated by applying the process to the implementation environment shown in fig. 1, where the process may include:
step 601, the intelligent device obtains the mobile subscriber identity of the subscriber identity module SIM.
In this embodiment, the SIM is a USIM, and the subscriber data system is a home subscriber server HSS or/and a unified data management UDM.
For example, taking the home subscriber server HSS as the subscriber data system, the mobile subscriber identity obtained from the USIM is the IMSI; the smart device obtains the IMSI through an API of the operating system (for example, the getSubscriberId method on Android), or reads the EF_IMSI file of the USIM through an APDU command.
For another example, taking the unified data management UDM as the subscriber data system, the mobile subscriber identity obtained from the USIM is the SUPI, which is composed of an IMSI and a network identity.
It should be noted that, in practical application, the unified data management UDM is mainly used as the subscriber data system of a 5G network and the home subscriber server HSS mainly as the subscriber data system of a 3G/4G network; however, if the unified data management UDM maintains forward compatibility with the home subscriber server HSS, the examples given for the home subscriber server HSS in each step of this embodiment may also be applied to the unified data management UDM.
Step 602, the smart device sends an authentication and key agreement request to an authentication server, wherein the authentication and key agreement request comprises a mobile user identification.
Further, as illustrated in step 601 above, if the mobile subscriber identity is the SUPI, the SUPI may be further encrypted to generate a SUCI, and the SUCI used as the mobile subscriber identity in the authentication and key agreement request, i.e. the smart device sends an authentication and key agreement request including the SUCI to the authentication server.
Accordingly, the authentication server receives the authentication and key agreement request sent by the intelligent device and acquires the mobile user identification included in the authentication and key agreement request.
Step 603, the authentication server sends an authentication request to the subscriber data system, the authentication request including the mobile subscriber identity.
For example, taking the example that the used subscriber data system is a home subscriber server HSS and the mobile subscriber identity is an IMSI, the Multimedia-Auth-Request authentication Request may be sent to the SWx interface of the home subscriber server HSS, with the mobile subscriber identity (i.e. IMSI) included in the authentication Request.
For another example, taking the home subscriber server HSS as the subscriber data system and the IMSI as the mobile subscriber identity, the Authentication-Information-Request_S6 authentication request may be sent to the S6a interface of the home subscriber server HSS, where the authentication request includes the mobile subscriber identity (i.e. IMSI), the serving network identity and the network type; the serving network identity is, for example, MCC (Mobile Country Code) + MNC (Mobile Network Code), and the network type is E-UTRAN.
For another example, taking the unified data management UDM as the subscriber data system and the SUPI or SUCI as the mobile subscriber identity, the authentication server sends a Nudm_Authentication_Get authentication request to the unified data management UDM, where the authentication request includes the mobile subscriber identity (i.e. SUPI or SUCI) and the serving network name (SN name), which is the serving network name of the authentication server.
It should be noted that, if the authentication server is connected to the home subscriber server HSS and the unified data management UDM at the same time, the authentication server needs to send the authentication request to the home subscriber server HSS or the unified data management UDM to which the mobile subscriber identifier belongs, for example, it is determined whether the authentication request is to be sent to the home subscriber server HSS or the unified data management UDM according to the type or range of the mobile subscriber identifier.
Step 604, the authentication server receives an authentication response fed back by the user data system, wherein the authentication response comprises a random number RAND, an authentication token AUTN, a second expected response value and a second initial key.
After the user data system receives the authentication request sent by the authentication server, the user data system feeds back a corresponding authentication response according to the authentication request, wherein the authentication response comprises a random number RAND, an authentication token AUTN, a second expected response value and a second initial key.
Accordingly, the authentication server obtains the random number RAND, the authentication token AUTN, the second expected response value and the second initial key from the authentication response.
For example, taking the example that the used subscriber data system is the home subscriber server HSS, after the home subscriber server HSS receives the Multimedia-Auth-Request authentication Request sent by the authentication server, the home subscriber server HSS returns a Multimedia-Auth-Answer authentication response to the authentication server, where the authentication response includes the random number RAND, the authentication token AUTN, the expected response value XRES, the second encryption key CK, and the second integrity key IK, where the second expected response value is the expected response value XRES, and the second initial key is the second encryption key CK or/and the second integrity key IK. It is to be understood that the second initial key is the second encryption key CK or/and the second integrity key IK, and means that the second encryption key CK or/and the second integrity key IK are included when the second initial key is generated or used.
For another example, again taking the home subscriber server HSS as the subscriber data system, after the home subscriber server HSS receives the Authentication-Information-Request_S6 authentication request sent by the authentication server, the home subscriber server HSS returns an Authentication-Information-Answer_S6 authentication response to the authentication server, where the authentication response includes the random number RAND, the authentication token AUTN, the expected response value XRES and the second key K_ASME; here the second expected response value is the expected response value XRES, and the second initial key is the second key K_ASME.
For another example, taking the unified data management UDM as the subscriber data system, after the unified data management UDM receives the Nudm_Authentication_Get authentication request sent by the authentication server, the unified data management UDM returns a Nudm_Authentication_Get authentication response to the authentication server, where the authentication response includes the random number RAND, the authentication token AUTN, the expected response value XRES* and the second key K_AUSF; here the second expected response value is the expected response value XRES*, and the second initial key is the second key K_AUSF. Further, if the mobile subscriber identity included in the Nudm_Authentication_Get authentication request sent by the authentication server to the unified data management UDM is a SUCI, the Nudm_Authentication_Get authentication response returned by the unified data management UDM also includes the SUPI obtained by decrypting the SUCI, and the authentication server uses the decrypted SUPI as the mobile subscriber identity in the subsequent steps.
Step 605, the authentication server sends an authentication and key agreement challenge message to the smart device, the authentication and key agreement challenge message including a random number RAND and an authentication token AUTN.
The authentication server retains the second expected response value and the second initial key and sends an authentication and key agreement challenge message to the smart device, the authentication and key agreement challenge message including the random number RAND and the authentication token AUTN.
Accordingly, the smart device receives the authentication and key agreement challenge message sent by the authentication server, and obtains the random number RAND and the authentication token AUTN therefrom.
Step 606, the smart device sends an authentication request to the subscriber identity module SIM, the authentication request comprising the random number RAND and the authentication token AUTN.
The smart device sends an authentication request (for example by sending an APDU command AUTHENTICATE) to the subscriber identity module SIM, the authentication request comprising the random number RAND and the authentication token AUTN.
Step 607. the smart device receives a return value of the subscriber identity module SIM, and obtains a first expected response value according to the return value, where the return value includes the expected response value RES, the first ciphering key CK, and the first integrity key IK.
After the subscriber identity module SIM receives an authentication request sent by the smart device, the subscriber identity module SIM sends a return value to the smart device after authentication calculation, where the return value includes an expected response value RES, a first ciphering key CK, and a first integrity key IK, and the smart device receives the return value.
Taking the home subscriber server HSS as the subscriber data system, i.e. the case where the second expected response value retained by the authentication server is the expected response value XRES, the expected response value RES that the smart device obtains from the return value is the corresponding first expected response value.
Taking the unified data management UDM as the subscriber data system, i.e. the case where the second expected response value retained by the authentication server is the expected response value XRES*, the smart device generates the expected response value RES* from the expected response value RES in the same way as the unified data management UDM generates the expected response value XRES*, as specified in "RES* and XRES* derivation function" in TS 33.501 Annex A.4; this RES* is the first expected response value.
Further, in order to protect the expected response value RES or the expected response value RES* from being leaked during transmission, a hash algorithm (e.g. SHA-256) may be used to compute a hash over the expected response value RES or RES*, and the resulting hash value is used as the first expected response value, so that the expected response value RES or RES* is not sent in plaintext.
Step 608, the smart device sends an authentication and key agreement challenge response message to the authentication server, the authentication and key agreement challenge response message including the first expected response value.
The smart device sends an authentication and key agreement challenge-response message to the authentication server, the authentication and key agreement challenge-response message including the first expected response value.
Correspondingly, the authentication server receives an authentication and key agreement challenge response message sent by the intelligent device and acquires the first expected response value.
Step 609, the authentication server verifies the first expected response value based on the second expected response value; if the first expected response value is verified to be valid, step 610 is performed.
After the authentication server acquires the first expected response value from the received authentication and key agreement challenge response message, it verifies the first expected response value against the locally retained second expected response value:
If the first expected response value is the expected response value RES or RES* in plaintext, the authentication server compares whether the second expected response value is consistent with the first expected response value; if so, it determines that the first expected response value is valid; if not, it determines that the first expected response value is invalid. Alternatively,
if the first expected response value is the hash value computed over the expected response value RES or RES*, the authentication server computes a hash value over the second expected response value using the same hash computation and compares whether the two hash values are consistent; if so, it determines that the first expected response value is valid; if not, it determines that the first expected response value is invalid.
If the first expected response value is determined to be valid, the following step 610 is performed; if it is determined to be invalid, an authentication and key agreement response message is sent to the smart device, where the authentication and key agreement response message is an authentication and key agreement failure response message, and the process jumps to step 613 below.
Step 610, the authentication server generates a second master key based on the second initial key.
In step 605 the authentication server retained the second initial key; it now generates the second master key based on that second initial key.
For example, the second initial key is used as the second master key.
As another example, the second master key is generated based on information including the second initial key. Specifically, taking the formula of a key derivation algorithm as an example, it can be expressed as DK = PBKDF2(passphrase, Salt, c, dkLen), where: DK is the generated second master key; PBKDF2 is the key derivation algorithm; passphrase is a string concatenated from the second initial key combined with other information, e.g. passphrase is the second initial key alone, or the second initial key concatenated with a fourth fixed string (2) or/and a fourth random string or/and a fourth timestamp or/and the mobile subscriber identity, where the fourth fixed string (2) is a pre-configured string with the same value as the fourth fixed string (1) pre-configured on the smart device, the fourth random string is a locally and randomly generated string, and the fourth timestamp is obtained from the current system time of the authentication server; Salt is a salt value, in this example a fixed string; c is the number of iterations; dkLen is the key output length, which can be chosen to produce the required key length.
Step 611, the authentication server generates a temporary user identifier and establishes an association relationship between the temporary user identifier and the second master key.
The authentication server generates a temporary user identifier and establishes an association relationship between the temporary user identifier and the second master key, so that the authentication server can acquire the second master key according to the temporary user identifier when receiving the temporary user identifier.
The authentication server may generate the temporary user identifier in various embodiments, which may specifically include:
in a first embodiment, the temporary user identity is generated from a random number RAND.
Since the random number RAND is a temporarily generated random number, the authentication server may generate a temporary user identifier according to the random number RAND, for example, using the random number RAND as the temporary user identifier, and for example, generating the temporary user identifier based on a certain rule according to the random number RAND (for example, generating the temporary user identifier by adding a prefix combination to the random number RAND).
In a second embodiment, the temporary user identifier is generated randomly or according to a certain rule.
The temporary user identifier is generated randomly, or generated according to a certain rule, for example, a unique random number is generated and a fixed prefix combination is added to generate the temporary user identifier.
Further, the authentication server establishes an association relationship between the temporary user identifier and the mobile user identifier, so that the mobile user identifier can be acquired in the association relationship according to the temporary user identifier.
Furthermore, a unique user identity is created in advance for the user on the authentication server, and a corresponding relationship between the mobile user identity and the user identity is created in advance, so that the corresponding user identity is obtained according to the mobile user identity, and then an association relationship between the temporary user identity and the user identity is created, so that the user identity can be obtained in the association relationship according to the temporary user identity.
Step 612, the authentication server sends an authentication and key agreement response message to the smart device, where the authentication and key agreement response message is an authentication and key agreement success response message.
If a third random string is also included in the information for generating the second master key, the third random string is also included in the authentication and key agreement success response message.
It should be noted that steps 610 and 611 may also be performed after step 612, that is, after the authentication server sends the authentication and key agreement success response message to the smart device. Of course, if the information for generating the second master key further includes a third random string, step 610 is performed before step 612.
Step 613, the smart device receives the authentication and key agreement response message sent by the authentication server and executes corresponding operations.
The intelligent equipment receives an authentication and key agreement response message sent by an authentication server, wherein the authentication and key agreement response message comprises an authentication and key agreement success response message or an authentication and key agreement failure response message.
The intelligent device executes corresponding operation according to the authentication and key agreement response message, and the operation comprises the following steps:
if the authenticate and key agreement response message is an authenticate and key agreement success response message, the smart device performs step 614, described below.
If the authentication and key agreement response message is an authentication and key agreement failure response message, the following steps are not executed, and the authentication and key agreement process is finished.
Step 614, the smart device generates a first master key based on a first initial key, which is generated based on the first ciphering key CK or/and the first integrity key IK.
In step 607, the smart device obtains the first ciphering key CK or/and the first integrity key IK from the return value sent by the SIM to the smart device, and the smart device generates the first initial key according to the first ciphering key CK or/and the first integrity key IK.
And the intelligent device takes the first encryption key CK or/and the first integrity key IK as a first initial key corresponding to the second initial key on the authentication server being the second encryption key CK or/and the second integrity key IK. It is understood that the first initial key is the first encryption key CK or/and the first integrity key IK, and means that the first encryption key CK or/and the first integrity key IK are included when the first initial key is generated or used, and the generation or use manner is consistent with that when the second initial key is the second encryption key CK or/and the second integrity key IK, so that the first initial key and the second initial key have the same value.
Corresponding to the case where the second initial key on the authentication server is the second key K_ASME, the smart device refers to "K_ASME derivation function" in TS 33.401 Annex A.2, i.e. it generates the first key K_ASME from the first ciphering key CK or/and the first integrity key IK in the same way as the home subscriber server HSS generates the second key K_ASME; the first key K_ASME is the first initial key.
Corresponding to the case where the second initial key on the authentication server is the second key K_AUSF, the smart device refers to "K_AUSF derivation function" in TS 33.501 Annex A.2, i.e. it generates the first key K_AUSF from the first ciphering key CK or/and the first integrity key IK in the same way as the unified data management UDM generates the second key K_AUSF; the first key K_AUSF is the first initial key.
After generating the first initial key, the smart device generates a first master key based on the first initial key using the same master key generation manner as the authentication server.
For example, if the authentication server has the second initial key as the second master key in step 610, the smart device has the first initial key as the first master key.
For another example, if in step 610 the authentication server generated the second master key based on information including the second initial key, the smart device generates the first master key based on information including the first initial key. Specifically, taking the same key derivation algorithm as the authentication server used in step 610 as an example, the formula may be expressed as DK = PBKDF2(passphrase, Salt, c, dkLen), where: DK is the generated first master key; PBKDF2 is the same key derivation algorithm as on the authentication server; passphrase is a string concatenated from the first initial key combined with other information, where the other information has the same values as used by the authentication server when generating the second master key and the concatenation order is the same as on the authentication server, e.g. passphrase is the first initial key concatenated with a fourth fixed string (1) or/and a fourth random string or/and a fourth timestamp or/and the mobile subscriber identity, the fourth fixed string (1) being a string pre-configured on the smart device with the same value as the fourth fixed string (2) used on the authentication server when generating the second master key, and the fourth random string or/and fourth timestamp being obtained from the authentication and key agreement success response message sent by the authentication server; Salt is the same fixed string as on the authentication server; c is the same number of iterations as on the authentication server; dkLen is the same key output length as on the authentication server.
Since the first initial key generated on the smart device and the second initial key obtained on the authentication server have the same value, and since the master keys are generated in the same manner, the first master key generated on the smart device and the second master key generated on the authentication server have the same value.
Step 615, the smart device obtains the temporary user identifier.
According to the embodiment in which the authentication server generates the temporary user identifier in step 611, the smart device obtains the temporary user identifier using the corresponding embodiment. The method specifically comprises the following steps:
in a first embodiment, if the authentication server generates the temporary user identifier according to the random number RAND, the smart device generates the temporary user identifier according to the random number RAND.
If the authentication server generates the temporary user identifier according to the random number RAND, since the intelligent device receives the authentication and key agreement challenge message sent by the authentication server in step 605 and acquires the random number RAND from the challenge message, the intelligent device generates the temporary user identifier according to the acquired random number RAND.
If the authentication server takes the random number RAND as a temporary user identifier, the intelligent equipment takes the random number RAND as the temporary user identifier; if the authentication server generates the temporary user identifier and the like based on a certain rule according to the random number RAND (for example, the temporary user identifier is generated by adding a prefix combination to the random number RAND), the intelligent device generates the temporary user identifier based on the same rule according to the random number RAND.
In a second implementation manner, if the authentication server generates the temporary user identifier randomly or according to a certain rule, the authentication server transmits the temporary user identifier to the intelligent device, and the intelligent device obtains the temporary user identifier.
If the authentication server generates the temporary user identifier randomly or according to a certain rule, the authentication server transmits the temporary user identifier to the intelligent device, for example, in step 612, the authentication and key agreement success response message sent by the authentication server to the intelligent device also includes the temporary user identifier, and the intelligent device obtains the temporary user identifier from the authentication and key agreement success response message after receiving the authentication and key agreement success response message; for another example, after receiving the authentication and key agreement success response message sent by the authentication server, the smart device sends an acquisition request of the temporary user identifier through a connection state or a session state maintained with the authentication server, and acquires the temporary user identifier fed back by the authentication server.
With the method provided in this embodiment, the smart device and the authentication server run the authentication and key agreement process, the smart device relying on the mobile subscriber identity, the mobile subscriber key (K) and the related AKA algorithm stored in the subscriber identity module SIM, and the authentication server relying on the mobile subscriber identity, the mobile subscriber key (K) and the related AKA algorithm stored in the subscriber data system. After the authentication and key agreement succeeds, the authentication server generates a second master key and a temporary user identifier and establishes the association between them, while the smart device generates a first master key and obtains the temporary user identifier. The smart device can then use the first master key and the temporary user identifier to generate authentication information and authenticate itself to the application server; the application server forwards the authentication information to the authentication server for verification, and the authentication server verifies it based on the second master key, the temporary user identifier and the association between them.
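The following Python simulation is an added example, not the patent's own code, of steps 607 to 615 in the HSS/SWx case: the SIM output (RES, CK, IK), the IMSI, the fixed string, the salt and the iteration count are constructed values; the first expected response value is SHA-256(RES); the master key is PBKDF2 over CK||IK, the fixed string and the IMSI; and the temporary user identifier is a prefix combined with RAND (first embodiment of step 611). It also runs the failure branch of step 609 with a wrong RES.

```python
import hashlib
import hmac
import secrets

# Constructed parameters shared by both sides (assumptions, not values from the patent).
FOURTH_FIXED_STRING = b"aka-master-key-v1"  # fourth fixed string (1)/(2), pre-configured on both sides
PBKDF2_SALT = b"fixed-salt"                 # Salt: a fixed string in this embodiment
PBKDF2_ITERATIONS = 10_000                  # c
MASTER_KEY_LEN = 32                         # dkLen, in bytes
TEMP_ID_PREFIX = "TMSI-"                    # prefix combined with RAND (first embodiment of step 611)


def first_expected_response(res: bytes) -> bytes:
    """Step 607 (HSS case): the device sends SHA-256(RES) instead of RES in plaintext."""
    return hashlib.sha256(res).digest()


def master_key(initial_key: bytes, mobile_subscriber_id: str) -> bytes:
    """Steps 610 / 614: DK = PBKDF2(passphrase, Salt, c, dkLen).
    passphrase = initial key || fourth fixed string || mobile subscriber identity; both sides
    must use exactly the same concatenation order for the keys to agree."""
    passphrase = initial_key + FOURTH_FIXED_STRING + mobile_subscriber_id.encode()
    return hashlib.pbkdf2_hmac("sha256", passphrase, PBKDF2_SALT, PBKDF2_ITERATIONS, MASTER_KEY_LEN)


def temporary_user_id(rand: bytes) -> str:
    """Steps 611 / 615, first embodiment: derive the temporary user identifier from RAND by a fixed rule."""
    return TEMP_ID_PREFIX + rand.hex()


class AuthenticationServer:
    """Holds the vector retained at step 605 and the association table built at step 611."""

    def __init__(self):
        self.pending = {}       # RAND -> (XRES, second initial key, mobile subscriber identity)
        self.associations = {}  # temporary user identifier -> (second master key, mobile subscriber identity)

    def retain_vector(self, rand, xres, ck, ik, mobile_subscriber_id):
        # Second initial key is CK||IK, as when the HSS answers over SWx (step 604).
        self.pending[rand] = (xres, ck + ik, mobile_subscriber_id)

    def verify_challenge_response(self, rand, first_expected):
        """Step 609: hash the retained XRES the same way and compare in constant time.
        Returns the temporary user identifier on success, None on failure."""
        entry = self.pending.pop(rand, None)
        if entry is None:
            return None
        xres, second_initial_key, msid = entry
        if not hmac.compare_digest(first_expected_response(xres), first_expected):
            return None                                        # AKA failure response
        second_master = master_key(second_initial_key, msid)   # step 610
        temp_id = temporary_user_id(rand)                      # step 611
        self.associations[temp_id] = (second_master, msid)
        return temp_id                                         # AKA success response


class SmartDevice:
    def __init__(self, imsi: str):
        self.imsi = imsi
        self.rand = None
        self.first_initial_key = None

    def answer_challenge(self, rand, sim_return_value):
        """Steps 606-608: the SIM return value (RES, CK, IK) is a constructed stand-in here."""
        res, ck, ik = sim_return_value
        self.rand = rand
        self.first_initial_key = ck + ik   # first initial key corresponding to the server's CK||IK
        return first_expected_response(res)

    def on_success(self):
        """Steps 614-615: first master key and temporary user identifier."""
        return master_key(self.first_initial_key, self.imsi), temporary_user_id(self.rand)


def run_aka(tamper: bool = False):
    """Drive one exchange. Returns (device master key, device temp id, server temp id,
    server master key), or None when the server rejects the challenge response."""
    imsi = "460001234567890"                       # constructed mobile subscriber identity
    rand = secrets.token_bytes(16)                 # RAND from the authentication vector
    xres, ck, ik = secrets.token_bytes(8), secrets.token_bytes(16), secrets.token_bytes(16)
    server = AuthenticationServer()
    server.retain_vector(rand, xres, ck, ik, imsi)              # steps 604-605
    device = SmartDevice(imsi)
    res = bytes(b ^ 0xFF for b in xres) if tamper else xres     # a genuine SIM returns RES == XRES
    challenge_response = device.answer_challenge(rand, (res, ck, ik))        # steps 606-608
    temp_id = server.verify_challenge_response(rand, challenge_response)      # steps 609-612
    if temp_id is None:
        return None                                             # step 613: failure, process ends
    device_master, device_temp_id = device.on_success()         # steps 614-615
    server_master, _ = server.associations[temp_id]
    return device_master, device_temp_id, temp_id, server_master


if __name__ == "__main__":
    ok = run_aka()
    print("keys agree:", ok[0] == ok[3], "temp ids agree:", ok[1] == ok[2])
    print("tampered RES accepted:", run_aka(tamper=True) is not None)
```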
Eighth, Authentication System Embodiment One
Please refer to fig. 7, which illustrates a schematic structural diagram of an authentication system according to a first embodiment of the present invention. The authentication system includes: the system comprises a first intelligent device, a first application server, a second intelligent device and an authentication server.
Wherein the first smart device is a smart device (such as a smart watch), the second smart device is another smart device (such as another smart watch), and the first application server is a server for providing application services (such as a smart watch-like application service) to the smart device.
When the first intelligent device performs identity authentication and executes target operation to the first application server, the first intelligent device is used as the intelligent device in the fourth embodiment of the identity authentication method, the first application server is used as the application server in the fourth embodiment of the identity authentication method, and the authentication server is used as the authentication server in the fourth embodiment of the identity authentication method, so as to implement the process described in the fourth embodiment of the identity authentication method; when the first smart device and the authentication server implement step 501 in the fourth embodiment of the identity authentication method, the authentication and key agreement process may also be implemented with reference to the embodiment of the authentication and key agreement process, that is, the first smart device is used as the smart device in the embodiment of the authentication and key agreement process, and the authentication server is used as the authentication server in the embodiment of the authentication and key agreement process, so as to implement the process in the embodiment of the authentication and key agreement process.
When the second smart device authenticates itself to the first application server and requests a target operation, the second smart device acts as the smart device, the first application server as the application server and the authentication server as the authentication server of the fourth embodiment of the identity authentication method, so as to implement the process described there. When the second smart device and the authentication server carry out step 501 of the fourth embodiment, the authentication and key agreement process may also be implemented as in the authentication and key agreement process embodiment, with the second smart device acting as the smart device and the authentication server as the authentication server of that embodiment.
The authentication system provided in this embodiment includes two smart devices, each connected to the application server, and each performing identity authentication to the application server and having it execute a corresponding target operation. In practice the authentication system may include more smart devices, each connected to the application server and each performing identity authentication and requesting a corresponding target operation from it; this is not described in detail here.
Ninth, authentication system embodiment two
Please refer to fig. 8, which is a schematic structural diagram of a second embodiment of an authentication system according to the present invention. The authentication system comprises a third smart device, a third application server, a fourth application server and an authentication server.
Wherein the third smart device is a smart device (for example a smart watch), the third application server is a server providing one application service to the third smart device (for example one application service for the smart watch), and the fourth application server is a server providing another application service to the third smart device (for example another application service for the smart watch).
The third smart device acts as the smart device, and the authentication server as the authentication server, of the fourth embodiment of the identity authentication method, so as to implement step 501 described there; further, step 501 may be implemented as in the authentication and key agreement process embodiment, with the third smart device acting as the smart device and the authentication server as the authentication server of that embodiment, so as to implement the process described there.
After step 501 of the fourth embodiment of the identity authentication method has been carried out, when the third smart device authenticates itself to the third application server and requests the target operation, the third smart device acts as the smart device, the authentication server as the authentication server and the third application server as the application server of that embodiment, so as to implement steps 502 to 512 described there. It should be noted that, so that the application identifier obtained by the third smart device in step 503 is that of the third application server, and so that the operation request sent in step 505 goes to the third application server, the operation instruction for executing the target operation may carry the application identifier and request address of the third application server, from which the third smart device reads them in step 503; alternatively, the application identifier and request address of the third application server are preconfigured on the third smart device, and the third smart device selects them according to the operation instruction, for example selecting those of the third application server when the instruction is one for executing the target operation.
After step 501 of the fourth embodiment of the identity authentication method has been carried out, when the third smart device authenticates itself to the fourth application server and requests the target operation, the third smart device acts as the smart device, the authentication server as the authentication server and the fourth application server as the application server of that embodiment, and steps 502 to 512 described there are carried out, so that identity authentication of the third smart device to the fourth application server is implemented. It should be noted that, so that the application identifier obtained by the third smart device in step 503 is that of the fourth application server, and so that the operation request sent in step 505 goes to the fourth application server, the operation instruction for executing the target operation may carry the application identifier and request address of the fourth application server, from which the third smart device reads them in step 503; alternatively, the application identifier and request address of the fourth application server are preconfigured on the third smart device, and the third smart device selects them according to the operation instruction, for example selecting those of the fourth application server when the instruction is one for executing another target operation.
It should further be noted that after the third smart device and the authentication server have carried out step 501 of the fourth embodiment of the identity authentication method once, the third smart device may carry out steps 502 to 512 of that embodiment with the third application server and with the fourth application server many times each, so that, on the basis of a single authentication and key agreement, identity authentication to the third and fourth application servers and execution of target operations by them can each be repeated many times.
In the authentication system provided in this embodiment, the smart device is connected to two application servers, performs identity authentication to each of them and has each execute a corresponding target operation. In practice the authentication system may include more application servers, to each of which the smart device is connected and to each of which it performs identity authentication and requests a corresponding target operation; this is not described in detail here.
Tenth, authentication system embodiment three
Please refer to fig. 9, which is a schematic structural diagram of a third embodiment of an authentication system according to the present invention. The authentication system comprises a first smart device, a first application server, a third smart device, a third application server, a fourth application server and an authentication server.
The manner in which the first smart device performs identity authentication to the first application server may follow the corresponding manner in the first authentication system embodiment and is not described again.
The manner in which the third smart device performs identity authentication to the third application server and to the fourth application server may follow the corresponding manner in the second authentication system embodiment and is not described again.
It should be noted that, in this document, the terms "comprises," "comprising," "includes," "passing," "sending," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system.
The terms "first," "second," "third," and the like (if any) are used solely to distinguish one from another and are not used to describe a particular order or sequence. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
The method, apparatus and system of the present invention can be implemented in a number of ways. For example, the methods, apparatus and systems of the present invention may be implemented by software, hardware, firmware or any combination of software, hardware and firmware. The above-described order for the steps of the method is for illustrative purposes only, and the steps of the method of the present invention are not limited to the order specifically described above unless specifically indicated otherwise. Furthermore, in some embodiments, the present invention may also be embodied as a program recorded in a recording medium, the program including machine-readable instructions for implementing a method according to the present invention. Thus, the present invention also covers a recording medium storing a program for executing the method according to the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. An identity authentication method, applied to a smart device, the method comprising the following steps:
performing authentication and key agreement with an authentication server based on a Subscriber Identity Module (SIM), if the authentication and key agreement is successful, generating a first master key, and acquiring a temporary subscriber identity transmitted by the authentication server;
acquiring an operation instruction for requesting an application server to execute a target operation;
acquiring an application identifier of the application server;
generating a first encrypted value by encryption based on the first master key and the application identifier;
sending an operation request for executing the target operation to the application server, and transferring the temporary user identifier and the first encrypted value to the application server, so that the application server authenticates the temporary user identifier and the first encrypted value, and executes the target operation if authentication is successful.
2. The method of claim 1, wherein performing authentication and key agreement with the authentication server based on the subscriber identity module SIM comprises:
acquiring a mobile subscriber identity of the subscriber identity module SIM;
sending an authentication and key agreement request to the authentication server, and transmitting the mobile user identifier to the authentication server, so that the authentication server acquires a random number RAND, an authentication token AUTN, a second expected response value and a second initial key from a user data system according to the mobile user identifier;
receiving an authentication and key agreement challenge message sent by the authentication server, and acquiring the random number RAND and the authentication token AUTN transmitted by the authentication server;
sending an authentication request to the subscriber identity module SIM and sending the random number RAND and the authentication token AUTN to the subscriber identity module SIM;
receiving an expected response value RES, a first encryption key CK and a first integrity key IK returned by the subscriber identity module SIM;
determining a first expected response value according to the expected response value RES;
sending an authentication and key agreement challenge response message to the authentication server and communicating the first expected response value to the authentication server, such that the authentication server determines whether authentication and key agreement is successful according to verification of the first expected response value;
if an authentication and key agreement success response message fed back by the authentication server is received, determining that the authentication and key agreement has succeeded, generating a first initial key based on the first encryption key CK and/or the first integrity key IK, generating a first master key based on the first initial key, and acquiring the temporary user identifier transmitted by the authentication server, wherein the first initial key is generated in the same manner as the second initial key generated by the user data system, and the first master key is generated in the same manner as the second master key generated by the authentication server.
3. An identity authentication method, applied to an application server, the method comprising the following steps:
receiving an operation request sent by a smart device for requesting execution of a target operation, wherein the operation request is sent to the application server by the smart device after it acquires an operation instruction for requesting the application server to execute the target operation;
acquiring a temporary user identifier and a first encrypted value transmitted by the smart device, wherein the temporary user identifier is acquired by the smart device when authentication and key agreement between the smart device and an authentication server succeeds, the first encrypted value is generated by the smart device by encryption based on a first master key and an application identifier, the first master key is generated by the smart device when the authentication and key agreement with the authentication server succeeds, and the application identifier is the application identifier of the application server;
sending a verification request to the authentication server and passing the temporary user identity and the first encrypted value to the authentication server;
receiving a response message indicating successful verification fed back by the authentication server, wherein the response message is fed back after the authentication server successfully verifies the temporary user identifier and the first encrypted value;
and executing the target operation.
4. The method of claim 3, wherein receiving the response message indicating successful verification fed back by the authentication server further comprises:
and receiving user identification information fed back by the authentication server, wherein the user identification information is determined by the authentication server according to the temporary user identification.
5. An identity authentication method, applied to an authentication server, the method comprising the following steps:
performing authentication and key agreement with a smart device based on a user data system, if the authentication and key agreement is successful, generating a second master key, generating a temporary user identifier, transmitting the temporary user identifier to the smart device, and establishing an association relationship between the temporary user identifier and the second master key;
receiving a verification request sent by an application server, wherein the verification request is sent to the authentication server by the application server after it receives an operation request sent by the smart device for requesting execution of a target operation, and the operation request is sent to the application server by the smart device after it acquires an operation instruction for requesting the application server to execute the target operation;
acquiring the temporary user identifier and a first encrypted value transmitted by the application server, wherein the temporary user identifier and the first encrypted value transmitted by the application server are those transmitted by the smart device via the application server;
determining an application identifier of the application server according to the identity information of the application server;
acquiring the second master key in the association relation according to the temporary user identifier;
verifying the first encrypted value based on the second master key and the application identifier;
and if the first encrypted value is successfully verified, feeding back a response message indicating successful verification to the application server, to trigger the application server to execute the target operation.
6. The method of claim 5, wherein performing authentication and key agreement with the smart device based on the user data system comprises:
receiving an authentication and key agreement request sent by the smart device, and acquiring a mobile subscriber identifier transmitted by the smart device;
sending an authentication request to the user data system and transmitting the mobile subscriber identifier to the user data system;
receiving an authentication response fed back by the user data system, and acquiring a random number RAND, an authentication token AUTN, a second expected response value and a second initial key fed back by the user data system;
sending an authentication and key agreement challenge message to the smart device and transmitting the random number RAND and the authentication token AUTN to the smart device;
receiving an authentication and key agreement challenge response message fed back by the smart device, and acquiring a first expected response value transmitted by the smart device;
verifying the first expected response value based on the second expected response value;
if the first expected response value is verified to be valid, generating a second master key based on the second initial key, generating a temporary user identifier and transmitting the temporary user identifier to the smart device, establishing an association relationship between the temporary user identifier and the second master key, and sending an authentication and key agreement success response message to the smart device, wherein the second master key is generated in the same manner as the first master key generated by the smart device.
7. The method of claim 5, wherein if the first encrypted value is successfully verified, the method further comprises:
determining corresponding user identification information according to the temporary user identification;
and transmitting the user identification information to the application server.
8. A smart device, characterized in that the smart device comprises a memory and a processor for executing a program stored in the memory, the program when executed performing the method of any one of claims 1 to 2; or/and an application server, characterized in that the application server comprises a memory and a processor for executing a program stored in the memory, the program when executed performing the method of any one of claims 3 to 4; or/and an authentication server, characterized in that the authentication server comprises a memory and a processor for executing a program stored in the memory, the program when executed performing the method of any one of claims 5 to 7.
9. An authentication system, characterized in that the authentication system comprises an authentication server, at least one application server and at least one smart device;
the smart device comprises the smart device of claim 8;
the application server comprising the application server of claim 8;
the authentication server comprising the authentication server of claim 8.
10. A storage medium, characterized in that the storage medium stores a program for implementing the method of any one of claims 1 to 2 applied to a smart device; or/and a program for implementing the method of any one of claims 3 to 4 applied to an application server; or/and a program for implementing the method of any one of claims 5 to 7 applied to an authentication server.
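The three-party flow of claims 1 to 7 (SIM-based AKA bootstrap with the authentication server, then per-application authentication relayed by the application server), worked through below as an added Python example; it is not code from the patent, and it also exercises the second authentication system embodiment, in which one AKA run serves several application servers. The patent fixes neither the AKA functions, nor the derivation of the initial and master keys, nor the "encryption" that produces the first encrypted value; HMAC-SHA256 stands in for all of these, the toy `aka_vector` replaces Milenage, the mapping from an application server's identity to its application identifier is assumed to be registered with the authentication server out of band, and the IMSI, key K and application identifiers are constructed sample values.

```python
# Assumptions: HMAC-SHA256 stands in for Milenage f1-f4, for the initial/master key derivations
# and for the "encryption" of the first encrypted value; the patent fixes none of these.
import hashlib
import hmac
import secrets

def mac(key: bytes, *parts: bytes) -> bytes:
    # HMAC-SHA256 over length-prefixed parts, so (b"ab", b"c") != (b"a", b"bc").
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

def aka_vector(k: bytes, rand: bytes):
    # Toy stand-in for Milenage: (AUTN, XRES, CK, IK) from K and RAND; SIM and HSS both run it.
    autn = mac(k, b"f1", rand)[:8]   # network authentication tag, checked by the SIM
    xres = mac(k, b"f2", rand)[:8]   # expected response
    ck = mac(k, b"f3", rand)[:16]    # encryption key
    ik = mac(k, b"f4", rand)[:16]    # integrity key
    return autn, xres, ck, ik

def initial_key(ck: bytes, ik: bytes) -> bytes:
    return mac(ck + ik, b"initial-key")    # claims 2 and 6: derived from CK and/or IK

def master_key(init: bytes) -> bytes:
    return mac(init, b"master-key")        # same derivation on device and authentication server

def subscriber_data_system(keys: dict, imsi: str):
    """Claim 6: RAND, AUTN, second expected response and second initial key for an IMSI."""
    rand = secrets.token_bytes(16)
    autn, xres, ck, ik = aka_vector(keys[imsi], rand)
    return rand, autn, xres, initial_key(ck, ik)

class SIM:
    def __init__(self, imsi: str, k: bytes):
        self.imsi, self.k = imsi, k
    def authenticate(self, rand: bytes, autn: bytes):
        exp_autn, res, ck, ik = aka_vector(self.k, rand)
        if not hmac.compare_digest(autn, exp_autn):
            raise ValueError("AUTN check failed: network not authenticated")
        return res, ck, ik

class AuthServer:
    def __init__(self, keys: dict):
        self.keys, self.pending, self.assoc, self.app_ids = keys, {}, {}, {}
    def aka_challenge(self, imsi: str):
        rand, autn, xres, init = subscriber_data_system(self.keys, imsi)
        self.pending[imsi] = (xres, init)
        return rand, autn
    def aka_response(self, imsi: str, res: bytes):
        xres, init = self.pending.pop(imsi)
        if not hmac.compare_digest(res, xres):
            return None                        # AKA failed: no master key, no temporary id
        temp_id = secrets.token_hex(8)
        self.assoc[temp_id] = (master_key(init), imsi)   # claim 5: association relation
        return temp_id
    def verify(self, app_identity: str, temp_id: str, value: bytes):
        """Claim 5: app id from the app server's identity, second master key from the temp id."""
        app_id, entry = self.app_ids[app_identity], self.assoc.get(temp_id)
        expected = None if entry is None else mac(entry[0], b"auth", app_id.encode())
        if expected is None or not hmac.compare_digest(value, expected):
            return None
        return entry[1]                        # claim 7: user identification info (the IMSI here)

class AppServer:
    def __init__(self, identity: str, app_id: str, auth: AuthServer):
        self.identity, self.app_id, self.auth = identity, app_id, auth
        auth.app_ids[identity] = app_id        # assumption: registered with the auth server out of band
    def operation_request(self, temp_id: str, value: bytes):
        user = self.auth.verify(self.identity, temp_id, value)   # claim 3: relay to auth server
        return ("executed", user) if user else ("rejected", None)

class SmartDevice:
    def __init__(self, sim: SIM):
        self.sim, self.master_key, self.temp_id = sim, None, None
    def bootstrap(self, auth: AuthServer) -> bool:
        rand, autn = auth.aka_challenge(self.sim.imsi)          # claim 2
        res, ck, ik = self.sim.authenticate(rand, autn)
        temp_id = auth.aka_response(self.sim.imsi, res)
        if temp_id is None:
            return False
        self.master_key, self.temp_id = master_key(initial_key(ck, ik)), temp_id
        return True
    def first_encrypted_value(self, app_id: str) -> bytes:
        return mac(self.master_key, b"auth", app_id.encode())    # claim 1

def demo():
    """One AKA run, then authentication to two application servers (embodiment two)."""
    imsi, k = "460001234567890", secrets.token_bytes(16)       # constructed sample subscriber
    auth = AuthServer({imsi: k})
    watch_app = AppServer("watch.example", "app-watch", auth)  # constructed identities
    pay_app = AppServer("pay.example", "app-pay", auth)
    dev = SmartDevice(SIM(imsi, k))
    booted = dev.bootstrap(auth)
    ok_watch = watch_app.operation_request(dev.temp_id, dev.first_encrypted_value("app-watch"))
    ok_pay = pay_app.operation_request(dev.temp_id, dev.first_encrypted_value("app-pay"))
    # a value computed for app-watch must not be accepted by app-pay
    cross = pay_app.operation_request(dev.temp_id, dev.first_encrypted_value("app-watch"))
    return booted, ok_watch, ok_pay, cross
```

Two points worth noticing when reading the claims against this model. The application identifier never travels from the device to the authentication server: the authentication server derives it from the identity of the application server that relays the request (claim 5), which is what makes a value computed for one application server useless at another. And, as claimed, the first encrypted value depends only on the master key and the application identifier, so it is the same for every request to a given application server for the lifetime of the temporary user identifier; a deployment would normally fold a server nonce or timestamp into the computation, which the `mac` helper above accommodates by adding a part.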

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910775077.9A CN111327583B (en) 2019-08-22 2019-08-22 Identity authentication method, intelligent equipment and authentication server

Publications (2)

Publication Number Publication Date
CN111327583A true CN111327583A (en) 2020-06-23
CN111327583B CN111327583B (en) 2022-03-04

Family

ID=71170652

Country Status (1)

Country Link
CN (1) CN111327583B (en)

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012028010A1 (en) * 2010-09-03 2012-03-08 中兴通讯股份有限公司 Authentication method, apparatus and system
US8977857B1 (en) * 2012-02-10 2015-03-10 Google Inc. System and method for granting access to protected information on a remote server
US20180337783A1 (en) * 2015-02-27 2018-11-22 Feitian Technologies Co., Ltd. Operating method for push authentication system and device
WO2017091959A1 (en) * 2015-11-30 2017-06-08 华为技术有限公司 Data transmission method, user equipment and network side device
WO2018010150A1 (en) * 2016-07-14 2018-01-18 华为技术有限公司 Authentication method and authentication system
CN108353279A (en) * 2016-07-14 2018-07-31 华为技术有限公司 A kind of authentication method and Verification System
CN109041205A (en) * 2018-08-23 2018-12-18 刘高峰 Client registers method, apparatus and system
CN109121135A (en) * 2018-08-23 2019-01-01 刘高峰 Client registers and key sharing method, apparatus and system based on GBA

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110611719A (en) * 2019-10-16 2019-12-24 四川虹美智能科技有限公司 Message pushing method, server and system
CN112073410A (en) * 2020-09-07 2020-12-11 中国人民解放军63880部队 Cloud data secure transmission control method based on aging
CN112543098A (en) * 2020-11-12 2021-03-23 西安交通大学 Intelligent building mobile equipment authentication system and method based on challenge response mechanism
CN112543098B (en) * 2020-11-12 2021-10-01 西安交通大学 Intelligent building mobile equipment authentication system and method based on challenge response mechanism
CN112436939A (en) * 2020-12-11 2021-03-02 杭州海康威视数字技术股份有限公司 Key negotiation method, device and system and electronic equipment
CN112436939B (en) * 2020-12-11 2022-05-03 杭州海康威视数字技术股份有限公司 Key negotiation method, device and system and electronic equipment
WO2022133741A1 (en) * 2020-12-22 2022-06-30 Huawei Technologies Co., Ltd. Registration methods using one-time identifiers for user equipments and nodes implementing the registration methods
CN113285807A (en) * 2021-05-14 2021-08-20 广东美房智高机器人有限公司 Method and system for network access authentication of intelligent equipment
WO2023011016A1 (en) * 2021-08-05 2023-02-09 深圳Tcl新技术有限公司 Internet of things device binding method, apparatus and system, and cloud server and storage medium
CN114124502A (en) * 2021-11-15 2022-03-01 兰州乐智教育科技有限责任公司 Message transmission method, device, equipment and medium
CN114124502B (en) * 2021-11-15 2023-07-28 兰州乐智教育科技有限责任公司 Message transmission method, device, equipment and medium
CN115001841A (en) * 2022-06-23 2022-09-02 北京瑞莱智慧科技有限公司 Identity authentication method, identity authentication device and storage medium
CN117641339A (en) * 2024-01-18 2024-03-01 中国电子科技集团公司第三十研究所 System and method for fast application layer authentication and key agreement
CN117641339B (en) * 2024-01-18 2024-04-09 中国电子科技集团公司第三十研究所 System and method for fast application layer authentication and key agreement

Also Published As

Publication number Publication date
CN111327583B (en) 2022-03-04

Similar Documents

Publication Publication Date Title
CN111327583B (en) Identity authentication method, intelligent equipment and authentication server
CN111050314B (en) Client registration method, device and system
US10284555B2 (en) User equipment credential system
CN111327582B (en) Authorization method, device and system based on OAuth protocol
CN111050322B (en) GBA-based client registration and key sharing method, device and system
US10411884B2 (en) Secure bootstrapping architecture method based on password-based digest authentication
KR101438243B1 (en) Sim based authentication
WO2017028593A1 (en) Method for making a network access device access a wireless network access point, network access device, application server, and non-volatile computer readable storage medium
EP1982547B1 (en) Method and system for recursive authentication in a mobile network
EP2852118B1 (en) Method for an enhanced authentication and/or an enhanced identification of a secure element located in a communication device, especially a user equipment
US20110264913A1 (en) Method and apparatus for interworking with single sign-on authentication architecture
US9693226B2 (en) Method and apparatus for securing a connection in a communications network
CN107612889B (en) Method for preventing user information leakage
EP2637351A1 (en) Method and system for single sign-on
CN111327416A (en) Internet of things equipment access method and device and Internet of things platform
EP1811719A1 (en) Internetwork key sharing
KR20130109560A (en) Encryption method of database of mobile communication device
CN113890778B (en) Intelligent home authentication and encryption method and system based on local area network
WO2022027673A1 (en) Algorithm negotiation method in generic bootstrapping architecture and related apparatus
Culnane et al. Formalising Application-Driven Authentication & Access-Control based on Users’ Companion Devices
CN115802346A (en) Network authentication method and device, electronic equipment and readable medium
CN116074839A (en) Authentication method for accessing quantum security terminal into quantum security network
CN113785547A (en) Security transmission method of Profile data and corresponding device
WO2020037957A1 (en) Client registration method, apparatus and system
WO2020037958A1 (en) Gba-based client registration and key sharing method, device, and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant