CN111740995A - Authorization authentication method and related device - Google Patents

Authorization authentication method and related device Download PDF

Info

Publication number
CN111740995A
CN111740995A CN202010572898.5A CN202010572898A CN111740995A CN 111740995 A CN111740995 A CN 111740995A CN 202010572898 A CN202010572898 A CN 202010572898A CN 111740995 A CN111740995 A CN 111740995A
Authority
CN
China
Prior art keywords
preset
equipment
server
random number
authentication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010572898.5A
Other languages
Chinese (zh)
Other versions
CN111740995B (en
Inventor
杨劲锋
肖勇
金鑫
徐兵
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China South Power Grid International Co ltd
China Southern Power Grid Co Ltd
Original Assignee
China South Power Grid International Co ltd
China Southern Power Grid Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China South Power Grid International Co ltd, China Southern Power Grid Co Ltd filed Critical China South Power Grid International Co ltd
Priority to CN202010572898.5A priority Critical patent/CN111740995B/en
Publication of CN111740995A publication Critical patent/CN111740995A/en
Application granted granted Critical
Publication of CN111740995B publication Critical patent/CN111740995B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses an authorization authentication method and a related device, wherein the method comprises the following steps: sending a preset ID authorization request to a server through the equipment according to the received encrypted data packet, and prompting the server to send a preset challenge random number to the equipment after the preset ID authorization request is verified to pass; generating a current response value and assistant data according to a preset challenge random number through equipment, and calculating an authentication hash value through a preset ID, the current response value, the assistant data and the preset challenge random number; and obtaining a verification response value through the server according to an original response value corresponding to the preset challenge random number and the assistant data sent by the equipment, and if the verification hash value obtained according to the verification response value, the preset challenge random number, the assistant data and the preset ID sent by the equipment is consistent with the authentication hash value sent by the equipment, the authentication is successful. The method and the device solve the technical problems that the prior art not only occupies large storage resources, but also cannot ensure the data security in the transmission process.

Description

Authorization authentication method and related device
Technical Field
The present application relates to the field of identity authentication technologies, and in particular, to an authorization authentication method and a related device.
Background
With the rapid development of the internet of things (IoT), the number of IoT devices and related cloud services is growing at a high rate; for this case, especially for authentication between a cloud server and a lightweight device or between different devices, maintaining security and reliability is an essential attribute. If an attacker can maliciously access a device and obtain confidential stored information, either physically or non-physically, he can copy confidential data or the entire device, even destroying the system, but there is always a conflict between heavyweight solutions for system security and lightweight terminals. It is a real challenge for equipment vendors and cloud service providers to balance between cost and security level.
In the existing authorization and authentication scheme, a large amount of storage resources are occupied, namely, the security of data in the transmission process is ignored, namely, better balance between the storage cost and the security cannot be realized, so that the applicability of the existing authentication scheme is limited.
Disclosure of Invention
The application provides an authorization authentication method and a related device, which are used for solving the technical problems that the prior art not only occupies larger storage resources, but also cannot ensure the data security in the transmission process.
In view of the above, a first aspect of the present application provides an authorization authentication method, including:
sending a preset ID authorization request to a server through equipment according to an encrypted data packet encrypted by a preset symmetric security key, and prompting the server to send a preset challenge random number to the equipment after the preset ID authorization request is verified to pass, wherein the preset ID authorization request comprises a preset ID and an authorization request;
generating a current response value and helper data according to the preset challenge random number through the equipment, and calculating an authentication hash value through the preset ID, the current response value, the helper data and the preset challenge random number;
and obtaining a verification response value through the server according to an original response value corresponding to the preset challenge random number and the helper data sent by the equipment, and if a verification hash value obtained according to the verification response value, the preset challenge random number, the helper data and the preset ID sent by the equipment is consistent with the authentication hash value sent by the equipment, the authentication is successful.
Preferably, the sending, by the device, a preset ID authorization request to the server according to receiving an encrypted data packet encrypted by using a preset symmetric security key, and prompting the server to send a preset challenge random number to the device after verifying that the preset ID authorization request passes, where the preset ID authorization request includes a preset ID and an authorization request, and before the sending, the method further includes:
and sending a preset ID service request to the server through the equipment, prompting the server to encrypt a target file by adopting the preset symmetric security key after the preset ID service request is verified to pass, obtaining the encrypted data packet, and sending the encrypted data packet to the equipment.
Preferably, the sending, by the device, a preset ID authorization request to the server according to receiving an encrypted data packet encrypted by using a preset symmetric security key, and prompting the server to send a preset challenge random number to the device after verifying that the preset ID authorization request passes, where the preset ID authorization request includes a preset ID and an authorization request, and before the sending, the method further includes:
and configuring the unique preset ID for the target equipment through the server.
Preferably, the obtaining, by the server, a verification response value according to an original response value corresponding to the preset challenge random number and the helper data sent by the device, and if a verification hash value obtained according to the verification response value, the preset challenge random number, the helper data, and the preset ID sent by the device is consistent with the authentication hash value sent by the device, the authentication is successful, and then the method further includes:
and symmetrically encrypting the preset symmetric security key according to the verification response value through the server to obtain a decrypted data packet, and sending the decrypted data packet to the equipment, so that the equipment decrypts the decrypted data packet by adopting the current response value to obtain the preset symmetric security key for decrypting the encrypted data packet.
A second aspect of the present application provides an authorization authentication apparatus, including:
the authorization request module is used for sending a preset ID authorization request to a server through equipment according to an encrypted data packet which is encrypted by a preset symmetric security key, and prompting the server to send a preset challenge random number to the equipment after the preset ID authorization request is verified to pass, wherein the preset ID authorization request comprises a preset ID and an authorization request;
the response calculation module is used for generating a current response value and helper data according to the preset challenge random number through the equipment and calculating an authentication hash value through the preset ID, the current response value, the helper data and the preset challenge random number;
and the verification module is used for obtaining a verification response value through the server according to an original response value corresponding to the preset challenge random number and the helper data sent by the equipment, and if a verification hash value obtained according to the verification response value, the preset challenge random number, the helper data and the preset ID sent by the equipment is consistent with the authentication hash value sent by the equipment, the authentication is successful.
Preferably, the method further comprises the following steps:
and the service request module is used for sending a preset ID service request to the server through the equipment, prompting the server to encrypt the target file by adopting the preset symmetric security key after the preset ID service request is verified to pass, obtaining the encrypted data packet, and sending the encrypted data packet to the equipment.
Preferably, the method further comprises the following steps:
and the configuration module is used for configuring the unique preset ID for the target equipment through the server.
Preferably, the method further comprises the following steps:
and the authorization module is used for symmetrically encrypting the preset symmetric security key through the server according to the verification response value to obtain a decrypted data packet and sending the decrypted data packet to the equipment, so that the equipment decrypts the decrypted data packet by adopting the current response value to obtain the preset symmetric security key for decrypting the encrypted data packet.
A third aspect of the present application provides an authorization authentication device, wherein the device includes a processor and a memory:
the memory is used for storing program codes and transmitting the program codes to the processor;
the processor is configured to perform the authorization authentication method of any of the first aspect according to instructions in the program code.
A fourth aspect of the present application provides a computer-readable storage medium, wherein the computer-readable storage medium is configured to store a program code, and the program code is configured to execute the authorization authentication method according to any one of the first aspect.
According to the technical scheme, the embodiment of the application has the following advantages:
the application provides an authorization authentication method, which comprises the following steps: sending a preset ID authorization request to a server through equipment according to an encrypted data packet encrypted by a preset symmetric security key, prompting the server to send a preset challenge random number to the equipment after the preset ID authorization request is verified to pass, wherein the preset ID authorization request comprises a preset ID and an authorization request; generating a current response value and assistant data according to a preset challenge random number through equipment, and calculating an authentication hash value through a preset ID, the current response value, the assistant data and the preset challenge random number; and obtaining a verification response value through the server according to an original response value corresponding to the preset challenge random number and the assistant data sent by the equipment, and if the verification hash value obtained according to the verification response value, the preset challenge random number, the assistant data and the preset ID sent by the equipment is consistent with the authentication hash value sent by the equipment, the authentication is successful.
The authorization authentication method is an authentication method based on the weak physical unclonable function, and because the weak physical unclonable function supports a small number of challenge response pairs, resources which need to be stored in equipment and a server for authentication are relatively few, and a large number of storage resources cannot be consumed; in addition, the encrypted data packet cannot be used without authorization, further authorization and authentication are required, and the encrypted data packet is not decrypted and has no value due to the fact that the symmetric key is used for encryption; data in the authorization authentication process are encrypted data, and the data are useless even if intercepted, because a decryption key is not available, only helper data are in a plain text form and are used for recovering a response value; in order to ensure the integrity of data in the transmission process, a method for verifying a hash value is introduced, and the hash values in the application are consistent, which indicates that a verification response value and an authentication response value are also necessarily consistent, so that a successful authentication result can be obtained; moreover, the verification of the random number can effectively cope with the copy attack. Therefore, the method and the device solve the technical problems that the prior art not only occupies larger storage resources, but also cannot ensure the data security in the transmission process.
Drawings
Fig. 1 is a schematic flowchart of an authorization authentication method according to an embodiment of the present application;
fig. 2 is another schematic flowchart of an authorization authentication method according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of an authorization authentication device according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions of the present application better understood, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The weak Physical Unclonable Function (PUF) that appears in the process described in the embodiments of the present application is explained as follows:
PUFs are produced based on microstructural changes that occur during IC manufacturing; these unique variations can characterize each IC and are extracted as random and unpredictable patterns, similar to fingerprints, each with its unique and unclonable fingerprint to identify a particular person. When a PUF system is challenged, it will respond with respect to cryptography and its manufacturing variations, which may be referred to as challenge-response pairs (CRP). One basic partitioning method of PUFs is that a powerful PUF can provide a large number of CRPs, depending on the number of CRPs, without other cryptographic designs for authentication, and thus it is difficult for an attacker to get a specific response from a challenge. Whereas weak PUFs support a small number of CRPs, even only one CRP; it is also referred to as a Physical Obfuscated Key (POK) because it may be used for the generation and storage of security keys. Theoretically, the PUF response should be repeatable for the same challenge, but in the real world, some noise is always present in PUF systems, which may be caused not only by temperature and humidity, but also by voltage fluctuations and electromagnetic interference, etc.; thus, the actual response has a range of hamming distances to the ideal response. A safe sketch is a solution for eliminating noise influence, which is composed of a sketch program and a recovery program, wherein common helper data p is generated according to an original response r, and when the Hamming distance between an actual response and the original response meets a certain condition, the original response r can be corrected by using the actual response and the common helper data; according to this idea, the fuzzy extractor can be constructed by a security sketch, first generating helper data and secret data from the original response r:
(s,p)=Gen(r);
the cipher data s is then fixed by the current response r' and the helper data p:
s=rep(r',p)。
the method and the device perform authorization authentication by combining the concept of the constructed fuzzy extractor, improve the data security of the authorization authentication and reduce the occupation amount of storage resources.
For easy understanding, please refer to fig. 1, a first embodiment of an authorization authentication method provided in the present application includes:
step 101, sending a preset ID authorization request to a server through equipment according to an encrypted data packet encrypted by a received preset symmetric security key, prompting the server to send a preset challenge random number to the equipment after the preset ID authorization request is verified to pass, wherein the preset ID authorization request comprises a preset ID and an authorization request.
It should be noted that, after the device requests the server to download the algorithm or software, the server sends the encrypted data packet to the device after passing the verification, where the encrypted data packet is the target file required by the device, but after receiving the encrypted data packet, the device cannot use the algorithm or software therein immediately, because the data packet has not been authorized by the server, the authorization and authentication are required; at this moment, the device sends a preset ID authorization request, the server can check whether the device is the only paired target device according to the preset ID, and after the verification is passed, the server can randomly generate a preset challenge random number and send the preset challenge random number to the target device to start the related authorization verification. The preset ID is not only in the equipment, but also in the server, is configured to the target equipment in advance by the server, and has uniqueness, namely the preset IDs configured by different equipment are different; this configuration process may be completed before the device is shipped.
And 102, generating a current response value and helper data by the equipment according to a preset challenge random number, and calculating to obtain an authentication hash value by using a preset ID, the current response value, the helper data and the preset challenge random number.
It should be noted that the device generates a current response value according to the received challenge random number, acquires corresponding helper data according to the constructed related concept of the fuzzy extractor, and calculates an authentication hash value through the preset ID, the current response value, the helper data, and the preset challenge random number, where the hash value can verify whether the data is complete in the transmission process. The device sends the computed authentication hash value, the preset ID and the helper data to the server, so that the server can perform computation verification in the same computation mode. The preset challenge random number exists in the server, and the preset challenge random number is not changed temporarily in the verification process, so that the preset challenge random number does not need to be transmitted again.
And 103, obtaining a verification response value through the server according to an original response value corresponding to the preset challenge random number and the assistant data sent by the equipment, and if the verification hash value obtained according to the verification response value, the preset challenge random number, the assistant data and the preset ID sent by the equipment is consistent with the authentication hash value sent by the equipment, the authentication is successful.
It should be noted that, the server first calculates a new verification response value according to an original response value corresponding to a preset challenge random number generated at that time and helper data sent by the device, theoretically, if the authentication process is not attacked or tampered, the obtained verification response value should be consistent with the current response value in the device, and then the verification hash value calculated according to the verification response value, the preset ID, the helper data and the preset challenge random number is certainly consistent with the authentication hash value; conversely, if the hash value authentication is consistent, it can indicate that the identity authentication of the device is successful. The equipment can be authorized naturally after successful authentication, namely the equipment obtains a preset symmetric security key, and the encrypted data packet can be decrypted; the specific authorization process can also encrypt the preset symmetric security key in order to protect the security of the transmitted data, but not directly transmit the preset symmetric security key, so that the transmitted data are always encrypted and useless even if intercepted. The authorized encryption and decryption process can use the characteristic that the verification response value is consistent with the current response value, and the current response value is used as a decrypted 'key', so that the 'key' does not need to be transmitted, the interception risk is reduced, and the method is safer and more reliable.
The authorization authentication method provided by the embodiment is an authentication method based on a weak physical unclonable function, and since the weak physical unclonable function supports a small number of challenge response pairs, specific related data can be set according to actual conditions, resources required to be stored in equipment and a server for authentication are relatively few, and a large number of storage resources are not consumed; in addition, the encrypted data packet cannot be used without authorization, further authorization and authentication are required, and the encrypted data packet is not decrypted and has no value due to the fact that the symmetric key is used for encryption; data in the authorization authentication process are encrypted data, and the data are useless even if intercepted, because a decryption key is not available, only helper data are in a plain text form and are used for recovering a response value; in order to ensure the integrity of data in the transmission process, a method for verifying a hash value is introduced, and the hash values in the embodiment are consistent, which indicates that a verification response value and an authentication response value are also necessarily consistent, so that a result of successful authentication can be obtained; moreover, the verification of the random number can effectively cope with the copy attack. Therefore, the embodiment solves the technical problems that the prior art not only occupies large storage resources, but also cannot ensure the data security in the transmission process.
For easy understanding, please refer to fig. 2, the present application provides a second embodiment of an authorization authentication method, including:
step 201, configuring a unique preset ID for the target device through the server.
It should be noted that various preset IDs are stored in the database of the server, and unique corresponding identifiers can be configured for different devices; therefore, the preset ID is not only in the device, but also in the server, is configured to the target device in advance by the server, and has uniqueness, namely the preset IDs configured by different devices are different; this configuration process may be completed before the device is shipped.
Step 202, sending a preset ID service request to the server through the equipment, prompting the server to encrypt the target file by using a preset symmetric security key after the preset ID service request is verified to pass, obtaining an encrypted data packet, and sending the encrypted data packet to the equipment.
It should be noted that the preset ID service request includes a preset ID and a service request, after the device sends the preset ID service request requesting downloading of an algorithm or software to the server, the server may verify whether the preset ID is recorded in the database, if there is a record, the verification passes, the server sends an encrypted data packet encrypted by a preset symmetric security key k to the device, the encrypted data packet is a target file required by the device, but after receiving the encrypted data packet, the device cannot use the algorithm or software therein immediately, because the data packet has not been authorized by the server, authorization authentication is required. The preset symmetric security key k may be generated from a random number.
Step 203, the server sends a preset ID authorization request to the server according to the encrypted data packet encrypted by the preset symmetric security key, so that the server is prompted to send a preset challenge random number to the device after the preset ID authorization request is verified to pass, wherein the preset ID authorization request comprises a preset ID and an authorization request.
It should be noted that, the preset ID authorization request sent by the device triggers the authorization authentication, the server will first check whether the preset ID record exists in the database according to the preset ID, and after the authentication is passed, the server will randomly generate a preset challenge random number TsAnd sends it to the target device to start the relevant authorization verification.
And step 204, generating a current response value and helper data by the equipment according to the preset challenge random number, and calculating to obtain an authentication hash value by the preset ID, the current response value, the helper data and the preset challenge random number.
It should be noted that the device receives the challenge random number TsAnd generating a current response value r', acquiring corresponding helper data w according to the constructed related concept of the fuzzy extractor, and calculating to obtain an authentication hash value through a preset ID, the current response value, the helper data and a preset challenge random number, wherein the hash value can verify whether the data is complete in the transmission process. The device sends the computed authentication hash value, the preset ID and the helper data to the server, so that the server can perform computation verification in the same computation mode. Preset pickThe warfare random number already exists in the server and is not changed temporarily in the verification process, so that retransmission is not needed
Step 205, obtaining a verification response value by the server according to the original response value corresponding to the preset challenge random number and the helper data sent by the device, and if the verification hash value obtained according to the verification response value, the preset challenge random number, the helper data and the preset ID sent by the device is consistent with the authentication hash value sent by the device, the authentication is successful.
It should be noted that, the server first calculates a new verification response value r according to an original response value r corresponding to a preset challenge random number generated at that time and helper data w sent by the device, theoretically, if the authentication process is not attacked or tampered, the obtained verification response value r "should be consistent with a current response value r' in the device, and then the calculated verification hash value according to the verification response value, the preset ID, the helper data and the preset challenge random number is certainly consistent with the authentication hash value; conversely, if the hash value authentication is consistent, it can indicate that the identity authentication of the device is successful.
And step 206, symmetrically encrypting the preset symmetric security key through the server according to the verification response value to obtain a decrypted data packet, and sending the decrypted data packet to the equipment, so that the equipment decrypts the decrypted data packet by adopting the current response value to obtain the preset symmetric security key for decrypting the encrypted data packet.
It should be noted that, the device can be authorized naturally after successful authentication, which means that the device obtains a preset symmetric security key k to realize decryption of the encrypted data packet; since the verification response value r 'is consistent with the current response value r', and the specific authorization process can also protect the security of the transmitted data, the preset symmetric security key k needs to be encrypted instead of directly transmitting the preset symmetric security key, so that the transmitted data is always encrypted and useless even if intercepted. Therefore, the preset symmetric security key k is symmetrically encrypted by adopting the verification response value r ' and the encrypted data packet is sent to the equipment as a decryption data packet, the equipment can directly use the current response value as a decryption ' key ' to decrypt the decryption data packet to obtain the preset symmetric security key k, and then the encrypted data packet can be decrypted by presetting the symmetric security key k to obtain the target file. The current response value is used as a decrypted 'key', so that the 'key' does not need to be completed through transmission, the risk of interception and even tampering can be reduced by not transmitting, and the method is safer and more reliable.
For ease of understanding, referring to fig. 3, the present application further provides an embodiment of an authorization authentication device, comprising:
an authorization request module 301, configured to send, by the device, a preset ID authorization request to the server according to the encrypted data packet encrypted by using the preset symmetric security key, so as to prompt the server to send a preset challenge random number to the device after the preset ID authorization request is verified to pass, where the preset ID authorization request includes a preset ID and an authorization request;
the response calculation module 302 is configured to generate, by the device, a current response value and helper data according to a preset challenge random number, and calculate an authentication hash value by using a preset ID, the current response value, the helper data, and the preset challenge random number;
the verification module 303 is configured to obtain a verification response value according to an original response value corresponding to the preset challenge random number and the helper data sent by the device through the server, and if a verification hash value obtained according to the verification response value, the preset challenge random number, the helper data, and the preset ID sent by the device is consistent with the authentication hash value sent by the device, the authentication is successful.
Further, still include:
the service request module 304 is configured to send a preset ID service request to the server through the device, so that the server encrypts the target file by using a preset symmetric security key after verifying that the preset ID service request passes, to obtain an encrypted data packet, and sends the encrypted data packet to the device.
Further, still include:
a configuration module 305 for configuring a unique preset ID for the target device through the server.
Further, still include:
and the authorization module 306 is configured to perform symmetric encryption on the preset symmetric security key through the server according to the verification response value to obtain a decrypted data packet, and send the decrypted data packet to the device, so that the device decrypts the decrypted data packet by using the current response value to obtain the preset symmetric security key for decrypting the encrypted data packet.
To facilitate understanding, the present application also provides an authorization authentication device, characterized in that the device includes a processor and a memory:
the memory is used for storing the program codes and transmitting the program codes to the processor;
the processor is configured to execute any of the above-described method embodiments according to instructions in the program code.
To facilitate understanding, the present application also provides a computer-readable storage medium, wherein the computer-readable storage medium is configured to store program code for executing any one of the authorization authentication methods in the above-mentioned method embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be substantially implemented or contributed to by the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a storage medium and includes instructions for executing all or part of the steps of the method described in the embodiments of the present application through a computer device (which may be a personal computer, a server, or a network device). And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions in the embodiments of the present application.

Claims (10)

1. An authorization authentication method, comprising:
sending a preset ID authorization request to a server through equipment according to an encrypted data packet encrypted by a preset symmetric security key, and prompting the server to send a preset challenge random number to the equipment after the preset ID authorization request is verified to pass, wherein the preset ID authorization request comprises a preset ID and an authorization request;
generating a current response value and helper data according to the preset challenge random number through the equipment, and calculating an authentication hash value through the preset ID, the current response value, the helper data and the preset challenge random number;
and obtaining a verification response value through the server according to an original response value corresponding to the preset challenge random number and the helper data sent by the equipment, and if a verification hash value obtained according to the verification response value, the preset challenge random number, the helper data and the preset ID sent by the equipment is consistent with the authentication hash value sent by the equipment, the authentication is successful.
2. The authorization authentication method according to claim 1, wherein the sending, by the device, a preset ID authorization request to the server according to the encrypted data packet encrypted by using the preset symmetric security key is received, the server is prompted to send a preset challenge random number to the device after verifying that the preset ID authorization request passes, the preset ID authorization request includes a preset ID and an authorization request, and before the sending, the method further includes:
and sending a preset ID service request to the server through the equipment, prompting the server to encrypt a target file by adopting the preset symmetric security key after the preset ID service request is verified to pass, obtaining the encrypted data packet, and sending the encrypted data packet to the equipment.
3. The authorization authentication method according to claim 1, wherein the sending, by the device, a preset ID authorization request to the server according to the encrypted data packet encrypted by using the preset symmetric security key is received, the server is prompted to send a preset challenge random number to the device after verifying that the preset ID authorization request passes, the preset ID authorization request includes a preset ID and an authorization request, and before the sending, the method further includes:
and configuring the unique preset ID for the target equipment through the server.
4. The authorization and authentication method according to claim 1, wherein the obtaining, by the server, a verification response value according to an original response value corresponding to the preset challenge random number and the helper data sent by the device, and if a verification hash value obtained according to the verification response value, the preset challenge random number, the helper data, and the preset ID sent by the device is consistent with the authentication hash value sent by the device, then the authentication is successful, and thereafter:
and symmetrically encrypting the preset symmetric security key according to the verification response value through the server to obtain a decrypted data packet, and sending the decrypted data packet to the equipment, so that the equipment decrypts the decrypted data packet by adopting the current response value to obtain the preset symmetric security key for decrypting the encrypted data packet.
5. An authorization authentication apparatus, comprising:
the authorization request module is used for sending a preset ID authorization request to a server through equipment according to an encrypted data packet which is encrypted by a preset symmetric security key, and prompting the server to send a preset challenge random number to the equipment after the preset ID authorization request is verified to pass, wherein the preset ID authorization request comprises a preset ID and an authorization request;
the response calculation module is used for generating a current response value and helper data according to the preset challenge random number through the equipment and calculating an authentication hash value through the preset ID, the current response value, the helper data and the preset challenge random number;
and the verification module is used for obtaining a verification response value through the server according to an original response value corresponding to the preset challenge random number and the helper data sent by the equipment, and if a verification hash value obtained according to the verification response value, the preset challenge random number, the helper data and the preset ID sent by the equipment is consistent with the authentication hash value sent by the equipment, the authentication is successful.
6. The authorization authentication device according to claim 5, further comprising:
and the service request module is used for sending a preset ID service request to the server through the equipment, prompting the server to encrypt the target file by adopting the preset symmetric security key after the preset ID service request is verified to pass, obtaining the encrypted data packet, and sending the encrypted data packet to the equipment.
7. The authorization authentication device according to claim 5, further comprising:
and the configuration module is used for configuring the unique preset ID for the target equipment through the server.
8. The authorization authentication device according to claim 5, further comprising:
and the authorization module is used for symmetrically encrypting the preset symmetric security key through the server according to the verification response value to obtain a decrypted data packet and sending the decrypted data packet to the equipment, so that the equipment decrypts the decrypted data packet by adopting the current response value to obtain the preset symmetric security key for decrypting the encrypted data packet.
9. An authorization authentication device, the device comprising a processor and a memory:
the memory is used for storing program codes and transmitting the program codes to the processor;
the processor is configured to execute the authorization authentication method of any of claims 1-4 according to instructions in the program code.
10. A computer-readable storage medium for storing program code for performing the authorization authentication method of any of claims 1-4.
CN202010572898.5A 2020-06-22 2020-06-22 Authorization authentication method and related device Active CN111740995B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010572898.5A CN111740995B (en) 2020-06-22 2020-06-22 Authorization authentication method and related device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010572898.5A CN111740995B (en) 2020-06-22 2020-06-22 Authorization authentication method and related device

Publications (2)

Publication Number Publication Date
CN111740995A true CN111740995A (en) 2020-10-02
CN111740995B CN111740995B (en) 2022-07-12

Family

ID=72650320

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010572898.5A Active CN111740995B (en) 2020-06-22 2020-06-22 Authorization authentication method and related device

Country Status (1)

Country Link
CN (1) CN111740995B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112637249A (en) * 2021-03-10 2021-04-09 浙江宇视科技有限公司 Identification authentication method and device, electronic equipment and storage medium
CN112948808A (en) * 2021-03-01 2021-06-11 湖南优美科技发展有限公司 Authorization management method and system, authorization management device and embedded device
CN115150180A (en) * 2022-07-14 2022-10-04 江苏芯盛智能科技有限公司 Storage device management method, storage device, management device, and storage medium
CN115280813A (en) * 2020-12-24 2022-11-01 京东方科技集团股份有限公司 Interactive authentication method, device and system, computer equipment and readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120131340A1 (en) * 2010-11-19 2012-05-24 Philippe Teuwen Enrollment of Physically Unclonable Functions
WO2015178597A1 (en) * 2014-05-23 2015-11-26 숭실대학교산학협력단 System and method for updating secret key using puf
CN105354604A (en) * 2015-10-30 2016-02-24 中山大学 Effective novel anti-counterfeiting method based on physical unclonable function
CN109150541A (en) * 2018-08-15 2019-01-04 飞天诚信科技股份有限公司 A kind of Verification System and its working method

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120131340A1 (en) * 2010-11-19 2012-05-24 Philippe Teuwen Enrollment of Physically Unclonable Functions
WO2015178597A1 (en) * 2014-05-23 2015-11-26 숭실대학교산학협력단 System and method for updating secret key using puf
CN105354604A (en) * 2015-10-30 2016-02-24 中山大学 Effective novel anti-counterfeiting method based on physical unclonable function
CN109150541A (en) * 2018-08-15 2019-01-04 飞天诚信科技股份有限公司 A kind of Verification System and its working method

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115280813A (en) * 2020-12-24 2022-11-01 京东方科技集团股份有限公司 Interactive authentication method, device and system, computer equipment and readable storage medium
CN112948808A (en) * 2021-03-01 2021-06-11 湖南优美科技发展有限公司 Authorization management method and system, authorization management device and embedded device
CN112948808B (en) * 2021-03-01 2023-11-24 湖南优美科技发展有限公司 Authorization management method and system, authorization management device and embedded device
CN112637249A (en) * 2021-03-10 2021-04-09 浙江宇视科技有限公司 Identification authentication method and device, electronic equipment and storage medium
CN112637249B (en) * 2021-03-10 2021-12-14 浙江宇视科技有限公司 Internet of things node identification authentication method and device, electronic equipment and storage medium
CN115150180A (en) * 2022-07-14 2022-10-04 江苏芯盛智能科技有限公司 Storage device management method, storage device, management device, and storage medium

Also Published As

Publication number Publication date
CN111740995B (en) 2022-07-12

Similar Documents

Publication Publication Date Title
US11757662B2 (en) Confidential authentication and provisioning
RU2718689C2 (en) Confidential communication control
CN110932870B (en) Quantum communication service station key negotiation system and method
CN111740995B (en) Authorization authentication method and related device
KR100979576B1 (en) Methods for remotely changing a communications password
CN110990827A (en) Identity information verification method, server and storage medium
US10594479B2 (en) Method for managing smart home environment, method for joining smart home environment and method for connecting communication session with smart device
CN113691502B (en) Communication method, device, gateway server, client and storage medium
JP2009529832A (en) Undiscoverable, ie secure data communication using black data
CN111630811A (en) System and method for generating and registering secret key for multipoint authentication
CN110059458B (en) User password encryption authentication method, device and system
CN110690956B (en) Bidirectional authentication method and system, server and terminal
CN105656862B (en) Authentication method and device
CN108809633B (en) Identity authentication method, device and system
KR101531662B1 (en) Method and system for mutual authentication between client and server
KR102415628B1 (en) Method and apparatus for authenticating drone using dim
EP3185504A1 (en) Security management system for securing a communication between a remote server and an electronic device
JP3923229B2 (en) Authentication processing method and method
CN114143777B (en) Certificate key downloading method and system of internet of things terminal based on SIM card
KR20180069425A (en) method of biometrics using session key and user terminal and the verification server performing the same
KR20120089903A (en) Apparatus and method of authentication for non-realtime iptv system
CN108243156B (en) Method and system for network authentication based on fingerprint key
KR101737925B1 (en) Method and system for authenticating user based on challenge-response
JP5446768B2 (en) Key exchange system and key exchange method
CN114385987A (en) Dynamic multi-factor identity authentication and certification method and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant