Disclosure of Invention
The embodiments of the present application provide a security authentication method that performs targeted security authentication on an electronic device, reducing the amount of data processed during security authentication, shortening the authentication time, making the encryption chip more general-purpose, helping to build a proprietary ecosystem, and reducing production cost.
The application provides a security authentication method, which comprises the following steps:
acquiring the security level of the electronic equipment to be authenticated;
executing a security authentication strategy corresponding to the security level according to the security level, and performing security authentication on the electronic equipment;
wherein, different security levels correspond to different security authentication policies.
In an embodiment, the obtaining the security level of the electronic device to be authenticated includes:
determining the security level of the electronic equipment according to the service request of the electronic equipment.
In an embodiment, the performing, according to the security level, a security authentication policy corresponding to the security level to perform security authentication on the electronic device includes:
if the security level indicates a first level, a second level or a third level, determining, according to the security level, the type of the data to be verified as one or more types of factory information data;
acquiring the data to be verified from the electronic equipment, the data to be verified being encrypted with a private key of the electronic equipment;
decrypting the data to be verified by using the public key of the electronic equipment;
after the data to be verified is successfully decrypted, performing a rationality check on the data to be verified.
In an embodiment, the performing, according to the security level, a security authentication policy corresponding to the security level to perform security authentication on the electronic device includes:
if the security level indicates a fourth level, determining the type of the data to be verified corresponding to the fourth level as certificate data and factory information data;
acquiring data to be verified from the electronic equipment;
verifying the certificate data;
decrypting the factory information data and checking its rationality.
In an embodiment, the verifying the certificate data includes:
acquiring a first message digest by using the certificate data;
calculating a second message digest through a message digest algorithm;
comparing the first message digest with the second message digest, and if the comparison succeeds, the verification succeeds.
In an embodiment, the performing, according to the security level, a security authentication policy corresponding to the security level to perform security authentication on the electronic device includes:
if the security level indicates a fifth level, verifying certificate data and factory information data of the electronic equipment;
sending a first message to the electronic equipment, the first message being encrypted with the public key of the electronic equipment;
comparing the first message with a second message returned by the electronic equipment, and if the comparison succeeds, the verification succeeds; the second message is obtained by the electronic equipment decrypting with its private key.
In an embodiment, the performing, according to the security level, a security authentication policy corresponding to the security level to perform security authentication on the electronic device includes:
if the security level indicates a sixth level, verifying certificate data and factory information data of the electronic equipment;
sending the encrypted message to the electronic equipment, and checking a decrypted message returned by the electronic equipment;
verifying whether the certificate serial number in the certificate data is unique.
In another aspect, the present application further provides a security authentication apparatus, including:
the level acquisition module is used for acquiring the security level of the electronic equipment to be authenticated;
the security authentication module is used for executing a security authentication policy corresponding to the security level according to the security level and performing security authentication on the electronic equipment; wherein different security levels correspond to different security authentication policies.
Further, the present application also provides a security authentication chip, wherein the security authentication chip includes:
a processor;
a memory for storing processor-executable instructions;
wherein, the processor is configured to execute the security authentication method provided by the embodiment of the application.
Further, the present application also provides a computer-readable storage medium, where the storage medium stores a computer program, and the computer program is executable by a processor to complete the security authentication method provided by the embodiments of the present application.
According to the technical scheme provided by the embodiment of the application, the security level of the electronic equipment to be authenticated is acquired, the security authentication strategy corresponding to the security level is executed according to the security level, and the electronic equipment is subjected to security authentication.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
Like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
Fig. 1 is a schematic view of an application scenario of a security authentication method according to an embodiment of the present application. As shown in fig. 1, the application scenario includes a host computer 110 and an electronic device 120. The host computer 110 may be a device that performs security authentication on the electronic device 120, such as a computer or a mobile phone. The electronic device 120 may be a security chip inside a headset plug or a charging plug. The host computer 110 can perform targeted security authentication on the electronic device 120 by using the method provided by the embodiment, so that the amount of data processed during security authentication is reduced and the security authentication time is shortened.
The present application also provides a security authentication chip 130. The security authentication chip 130 may be an accessory of the host computer 110 or an accessory of the electronic device 120. The security authentication chip 130 may include a processor 111 and a memory 112 for storing instructions executable by the processor 111; wherein the processor 111 is configured to execute the security authentication method provided herein.
The Memory 112 may be implemented by any type of volatile or non-volatile Memory device or combination thereof, such as Static Random Access Memory (SRAM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Erasable Programmable Read-Only Memory (EPROM), Programmable Read-Only Memory (PROM), Read-Only Memory (ROM), magnetic Memory, flash Memory, magnetic disk or optical disk.
The present application also provides a computer-readable storage medium storing a computer program executable by the processor 111 to perform the security authentication method provided herein.
Fig. 2 is a schematic flowchart of a security authentication method according to an embodiment of the present application. The method may be executed by a host computer, as shown in fig. 2, and includes the following steps S210-S220.
Step S210: acquiring the security level of the electronic equipment to be authenticated.
An electronic device has different security requirements and faces different security risks depending on its application scenario. For example, the security requirements for a chip in a headset are lower, while those for a chip in a bank USB security key (U-shield) are higher. A plurality of different security levels can be defined according to how high the security requirement of the electronic device is. In this step, the security level of the electronic device to be authenticated is obtained.
Step S220: executing a security authentication strategy corresponding to the security level according to the security level, and performing security authentication on the electronic equipment; wherein, different security levels correspond to different security authentication policies.
The security authentication policy refers to the manner in which security authentication is performed on the electronic device. Different security levels correspond to different security authentication policies, and the security authentication policy corresponding to the security level of the electronic device is executed. Different security authentication policies may adopt different security authentication modes or set different security authentication conditions. When the electronic device meets the security authentication condition, the security authentication succeeds; if the condition is not met, the security authentication fails. In one embodiment, the higher the security requirements of the electronic device, i.e., the higher the security level, the more complex the security authentication policy to be executed and the lower the security risk.
According to the technical scheme provided by the embodiment of the application, the security level of the electronic equipment to be authenticated is acquired, the security authentication strategy corresponding to the security level is executed according to the security level, and the electronic equipment is subjected to security authentication.
In one embodiment, step S210 includes: determining the security level of the electronic equipment according to the service request of the electronic equipment.
Since the electronic device may be maliciously replaced or the service request may be tampered with, there is still a high security risk in pre-storing the security level of the electronic device and directly performing security authentication according to the pre-stored security level. In addition, the electronic device may have different functions at different times and may send different service requests, so that it is inconvenient to set a fixed security level for the electronic device.
Considering these factors, the security level of the electronic device may be determined from the service request each time a service request sent by the electronic device is received. In an embodiment, all the service requests that may occur may be divided into different security levels, and a mapping between service requests and security levels is pre-stored; when a service request sent by the electronic device is received, the security level corresponding to the service request is looked up in the mapping.
In one embodiment, the service request may include a transfer of funds, a voice transmission, and the like. Correspondingly, the security level of the fund transfer can be set as A level, and the security level of the voice transmission can be set as B level. If the service request sent by the electronic device is a fund transfer, the security level of the electronic device is determined to be A level; if the service request sent by the electronic device is a voice transmission, the security level of the electronic device is determined to be B level.
In one embodiment, as shown in FIG. 3, step S220 includes the following steps S310-S340.
Step S310: if the security level indicates a first level, a second level or a third level, determining, according to the security level, the type of the data to be verified as one or more types of factory information data.
The factory information data refers to inherent information data of the electronic device, and may include model data, manufacturer data, production date, validity period, developer information, manufacturing information, and the like. According to different security levels, the type of the data to be verified of the electronic device can be one or more of factory information data. The higher the security level, the more data types are to be verified.
In one embodiment, when the security level indicates a first level, determining that the type of data to be verified is model data; when the security level indicates a second level, determining the type of the data to be verified as model data, manufacturer data and production date; when the security level indicates a third level, it is determined that the type of data to be verified is model data, manufacturer data, production date, and validity period.
In other embodiments, the data type to be verified may further include other data types in the factory information data according to different security levels.
Step S320: acquiring the data to be verified from the electronic equipment; and the data to be verified is encrypted by a private key of the electronic equipment.
After determining the data type to be verified, the data type to be verified may be sent to the electronic device. The electronic device encrypts the data to be verified with its own private key. In this step, the encrypted data to be verified is obtained from the electronic device.
Step S330: decrypting the data to be verified by using the public key of the electronic equipment.
The public key and the private key of the electronic device form a unique key pair, and information encrypted with the private key of the electronic device can only be decrypted with the corresponding public key. The host computer that performs security authentication on the electronic device pre-stores the public key of the electronic device and uses it to decrypt the data to be verified. If decryption succeeds, the private key of the electronic device matches the public key pre-stored in the host computer, which proves the authenticity of the identity of the electronic device to a certain extent.
Step S340: after the data to be verified is successfully decrypted, performing a rationality check on the data to be verified.
The rationality check refers to checking whether the data is reasonable. Because the acquired data to be verified are all data with real significance, whether the data are reasonable or not can be verified, and the identity of the electronic equipment can be further verified. In one embodiment, it may be verified whether the vendor data is a valid vendor, or whether the production date and expiration date are in a valid date range.
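As an added illustration that is not part of the application text, the following Python example shows the host-side field selection of step S310 and the rationality check of step S340 for the first to third levels. It assumes the record has already been decrypted successfully in step S330; the field names, the allowlists and the failure strings are constructed for this example.

```python
from datetime import date

# Data types to verify per security level, as listed in the embodiment above.
REQUIRED_FIELDS = {
    1: ("model",),
    2: ("model", "manufacturer", "production_date"),
    3: ("model", "manufacturer", "production_date", "valid_until"),
}

# Constructed allowlists; a real host would load these from provisioning data.
KNOWN_MODELS = {"HS-100"}
KNOWN_MANUFACTURERS = {"ExampleAudio Co."}


def _parse_date(value):
    """Return a date for an ISO 'YYYY-MM-DD' string, or None if malformed."""
    try:
        return date.fromisoformat(value)
    except (TypeError, ValueError):
        return None


def rationality_check(level, record, today):
    """Return a list of failure reasons; an empty list means the check passed."""
    if level not in REQUIRED_FIELDS:
        raise ValueError("this policy only covers levels 1 to 3")

    # The device must return every field the level demands.
    failures = [f"missing field: {name}"
                for name in REQUIRED_FIELDS[level] if name not in record]
    if failures:
        return failures

    if record["model"] not in KNOWN_MODELS:
        failures.append("unknown model")
    if level >= 2:
        if record["manufacturer"] not in KNOWN_MANUFACTURERS:
            failures.append("unknown manufacturer")
        produced = _parse_date(record["production_date"])
        # A production date in the future cannot be genuine.
        if produced is None or produced > today:
            failures.append("implausible production date")
    if level >= 3:
        expires = _parse_date(record["valid_until"])
        if expires is None:
            failures.append("malformed validity period")
        elif expires < today:
            failures.append("validity period expired")
    return failures
```

Fields outside the level's list are ignored, so the same record can pass at the first level and fail at the third.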
In one embodiment, as shown in FIG. 4, step S220 includes the following steps S410-S440.
Step S410: if the security level indicates a fourth level, determining the type of the data to be verified corresponding to the fourth level as certificate data and factory information data.
The certificate data refers to digital certificate data of the electronic device. The digital certificate is issued by a certificate authority and can verify the identity of the holder of the digital certificate.
Step S420: acquiring the data to be verified from the electronic equipment.
The factory information data is encrypted by a private key of the electronic equipment, and the certificate data is encrypted by a private key of a certificate authority.
Step S430: verifying the certificate data.
To verify the certificate data, the public key of the certificate authority is used to decrypt the certificate data. In an embodiment, the host computer pre-stores a root certificate that contains the public key of the certificate authority. The certificate data can be decrypted by using the root certificate, so that the certificate data is verified.
Step S440: decrypting the factory information data and checking its rationality.
In this step, the method for decrypting and checking the rationality of the factory information data may refer to the embodiment corresponding to fig. 3, and will not be described herein again.
In one embodiment, as shown in fig. 5, step S430 specifically includes the following steps S510-S530.
Step S510: acquiring a first message digest by using the certificate data.
When the electronic device registers the certificate, the certificate authority allocates a key pair to the electronic device. The private key is retained by the electronic device and the public key is recorded in the certificate. When the electronic device sends information, it first generates, through a message digest algorithm, a first message digest that uniquely corresponds to the information, then encrypts the first message digest with the private key, and sends the information, the first message digest and the certificate together to the host computer. In one embodiment, the message digest algorithm may be MD5, SHA-1, SHA-256, RIPEMD128, RIPEMD160, or the like, including but not limited to these algorithms.
After the host computer receives the data, it can decrypt the certificate by using the public key of the certificate authority; if the certificate data is decrypted successfully, the certificate is a trustworthy certificate issued by the certificate authority. The host computer then obtains the public key of the electronic device from the certificate and decrypts the first message digest with that public key.
Step S520: calculating a second message digest through a message digest algorithm.
The second message digest is calculated from the received information by using the same message digest algorithm as the electronic device.
Step S530: comparing the first message digest with the second message digest, and if the comparison succeeds, the verification succeeds.
Because the message digest algorithm generates different digests for different information, the received message digest is compared with the calculated message digest; if the comparison succeeds, the information was not tampered with during transmission. In this step, the first message digest and the second message digest are compared, and if the comparison succeeds, the certificate data is verified successfully.
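The digest comparison of steps S510-S530, as an added Python example that is not part of the application text. It assumes the certificate has already been validated and the device public key extracted from it, uses SHA-256 from the algorithms listed above, and uses textbook RSA with a constructed, deliberately weak demo key; fielded systems use a padded signature scheme such as RSA-PSS.

```python
import hashlib
import hmac

# Constructed demo key built from two Mersenne primes. It is trivially
# factorable and exists only so the example runs with the standard library.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                            # public modulus (recorded in the certificate)
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, kept by the device


def device_send(message: bytes):
    """Device side: digest the information, then encrypt the digest with
    the private key. Returns (information, encrypted first digest)."""
    first_digest = hashlib.sha256(message).digest()
    encrypted = pow(int.from_bytes(first_digest, "big"), D, N)
    return message, encrypted


def host_verify(message: bytes, encrypted_digest: int) -> bool:
    """Host side, steps S510 to S530."""
    if not 0 <= encrypted_digest < N:
        return False
    # S510: recover the first digest with the device's public key.
    recovered = pow(encrypted_digest, E, N)
    if recovered >= 2**256:
        # Not a 32-byte value, so it cannot be a SHA-256 digest.
        return False
    first_digest = recovered.to_bytes(32, "big")
    # S520: compute the second digest over the received information
    # with the same algorithm the device used.
    second_digest = hashlib.sha256(message).digest()
    # S530: constant-time comparison of the two digests.
    return hmac.compare_digest(first_digest, second_digest)
```

MD5 and SHA-1 from the list above have known collision attacks, so a digest check built on them gives weaker tamper evidence than one built on SHA-256.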
In one embodiment, as shown in FIG. 6, step S220 includes the following steps S610-S630.
Step S610: if the security level indicates a fifth level, verifying the certificate data and the factory information data of the electronic equipment.
For verifying the certificate data and the factory information data of the electronic device, embodiments corresponding to fig. 3, fig. 4, and fig. 5 may be referred to.
Step S620: sending a first message to the electronic equipment; the first message is encrypted with the public key of the electronic equipment.
The first message is encrypted by using the public key of the electronic equipment, and the encrypted first message is sent to the electronic equipment.
Step S630: comparing the first message with a second message returned by the electronic equipment, and if the comparison succeeds, the verification succeeds; the second message is obtained by the electronic equipment decrypting with its private key.
After receiving the first message, the electronic device may decrypt it with the private key; the decrypted message is referred to as the second message. After successful decryption, the electronic device sends the second message to the host computer. After receiving the second message, the host computer compares it with the first message, and if the comparison succeeds, the verification succeeds.
In one embodiment, as shown in FIG. 7, step S220 includes the following steps S710-S730.
Step S710: if the security level indicates a sixth level, verifying the certificate data and the factory information data of the electronic equipment.
The specific implementation process of this step may refer to the embodiments corresponding to fig. 3, fig. 4, and fig. 5.
Step S720: sending the encrypted message to the electronic equipment, and checking the decrypted message returned by the electronic equipment.
The specific implementation process of this step may refer to the embodiment corresponding to fig. 6.
Step S730: verifying whether the certificate serial number in the certificate data is unique.
To further ensure security, one host computer can bind only one electronic device, that is, the certificate serial number of the electronic device corresponding to the host computer is unique. The certificate data sent by the electronic device includes the certificate serial number, and this step verifies whether the certificate serial number is unique. In an embodiment, when a certificate serial number sent by the electronic device is received for the first time, it may be stored; each certificate serial number received afterwards is compared with the stored one. If the comparison succeeds, the certificate serial number is unique and the verification succeeds; otherwise, the verification fails.
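The message check of steps S620-S630 (reused as step S720) and the serial-number binding of step S730, as an added Python example that is not part of the application text. It assumes step S710 has already succeeded, uses textbook RSA with a constructed weak demo key, and the class names, the 256-bit random first message and the choice to store the serial number only after the message check passes are assumptions of this example.

```python
import hmac
import secrets

# Constructed demo key from two Mersenne primes; illustration only.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
SIZE = (N.bit_length() + 7) // 8     # byte length used for comparisons


class Device:
    """Constructed stand-in for the security chip in the accessory."""

    def __init__(self, serial: str, private_exponent: int = D):
        self.serial = serial
        self._d = private_exponent

    def decrypt(self, encrypted_message: int) -> int:
        # Produces the "second message" from the encrypted first message.
        return pow(encrypted_message, self._d, N)


class Host:
    def __init__(self):
        self.bound_serial = None     # nothing bound until first success

    def message_check(self, device) -> bool:
        # A fresh random first message per run means a recorded reply
        # from an earlier run does not match.
        first_message = secrets.randbits(256)
        encrypted = pow(first_message, E, N)        # public-key encryption
        second_message = device.decrypt(encrypted)
        if not isinstance(second_message, int) or not 0 <= second_message < N:
            return False
        return hmac.compare_digest(first_message.to_bytes(SIZE, "big"),
                                   second_message.to_bytes(SIZE, "big"))

    def serial_is_unique(self, serial: str) -> bool:
        if self.bound_serial is None:
            self.bound_serial = serial              # first sighting: store it
            return True
        return hmac.compare_digest(self.bound_serial.encode(), serial.encode())

    def authenticate_level6(self, device) -> bool:
        # S710 (certificate and factory data) is assumed to have passed.
        if not self.message_check(device):          # S720
            return False
        # S730 runs last, so a device that fails the message check
        # can never become the bound device.
        return self.serial_is_unique(device.serial)
```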
The following is an embodiment of the apparatus of the present application, which can be used to execute the above-mentioned embodiments of the security authentication method of the present application. For details not disclosed in the embodiments of the device of the present application, please refer to the embodiments of the security authentication method of the present application.
Fig. 8 is a block diagram of a security authentication apparatus according to an embodiment of the present application. As shown in fig. 8, the apparatus includes a level acquisition module 810 and a security authentication module 820.
The level obtaining module 810 is configured to obtain a security level of the electronic device to be authenticated.
A security authentication module 820, configured to execute a security authentication policy corresponding to the security level according to the security level, and perform security authentication on the electronic device; wherein, different security levels correspond to different security authentication policies.
The implementation process of the functions and actions of each module in the above device is specifically described in the implementation process of the corresponding step in the above security authentication method, and is not described herein again.
In the embodiments provided in the present application, the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.