CN111815814A - Electronic lock security system and binding authentication method thereof - Google Patents

Publication number
CN111815814A
Authority
CN
China
Prior art keywords
binding
electronic lock
mobile communication
random number
communication terminal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010576085.3A
Other languages
Chinese (zh)
Other versions
CN111815814B (en
Inventor
李其伦
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Zhihui Space Technology Co ltd
Original Assignee
Beijing Zhihui Space Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Zhihui Space Technology Co ltd
Priority to CN202010576085.3A
Publication of CN111815814A
Application granted
Publication of CN111815814B
Legal status: Active
Anticipated expiration

Classifications

    • G07C9/00309 Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys, operated with bidirectional data transmission between data carrier and locks
    • G07C9/00571 Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys, operated by interacting with a central unit
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W4/80 Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication

Abstract

The invention discloses an electronic lock security system and a binding authentication method thereof. The electronic lock end generates a first random number and encrypts it with the public key of the mobile communication terminal; it then uses a first component of the private key of the mobile communication terminal and the private key of the electronic lock security chip to decrypt data generated from the first random number and a second random number, obtaining a copy of the first random number, and authenticates the mobile communication terminal by comparing the first random number with that copy. The mobile communication terminal uses the second component of its private key to decrypt the data encrypted from the first random number, encrypts the second random number with the public key of the electronic lock security chip, uses the first random number to decrypt the array generated from the second random number to obtain a copy of the second random number, and authenticates the electronic lock by comparing the second random number with that copy. Authentication of both the electronic lock and the mobile communication terminal is thereby achieved, and the one-to-one correspondence between the electronic lock and the mobile communication terminal is ensured.

Description

Electronic lock security system and binding authentication method thereof
Technical Field
The invention relates to the technical field of electronic locks, in particular to an electronic lock security system and a binding authentication method thereof.
Background
At present, in the field of security technology, electronic locks have overcome the poor security of mechanical combination locks and become the mainstay of the market. Electronic locks are mainly used in two modes: a networked mode and a non-networked mode. The non-networked mode is aimed mainly at ordinary residential users. An unlocking APP is installed on the mobile communication terminal, the electronic lock end is connected with the mobile communication terminal through a network, and the mobile communication terminal communicates with a service server through a network. When the electronic lock is first installed, it is bound to the mobile communication terminal APP and keys are distributed; on each binding and reset the keys are updated through the back end. The electronic lock is always in a passive response state: it does not actively initiate protocol interaction, it interacts only with the mobile communication terminal, and it does not interact directly with the service server. The networked mode is aimed mainly at high-end users and industry users such as access control and vehicle access control; in this mode the electronic lock can interact with the mobile communication terminal and can also interact directly with the service server. The operation of the mobile communication terminal is the same in the non-networked and networked modes.
The unlocking function of the mobile communication APP is based on near field communication and is highly convenient for users, but it faces security threats in two respects. First, because the wireless channel is open, unlocking information can be stolen, copied or forged. Second, after the mobile communication device is lost, the unlocking information stored on it cannot be destroyed in time, which can seriously threaten the user's personal and property safety. At present, electronic locks and mobile communication terminal APPs use public algorithms such as AES and RSA to implement simple identity authentication and encryption, but the security capability of such electronic locks is weak: they have no tamper resistance or replay resistance, and the unlocking passwords stored in the electronic lock and the mobile communication device are not protected and are easy to attack.
Therefore, establishing a complete electronic lock security system and binding method is an urgent problem.
Disclosure of Invention
The invention aims to provide an electronic lock security system and a binding authentication method thereof that ensure the one-to-one correspondence between the electronic lock and the mobile communication terminal and improve the security of the electronic lock.
The above object of the present invention is achieved by the following technical solutions:
A binding authentication method for an electronic lock security system, the system comprising an electronic lock end and a mobile communication end: the electronic lock end generates a first binding random number and encrypts it with the public key of the mobile communication end; data generated based on the first binding random number and the second binding random number are decrypted by using a first component of the private key of the mobile communication end and the private key of the electronic lock security chip to obtain a first binding random number copy; and the mobile communication end is authenticated by comparing the first binding random number with the first binding random number copy.
The invention is further configured to: the binding of the electronic lock end comprises the following steps:
A1, connecting to a mobile communication terminal through a network;
A2, receiving the relevant binding information of the mobile communication terminal and a first binding hash value;
A3, obtaining a public key of the mobile communication terminal from the relevant binding information of the mobile communication terminal, generating and encrypting a first binding random number to obtain a first binding encrypted random number, wherein the first binding encrypted random number and the electronic lock security chip certificate form a first binding array which is sent to the mobile communication terminal together with a second binding hash value;
A4, receiving a third binding hash value of the mobile communication terminal and a second binding array of the decrypted first binding encrypted random number;
A5, decrypting the second binding array according to the first component of the private key of the mobile communication terminal to obtain a third binding array, and sending the third binding array and the fourth binding hash value to the mobile communication terminal;
A6, receiving a fourth binding array and a fifth binding hash value of the mobile communication terminal, wherein the fourth binding array contains data generated based on the first binding random number and the second binding random number;
A7, obtaining a first binding random number copy and second binding random mirror image data from the fourth binding array according to the private key of the electronic lock security chip, and judging that the mobile communication terminal is legal when the first binding random number copy is equal to the first binding random number; encrypting the ID of the electronic lock security chip and the second binding random mirror image data to form a fifth binding array, and sending the fifth binding array and the sixth binding hash value to the mobile communication terminal;
A8, receiving a sixth binding array and a seventh binding hash value of the mobile communication terminal, wherein the sixth binding array comprises successful authentication information of the mobile communication terminal and encrypted number information of the mobile communication terminal; generating a master key according to the first binding random number and the second binding random number and storing it, decrypting and recording the number of the mobile communication terminal, and recording the corresponding relation of the number of the mobile communication terminal, the public key of the mobile communication terminal and the master key; and sending the first binding success information and the eighth binding hash value to the mobile communication terminal.
The invention is further configured to: step A3 includes verifying the first binding hash value and the mobile communication terminal certificate, and encrypting the first binding random number according to the public key of the mobile communication terminal to obtain a first binding encrypted random number.
The invention is further configured to: step A7 includes the following steps:
B1, verifying the fifth binding hash value;
B2, decrypting the fourth binding array by using the private key of the electronic lock security chip to obtain a first binding random number copy and second binding random mirror image data;
B3, comparing whether the first binding random number copy is equal to the first binding random number; if so, entering the next step; if not, judging that the mobile communication terminal is illegal, and sending binding failure information to the mobile communication terminal;
B4, judging that the mobile communication terminal is legal;
B5, obtaining a sixth binding hash value by adopting a hash algorithm, and encrypting the ID of the electronic lock security chip and the second binding random mirror image data according to the first binding random number to obtain a fifth binding array;
B6, sending the fifth binding array and the sixth binding hash value to the mobile communication terminal.
The invention is further configured to: step A8 includes the following steps:
C1, verifying the seventh binding hash value sent by the mobile communication terminal;
C2, generating a master key from the first binding random number and the second binding random number, and encrypting and storing the master key;
C3, decrypting the number information of the mobile communication terminal;
C4, recording the corresponding relation between the number of the mobile communication terminal, the public key of the mobile communication terminal and the master key;
C5, encrypting the master key and sending the binding success information to the mobile communication terminal.
The above object of the present invention is also achieved by the following technical solutions:
A binding authentication method for an electronic lock security system, the system comprising an electronic lock end and a mobile communication end: the mobile communication terminal sends the mobile communication terminal certificate and the first binding hash value to the electronic lock terminal, decrypts the first binding array sent by the electronic lock terminal, and sends the second binding array to the electronic lock terminal; decrypts a third binding array sent by the electronic lock end to obtain first binding random mirror image data, generates a second binding random number, and encrypts the first binding random mirror image data and the second binding random number to obtain a fourth binding random array; sends the fourth binding random array and the fifth binding hash value to the electronic lock end; and receives and decrypts the fifth binding array sent by the electronic lock terminal to obtain the ID of the electronic lock security chip and the second binding random number copy, and compares the second binding random number with the second binding random number copy to authenticate the electronic lock.
The invention is further configured to: the binding of the mobile communication terminal comprises the following steps:
D1, connecting to the electronic lock end through the network;
D2, sending the certificate of the mobile communication terminal and the first binding hash value to the electronic lock terminal;
D3, receiving a second binding hash value, an electronic lock security chip certificate and first binding encrypted random number information sent by the electronic lock terminal;
D4, decrypting the first binding encrypted random number by adopting the second component of the private key of the mobile communication terminal to obtain a second binding array, and sending the second binding array and the third binding hash value to the electronic lock terminal;
D5, receiving a third binding array and a fourth binding hash value sent by the electronic lock end; decrypting the third binding array to obtain first binding random mirror image data; generating a second binding random number, encrypting the first binding random mirror image data and the second binding random number by adopting a public key of the electronic lock security chip to obtain a fourth binding array, and sending the fourth binding array and the fifth binding hash value to the electronic lock end;
D6, receiving a fifth binding array sent by the electronic lock terminal, decrypting the fifth binding array by using the first binding random number to obtain a second binding random number copy, and judging that the electronic lock is legal when the second binding random number copy is equal to the second binding random number; encrypting the number of the mobile communication terminal to obtain a sixth binding array, and sending the sixth binding array, the seventh binding hash value and the authentication success information to the electronic lock terminal;
D7, generating a master key according to the first binding random number and the second binding random number, and encrypting and storing it; recording the corresponding relation between the ID and the address of the electronic lock security chip, the public key of the electronic lock security chip and the master key;
D8, receiving first binding success information and an eighth binding hash value of the electronic lock end;
D9, sending the second binding success information to the service server, and receiving the unlocking key and the electronic lock address information sent by the service server.
The invention is further configured to: step D5 includes the following steps:
E1, verifying the fourth binding hash value;
E2, decrypting the third binding array by using the second binding component of the private key of the mobile communication terminal to obtain first binding random mirror image data;
E3, verifying the electronic lock security chip certificate, and acquiring the electronic lock security chip public key from the electronic lock security chip certificate;
E4, generating a second binding random number, and encrypting the second binding random number and the first binding random mirror image data by using the public key of the electronic lock security chip to obtain a fourth binding array;
E5, sending the fourth binding array and the fifth binding hash value to the electronic lock terminal.
The invention is further configured to: step D6 includes the following steps:
R1, verifying the sixth binding hash value;
R2, decrypting a fifth binding array by using the first binding random number to obtain a second binding random number copy, wherein the fifth binding array comprises the ID of the electronic lock security chip and second binding random mirror image data;
R3, comparing whether the second binding random number copy is equal to the second binding random number; if so, entering the next step; if not, judging that the electronic lock is illegal, and prompting at the mobile communication terminal;
R4, judging that the electronic lock is legal;
R5, encrypting the mobile communication terminal number with the first binding random number;
R6, sending the authentication success information, the mobile communication terminal number encryption information and the seventh binding hash value to the electronic lock terminal.
The invention is further configured to: step D8 includes the following steps:
Q1, receiving first binding success information and an eighth binding hash value of the electronic lock end;
Q2, decrypting the first binding success information by using the master key to obtain second binding success information;
Q3, sending the second binding success information to the service server;
Q4, receiving the unlocking key and electronic lock address information sent by the service server.
The above object of the present invention is also achieved by the following technical solutions:
An electronic lock security system comprises an electronic lock end, a mobile communication end and a service server end; the electronic lock end comprises an electronic lock memory, an electronic lock controller and an electronic lock security chip, wherein the electronic lock memory stores a computer program of an electronic lock end working method which can be loaded and executed by the electronic lock controller and the electronic lock security chip; the mobile communication end comprises a mobile communication memory and a mobile communication controller, wherein the mobile communication memory stores a computer program of a mobile communication end working method which can be loaded and executed by the mobile communication controller; the service server end comprises a service server memory and a service server controller, wherein the service server memory stores a computer program which can be loaded and executed by the service server controller and is used for receiving the binding success information sent by the mobile communication end and sending the unlocking key and the electronic lock address information to the mobile communication end.
Compared with the prior art, the invention has the beneficial technical effects that:
1. The electronic lock terminal decrypts data generated based on the first binding random number by using a first component of the private key of the mobile communication terminal, decrypts the data generated based on the first binding random number and the second binding random number by using the private key of the electronic lock security chip, and judges whether the copy of the first binding random number obtained after decryption is the same as the first binding random number, thereby authenticating the mobile communication terminal;
2. The mobile communication terminal decrypts the data generated based on the first binding random number by using the second component of the private key of the mobile communication terminal, decrypts the data generated based on the first binding random number and the second binding random number by using the first binding random number, and judges whether the copy of the second binding random number obtained after decryption is the same as the second binding random number, thereby authenticating the electronic lock terminal; the one-to-one correspondence between the electronic lock and the mobile communication terminal is ensured, fast data encryption is achieved based on the symmetric encryption algorithm SM4, the real-time performance of data transmission is ensured, the one-time pad of the encryption key is also achieved, and data transmission security is ensured.
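The binding exchange of steps A3 to A8 and D4 to D7, traced end to end in an added Python sketch that is not part of the patent text. Assumptions: toy ElGamal with the phone private key split as x = x1·x2 and a blinding factor stands in for the SM2 split-key decryption, a SHA-256 keystream stands in for SM4, the master key is taken as SHA-256(R1 ‖ R2), the per-message binding hash values and certificate checks are left out, and all function names and the chip ID are hypothetical.

```python
import hashlib
import hmac
import math
import secrets

# Toy stand-ins (constructed, not secure): ElGamal over a 127-bit Mersenne
# prime replaces SM2, a SHA-256 keystream replaces SM4. Message flow only.
P = 2**127 - 1
G = 3
N = P - 1  # exponents are reduced mod P-1

def rand_exp():
    return secrets.randbelow(N - 2) + 2

def nonce():
    return secrets.randbits(96) | 1  # non-zero and smaller than P

def to_bytes(n):
    return n.to_bytes(16, "big")

def pk_encrypt(pub, m):
    k = rand_exp()
    return pow(G, k, P), m * pow(pub, k, P) % P

def pk_decrypt(priv, ct):
    c1, c2 = ct
    return c2 * pow(pow(c1, priv, P), -1, P) % P

def stream_xor(key, data):
    # The same call encrypts and decrypts.
    blocks = len(data) // 32 + 1
    ks = b"".join(hashlib.sha256(key + bytes([i])).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))

def master_key(r1, r2):
    # Assumed derivation: the page only says the key is generated from R1 and R2.
    return hashlib.sha256(to_bytes(r1) + to_bytes(r2)).digest()

def phone_second_array(c1, x2):
    # D4: the phone applies its key component x2, blinded by a fresh r.
    while True:
        r = rand_exp()
        if math.gcd(r, N) == 1:
            return r, pow(c1, x2 * r % N, P)

def lock_third_array(second, x1):
    # A5: the lock applies the component x1 it holds to the second array.
    return pow(second, x1, P)

def phone_recover_r1(c2, third, r):
    # D5/E2: the phone removes the blinding and unmasks c2 to get the R1 mirror.
    shared = pow(third, pow(r, -1, N), P)
    return c2 * pow(shared, -1, P) % P

def phone_checks_lock(r1_mirror, r2, fifth):
    # D6/R2-R3: decrypt with R1, compare the R2 copy with the phone's own R2.
    plain = stream_xor(to_bytes(r1_mirror), fifth)
    return hmac.compare_digest(plain[-16:], to_bytes(r2))

def run_binding(phone_share=None):
    # Constructed key material: phone private key x = x1*x2 mod N, chip key pair.
    x1, x2 = rand_exp(), rand_exp()
    phone_pub = pow(G, x1 * x2 % N, P)
    chip_priv = rand_exp()
    chip_pub = pow(G, chip_priv, P)
    chip_id = b"CHIP-0001"  # placeholder ID
    if phone_share is not None:
        x2 = phone_share  # a phone that does not hold the right component

    r1 = nonce()                                  # A3: lock generates R1
    c1, c2 = pk_encrypt(phone_pub, r1)
    r, second = phone_second_array(c1, x2)        # D4
    third = lock_third_array(second, x1)          # A5
    r1_mirror = phone_recover_r1(c2, third, r)    # D5
    r2 = nonce()                                  # E4: phone generates R2
    fourth = (pk_encrypt(chip_pub, r1_mirror), pk_encrypt(chip_pub, r2))

    r1_copy = pk_decrypt(chip_priv, fourth[0])    # A7/B2
    r2_mirror = pk_decrypt(chip_priv, fourth[1])
    if not hmac.compare_digest(to_bytes(r1_copy), to_bytes(r1)):  # B3
        return "phone rejected", None, None
    fifth = stream_xor(to_bytes(r1), chip_id + to_bytes(r2_mirror))  # B5

    if not phone_checks_lock(r1_mirror, r2, fifth):  # D6
        return "lock rejected", None, None
    # A8/C2 and D7: each side derives the master key from its own values.
    return "bound", master_key(r1, r2_mirror), master_key(r1_mirror, r2)

if __name__ == "__main__":
    status, k_lock, k_phone = run_binding()
    print(status, k_lock == k_phone)
    print(run_binding(phone_share=12345)[0])
```

Both nonce comparisons use `hmac.compare_digest`, so the time taken by the equality check does not depend on how many leading bytes match.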
Drawings
Fig. 1 is a schematic diagram illustrating a key distribution process of a mobile communication terminal according to an embodiment of the present invention;
Fig. 2 is a schematic diagram illustrating a binding process between a mobile communication terminal and an electronic lock terminal according to an embodiment of the present invention;
Fig. 3 is a schematic diagram illustrating an unlocking process of the mobile communication terminal according to an embodiment of the present invention;
Fig. 4 is a flow diagram of an authorized third party of an embodiment of the present invention;
Fig. 5 is a schematic diagram of a third party unlocking process according to an embodiment of the invention;
Fig. 6 is a schematic diagram of a process for obtaining an access key according to an embodiment of the present invention;
Fig. 7 is a schematic view of a process of unlocking the door lock according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings.
The network may take various forms. This specification describes the case in which the mobile communication end is connected with the electronic lock end through Bluetooth and with the service server end and the key management center end through a 3G/4G/5G network; other forms of network connection follow by analogy.
First embodiment
The invention relates to an electronic lock security system, which adds security components to an electronic lock system. It comprises an electronic lock end, a mobile communication end, a service server end and a key management center end. The electronic lock end comprises an electronic lock control circuit and an electronic lock security circuit which are connected with each other; the electronic lock control circuit executes the locking and unlocking actions of the electronic lock according to an electronic lock control program, and the electronic lock security circuit executes the electronic lock security control program. The mobile communication end, based on a control circuit of the mobile communication device, sends and receives instructions for an electronic lock unlocking APP and a security suite control module, and the security suite control module and the electronic lock unlocking APP are combined together. The key management center end comprises a key management control circuit which manages the electronic lock end and the mobile communication end based on a key management program.
The electronic lock security circuit comprises an electronic lock security memory and an electronic lock security controller, wherein the electronic lock security memory stores a computer program of electronic lock security control which can be loaded and executed by the electronic lock security controller, and the computer program comprises key distribution, binding, electronic lock unlocking, access control unlocking and third party unlocking.
The mobile communication terminal comprises a mobile memory and a mobile controller, wherein the mobile memory stores a mobile communication terminal security control computer program which can be loaded and executed by the mobile controller, and the mobile communication terminal security control computer program comprises key distribution, binding, unlocking and authorized third party unlocking.
The key management center end comprises a key management center memory and a key management center controller, wherein the key management center memory stores a key management center end computer program which can be loaded and executed by the key management center controller and comprises key distribution and access control unlocking.
The electronic lock end communicates with the mobile communication end through Bluetooth, the mobile communication end communicates with the key management center end and the service server end through a network, and the electronic lock end does not directly communicate with the key management center end or the service server end.
The service server is deployed on Alibaba Cloud and communicates with the mobile communication end and the key management center through Alibaba Cloud and the network.
The business server comprises a business server memory and a business server mobile controller, wherein the business server memory stores a business server computer program which can be loaded and executed by the business server and comprises key distribution, binding, unlocking and authorized third party unlocking.
In the security system, the security protection of the electronic lock security system is realized by using a hardware cipher machine, an SSL VPN security gateway and a disaster recovery service provided by Alibaba Cloud: locally stored data is protected by the hardware cipher machine, security protection is realized by the SSL VPN security gateway, and disaster recovery deployment is carried out by using the disaster recovery service.
The key management center end uses the data encryption function provided by Alibaba Cloud to protect user identity information and to secure the reporting of electronic lock state information and the operation and maintenance management information.
In the security system, the transmission and storage of information are protected by encryption using the SM2/SM3/SM4 algorithms.
The electronic lock security circuit comprises an electronic lock security chip, runs an electronic lock security program, and uses the national cryptographic SM2/SM3/SM4 algorithms, so that identity authentication, information encryption and integrity protection are provided for data interaction when the APP at the mobile communication terminal unlocks the lock, while the locally stored data is also protected.
The electronic lock security chip is arranged in the electronic lock.
The mobile communication terminal security suite control module is embedded in the mobile communication terminal unlocking APP and can be applied to Android or iOS. On one hand, the control module realizes identity authentication, information encryption and integrity protection in the unlocking process and protects the unlocking security of the electronic lock; on the other hand, it is connected with the service server through the network and uses the SSL VPN security protocol to report unlocking state information and receive management data, protecting the security of communication with the service server. The security suite can provide authentication, encryption, integrity protection and anti-replay mechanisms for information transmitted over all wireless channels, while encrypting and storing local data.
The national cryptographic algorithms of the security suite module are implemented in software, and the SM2 private key is stored in split form, so the security is high.
The service server side is deployed on Alibaba Cloud, performs data transmission with the mobile communication side through an international standard SSL VPN (secure socket layer virtual private network) secure channel, and calls a data encryption service of Alibaba Cloud to store and encrypt key data; the security and reliability of system user data are protected by adopting a dual-computer hot standby mode; the unlocking information and the key in a lost mobile communication device can be destroyed by remote control.
The key management center is deployed at the network side and performs key or certificate management on all the cryptographic devices in the system, realizing key management such as generation, initial installation and distribution of keys or certificates.
In the data interaction between the key management center end and the service server end, SSL VPN encryption protection is adopted.
The key management center uniformly injects the generated electronic lock certificate into the electronic lock security chip in an off-line mode; distributes and manages the generated mobile communication terminal certificate and private key by grouping domain channels in an online mode; and sends a destroying instruction to remotely destroy the key and the key data stored in an out-of-control mobile communication device.
Detailed description of the invention
This electronic lock security system differs from the first embodiment in that the service server is not deployed on Alibaba Cloud but communicates with the key management center and the mobile communication terminal through the security gateway.
The mobile communication terminal communicates with the electronic lock on one side and with the electronic lock operation and maintenance management system on the other.
The electronic lock operation and maintenance management system is used for reporting unlocking state information and for securing the operation and maintenance management information. It comprises a key management center end, a security gateway, a service server host, a service server standby machine and a host cipher machine. The service server host and the service server standby machine are each connected to the security gateway on one side and to the host cipher machine on the other (back to back), and are also connected to each other.
The key management center end obtains user data from the service server end through the network, and the data transmission is protected by SSL VPN encryption.
The security gateway meets the national cryptographic standards and supports the national cryptographic SSL VPN security protocol and the national cryptographic SM2/SM3/SM4 algorithms. It is deployed in front of the service server and provides encryption and decryption protection for the unlocking information reported by the unlocking APP on the mobile communication terminal and for the management data issued by the service server. It connects to the mobile communication terminal security suite over the network and uses the national cryptographic SSL VPN security protocol to carry the reporting of unlocking state information and the sending and receiving of management data.
The host cipher machine provides storage encryption support for key data of the service server.
Using a service server host together with a standby machine ensures the security and reliability of system user data.
The main functions of the security gateway include: support for the national cryptographic SSL VPN technical specification, bidirectional identity authentication with the mobile communication end, establishment and management of network security tunnels, encrypted storage of keys and key data, filtering of data packets, blocking of abnormal data flows, and support for the national cryptographic algorithms.
The main functions of the host cipher machine include: encrypted storage of the users' key data and support for the national cryptographic algorithms.
Detailed description of the invention
In the electronic lock security system of the invention, the key management center comprises a key management control circuit. The key management control circuit comprises a security module, a key management server, a display and a key injection adapter, and the interfaces of the key management server are connected to the security module, the display and the key injection adapter respectively.
The security module comprises a PCI-E card and a USB key.
The key management server is provided with a PCI-E interface, a USB interface, a network interface, a VGA interface and an optical disk drive. The VGA interface is used for connecting the display, the PCI-E interface is used for connecting the PCI-E card, and the USB interface is used for connecting the USB key and the key injection adapter.
The key management server comprises a RAID controller, which configures the hard disks as RAID 5 and ensures reliable data storage through disk mirroring.
In a specific embodiment of the present application, the PCI-E cryptographic card is embedded in the key management server and implements the cryptographic algorithms required by the system; the various keys are generated by means of a noise source chip in the cryptographic card.
In one embodiment of the present application, the electronic lock security system is provided with a dual noise code source connected to two PCI-E combination cards, which are divided into a master card and a backup card.
When the key management server is connected to the key injection adapter, it performs key management functions such as the initial installation of the certificate and private key of the electronic lock security chip.
The key management server imports and exports data through the optical disk drive, provides online management through the network interface, and provides an access control function through the USB interface.
The key management center runs on a CentOS 7 operating system platform and comprises a key management application layer, a key management protocol layer and device API interfaces.
The key management application layer comprises a human-computer interaction interface, a setup wizard, user management, audit management, certificate/key management, storage management, cryptographic algorithms and system parameter configuration. The human-computer interaction interface provides interaction for functions such as equipment management, user management, system management and log management. The setup wizard is used for key fob initialization, system parameter setting, hypervisor initialization, user password setting and so on; the device software is initialized through the setup wizard when it is first activated. User management implements the end user management functions. Audit management implements statistics and auditing of daily activity in the key management center system. Certificate/key management implements functions such as certificate/key generation, distribution, replacement, encrypted storage and destruction; certificate and key management for the electronic lock end and the mobile communication end is carried out by calling the key management protocol interface of the key management protocol layer. Storage management implements encrypted storage of sensitive data such as local keys. The cryptographic algorithm component wraps the cryptographic algorithm interface and the key generation interface by calling the PCI-E cryptographic card driver. System parameter configuration implements parameter setting for the key management center system.
The key management protocol layer comprises a data communication protocol and a certificate/key management protocol. The data communication protocol implements a data transceiving interface based on the TCP protocol specification. The certificate/key management protocol implements certificate/key management between the key management system and the electronic lock, the mobile communication terminal and the storage device, where the storage device includes a USB key card.
The key management device API interfaces comprise the cryptographic card driver API, the storage driver API and the key injection adapter driver API. The cryptographic card driver API is used for communicating with the cryptographic card to perform encryption and decryption; the storage driver API is used for communicating with the storage device; and the key injection adapter driver API lets the operating system identify and operate the key injection adapter.
The key management device API interfaces are encapsulated so that the upper layers can call them.
The main functions of the key management center end include: support for generation, storage, import, injection into cryptographic devices, and replacement of keys and/or certificates; support for user identity authentication, remote distribution of mobile communication terminal certificates and private keys, administrator identity authentication and the national cryptographic algorithms; support for local destruction of the keys and key data inside the device in an emergency; and support for logging, query and audit functions.
Detailed description of the invention
The electronic lock security system comprises an electronic lock control circuit and an electronic lock security circuit connected to each other. The electronic lock security circuit uses the national cryptographic algorithms and provides authentication, information encryption and storage for the data exchanged when the mobile communication terminal unlocks the lock.
The electronic lock security circuit runs a COS embedded operating system comprising an electronic lock application layer, an electronic lock COS system layer and an electronic lock communication layer, and provides cryptographic algorithm calls and secure data storage.
The electronic lock control circuit uses the full functionality of the electronic lock security circuit by calling different application COS commands.
The electronic lock application layer comprises a national cryptographic algorithm module, a data storage module, an access control module and a power consumption management module. It implements the cryptographic algorithm, data storage, access control and power consumption management functions and is the core of the software. The national cryptographic algorithm module executes the national cryptographic SM2/SM3/SM4 algorithm programs.
The electronic lock COS system layer comprises a COS command parsing/packaging module and a file management module.
The electronic lock communication layer comprises a communication interface.
The electronic lock safety chip comprises at least one of A3 of a national core, CIU98M25 with large electro-China, IS8U192A of great communication in China and Z8D256U of national technology, and supports the SM2/SM3/SM4 algorithm.
The main functions of the electronic lock security chip end include: support for the national cryptographic algorithms; encrypted storage of keys and key data; and support for the USB 2.0 high-speed interface, SPI and the UART serial port.
Detailed description of the invention
In this electronic lock security system, the mobile communication terminal security suite module is embedded in the unlocking APP and comprises several software modules, such as the cryptographic algorithm library, the key management module, the secure communication module, the encrypted storage module and the secure sandbox module. Each software module can be modified and/or updated independently, so the framework and performance of the software as a whole are not affected and the system is easy to maintain and upgrade.
The main functions of the security suite module include: bidirectional identity authentication with the electronic lock; confidentiality, integrity and anti-replay protection of the information exchanged with the electronic lock; secure communication with the security gateway in SSL VPN working mode; online distribution of the certificate and the private key; split storage of the private key components; execution of the service server's remote key destruction instructions; encrypted storage of keys and key data; support for the Android operating system or the iOS operating system; and support for the secure sandbox and the national cryptographic algorithms.
A corresponding mobile communication terminal security suite is used for each mobile communication operating system.
For a mobile communication terminal based on the Android operating system: Android is built on the Linux kernel, inherits the kernel's security mechanisms and provides an application sandbox mechanism. The operating system assigns a unique UID to each application at installation and uses the Linux kernel's security mechanisms to control access to application resources. Each application can access only its own private files, or files that other applications have set as globally readable and writable, and each application runs in the Dalvik virtual machine instance corresponding to its UID, isolated from the others.
The security suite module comprises secure communication, key management, encrypted storage, a cryptographic algorithm API and a cryptographic algorithm library. It is delivered as a client-side SDK (software development kit) that provides an API (application program interface) to the unlocking application of the mobile communication terminal, integrating the security functions and providing secure data communication, encrypted data storage, key management, national cryptographic algorithm operations and so on. The security suite sits at the application layer of the Android operating system; the security suite and the unlocking application software are placed in the sandbox and communicate with each other.
The security function API provides a security function calling interface to the unlocking application; the secure communication module implements mutual authentication between the mobile communication terminal and the electronic lock and completes the binding and unlocking functions; the key management module manages the keys related to the mobile communication terminal; the encrypted storage module implements local encrypted storage of the key data and keys of the mobile communication terminal; and the cryptographic algorithm library module implements the national cryptographic algorithms.
For a mobile communication terminal based on the iOS operating system, the security suite module sits at the application layer of the iOS operating system. The security suite module comprises secure communication, key management, encrypted storage, a cryptographic algorithm API and a cryptographic algorithm library. It is delivered as a client-side SDK (software development kit) that provides an API (application program interface) to the unlocking application of the mobile communication terminal, integrating the security functions and providing secure data communication, encrypted data storage, key management, national cryptographic algorithm operations and so on.
The security function API provides a security function calling interface to the unlocking application; the secure communication module implements security protocol processing between the network module and the electronic lock and the encrypted service communication function; the key management module manages the keys related to the mobile communication terminal; the encrypted storage module implements local encrypted storage of the key data and keys of the mobile communication terminal; and the cryptographic algorithm library module implements the national cryptographic algorithms.
Detailed description of the invention
In this electronic lock security system, the electronic lock end, the mobile communication end and the key management center end use the SM2/SM3/SM4 cryptographic algorithms to obtain the related data.
The SM2 cryptographic algorithm is used for signing/signature verification and data encryption; the SM3 cryptographic algorithm is used for data integrity protection and temporary key derivation; and the SM4 cryptographic algorithm is used for service information encryption, key distribution encryption and data storage encryption.
Specifically, the electronic lock end, the mobile communication end and the key management center end each use the SM2 algorithm for signature and encryption, covering signing and signature verification of 256 bytes of identity authentication data, certificate signing, and protection of identity authentication and key agreement data; the SM3 algorithm is used for the 256-byte hash operation and the key derivation operation; and the SM4 algorithm works in CBC mode to provide encryption protection for 128 bytes of service information and storage protection for key data.
The keys include: the temporary communication key TK, the master key MK, the unlocking encryption key EK, the electronic lock security chip public key or certificate L-PK, the electronic lock security chip private key L-SK, the mobile communication end public key or certificate M-PK, the mobile communication end private key first component M-SK-D1, the mobile communication end private key second component M-SK-D2, the key management center public key or certificate C-PK, the key management center private key C-SK and the storage encryption key BK.
The temporary communication key TK is 16 bytes long. It is set temporarily by the user and generated through an SM3 operation, and it is used with the SM4 algorithm to protect the public key or certificate and the private key of the mobile communication terminal. It is used when the electronic lock communicates with the mobile communication terminal and is destroyed after use. It is updated in a one-time (one key per use) mode and is not replayed.
The master key MK is 16 bytes long. It is generated through a key negotiation mechanism by the electronic lock security chip and the mobile communication terminal security suite when the electronic lock is bound to the mobile communication terminal, and it is used with the SM4 algorithm in CBC mode. It is valid for the binding period, is replaced on re-binding, and protects the unlocking encryption key.
The unlocking encryption key EK is 16 bytes long. It is generated temporarily by the mobile communication terminal security suite at unlocking time, is used with the SM4 algorithm in CBC mode to protect the unlocking information, and is destroyed after use.
The electronic lock security chip public key or certificate L-PK, the mobile communication terminal public key or certificate M-PK and the key management center public key or certificate C-PK are each 64 bytes long. They are generated by the key management center for use with the SM2 algorithm, are valid long-term, and are used for data encryption and signature verification.
The electronic lock security chip private key L-SK, the mobile communication end private key first component M-SK-D1 and second component M-SK-D2, and the key management center private key C-SK are each 32 bytes long. They are generated by the key management center for use with the SM2 algorithm, are valid long-term, and are used for data decryption and signing.
The storage encryption key BK is 16 bytes long. It is generated automatically by the electronic lock security chip, the mobile communication end security suite and the key management center end, is used with the SM4 algorithm in CBC mode, has a validity period, is replaced manually at regular intervals, and encrypts and protects the key data stored by each device.
In one particular embodiment of the present application, the validity period is set to one year.
The public key or certificate and private key of the electronic lock end, and the public key or certificate and private key of the mobile communication end, are all generated by the physical noise source of the PCI-E cryptographic card in the key management center.
The public key or certificate and the private key of the electronic lock end are injected offline by the key management center. The public key or certificate and the private key of the mobile communication terminal are distributed online by the key management center; the first component of the private key is stored in the electronic lock security chip, and the second component of the private key is stored in the memory of the mobile communication terminal.
All the cryptographic devices or modules encrypt the locally stored key by using the mobile communication terminal and then store the encrypted key. The electronic lock end, the mobile communication end and the key management center end each have a local user key destruction function, and the mobile communication end can destroy keys according to a remote key destruction instruction initiated by the service server. When the mobile communication terminal is out of control, the unlocking key corresponding to that terminal is destroyed by operating the electronic lock pin.
Detailed description of the invention
The electronic lock security system needs to distribute keys. At the start, the electronic lock end stores the electronic lock public key, the electronic lock private key and the key management center certificate; the key management center end stores the key management center public key, the key management center private key, the electronic lock public key and the electronic lock private key.
When the unlocking APP is first installed on the mobile communication terminal, it has no certificate, public key or private key data. The mobile communication terminal must apply online to the key management center through the network, and the components of the mobile communication terminal private key are stored separately in the mobile communication terminal and in the electronic lock end. The key distribution process is shown in fig. 1.
The electronic lock end generates a temporary communication key from the manually input data, uses it to decrypt the mobile communication terminal number, encrypts the electronic lock security chip ID and the electronic lock ID with the key management center public key and signs them, and verifies the signature of the mobile communication terminal. It decrypts with the electronic lock security chip private key to obtain the mobile communication terminal private key, and encrypts the second component of the mobile communication terminal private key with the temporary communication key.
On the electronic lock end, the method comprises the following steps:
S1, establishing network connection with the mobile communication terminal;
S2, generating a temporary communication key by adopting a national cryptographic algorithm based on the temporary communication password;
The electronic lock receives N-digit data manually input by the user as the temporary communication password, and the electronic lock security chip generates the temporary communication key from the temporary communication password using the SM3 algorithm.
At the same time, the mobile communication terminal also receives the N-digit data manually input by the user, generates the temporary communication key using the SM3 algorithm, and encrypts the mobile communication terminal number with the temporary communication key.
S3, receiving the request distribution information and a first distribution hash value sent by the mobile communication terminal, which request that a mobile communication terminal certificate and mobile communication terminal private key information be sent to the mobile communication terminal;
S4, decrypting with the temporary communication key to obtain the mobile communication terminal number, encrypting the electronic lock ID, the electronic lock security chip ID and the mobile communication terminal number with the public key of the key management center to obtain first distribution encryption information, and performing a first distribution signature to obtain first distribution data;
S5, sending the first distribution data to the mobile communication terminal;
The key management center end generates second distribution data from the first distribution data forwarded by the mobile communication terminal and sends the second distribution data to the electronic lock end through the mobile communication terminal.
S6, receiving the second distribution data sent by the mobile communication terminal, wherein the second distribution data comprises mobile communication terminal certificate information, private key information and second distribution signature information;
S7, verifying the second distribution signature, decrypting the second distribution data to obtain the private key of the mobile communication terminal, encrypting the second component of the private key of the mobile communication terminal, and sending it together with the key management center certificate, the mobile communication terminal certificate and the second distribution hash value to the mobile communication terminal;
S8, receiving the distribution success signal of the mobile communication terminal.
Specifically, step S4 includes the following steps:
A1, verifying the first distribution hash value;
A2, adopting the SM4 algorithm, decrypting the request information of the mobile communication terminal with the temporary communication key to obtain the number of the mobile communication terminal;
A3, adopting the SM2 algorithm, encrypting the ID of the electronic lock, the ID of the electronic lock security chip and the number of the mobile communication terminal with the public key of the key management center to obtain the first distribution encryption information;
A4, adopting the SM2 algorithm to perform the first distribution signature;
A5, sending the first distribution encryption information and the first distribution signature information to the mobile communication terminal.
Step S7 includes the following steps:
B1, adopting the SM2 algorithm, verifying the second distribution signature information with the public key of the key management center;
B2, adopting the SM2 algorithm, decrypting the second distribution data with the private key of the electronic lock security chip to obtain the private key of the mobile communication terminal;
B3, adopting the SM4 algorithm, encrypting the second component of the private key of the mobile communication terminal with the temporary communication key to obtain the second distribution encryption component of the private key of the mobile communication terminal;
B4, sending the key management center certificate, the mobile communication terminal certificate, the second distribution encryption component of the mobile communication terminal private key and the second distribution hash value as third distribution data to the mobile communication terminal.
The mobile communication terminal generates a temporary communication key from the manually input temporary communication password, encrypts its own number with the temporary communication key, and sends the electronic lock end a request for a mobile communication terminal certificate and private key. It forwards the electronic lock's first distribution data to the key management center end and forwards the key management center's second distribution data to the electronic lock end. It then decrypts the third distribution data sent by the electronic lock end with the temporary communication key, obtains the second component of the mobile communication terminal private key and stores it encrypted, and verifies the key management center certificate and the mobile communication terminal certificate.
On the mobile communication terminal, the method comprises the following steps:
C1, establishing network connection with the electronic lock end;
C2, generating a temporary communication key by adopting a national cryptographic algorithm based on the temporary communication password;
The N-digit data manually input by the user is used as the temporary communication password, and the temporary communication key is generated from it using the SM3 algorithm.
C3, encrypting the number of the mobile communication terminal with the temporary communication key;
C4, sending an application to the electronic lock end requesting a mobile communication terminal certificate and a mobile communication terminal private key, and sending the encrypted mobile communication terminal number and the first distribution hash value to the electronic lock end;
C5, receiving the first distribution data sent by the electronic lock end and forwarding it to the key management center end;
C6, receiving the second distribution data sent by the key management center end and forwarding it to the electronic lock end;
C7, receiving and decrypting the third distribution data sent by the electronic lock end to obtain the key management center certificate, the mobile communication terminal certificate and the second component of the mobile communication terminal private key, and storing the second component of the mobile communication terminal private key encrypted;
C8, sending distribution success information to the electronic lock end and the key management center end respectively.
Specifically, step C7 includes the following steps:
D1, verifying the second distribution hash value;
D2, decrypting the third distribution data with the temporary communication key to obtain the second component of the private key of the mobile communication terminal;
D3, verifying the key management center certificate and the mobile communication terminal certificate;
D4, encrypting and storing the second component of the private key of the mobile communication terminal.
The method comprises the steps that a crypto-control center end decrypts first distribution data through a crypto-control center private key to obtain an electronic lock ID, an electronic lock security chip ID and a mobile communication end number, a corresponding electronic lock security chip public key is searched based on the electronic lock security chip ID, a first distribution signature of the electronic lock end is verified, a certificate and a private key corresponding to the mobile communication end number are generated, the mobile communication end private key is encrypted through the electronic lock security chip public key and signed to obtain a second distribution signature, and the mobile communication end certificate, the encrypted private key and the second distribution signature are used as second distribution data to be sent to the mobile communication end.
The method comprises the following steps:
W1, receiving first distribution data sent by the mobile communication terminal;
W2, decrypting the first distribution data by using the crypto-control center private key to obtain an electronic lock ID, an electronic lock security chip ID and a mobile communication terminal number;
W3, searching for the public key of the electronic lock security chip according to the ID of the electronic lock security chip;
W4, adopting the SM2 algorithm, and verifying the first distribution signature information by using the public key of the electronic lock security chip;
W5, generating a mobile communication terminal certificate and a private key corresponding to the mobile communication terminal number;
W6, adopting the SM2 algorithm, encrypting the private key of the mobile communication terminal by using the public key of the electronic lock security chip to obtain the encrypted private key of the mobile communication terminal, and signing to obtain second distribution signature information;
W7, sending second distribution data consisting of a mobile communication terminal certificate, a mobile communication terminal encryption private key and second distribution signature information to the mobile communication terminal;
W8, receiving the distribution success information sent by the mobile communication terminal.
An artificially entered N-digit number, N being a positive integer greater than 1.
The mobile communication terminal private key comprises a first component of the mobile communication terminal private key and a second component of the mobile communication terminal private key, and the first component and the second component are encrypted respectively to obtain a first distribution encryption component and a second distribution encryption component.
After the distribution process is completed, the electronic lock end stores an electronic lock public key, an electronic lock private key, a crypto-control center end certificate and a first component of a mobile communication end private key, the crypto-control center end stores a crypto-control center public key, a crypto-control center private key, an electronic lock public key, an electronic lock private key, a mobile communication end public key and a mobile communication end private key, and the mobile communication end stores a mobile communication end public key, a mobile communication end private key second component and a crypto-control center end certificate.
Detailed description of the invention
In the electronic lock security system, the mobile communication terminal must be bound with the electronic lock terminal to realize identity authentication and user registration of both parties; a flow chart of binding the mobile communication terminal and the electronic lock terminal is shown in fig. 2.
In the binding process, the electronic lock end generates a first binding random number, encrypts the first binding random number with the public key of the mobile communication end and sends it to the mobile communication end; receives second binding data which is sent by the mobile communication terminal and generated based on the first binding random number, decrypts the second binding data by using the first component of the private key of the mobile communication terminal, and sends the decrypted data to the mobile communication terminal; and receives fourth binding data which is sent by the mobile communication terminal and generated based on the first binding random number and the second binding random number, decrypts the fourth binding data by using the private key of the electronic lock security chip to obtain a first binding random number copy, and authenticates the mobile communication terminal by comparing the first binding random number with the first binding random number copy. The electronic lock end then generates a master key based on the first binding random number and the second binding random number, and records the corresponding relation between the mobile communication terminal number, the mobile communication terminal public key and the master key.
The binding of the electronic lock end comprises the following steps:
A11, connecting a mobile communication terminal through a network;
A12, receiving the relevant binding information and the first binding hash value of the mobile communication terminal;
A13, obtaining a public key of the mobile communication terminal from the relevant binding information of the mobile communication terminal, generating and encrypting a first binding random number to obtain a first binding encrypted random number, wherein the first binding encrypted random number and the electronic lock security chip certificate form a first binding array which is sent to the mobile communication terminal together with a second binding hash value;
A14, receiving a second binding array and a third binding hash value of the mobile communication terminal after decryption based on the first binding encrypted random number;
A15, decrypting the second binding array according to the first component of the private key of the mobile communication terminal to obtain a third binding array, and sending the third binding array and the fourth binding hash value to the mobile communication terminal;
A16, receiving a fourth binding array and a fifth binding hash value of the mobile communication terminal, wherein the fourth binding array contains data generated based on the first binding random number and the second binding random number;
A17, obtaining a first binding random number copy and second binding random mirror image data from the fourth binding array according to the private key of the electronic lock security chip, and judging that the mobile communication terminal is legal when the first binding random number copy is equal to the first binding random number; encrypting the ID of the electronic lock security chip and the second binding random mirror image data to form a fifth binding array, and sending the fifth binding array and the sixth binding hash value to the mobile communication terminal;
A18, receiving a sixth binding array and a seventh binding hash value of the mobile communication terminal, wherein the sixth binding array comprises successful authentication information of the mobile communication terminal and encrypted number information of the mobile communication terminal; generating a master key according to the first binding random number and the second binding random number and storing it; decrypting and recording the number of the mobile communication terminal, and recording the corresponding relation of the number of the mobile communication terminal, the public key of the mobile communication terminal and the master key; and sending the first binding success information and the eighth binding hash value to the mobile communication terminal.
Step A13 includes verifying the first binding hash value and the mobile communication terminal certificate, and encrypting the first binding random number according to the mobile communication terminal public key by using SM2 algorithm to obtain a first binding encrypted random number.
Step A17 includes the following steps:
B11, verifying the fifth binding hash value;
B12, decrypting the fourth binding array by using the private key of the electronic lock security chip to obtain a first binding random number copy and second binding random mirror image data;
B13, comparing whether the first binding random number copy is equal to the first binding random number; if so, entering the next step; if not, judging that the mobile communication terminal is illegal, and sending binding failure information to the mobile communication terminal;
B14, judging that the mobile communication terminal is legal;
B15, obtaining a sixth binding hash value by adopting a hash algorithm, and encrypting the ID of the electronic lock security chip and the second binding random mirror image data by using an SM4 algorithm according to the first binding random number to obtain a fifth binding array;
B16, sending the fifth binding array and the sixth binding hash value to the mobile communication terminal.
Step A18 includes the following steps:
C11, receiving a sixth binding array and a seventh binding hash value of the mobile communication terminal;
C12, verifying the seventh binding hash value;
C13, generating a master key from the first binding random number and the second binding random number, and encrypting and storing the master key;
C14, decrypting the number information of the mobile communication terminal;
C15, recording the corresponding relation between the number of the mobile communication terminal, the public key of the mobile communication terminal and the master key;
C16, encrypting the binding success information with the master key and sending it to the mobile communication terminal.
In step C16, the binding success information is encrypted with the SM4 algorithm according to the master key, and the binding success information and the eighth binding hash value are sent to the mobile communication terminal.
The mobile communication terminal sends the mobile communication terminal certificate and the first binding hash value to the electronic lock terminal, decrypts the first binding array sent by the electronic lock terminal to obtain a second binding array, and sends the second binding array to the electronic lock terminal; decrypts a third binding array sent by the electronic lock end to obtain first binding random mirror image data, generates a second binding random number, and encrypts the first binding random mirror image data and the second binding random number to obtain a fourth binding array; sends the fourth binding array and the fifth binding hash value to the electronic lock end; receives and decrypts the fifth binding array sent by the electronic lock terminal to obtain the ID of the electronic lock security chip and a copy of the second binding random number, determines that the electronic lock is legal when the second binding random number is the same as the copy of the second binding random number, and sends the encrypted mobile communication terminal number and the authentication success information to the electronic lock terminal; and generates a master key based on the first binding random number and the second binding random number, records the corresponding relation between the ID/address of the electronic lock security chip, the electronic lock security chip public key and the master key, and receives the unlocking key and electronic lock address information issued by the service server.
The binding of the mobile communication terminal comprises the following steps:
D11, connecting the electronic lock end through the network;
D12, sending the certificate of the mobile communication terminal and the first binding hash value to the electronic lock terminal;
D13, receiving a second binding hash value, an electronic lock security chip certificate and first binding encrypted random number information sent by the electronic lock terminal;
D14, decrypting the first binding encrypted random number by adopting the second component of the private key of the mobile communication terminal to obtain a second binding array, and sending the second binding array and the third binding hash value to the electronic lock terminal;
D15, receiving a third binding array and a fourth binding hash value sent by the electronic lock end; decrypting the third binding array to obtain first random mirror image data; generating a second binding random number, encrypting the first random mirror image data and the second binding random number by adopting a public key of the electronic lock security chip to obtain a fourth binding array, and sending the fourth binding array and the fifth binding hash value to the electronic lock end;
D16, receiving a fifth binding array sent by the electronic lock terminal, decrypting the fifth binding array by using the first binding random number to obtain a second binding random number copy, and judging that the electronic lock is legal when the second binding random number copy is equal to the second binding random number; encrypting the number of the mobile communication terminal to obtain a sixth binding array, and sending the sixth binding array, the seventh binding hash value and the authentication success information to the electronic lock terminal;
D17, generating a master key according to the first binding random number and the second binding random number, and encrypting and storing it; recording the corresponding relation between the ID or/and the address of the electronic lock security chip, the public key of the electronic lock security chip and the master key;
D18, receiving first binding success information and an eighth binding hash value of the electronic lock end;
D19, sending the second binding success information to the service server, and receiving the unlocking key and the electronic lock address information sent by the service server.
Step D15 includes the following steps:
E11, verifying the fourth binding hash value;
E12, decrypting the third binding array by using the second component of the private key of the mobile communication terminal to obtain first random mirror image data;
E13, verifying the electronic lock security chip certificate, and acquiring the electronic lock security chip public key from the electronic lock security chip certificate;
E14, generating a second binding random number, and encrypting the second binding random number and the first random mirror image data by using the public key of the electronic lock security chip to obtain a fourth binding array;
E15, sending the fourth binding array and the fifth binding hash value to the electronic lock terminal.
Step D16 includes the following steps:
R11, receiving a fifth binding array and a sixth binding hash value sent by the electronic lock end;
R12, verifying the sixth binding hash value;
R13, decrypting the fifth binding array by using the first binding random number to obtain a second binding random number copy, wherein the fifth binding array comprises the ID of the electronic lock security chip and second binding random mirror image data;
R14, comparing whether the second binding random number copy is equal to the second binding random number; if so, entering the next step; if not, judging that the electronic lock is illegal, and prompting at the mobile communication terminal;
R15, judging that the electronic lock is legal;
R16, encrypting the mobile communication terminal number with the first binding random number;
R17, sending the authentication success information, the mobile communication terminal number encryption information and the seventh binding hash value to the electronic lock terminal.
Step D18 includes the following steps:
Q11, receiving first binding success information and an eighth binding hash value of the electronic lock end;
Q12, decrypting the first binding success information by using the master key to obtain second binding success information;
Q13, sending the second binding success information to the service server;
Q14, receiving unlocking keys and electronic lock address information corresponding to the electronic lock ID issued by the service server.
Detailed description of the invention
In the electronic lock security system, when the mobile communication terminal unlocks, it searches for the corresponding master key based on the Bluetooth address of the electronic lock, generates an unlocking random number and a timestamp, encrypts the unlocking random number with the master key, and uses the resulting data to encrypt the unlocking key, as shown in fig. 3.
The method comprises the following steps:
S21, connecting the electronic lock based on the network;
S22, generating an unlocking encryption key, an unlocking random number and a timestamp to form a first unlocking array;
S23, sending unlocking request information to the electronic lock;
S24, receiving the unlocking success information of the electronic lock and the second unlocking hash value, and decrypting.
Specifically, step S22 includes the following steps:
A21, searching for the corresponding master key based on the Bluetooth address of the electronic lock;
A22, generating an unlocking random number;
A23, encrypting the unlocking random number by using the master key to obtain a key encryption key;
A24, encrypting the unlocking key by using the key encryption key to obtain the unlocking encryption key;
A25, generating a timestamp.
In step S23, the unlocking request information includes the mobile communication terminal number, the unlocking encryption key, the unlocking random number and timestamp, and the first unlocking hash value.
After the unlocking succeeds, the unlocking success information is reported to the service server side.
The electronic lock end verifies the timestamp, searches for the corresponding master key based on the number of the mobile communication end, encrypts the unlocking random number with the master key, uses the resulting data to decrypt the unlocking encryption key and obtain the unlocking key, and performs an unlocking or non-unlocking operation according to the attributes of the unlocking key.
The method comprises the following steps:
Q21, connecting with the mobile communication terminal based on the network;
Q22, receiving unlocking request information sent by the mobile communication terminal;
Q23, obtaining the number of the mobile communication terminal according to the unlocking request information, and decrypting the unlocking encryption key to obtain the unlocking key;
Q24, performing the corresponding operation according to the attributes of the unlocking key;
Q25, after the unlocking is successful, sending unlocking success information to the mobile communication terminal.
Specifically, the step Q23 includes the following steps:
B21, verifying the first unlocking hash value in the unlocking request information;
B22, verifying the timestamp in the unlocking request information;
B23, finding the corresponding master key based on the number of the mobile communication terminal in the unlocking request information;
B24, encrypting the unlocking random number in the unlocking request information by using the master key to obtain a key encryption key;
B25, decrypting the unlocking encryption key by using the key encryption key to obtain the unlocking key.
In step Q24, the attributes of the unlock key include key authority and key validity period.
In step Q25, the unlocking success information includes a second unlocking hash value.
The hash ensures integrity; the timestamp prevents replay; the master key (MK) negotiated during device binding prevents counterfeiting; encryption ensures the confidentiality of the key; and the key that encrypts the unlocking information is randomly generated.
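The unlocking exchange of steps A22 to A25 and B21 to B25, followed by the attribute check of step Q24, as an added example that is not part of the patent text. HMAC-SHA256 and a SHA-256 XOR keystream stand in for SM4, SHA-256 stands in for the unnamed hash algorithm, and the 30-second timestamp window, the key layout (expiry plus secret), the field encoding, the lock's stored copy of the key secret and all sample values are assumptions.

```python
import hashlib
import hmac
import os
import struct

MAX_SKEW = 30  # assumed freshness window in seconds; the text gives no value


def block_enc(key: bytes, data: bytes) -> bytes:
    """Stand-in for SM4-encrypting the random number: 16-byte keyed output."""
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for SM4 encryption/decryption (XOR keystream, demo only)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + struct.pack(">I", i // 32)).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)


def request_hash(number: str, enc_key: bytes, nonce: bytes, ts: int) -> bytes:
    """First unlocking hash value over every request field (assumed coverage)."""
    h = hashlib.sha256()
    for part in (number.encode(), enc_key, nonce, struct.pack(">Q", ts)):
        h.update(struct.pack(">H", len(part)) + part)  # length-prefixed fields
    return h.digest()


def pack_unlock_key(secret: bytes, not_after: int) -> bytes:
    """Constructed key layout: 8-byte expiry followed by the key secret."""
    return struct.pack(">Q", not_after) + secret


def build_request(number, master_key, unlock_key, now):
    """Mobile side; the caller has already looked up master_key (A21)."""
    nonce = os.urandom(16)                    # A22: unlocking random number
    kek = block_enc(master_key, nonce)        # A23: key encryption key
    enc_key = stream_xor(kek, unlock_key)     # A24: unlocking encryption key
    return {"number": number, "enc_key": enc_key, "nonce": nonce,
            "ts": now,                        # A25: timestamp
            "hash": request_hash(number, enc_key, nonce, now)}


def lock_handle(req, master_keys, lock_secret, now):
    """Lock side: B21-B25 in order, then the validity check of Q24."""
    expected = request_hash(req["number"], req["enc_key"],
                            req["nonce"], req["ts"])
    if not hmac.compare_digest(expected, req["hash"]):   # B21: hash
        return "reject: hash mismatch"
    if abs(now - req["ts"]) > MAX_SKEW:                  # B22: timestamp
        return "reject: stale timestamp"
    mk = master_keys.get(req["number"])                  # B23: master key
    if mk is None:
        return "reject: unbound terminal"
    kek = block_enc(mk, req["nonce"])                    # B24: rebuild the KEK
    plain = stream_xor(kek, req["enc_key"])              # B25: unlocking key
    if len(plain) < 8:
        return "reject: malformed key"
    not_after, secret = struct.unpack(">Q", plain[:8])[0], plain[8:]
    if not hmac.compare_digest(secret, lock_secret):     # assumed: lock stores it
        return "reject: wrong key"
    if now > not_after:                                  # Q24: validity period
        return "reject: key expired"
    return "unlock"


def demo():
    """Constructed sample values: one fresh request, then the same one replayed."""
    mk = bytes(range(16))
    secret = b"door-7-key"
    keys = {"13800000000": mk}
    req = build_request("13800000000", mk, pack_unlock_key(secret, 2000), 1000)
    return (lock_handle(req, keys, secret, 1005),
            lock_handle(req, keys, secret, 1100))


if __name__ == "__main__":
    print(demo())
```

Because the key encryption key is rebuilt on the lock from the received random number and the master key stored at binding, a request prepared under a different master key decrypts to a value that fails the comparison.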
Detailed description of the preferred embodiment
In the electronic lock security system of the invention, as shown in fig. 4 and 5, a mobile communication terminal authorizes a third party to unlock: the mobile communication terminal sends a third party unlocking request to the service server end to obtain a temporary unlocking key, generates a third party unlocking random number, encrypts the third party unlocking random number with the master key corresponding to the electronic lock ID, uses the resulting data to encrypt the temporary unlocking key and obtain a temporary unlocking encryption key, and sends the temporary unlocking encryption key to the service server end for authorization.
In the figure, PNA represents the number of the mobile communication terminal, PNB represents the number of the third party, and in this embodiment, the mobile communication terminal and the third party are both mobile phones.
The method comprises the following steps:
S31, the mobile communication terminal sends authorized third party unlocking request information to the service server end;
S32, receiving a temporary unlocking key sent by the service server;
S33, generating a third party unlocking random number, and encrypting the temporary unlocking key to obtain a temporary unlocking encryption key;
S34, sending the third party unlocking random number and the temporary unlocking encryption key to the service server;
S35, receiving the offline notification information of the service server.
Specifically, the third party unlocking request information includes a third party number, and the temporary unlocking key is used for unlocking the corresponding electronic lock ID by the third party number.
Step S33 includes the following steps:
A31, the mobile communication terminal encrypts the third party unlocking random number with the master key corresponding to the ID of the electronic lock to obtain a third party key encryption key;
A32, encrypting the temporary unlocking key by using the key encryption key to obtain the temporary unlocking encryption key.
The service server receives the authorized third party unlocking request of the mobile communication terminal, generates a temporary unlocking key for the third party number corresponding to the ID of the electronic lock, sends the temporary unlocking key to the mobile communication terminal, and receives the third party unlocking random number and the temporary unlocking encryption key information generated by the mobile communication terminal; after receiving the information that the third party has logged in with the account of the mobile communication terminal, it notifies the mobile communication terminal that it is offline; it then receives the unlocking key request information of the third party, obtains the electronic lock address according to the ID of the electronic lock, and sends the third party unlocking random number, the temporary unlocking encryption key and the electronic lock address to the third party.
The method comprises the following steps:
B31, receiving authorized third party unlocking request information sent by the mobile communication terminal;
B32, generating a temporary unlocking key for the third party corresponding to the electronic lock ID;
B33, issuing the temporary unlocking key to the mobile communication terminal;
B34, receiving a third party unlocking random number and a temporary unlocking encryption key sent by the mobile communication terminal;
B35, receiving the information that the third party has logged in with the account of the mobile communication terminal, and establishing communication with the third party;
B36, sending an offline notification message to the mobile communication terminal;
B37, receiving a request of the third party for issuing an unlocking key;
B38, acquiring the Bluetooth address of the electronic lock according to the ID of the electronic lock;
B39, sending the random number, the temporary unlocking encryption key and the electronic lock Bluetooth address to the third party;
B310, receiving the unlocking success information of the third party.
In the authorization process, the third party receives and stores the third party unlocking random number, the temporary unlocking encryption key and the electronic lock Bluetooth address; in the unlocking process, after the Bluetooth address stored by the third party is matched with the electronic lock Bluetooth address, the connection with the electronic lock is completed, the corresponding mobile communication terminal number and the temporary unlocking encryption key are searched for according to the lock Bluetooth address, a timestamp is generated, the unlocking request related information is sent to the electronic lock, and the unlocking success information of the electronic lock is received.
The third party comprises the following steps in the authorization process:
C31, logging in with the account of the mobile communication terminal, and establishing communication with the service server;
C32, sending a door lock key request to the service server;
C33, receiving the third party unlocking random number, the temporary unlocking encryption key and the electronic lock Bluetooth address information sent by the service server side;
C34, storing the random number, the temporary unlocking encryption key and the electronic lock Bluetooth address.
The third party comprises the following steps in the unlocking process:
D31, connecting the electronic lock based on the Bluetooth network, confirming the information of the electronic lock, and completing the connection with the electronic lock after matching;
D32, searching for the corresponding mobile communication terminal number and the temporary unlocking encryption key according to the electronic lock address;
D33, generating a timestamp; forming a third party unlocking first array from the third party unlocking random number, the temporary unlocking encryption key, the mobile communication terminal number and the timestamp;
D34, sending the third party unlocking first array and the unlocking request information to the electronic lock terminal;
D35, receiving unlocking success information of the electronic lock end;
D36, sending unlocking success information to the service server.
Specifically, in step D31, the third party receives the electronic lock address information sent by the electronic lock terminal, and matches the received electronic lock address information with the electronic lock address saved by the third party.
The unlocking request information comprises a first hash value for unlocking by the third party.
In the unlocking process, the electronic lock is matched against the address stored by the third party while the connection between the electronic lock and the third party is established; the electronic lock receives the unlocking request and related information sent by the third party, verifies them, obtains the master key based on the number of the mobile communication terminal, decrypts the related information to obtain the temporary unlocking key, performs the corresponding operation according to the attributes of the temporary unlocking key, and sends unlocking success information to the third party after the unlocking succeeds.
The method comprises the following steps:
E31, establishing a connection with the third party based on Bluetooth;
E32, receiving the unlocking request information of the third party and the third party unlocking first array;
E33, decrypting the temporary unlocking encryption key to obtain a temporary unlocking key;
E34, performing the corresponding operation according to the attribute and the validity period of the temporary unlocking key;
E35, after the unlocking is successful, sending unlocking success information to the mobile communication terminal.
Specifically, in step E32, the unlocking request information of the third party includes the third party unlocking first hash value.
The first array for unlocking by the third party comprises a random number for unlocking by the third party, a temporary unlocking encryption key, a mobile communication terminal number and a timestamp.
Step E33 includes the following steps:
F31, verifying the third party unlocking first hash value in the third party unlocking request information;
F32, verifying the timestamp in the third party unlocking first array;
F33, searching for the corresponding master key based on the mobile communication terminal number in the third party unlocking first array;
F34, encrypting the third party unlocking random number in the third party unlocking first array by using the master key to obtain a key encryption key;
F35, decrypting the temporary unlocking encryption key in the first array by using the key encryption key to obtain the temporary unlocking key.
The unlocking success information comprises a third party unlocking second hash value.
Detailed description of the invention
The invention relates to an electronic lock security system which is applied to access control and comprises an access control end, a mobile communication end, a service server end and a crypto-control center end. The flow is divided into two processes, access control key acquisition and access control unlocking, as shown in fig. 6 and 7.
The mobile communication terminal, the service server terminal and the crypto-control center end participate in the process of acquiring the access control key, and the mobile communication terminal and the access control end participate in the process of unlocking the access control.
In the process of acquiring the access control key, the mobile communication terminal sends an access control key request to the service server terminal, and receives and stores the access control address, the access control encryption key and the signature information.
In the unlocking process, after the mobile communication terminal is matched with the access control Bluetooth address, the connection with the access control end is completed; the mobile communication terminal searches for the corresponding temporary access control encryption key according to the access control Bluetooth address, generates a timestamp, sends them to the access control end, and receives the unlocking success information of the access control end.
Acquiring the access control key includes the following steps:
S41, the mobile communication terminal sends an access control key application to the service server terminal through the network;
S42, receiving access control unlocking information sent from the service server, wherein the access control unlocking information comprises an access control address, an access control encryption key and signature information;
S43, storing the access control unlocking information.
Opening the access control with the key includes the following steps:
A41, matching with the access control end according to the access control address based on the network, and completing the connection with the access control end;
A42, searching for the corresponding access control encryption key according to the access control address;
A43, generating a timestamp;
A44, sending the access control unlocking related information to the access control end;
A45, receiving the access control unlocking success information and a second hash value sent by the access control end;
A46, reporting the access control unlocking success information to the service server side.
Specifically, the entrance guard unlocking related information comprises an entrance guard encryption key, a timestamp, signature information and a first hash value.
And the network connection between the mobile communication terminal and the entrance guard comprises Bluetooth, WIFI and the like.
Step a46 is an optional item, that is, reporting information or not reporting information does not affect unlocking.
The business server receives the access control key request information of the mobile communication terminal in the process of acquiring the access control key, searches for the corresponding access control unlocking key according to the applied access control ID, sends the access control unlocking key to the crypto-tube central terminal, receives the access control encryption key and the first access control signature sent by the crypto-tube central terminal, obtains an access control Bluetooth address according to the access control ID, and sends the access control Bluetooth address, the access control unlocking encryption key and the first access control signature information to the mobile communication terminal.
The method comprises the following steps: b41, receiving an access key issuing application sent by the mobile communication terminal; b42, searching for an entrance guard unlocking key according to the application entrance guard ID;
b43, sending the entrance guard ID and the entrance guard unlocking key information to a crypto tube center; b44, receiving the access control encryption key and the signature information sent by the crypto-control center; b45, obtaining an entrance guard Bluetooth address according to the entrance guard ID; b46, sending the entrance guard Bluetooth address, the entrance guard encryption key and the signature information to the mobile communication terminal.
The key management center receives the access control ID and the access control key information from the service server, looks up the corresponding access control security chip public key according to the access control ID, encrypts the access control key with that public key to obtain the access control encryption key, signs the access control encryption key, and sends the access control encryption key to the service server.
The method comprises the following steps:
C41, receiving the access control ID and the access control key information sent by the service server;
C42, looking up the public key of the corresponding access control security chip according to the access control ID;
C43, encrypting the access control unlocking key with the access control security chip public key to obtain the access control encryption key;
C44, signing the access control encryption key;
C45, sending the access control encryption key and the signature information to the service server.
After connecting with the mobile communication terminal, the access control end receives the unlocking related information sent by the mobile communication terminal, which includes the access control encryption key, the signature, the timestamp and the first access control unlocking hash value; it verifies this information, decrypts with the access control private key to obtain the unlocking key, and performs the corresponding operation according to the key attribute.
The method comprises the following steps:
D41, completing the connection with the mobile communication terminal over the network;
D42, receiving the unlocking related information sent by the mobile communication terminal;
D43, decrypting the access control encryption key to obtain the access control unlocking key;
D44, performing the corresponding operation according to the attribute of the access control unlocking key;
D45, after the unlocking succeeds, sending the unlocking success information to the mobile communication terminal.
Specifically, in step D43, the unlocking related information includes the access control encryption key, a timestamp, signature information and a first hash value.
Step D43 includes the following steps:
E41, verifying the first hash value;
E42, verifying the timestamp;
E43, verifying the signature with the public key of the key management center;
E44, decrypting the access control encryption key with the access control private key to obtain the access control unlocking key.
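The checks of steps E41 to E44 at the access control end, in runnable form. This is an added example, not code from the patent: RSA-OAEP and RSA with SHA-256 stand in for the algorithms the text leaves unnamed, and the function names, the input of the first hash, the 30-second freshness window and all keys and values are assumptions constructed for the illustration.

```javascript
// Added example, not code from the patent. Assumptions: RSA-OAEP and RSA/SHA-256
// stand in for the unnamed algorithms; the first hash is SHA-256 over the other
// three fields; the freshness window is 30 s. Keys and values are constructed.
const nodeCrypto = require('node:crypto');

const MAX_SKEW_MS = 30_000;
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

function firstHash(encKey, timestamp, signature) {
  const ts = Buffer.alloc(8);
  ts.writeBigUInt64BE(BigInt(timestamp));
  return nodeCrypto.createHash('sha256').update(Buffer.concat([encKey, ts, signature])).digest();
}

// Key management center, C42-C44: encrypt to the chip, then sign the ciphertext.
function issueEncryptedKey(unlockKey, chipPublicKey, centerPrivateKey) {
  const encKey = nodeCrypto.publicEncrypt({ key: chipPublicKey, ...OAEP }, unlockKey);
  return { encKey, signature: nodeCrypto.sign('sha256', encKey, centerPrivateKey) };
}

// Mobile communication terminal, A43-A44: attach the timestamp and the first hash.
function buildUnlockMessage({ encKey, signature }, now) {
  return { encKey, signature, timestamp: now, hash: firstHash(encKey, now, signature) };
}

// Access control end, E41-E44, in the order the text gives. The private key is
// only used once the hash, the timestamp and the signature have all passed.
function verifyAndDecrypt(msg, now, centerPublicKey, chipPrivateKey) {
  const expected = firstHash(msg.encKey, msg.timestamp, msg.signature);
  if (msg.hash.length !== expected.length || !nodeCrypto.timingSafeEqual(msg.hash, expected)) {
    return { ok: false, reason: 'E41 hash mismatch' };
  }
  if (Math.abs(now - msg.timestamp) > MAX_SKEW_MS) {
    return { ok: false, reason: 'E42 stale timestamp' };
  }
  if (!nodeCrypto.verify('sha256', msg.encKey, centerPublicKey, msg.signature)) {
    return { ok: false, reason: 'E43 bad signature' };
  }
  try {
    const unlockKey = nodeCrypto.privateDecrypt({ key: chipPrivateKey, ...OAEP }, msg.encKey);
    return { ok: true, unlockKey };
  } catch {
    return { ok: false, reason: 'E44 decryption failed' };
  }
}

function demo() {
  const gen = () => nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const center = gen(), chip = gen(), otherSigner = gen();
  const unlockKey = Buffer.from('constructed-unlock-key');
  const t0 = 1_700_000_000_000; // constructed clock value in milliseconds
  const check = (m, now) => verifyAndDecrypt(m, now, center.publicKey, chip.privateKey);

  const msg = buildUnlockMessage(issueEncryptedKey(unlockKey, chip.publicKey, center.privateKey), t0);
  const flipped = { ...msg, encKey: Buffer.from(msg.encKey) };
  flipped.encKey[0] ^= 1; // one bit changed in transit
  // Ciphertext signed by a key other than the center's, with a matching hash.
  const notFromCenter = buildUnlockMessage(
    issueEncryptedKey(unlockKey, chip.publicKey, otherSigner.privateKey), t0);
  return {
    fresh: check(msg, t0 + 2_000),
    replayed: check(msg, t0 + 120_000),
    tampered: check(flipped, t0 + 2_000),
    wrongSigner: check(notFromCenter, t0 + 2_000),
  };
}

const results = demo();
for (const [name, r] of Object.entries(results)) console.log(name, r.ok ? 'accepted' : r.reason);
```

Under the assumed unkeyed hash, the message signed by another key passes E41 and E42 and is stopped only at E43, which is why the signature check has to run before the chip's private key touches the ciphertext.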
The embodiments described above are preferred embodiments of the present invention and do not limit its scope of protection; all equivalent changes made according to the structure, shape and principle of the invention are therefore covered by the scope of protection of the invention.

Claims (11)

1. A binding authentication method for an electronic lock security system, characterized in that: the electronic lock security system comprises an electronic lock end and a mobile communication end; the electronic lock end generates a first binding random number, the first binding random number is encrypted using the public key of the mobile communication end, data generated based on the first binding random number and the second binding random number are decrypted using a first component of the private key of the mobile communication end and the private key of the electronic lock security chip to obtain a first binding random number copy, and the mobile communication end is authenticated by comparing the first binding random number with the first binding random number copy.
2. The binding authentication method of an electronic lock security system according to claim 1, wherein: the binding of the electronic lock end comprises the following steps:
A1, connecting a mobile communication terminal through a network;
A2, receiving the relevant binding information of the mobile communication terminal and a first binding hash value;
A3, obtaining a public key of the mobile communication terminal from the relevant binding information of the mobile communication terminal, generating and encrypting a first binding random number to obtain a first binding encrypted random number, wherein the first binding encrypted random number and the electronic lock security chip certificate form a first binding array which is sent to the mobile communication terminal together with a second binding hash value;
A4, receiving a third binding hash value of the mobile communication terminal and a second binding array of the decrypted first binding encrypted random number;
A5, decrypting the second binding array according to the first component of the private key of the mobile communication terminal to obtain a third binding array, and sending the third binding array and the fourth binding hash value to the mobile communication terminal;
A6, receiving a fourth binding array and a fifth binding hash value of the mobile communication terminal, wherein the fourth binding array contains data generated based on the first binding random number and the second binding random number;
A7, obtaining a first binding random number copy and second binding random mirror image data from a fourth binding array according to the private key of the electronic lock security chip, and judging that the mobile communication terminal is legal when the first binding random number copy is equal to the first binding random number; encrypting the ID of the electronic lock security chip and the second binding random mirror image data to form a fifth binding array, and sending the fifth binding array and the sixth binding hash value to the mobile communication terminal;
A8, receiving a sixth binding array and a seventh binding hash value of the mobile communication terminal, wherein the sixth binding array comprises successful authentication information of the mobile communication terminal and encrypted number information of the mobile communication terminal; generating a master key according to the first binding random number and the second binding random number, storing, decrypting and recording the number of the mobile communication terminal, and recording the corresponding relation of the number of the mobile communication terminal, the public key of the mobile communication terminal and the master key; and sending the first binding success information and the eighth binding hash value to the mobile communication terminal.
3. The binding authentication method of an electronic lock security system according to claim 2, wherein: step A3 includes verifying the first binding hash value and the mobile communication terminal certificate, and encrypting the first binding random number according to the public key of the mobile communication terminal to obtain a first binding encrypted random number.
4. The binding authentication method of an electronic lock security system according to claim 2, wherein: step A7 includes the following steps:
B1, verifying the fifth binding hash value;
B2, decrypting the fourth binding array by using the private key of the electronic lock security chip to obtain a first binding random number copy and second binding random mirror image data;
B3, comparing whether the first binding random number copy data is equal to the first binding random number, if so, entering the next step, if not, judging that the mobile communication terminal is illegal, and sending binding failure information to the mobile communication terminal;
B4, judging that the mobile communication terminal is legal;
B5, obtaining a sixth binding hash value by adopting a hash algorithm, and encrypting the ID of the electronic lock security chip and the second binding random mirror image data according to the first binding random number to obtain a fifth binding array;
B6, sending the fifth binding array and the sixth binding hash value to the mobile communication terminal.
5. The binding authentication method of an electronic lock security system according to claim 2, wherein: step A8 includes the following steps:
C1, verifying the seventh binding hash value sent by the mobile communication terminal;
C2, generating a master key by the first binding random number and the second binding random number, encrypting and storing the master key;
C3, decrypting the number information of the mobile communication terminal;
C4, recording the corresponding relation between the number of the mobile communication terminal, the public key of the mobile communication terminal and the master key;
C5, encrypting the master key and sending the binding success information to the mobile communication terminal.
6. A binding authentication method for an electronic lock security system, characterized in that: the electronic lock security system comprises an electronic lock end and a mobile communication end; the mobile communication terminal sends the mobile communication terminal certificate and the first binding hash value to the electronic lock terminal, decrypts the first binding array sent by the electronic lock terminal, and sends the second binding array to the electronic lock terminal; decrypts a third binding array sent by the electronic lock end to obtain first binding random mirror image data, generates a second binding random number, and encrypts the first binding random mirror image data and the second binding random number to obtain a fourth binding random array; sends the fourth binding random array and the fifth binding hash value to the electronic lock end; and receives and decrypts the fifth binding array sent by the electronic lock terminal to obtain the ID of the electronic lock security chip and the second binding random number copy, and compares the second binding random number with the second binding random number copy to realize the authentication of the electronic lock.
7. The binding authentication method of an electronic lock security system according to claim 6, wherein: the binding of the mobile communication terminal comprises the following steps:
D1, connecting the electronic lock end through the network;
D2, sending the certificate of the mobile communication terminal and the first binding hash value to the electronic lock terminal;
D3, receiving a second binding hash value, an electronic lock security chip certificate and first binding encryption random number information sent by the electronic lock terminal;
D4, decrypting the first binding encrypted random number by adopting the second component of the private key of the mobile communication terminal to obtain a second binding array, and sending the second binding array and the third binding hash value to the electronic lock terminal;
D5, receiving a third binding array and a fourth binding hash value sent by the electronic lock end; decrypting the third binding array to obtain first binding random mirror image data; generating a second binding random number, encrypting the first binding random mirror image data and the second binding random number by adopting a public key of the electronic lock security chip to obtain a fourth binding array, and sending the fourth binding array and the fifth binding hash value to the electronic lock end;
D6, receiving a fifth binding array sent by the electronic lock terminal, decrypting the fifth binding array by using the first binding random number to obtain a second binding random number copy, and judging that the electronic lock is legal when the second binding random number copy is equal to the second binding random number; encrypting the number of the mobile communication terminal to obtain a sixth binding array, and sending the sixth binding array, the seventh binding hash value and the authentication success information to the electronic lock terminal;
D7, generating a master key according to the first binding random number and the second binding random number, and encrypting and storing; recording the corresponding relation between the ID and the address of the electronic lock security chip, the public key of the electronic lock security chip and the master key;
D8, receiving first binding success information and an eighth binding hash value of the electronic lock end;
D9, sending the second binding success information to the service server, and receiving the unlocking key and the electronic lock address information sent by the service server.
8. The binding authentication method of an electronic lock security system according to claim 6, wherein: step D5 includes the following steps:
E1, verifying the fourth binding hash value;
E2, decrypting the third binding array by using the second binding component of the private key of the mobile communication terminal to obtain first binding random mirror image data;
E3, verifying the electronic lock security chip certificate, and acquiring the electronic lock security chip public key from the electronic lock security chip certificate;
E4, generating a second binding random number, and encrypting the second binding random number and the first binding random mirror image data by using the public key of the electronic lock security chip to obtain a fourth binding array;
E5, sending the fourth binding array and the fifth binding hash value to the electronic lock terminal.
9. The binding authentication method of an electronic lock security system according to claim 6, wherein: step D6 includes the following steps:
R1, verifying the sixth binding hash value;
R2, decrypting a fifth binding array by using the first binding random number to obtain a second binding random data copy, wherein the fifth binding array comprises the ID of the electronic lock security chip and second binding random mirror image data;
R3, comparing whether the second binding random number copy is equal to the second binding random number, if so, entering the next step, if not, judging that the electronic lock is illegal, and prompting at the mobile communication terminal;
R4, judging whether the electronic lock is legal;
R5, encrypting the mobile communication terminal number by the first binding random number;
R6, sending the authentication success information, the mobile communication terminal number encryption information and the seventh binding hash value to the electronic lock terminal.
10. The binding authentication method of an electronic lock security system according to claim 6, wherein: step D8 includes the following steps:
Q1, receiving first binding success information and an eighth binding hash value of the electronic lock end;
Q2, decrypting the first binding success information by using the master key to obtain second binding success information;
Q3, sending the second binding success information to the service server;
Q4, receiving unlocking key and electronic lock address information sent by the service server.
11. An electronic lock security system, characterized by: the system comprises an electronic lock end, a mobile communication end and a service server end; the electronic lock terminal comprises an electronic lock memory, an electronic lock controller and an electronic lock security chip, wherein the electronic lock memory stores a computer program of the method according to any one of claims 1 to 5, which can be loaded and executed by the electronic lock controller and the electronic lock security chip; the mobile communication terminal comprises a mobile communication memory and a mobile communication controller, wherein the mobile communication memory stores a computer program which can be loaded and executed by the mobile communication controller and is used for the method according to any one of claims 6 to 10; the business service end comprises a business service memory and a business service controller, wherein the business service memory stores a computer program which can be loaded and executed by the business service controller and is used for receiving the binding success information sent by the mobile communication end and sending the unlocking key and the electronic lock address information to the mobile communication end.
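The random-number echo that claims 2 and 7 use for mutual authentication, in runnable form. This is an added example, not code from the patent: RSA-OAEP, AES-256-GCM and HKDF-SHA256 are assumed stand-ins for the algorithms the claims leave unnamed, the class and function names are hypothetical, and the split private key, the certificate checks and the per-message hash values are left out.

```javascript
// Added example, not code from the patent: the random-number echo at the core of
// binding steps A3-A8 and D4-D7. Assumptions: RSA-OAEP, AES-256-GCM and HKDF-SHA256
// stand in for the unnamed algorithms; the split private key, the certificates and
// the per-message hash values are left out. Keys and IDs are constructed.
const nodeCrypto = require('node:crypto');

const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const LEN = 32; // length of each binding random number, also the AES-256 key size

function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]);
}
function unseal(key, sealed) { // throws when the key or the ciphertext is wrong
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, sealed.subarray(0, 12));
  d.setAuthTag(sealed.subarray(12, 28));
  return Buffer.concat([d.update(sealed.subarray(28)), d.final()]);
}
const deriveMaster = (r1, r2) => Buffer.from(
  nodeCrypto.hkdfSync('sha256', Buffer.concat([r1, r2]), Buffer.alloc(0), 'binding-master-key', 32));

class Lock {
  constructor(chipId, keys) { this.chipId = Buffer.from(chipId); this.keys = keys; }
  challenge(phonePublicKey) { // A3: first binding encrypted random number
    this.r1 = nodeCrypto.randomBytes(LEN);
    return nodeCrypto.publicEncrypt({ key: phonePublicKey, ...OAEP }, this.r1);
  }
  answer(fourthArray) { // A7: accept the terminal only if its R1 copy equals R1
    let plain;
    try {
      plain = nodeCrypto.privateDecrypt({ key: this.keys.privateKey, ...OAEP }, fourthArray);
    } catch { return null; }
    if (plain.length !== 2 * LEN) return null;
    if (!nodeCrypto.timingSafeEqual(plain.subarray(0, LEN), this.r1)) return null;
    const r2 = plain.subarray(LEN);
    this.master = deriveMaster(this.r1, r2); // A8
    return seal(this.r1, Buffer.concat([r2, this.chipId])); // fifth binding array
  }
}

class Phone {
  constructor(keys) { this.keys = keys; }
  respond(firstEncrypted, chipPublicKey) { // D4-D5: recover R1, add R2, encrypt to the chip
    this.r1 = nodeCrypto.privateDecrypt({ key: this.keys.privateKey, ...OAEP }, firstEncrypted);
    this.r2 = nodeCrypto.randomBytes(LEN);
    return nodeCrypto.publicEncrypt({ key: chipPublicKey, ...OAEP }, Buffer.concat([this.r1, this.r2]));
  }
  confirm(fifthArray) { // D6-D7: accept the lock only if its R2 copy equals R2
    let plain;
    try { plain = unseal(this.r1, fifthArray); } catch { return false; }
    if (plain.length < LEN || !nodeCrypto.timingSafeEqual(plain.subarray(0, LEN), this.r2)) return false;
    this.chipId = plain.subarray(LEN).toString();
    this.master = deriveMaster(this.r1, this.r2);
    return true;
  }
}

function runBinding() {
  const gen = () => nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const lock = new Lock('CHIP-0001', gen());
  const phone = new Phone(gen());
  const toChip = (data) => nodeCrypto.publicEncrypt({ key: lock.keys.publicKey, ...OAEP }, data);

  // Both sides hold their private keys: the echoes match and the master keys agree.
  const fifth = lock.answer(phone.respond(lock.challenge(phone.keys.publicKey), lock.keys.publicKey));
  const bound = fifth !== null && phone.confirm(fifth) && lock.master.equals(phone.master);
  const chipIdSeenByPhone = phone.chipId;

  // A terminal without the private key cannot recover R1, so its R1 copy is a guess.
  lock.challenge(phone.keys.publicKey);
  const terminalRejected = lock.answer(toChip(nodeCrypto.randomBytes(2 * LEN))) === null;

  // A lock without the chip private key knows its own R1 but cannot recover R2.
  const r1 = nodeCrypto.randomBytes(LEN);
  phone.respond(nodeCrypto.publicEncrypt({ key: phone.keys.publicKey, ...OAEP }, r1), lock.keys.publicKey);
  const guess = Buffer.concat([nodeCrypto.randomBytes(LEN), Buffer.from('CHIP-0001')]);
  const lockRejected = phone.confirm(seal(r1, guess)) === false;

  return { bound, chipIdSeenByPhone, terminalRejected, lockRejected };
}

const outcome = runBinding();
console.log(outcome);
```

Each side proves possession of its private key only by returning the other side's random number, so both comparisons have to succeed before either end derives and stores the master key.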
CN202010576085.3A 2020-06-22 2020-06-22 Electronic lock security system and binding authentication method thereof Active CN111815814B (en)

Publications (2)

Publication Number Publication Date
CN111815814A (en) 2020-10-23
CN111815814B (en) 2022-06-10

Family

ID=72845659

Country Status (1)

Country Link
CN (1) CN111815814B (en)

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080163338A1 (en) * 1995-10-02 2008-07-03 Silvio Micali Efficient certificate revocation
JP2006303697A (en) * 2005-04-18 2006-11-02 Toshiba Corp Information terminal unit
CN102647279A (en) * 2011-08-15 2012-08-22 华为终端有限公司 Encryption method, encryption card, terminal equipment and machine-card interlocking device
CN104813336A (en) * 2012-12-19 2015-07-29 英特尔公司 Platform-hardened digital rights management key provisioning
CN103491094A (en) * 2013-09-26 2014-01-01 成都三零瑞通移动通信有限公司 Rapid identity authentication method based on C/S mode
CN106487502A (en) * 2015-09-02 2017-03-08 国网智能电网研究院 A kind of lightweight key negotiation method based on password
CN107886600A (en) * 2016-09-30 2018-04-06 凯健企业股份有限公司 Lock system, electronic lock, portable unit and matching method with authentication function
CN107786550A (en) * 2017-10-17 2018-03-09 中电长城(长沙)信息技术有限公司 A kind of safety communicating method of self-service device, safe communication system and self-service device
CN109639680A (en) * 2018-12-14 2019-04-16 杭州安司源科技有限公司 A kind of instant messaging authentication of ternary peer and authority control method
CN109889669A (en) * 2019-03-07 2019-06-14 广东汇泰龙科技有限公司 A kind of unlocked by mobile telephone method and system based on secure cryptographic algorithm
CN111130777A (en) * 2019-12-31 2020-05-08 北京数字认证股份有限公司 Issuing management method and system for short-lived certificate

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112564894A (en) * 2020-11-11 2021-03-26 杭州浙程科技有限公司 Method for unlocking passive lock by intelligent key dynamic secret key
CN112995137A (en) * 2021-02-03 2021-06-18 深圳市凯迪仕智能科技有限公司 Binding method of intelligent lock and intelligent lock system
CN113808303A (en) * 2021-08-24 2021-12-17 珠海市安科电子有限公司 Composite encryption method, door lock system and storage medium
CN114333110A (en) * 2021-12-17 2022-04-12 北京国泰网信科技有限公司 Method for SM2 bidirectional identity authentication by using built-in password chip of lock
CN114520727A (en) * 2022-04-15 2022-05-20 广州万协通信息技术有限公司 Security chip data protection method and system
CN114520727B (en) * 2022-04-15 2022-06-21 广州万协通信息技术有限公司 Security chip data protection method and system
CN116248280A (en) * 2023-05-09 2023-06-09 北京智芯微电子科技有限公司 Anti-theft method for security module without key issue, security module and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 230001 China (Anhui) pilot Free Trade Zone, Hefei, Anhui Province a3-14, floor 14, block a, building J1, phase II, innovation industrial park, No. 2800, innovation Avenue, high tech Zone, Hefei

Applicant after: Hefei Zhihui Space Technology Co.,Ltd.

Address before: 100020 room 801, 8th floor, building 2, courtyard 16, Guangshun North Street, Chaoyang District, Beijing

Applicant before: BEIJING ZHIHUI SPACE TECHNOLOGY CO.,LTD.

GR01 Patent grant