CN112468305B - Internet of things security authentication method and equipment - Google Patents

Info

Publication number: CN112468305B
Authority: CN (China)
Prior art keywords: internet, things, equipment, platform, certificate
Legal status: Active
Application number: CN202011475632.5A
Other languages: Chinese (zh)
Other versions: CN112468305A (en)
Inventors: 金辉, 陈晓波
Current assignee: Shenzhen Jetlink Technology Co ltd
Original assignee: Shenzhen Jetlink Technology Co ltd
Events: application filed by Shenzhen Jetlink Technology Co ltd; priority to CN202011475632.5A; publication of CN112468305A; application granted; publication of CN112468305B; legal status Active

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L9/3263 involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
                        • H04L9/3271 using challenge-response
                            • H04L9/3273 for mutual authentication
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/04 for providing a confidential data exchange among entities communicating through data packet networks
                        • H04L63/0428 wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                            • H04L63/0442 wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
                    • H04L63/08 for authentication of entities
                        • H04L63/0823 using certificates
                        • H04L63/0869 for achieving mutual authentication
    • G PHYSICS
        • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
            • G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
                • G16Y30/00 IoT infrastructure
                    • G16Y30/10 Security thereof

Abstract

The embodiment of the invention provides a method and equipment for security authentication of an Internet of things. The method comprises the following steps: sending a platform authentication request message to an Internet of things cloud platform; receiving a platform certificate and a platform root certificate of the Internet of things cloud platform sent by the Internet of things cloud platform; judging, through a first application running in the eUICC, whether the platform root certificate and an equipment root certificate come from the same certificate issuing authority, if so, verifying the platform certificate by using the equipment root certificate, and if the verification passes, determining that the Internet of things cloud platform is a trusted platform; and sending an equipment authentication request message to the Internet of things cloud platform, wherein the equipment authentication request message is used for requesting the Internet of things cloud platform to authenticate the Internet of things equipment. Bidirectional security authentication between the Internet of things equipment and the Internet of things cloud platform is thereby realized, a chain of trust of certificates is formed, the trusted sources of the Internet of things cloud platform and the Internet of things equipment are effectively guaranteed, and security is improved.

Description

Internet of things security authentication method and equipment
Technical Field
The invention relates to the technical field of Internet of things, in particular to a method and equipment for security authentication of the Internet of things.
Background
The Internet of things (IoT) is the third wave of development of the world information industry after computers and the Internet, is an important component of the new generation of information technology, and is the Internet extended, through intelligent sensing and recognition technology, to technical constructs such as pervasive computing. Internet of things devices rely on the wireless cellular networks provided by mobile operators for interconnection. With the development of embedded Universal Integrated Circuit Card (eUICC) technology, the eUICC supporting remote Profile downloading and network authentication functions, that is, the embedded Subscriber Identity Module (eSIM), has gradually been applied to internet of things devices.
With the continuous improvement of users' security awareness, the security requirements of more and more internet of things application scenarios are rising. For example, in application scenarios such as smart homes, smart door locks, and vehicle networking, the internet of things device should not only support eSIM but also be capable of completing security authentication. At present, the internet of things equipment uses the encryption and decryption algorithm interface opened by the eUICC to perform security authentication between the internet of things equipment and the internet of things cloud platform, but the trusted sources of the internet of things cloud platform and the internet of things equipment cannot be verified, and the security needs to be improved.
Disclosure of Invention
The embodiment of the invention provides a method and equipment for security authentication of an internet of things, which are used for solving the problem of low security caused by the fact that the existing method for security authentication of the internet of things cannot verify the credible sources of a cloud platform of the internet of things and equipment of the internet of things.
According to a first aspect, an embodiment of the present invention provides an internet of things security authentication method, which is applied to an internet of things device, where the internet of things device includes an embedded universal integrated circuit card (eUICC); a secure storage area of the eUICC includes a first storage area and a second storage area that are isolated from each other; an application layer of the eUICC includes a first application and a second application that are isolated from each other; the first storage area is used to store a device certificate and a device private key of the internet of things device; the first application is used to perform security authentication according to the device certificate and the device private key stored in the first storage area; the second storage area is used to store embedded subscriber identity module (eSIM) related information; and the second application is used to connect to a network according to the eSIM related information stored in the second storage area;
the method comprises the following steps:
sending a platform authentication request message to an internet of things cloud platform, wherein the platform authentication request message is used for requesting the internet of things equipment to authenticate the internet of things cloud platform;
receiving a platform certificate and a platform root certificate of the Internet of things cloud platform sent by the Internet of things cloud platform;
judging, through a first application running in the eUICC, whether the platform root certificate and the equipment root certificate come from the same certificate issuing authority; if not, terminating the authentication process; if so, verifying the platform certificate with the equipment root certificate; if the verification fails, terminating the authentication process; and if the verification passes, determining that the Internet of things cloud platform is a trusted platform;
sending an equipment authentication request message to the Internet of things cloud platform, wherein the equipment authentication request message comprises an equipment certificate of the Internet of things equipment, and the equipment authentication request message is used for requesting the Internet of things cloud platform to authenticate the Internet of things equipment.
Optionally, the method further includes:
receiving a session request message sent by the Internet of things cloud platform, wherein the session request message comprises a random number ciphertext;
generating, by a first application running in the eUICC, an equipment side session key from the equipment private key and a platform public key using a key agreement algorithm, decrypting the random number ciphertext with the equipment side session key to obtain the random number plaintext, concatenating the random number plaintext with identification information of the Internet of things equipment, and encrypting the concatenated information with the equipment side session key to generate an identification information ciphertext, wherein the platform public key is obtained from the platform certificate that has passed verification;
and sending a session response message to the Internet of things cloud platform, wherein the session response message comprises the identification information ciphertext.
Optionally, the method further includes: and encrypting data to be transmitted by adopting the equipment side session key, and sending the encrypted data to the Internet of things cloud platform.
Optionally, the key agreement algorithm includes an elliptic curve key agreement algorithm and an RSA algorithm.
According to a second aspect, the embodiment of the invention provides an internet of things security authentication method, which is applied to an internet of things cloud platform, wherein the internet of things cloud platform is used as a certificate issuing authority and is used for issuing a platform certificate and an equipment certificate;
the method comprises the following steps:
receiving a platform authentication request message sent by an Internet of things device, wherein the platform authentication request message is used for requesting the Internet of things device to authenticate the Internet of things cloud platform;
sending a platform certificate and a platform root certificate of the Internet of things cloud platform to the Internet of things equipment according to the platform authentication request message;
receiving a device authentication request message sent by the Internet of things device, wherein the device authentication request message includes a device certificate of the Internet of things device, and the device authentication request message is used for requesting the Internet of things cloud platform to authenticate the Internet of things device;
and judging whether the platform root certificate and the equipment certificate come from the same certificate issuing authority; if not, terminating the authentication process; if so, verifying the equipment certificate with the platform root certificate; if the verification fails, terminating the authentication process; and if the verification passes, determining that the Internet of things equipment is trusted equipment.
Optionally, after determining that the internet of things device is a trusted device, the method further includes:
generating a platform side session key by adopting a key negotiation algorithm according to a platform private key of the cloud platform of the internet of things and an equipment public key of the equipment of the internet of things, wherein the equipment public key is obtained from the equipment certificate which passes the verification;
generating a random number, and encrypting the random number by adopting the platform side session key to generate a random number ciphertext;
sending a session request message to the Internet of things equipment, wherein the session request message comprises the random number ciphertext;
receiving a session response message sent by the Internet of things equipment, wherein the session response message comprises an identification information ciphertext;
decrypting the identification information ciphertext by using the platform side session key to obtain a random number and identification information carried by the identification information ciphertext;
and if the random number carried by the identification information ciphertext is the same as the random number generated by the Internet of things cloud platform, and the identification information carried by the identification information ciphertext matches the equipment identification information imported into the Internet of things cloud platform, completing the security authentication of the Internet of things equipment.
Optionally, the method further includes: and encrypting the data to be transmitted by adopting the platform side session key, and sending the encrypted data to the Internet of things equipment.
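The session-establishment steps described above, on both sides (the device's key agreement, random number decryption and echo together with its identifier; the platform's random number check and identifier match), as an added Go example that is not part of the patent or of any product it describes. It assumes P-256 ECDH as the elliptic-curve key agreement algorithm, AES-256-GCM for the symmetric encryption and SHA-256 of the shared secret as the key derivation; the patent names none of these. The device identifier and the platform's imported identifier list are constructed, and the certificate verification that supplies each side's public key is assumed to have already succeeded, so raw key pairs stand in for the certificates.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const nonceLen = 16 // size of the platform's random number (a constructed choice)

// SessionCipher runs P-256 ECDH between one side's private key and the peer's public key and
// returns AES-256-GCM keyed with SHA-256 of the shared secret (this derivation is an assumption).
func SessionCipher(priv *ecdh.PrivateKey, peerPub *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peerPub)
	if err != nil { return nil, err }
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:]) // a 32-byte key cannot fail
	return cipher.NewGCM(block)
}

// seal encrypts under the session cipher, prefixing a random IV to the ciphertext.
func seal(g cipher.AEAD, plaintext []byte) ([]byte, error) {
	iv := make([]byte, g.NonceSize())
	if _, err := rand.Read(iv); err != nil { return nil, err }
	return g.Seal(iv, iv, plaintext, nil), nil
}

// open reverses seal; a wrong key or a tampered ciphertext fails authentication.
func open(g cipher.AEAD, ct []byte) ([]byte, error) {
	if n := g.NonceSize(); len(ct) >= n {
		return g.Open(nil, ct[:n], ct[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// Platform is the cloud side: its key, the imported device identifiers, and the state of one exchange.
type Platform struct {
	Key      *ecdh.PrivateKey
	Enrolled map[string]bool
	session  cipher.AEAD
	nonce    []byte
}

// SessionRequest derives the platform-side session key from the device public key
// (taken from the verified device certificate) and returns the encrypted random number.
func (p *Platform) SessionRequest(devPub *ecdh.PublicKey) (req []byte, err error) {
	if p.session, err = SessionCipher(p.Key, devPub); err != nil { return nil, err }
	p.nonce = make([]byte, nonceLen)
	if _, err = rand.Read(p.nonce); err != nil { return nil, err }
	return seal(p.session, p.nonce)
}

// CheckResponse decrypts the session response, requires the echoed random number to equal the
// outstanding one and the identifier to be enrolled, then consumes the random number.
func (p *Platform) CheckResponse(resp []byte) error {
	pt, err := open(p.session, resp)
	if err != nil || len(pt) < nonceLen { return errors.New("session response not decryptable or too short") }
	echoed, id := pt[:nonceLen], string(pt[nonceLen:])
	if p.nonce == nil || !bytes.Equal(echoed, p.nonce) {
		return errors.New("random number mismatch: stale or replayed response")
	}
	if !p.Enrolled[id] { return fmt.Errorf("device identifier %q not imported into the platform", id) }
	p.nonce = nil // consumed: the same response cannot be accepted twice
	return nil
}

// DeviceRespond is the eUICC side: derive the device-side session key from the platform public key
// (from the verified platform certificate), recover the random number, return Enc(number || id).
func DeviceRespond(devKey *ecdh.PrivateKey, platPub *ecdh.PublicKey, id string, req []byte) ([]byte, error) {
	g, err := SessionCipher(devKey, platPub)
	if err != nil { return nil, err }
	nonce, err := open(g, req)
	if err != nil { return nil, err }
	return seal(g, append(nonce, id...))
}

// RunExchange runs one exchange with fresh keys and reports whether the platform accepted the
// device and whether a replay of the same response was rejected afterwards.
func RunExchange(deviceID string, enrolled map[string]bool) (accepted, replayRejected bool, err error) {
	devKey, err := ecdh.P256().GenerateKey(rand.Reader)
	platKey, err2 := ecdh.P256().GenerateKey(rand.Reader)
	if err = errors.Join(err, err2); err != nil { return false, false, err }
	plat := &Platform{Key: platKey, Enrolled: enrolled}
	req, err := plat.SessionRequest(devKey.PublicKey())
	if err != nil { return false, false, err }
	resp, err := DeviceRespond(devKey, platKey.PublicKey(), deviceID, req)
	if err != nil { return false, false, err }
	accepted = plat.CheckResponse(resp) == nil
	return accepted, plat.CheckResponse(resp) != nil, nil
}

func main() {
	fmt.Println(RunExchange("IMEI-000000000000001", map[string]bool{"IMEI-000000000000001": true}))
}
```

Consuming the random number after a successful check is what closes the replay window the page attributes to the prior-art scheme: RunExchange reports a second presentation of the same response as rejected, and a response from a device whose identifier was never imported is rejected even though it decrypts correctly.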
In a third aspect, an embodiment of the present invention provides an internet of things device, including: the system comprises an embedded universal integrated circuit card (eUICC), at least one processor and a memory;
the secure storage area of the eUICC includes a first storage area and a second storage area that are isolated from each other; an application layer of the eUICC includes a first application and a second application that are isolated from each other; the first storage area is used for storing a device certificate and a device private key of the internet of things device; the first application is used for performing security authentication according to the device certificate and the device private key stored in the first storage area; the second storage area is used for storing embedded subscriber identity module (eSIM) related information; and the second application is used for connecting to a network according to the eSIM related information stored in the second storage area;
the memory stores computer execution instructions;
the at least one processor executes computer-executable instructions stored by the memory, so that the at least one processor performs the internet of things security authentication method according to any one of the first aspect.
In a fourth aspect, an embodiment of the present invention provides an internet of things cloud platform, including: at least one processor and memory;
the memory stores computer execution instructions;
the at least one processor executes the computer-executable instructions stored by the memory, so that the at least one processor performs the internet of things security authentication method according to any one of the second aspect.
In a fifth aspect, the embodiment of the present invention provides a computer-readable storage medium, where computer-executable instructions are stored in the computer-readable storage medium, and when the computer-executable instructions are executed by a processor, the method for security authentication of the internet of things according to any one of the first aspect and the second aspect is implemented.
According to the method and the equipment for security authentication of the Internet of things provided by the embodiment of the invention, the Internet of things equipment comprises an embedded universal integrated circuit card (eUICC); a secure storage area of the eUICC comprises a first storage area and a second storage area which are isolated from each other, and an application layer of the eUICC comprises a first application and a second application which are isolated from each other. Since the first storage area and the second storage area isolate the device information of the Internet of things device from the eSIM related information, and the first application and the second application are isolated from each other when computing on the information stored in the first storage area and the second storage area respectively, security and reliability are effectively enhanced. Further, the first application running in the eUICC judges whether the platform root certificate and the equipment root certificate come from the same certificate issuing authority, verifies the platform certificate with the equipment root certificate and judges whether the verification passes, and after the Internet of things cloud platform is determined to be a trusted platform, an equipment authentication request message is sent to the Internet of things cloud platform requesting it to authenticate the Internet of things equipment. Bidirectional security authentication between the Internet of things equipment and the Internet of things cloud platform is thereby realized, a chain of trust of certificates is formed, the trusted sources of the Internet of things cloud platform and the Internet of things equipment are effectively guaranteed, and security is improved.
Drawings
Fig. 1 is a schematic diagram of an architecture of an eUICC according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of a first embodiment of the internet of things security authentication method according to an embodiment of the present invention;
Fig. 3 is a schematic flowchart of a second embodiment of the internet of things security authentication method according to an embodiment of the present invention;
Fig. 4 is a schematic flowchart of a third embodiment of the internet of things security authentication method according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the following detailed description and accompanying drawings. Wherein like elements in different embodiments are numbered with like associated elements. In the following description, numerous specific details are set forth in order to provide a better understanding of the present application. However, those skilled in the art will readily recognize that some of the features may be omitted or replaced with other elements, materials, methods in different instances. In some instances, certain operations related to the present application have not been shown or described in detail in order to avoid obscuring the core of the present application from excessive description, and it is not necessary for those skilled in the art to describe these operations in detail, so that they may be fully understood from the description in the specification and the general knowledge in the art.
Furthermore, the described features, operations, or characteristics may be combined in any suitable manner to form various embodiments. Also, the various steps or actions in the description of the methods may be transposed or reordered, as will be apparent to a person skilled in the art. Thus, the various sequences in the specification and drawings are for the purpose of describing certain embodiments only and are not intended to imply a required sequence unless otherwise indicated where such a sequence must be followed.
The numbering of components, e.g., "first", "second", etc., is used herein only to distinguish the objects described, and does not have any sequential or technical meaning. The terms "connected" and "coupled", when used in this application, include both direct and indirect connections (couplings) unless otherwise indicated.
At present, internet of things equipment can perform security authentication with an internet of things cloud platform by using the encryption and decryption algorithm interface opened by the eUICC; that is, the partially opened encryption and decryption algorithm interface of the eUICC cooperates with external software to implement security authentication. The specific process is as follows:
Step 1: The unique identifier (eUICC ID, EID) of the eUICC card embedded in the Internet of things equipment and the equipment information of the Internet of things equipment are imported into the Internet of things cloud platform, and an EID equipment access identification key approved by the Internet of things cloud platform is generated from the initial root key and the EID of the Internet of things equipment using a specific distributed encryption algorithm.
Step 2: A private external interface based on the eUICC is implemented, a key pair generation interface is opened, and an asymmetric key is generated to perform encryption and decryption operations for applications on the Internet of things equipment; the equipment information of the Internet of things equipment is obtained from outside the card, the same algorithm as that of the Internet of things cloud platform is called inside the eUICC card to generate the equipment access identification key, and the equipment information of the Internet of things equipment is encrypted.
Step 3: The Internet of things equipment reports the encrypted access information, and the Internet of things cloud platform calculates and verifies it using the scheme of Step 1; if the results (the equipment access identification keys) are the same, the Internet of things equipment is considered legitimate and is allowed to access, which completes the security verification function.
However, the above method, which implements security authentication through the eUICC's open encryption and decryption algorithm interface in cooperation with external software, cannot solve the security verification problem in terms of physical security, key isolation, and the device root of trust. Once the eSIM is compromised, the security verification is compromised too, because the coupling with the original eSIM is too strong. Meanwhile, in this method the security verification is based on some pure asymmetric encryption and decryption algorithms, a risk of replay attack exists, and the trusted sources of the Internet of things platform and the Internet of things equipment cannot be verified, so the security strength is low.
In order to improve security, the prior art may also combine the eUICC with an additional chip that implements the security authentication function, so that the eSIM function and the security authentication function are provided separately. Specifically, two security chips can be soldered inside the internet of things device, one of which independently implements the eSIM function (that is, the embedded eUICC card) and the other of which independently implements the security authentication function. However, this approach has the following problems: the two security chips are costly, the hardware of the Internet of things equipment occupies a large area, the small physical space available in Internet of things equipment cannot be accommodated, and the cost of modifying the hardware design is high.
In order to solve the above problems in the prior art, an embodiment of the present invention provides an eUICC, so that a function of an eSIM and a function of a security authentication can be simultaneously implemented on one chip. Fig. 1 is a schematic architecture diagram of an eUICC according to an embodiment of the present invention, as shown in fig. 1, a secure storage area of the eUICC includes a first storage area and a second storage area that are isolated from each other, an application layer of the eUICC includes a first application and a second application that are isolated from each other, the first storage area is configured to store a device certificate and a device private key of an internet-of-things device, the first application is configured to perform security authentication according to the device certificate and the device private key stored in the first storage area, the second storage area is configured to store embedded subscriber identity module eSIM related information, and the second application is configured to connect to a network according to the eSIM related information stored in the second storage area. Specifically, in a factory production link of an eUICC card of the internet of things device, a device certificate and a device private key of the internet of things device are written into the first storage area.
Through this hardware structure of the eUICC, the capability of one chip can be reused to the maximum extent, reducing cost and the space occupied in the equipment. In addition, the first storage area and the second storage area isolate the device information of the internet of things device from the eSIM related information, and the first application and the second application are isolated from each other when they respectively compute on the information stored in the first storage area and the second storage area, so security and reliability are effectively enhanced.
Different eUICC chips, in different specifications and package forms, can be used in specific applications. Here, the description takes as an example the application of a Huada 98M25 chip in the smart door lock communication module "remote EC20": the communication module reserves a 5 × 6 mm Quad Flat No-leads Package (QFN) footprint for connecting the Huada 98M25 chip; the chip can adopt the structure shown in Fig. 1 and support the eSIM function and the security authentication function at the same time; the terminal application uses the modem interface to exchange Application Protocol Data Units (APDUs) between the module and the card; the eSIM in the chip provides the network connection; the chip supports bidirectional certificate verification between the terminal and the platform side, with the terminal application responsible for forwarding and packaging the data of the security verification between the card and the platform side; and the Huada 98M25 chip supports space division at the physical access address level, the operating system dispatches different applications and restricts them to different physical addresses, and at the application layer the applications reside in different security domains that are isolated from one another.
Fig. 2 is a flowchart illustrating a first embodiment of a method for security authentication of an internet of things according to an embodiment of the present invention, where an execution main body of the embodiment of the present invention is an internet of things device including the eUICC card shown in fig. 1, and as shown in fig. 2, the method according to the embodiment may include:
s101, sending a platform authentication request message to the Internet of things cloud platform.
The platform authentication request message is used for requesting that the internet of things equipment authenticate the internet of things cloud platform; that is, the internet of things equipment verifies whether the internet of things cloud platform is a trusted platform.
During specific implementation, because the second application included in the eUICC card embedded in the internet of things device can be connected to the network according to the eSIM-related information stored in the second storage area, that is, the internet of things device and the internet of things cloud platform can establish communication connection through the eSIM card, the internet of things device can send a message to the internet of things cloud platform through the communication connection.
S102, receiving a platform certificate and a platform root certificate of the Internet of things cloud platform sent by the Internet of things cloud platform.
Specifically, the Internet of Things cloud platform can act as its own certificate issuing authority and issue the platform certificate.
S103, judging, through the first application running in the eUICC, whether the certificate issuing authority of the platform root certificate is the same as that of the device root certificate.
If yes, executing S104; if not, go to S105.
Specifically, the Internet of Things device passes the received data into the eUICC card, and the eUICC card selects the first application to judge whether the platform root certificate and the device root certificate come from the same certificate issuing authority. If they do, the Internet of Things device and the Internet of Things cloud platform belong to the same root certificate issuing authority.
S104, verifying the platform certificate with the device root certificate through the first application running in the eUICC, and judging whether the verification passes.
If yes, executing S106; if not, go to S105.
S105, the authentication process is terminated.
S106, determining that the Internet of things cloud platform is a trusted platform, and sending a device authentication request message to the Internet of things cloud platform.
The device authentication request message may include the device certificate of the Internet of Things device. Specifically, the device certificate is issued by the Internet of Things cloud platform acting as root certificate authority and is written into the eUICC card of the device during factory production.
The device authentication request message requests that the Internet of Things cloud platform authenticate the Internet of Things device; in authenticating the device, the cloud platform checks whether the device is a trusted device.
In a specific implementation, the certificate verification may use the signature and signature-verification algorithms defined by the X.509 standard.
The Internet of Things security authentication method provided by this embodiment applies to an Internet of Things device that includes an embedded universal integrated circuit card (eUICC), where the secure storage area of the eUICC includes a first storage area and a second storage area isolated from each other, and the application layer of the eUICC includes a first application and a second application isolated from each other. Because the first and second storage areas keep the device information of the Internet of Things device separate from the eSIM-related information, and the first and second applications compute on the information in their respective storage areas in isolation from each other, security and reliability are effectively strengthened. The first application running in the eUICC judges whether the certificate issuing authority of the platform root certificate is the same as that of the device root certificate, verifies the platform certificate with the device root certificate and judges whether the verification passes; only after the Internet of Things cloud platform has been determined to be a trusted platform is a device authentication request message sent to the cloud platform, requesting that it authenticate the device. Bidirectional security authentication between the Internet of Things device and the Internet of Things cloud platform is thus realized, a certificate trust chain is formed, the trusted origin of both the cloud platform and the device is assured, and security is improved.
Fig. 3 is a schematic flowchart of a second embodiment of the Internet of Things security authentication method according to an embodiment of the present invention. The executing entity of this embodiment is the Internet of Things cloud platform, which acts as the certificate issuing authority that issues the platform certificate and the device certificates. For example, if a device A is to obtain a device certificate, device A first applies to the certificate issuing authority; after the authority has verified the identity of device A, it allocates a public key to device A, binds the public key to the identity information of device A, signs it, and forms a certificate that it issues to device A. As shown in Fig. 3, the method of this embodiment may include:
S201, receiving a platform authentication request message sent by the Internet of Things device.
The platform authentication request message requests that the Internet of Things device authenticate the Internet of Things cloud platform.
S202, the platform certificate and the platform root certificate of the Internet of things cloud platform are sent to the Internet of things equipment according to the platform authentication request message.
S203, receiving a device authentication request message sent by the Internet of things device.
The device authentication request message includes the device certificate of the Internet of Things device and requests that the Internet of Things cloud platform authenticate the Internet of Things device.
S204, judging whether the certificate issuing authority of the device certificate is the same as that of the platform root certificate.
If yes, go to S205; if not, go to S206.
If the certificate issuing authority of the device certificate is the same as that of the platform root certificate, the Internet of Things device and the Internet of Things cloud platform belong to the same root certificate issuing authority.
S205, verifying the device certificate with the platform root certificate, and judging whether the verification passes.
If yes, executing S207; if not, executing S206.
S206, the authentication process is terminated.
S207, determining that the Internet of Things device is a trusted device.
In a specific implementation, the certificate verification uses the signature and signature-verification algorithms defined by the X.509 standard.
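The mutual certificate check of the first embodiment (S103 to S106, device side) and of the second embodiment (S204 to S207, platform side), as an added Go example that is not part of the patent. The in-memory root, platform and device certificates, their names and the use of ECDSA P-256 are constructed stand-ins, since the patent only refers to X.509 signature verification; the example goes slightly beyond the text by showing that a root with the same authority name but a different key passes S103 and is then caught at S104 only because the device verifies against its own stored root.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// must keeps the constructed PKI setup short; real issuing code would return errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template is a minimal certificate for the given common name (constructed values;
// the patent fixes no names, lifetimes or extensions).
func template(cn string, isCA bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	}
	return t
}

// issue signs tmpl with the parent's key (parent == tmpl gives a self-signed root).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// pki is the in-memory stand-in for the platform acting as issuing authority: one
// root that signs the platform certificate and the device certificate (the latter
// being what the factory writes into the eUICC's first storage area).
type pki struct {
	root, platformCert, deviceCert *x509.Certificate
}

func buildPKI(caName string) *pki {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	platformKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	deviceKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := template(caName, true, 1)
	root := must(issue(rootTmpl, rootTmpl, rootKey, &rootKey.PublicKey))
	return &pki{
		root:         root,
		platformCert: must(issue(template("iot-platform", false, 2), root, rootKey, &platformKey.PublicKey)),
		deviceCert:   must(issue(template("LOCK-0001", false, 3), root, rootKey, &deviceKey.PublicKey)),
	}
}

// verifyAgainst checks signature, validity period and CA constraints with root as
// the only trust anchor.
func verifyAgainst(root, leaf *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// deviceAuthenticatesPlatform is S103-S106 in the eUICC's first application. The
// root the platform sent is only compared by name (S103); the signature check (S104)
// runs against the device's own stored root, never against the root just received.
func deviceAuthenticatesPlatform(deviceRoot, platformRoot, platformCert *x509.Certificate) error {
	if !bytes.Equal(platformRoot.RawSubject, deviceRoot.RawSubject) {
		return errors.New("S103: platform root names a different issuing authority")
	}
	return verifyAgainst(deviceRoot, platformCert)
}

// platformAuthenticatesDevice is S204-S207 on the cloud platform.
func platformAuthenticatesDevice(platformRoot, deviceCert *x509.Certificate) error {
	if !bytes.Equal(deviceCert.RawIssuer, platformRoot.RawSubject) {
		return errors.New("S204: device certificate was issued by a different authority")
	}
	return verifyAgainst(platformRoot, deviceCert)
}
```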
According to the Internet of Things security authentication method provided by this embodiment, the Internet of Things cloud platform receives the platform authentication request message sent by the Internet of Things device, sends its platform certificate and platform root certificate to the device in response, receives the device authentication request message sent by the device, judges whether the certificate issuing authority of the device certificate is the same as that of the platform root certificate, and verifies the device certificate with the platform root certificate. Bidirectional security authentication between the device and the cloud platform is thus realized, a certificate trust chain is formed, the trusted origin of both the cloud platform and the device is assured, and security is improved.
In the first embodiment the Internet of Things device authenticates the Internet of Things cloud platform and determines that it is a trusted platform; in the second embodiment the cloud platform authenticates the device and determines that it is a trusted device. Together they complete the bidirectional certificate check between the device and the cloud platform. On this basis, the device and the cloud platform can establish a secure data channel by the method shown in Fig. 4. Fig. 4 is a schematic flowchart of a third embodiment of the Internet of Things security authentication method according to an embodiment of the present invention; as shown in Fig. 4, the method of this embodiment may include:
S301, the Internet of Things cloud platform generates a platform-side session key with a key negotiation algorithm from the platform private key of the cloud platform and the device public key of the Internet of Things device.
The device public key may be obtained from the device certificate that passed verification in the first embodiment.
In a specific implementation, the key negotiation algorithm may include an elliptic curve key agreement (ECDH) algorithm and an RSA algorithm.
S302, the Internet of Things cloud platform generates a random number and encrypts it with the platform-side session key to generate a random number ciphertext.
S303, the Internet of Things cloud platform sends a session request message to the Internet of Things device.
Wherein, the session request message includes a random number cipher text.
S304, the Internet of Things device receives the session request message sent by the Internet of Things cloud platform. The first application running in the eUICC generates a device-side session key with the key negotiation algorithm from the device private key and the platform public key, decrypts the random number ciphertext with the device-side session key to obtain the random number plaintext, splices the random number plaintext with the identification information of the Internet of Things device, and encrypts the spliced information with the device-side session key to generate an identification information ciphertext.
The platform public key may be obtained from the platform certificate that passes the verification.
S305, the Internet of things equipment sends a session response message to the Internet of things cloud platform.
Wherein, the session response message includes an identification information ciphertext.
S306, the Internet of Things cloud platform receives the session response message sent by the Internet of Things device, decrypts the identification information ciphertext with the platform-side session key, and obtains the random number and the identification information carried in the ciphertext.
S307, if the random number carried in the identification information ciphertext is the same as the random number generated by the Internet of Things cloud platform, and the identification information carried in the ciphertext matches the device identification information imported into the cloud platform, the security authentication of the Internet of Things device is complete.
Because the device certificate of the Internet of Things device is issued by the Internet of Things cloud platform acting as root certificate authority, the cloud platform holds the device identification information of the device. Matching the identification information carried in the ciphertext against the imported device identification information means judging whether the pre-stored device identification information is the same as the identification information carried in the ciphertext; if it is, the Internet of Things device is determined to be secure.
In a specific implementation, the encryption and decryption of the data can use an algorithm defined by the X.509 standard.
According to the Internet of Things security authentication method provided by this embodiment, the key negotiation algorithm, dynamic session key exchange and related mechanisms strengthen the security of the data channel established between the Internet of Things device and the Internet of Things cloud platform, and problems such as information cloning and replay attacks can be effectively avoided.
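The session establishment of the third embodiment (S301 to S307), as an added Go example that is not the patent's own code. P-256 ECDH, SHA-256 as key derivation, AES-256-GCM as the symmetric cipher, a 16-byte random number and the identifier LOCK-0001 are assumptions; the patent names ECDH or RSA for the negotiation and no symmetric cipher. Because the agreement uses the two long-lived certificate keys, the session key is the same for every session of a given device and platform, so the random-number comparison of S307 is what stops a recorded response from being accepted again.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// sessionCipher is the key negotiation of S301/S304: static-static ECDH over P-256
// between one party's certificate private key and the peer's certificate public key,
// the shared secret hashed into an AES-256-GCM key (SHA-256 stands in for a proper
// KDF and GCM for the unnamed symmetric cipher). Both keys are long-lived, so the
// key is identical in every session; freshness comes only from the S302 random number.
func sessionCipher(own *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := own.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal prefixes a fresh nonce to the GCM ciphertext; open reverses it.
func seal(gcm cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func open(gcm cipher.AEAD, sealed []byte) ([]byte, error) {
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// platformSession is what the platform keeps between S303 and S306.
type platformSession struct {
	gcm    cipher.AEAD
	random []byte
}

// platformStart is S301-S303; the returned ciphertext is the session request message.
func platformStart(platformPriv *ecdh.PrivateKey, devicePub *ecdh.PublicKey) (*platformSession, []byte, error) {
	gcm, err := sessionCipher(platformPriv, devicePub)
	if err != nil {
		return nil, nil, err
	}
	random := make([]byte, 16) // constructed size for the random number
	if _, err := rand.Read(random); err != nil {
		return nil, nil, err
	}
	ct, err := seal(gcm, random)
	return &platformSession{gcm, random}, ct, err
}

// deviceRespond is S304 inside the eUICC's first application: recover the random
// number, splice the device identifier after it, return the identification ciphertext.
func deviceRespond(devicePriv *ecdh.PrivateKey, platformPub *ecdh.PublicKey, deviceID string, randomCT []byte) ([]byte, error) {
	gcm, err := sessionCipher(devicePriv, platformPub)
	if err != nil {
		return nil, err
	}
	random, err := open(gcm, randomCT)
	if err != nil {
		return nil, err
	}
	return seal(gcm, append(append([]byte{}, random...), deviceID...))
}

// platformFinish is S306-S307: the random number must equal the one just issued (a
// captured response cannot be replayed) and the identifier must be one the platform
// imported when it issued the device certificate.
func platformFinish(s *platformSession, idCT []byte, imported map[string]bool) (string, error) {
	pt, err := open(s.gcm, idCT)
	if err != nil {
		return "", err
	}
	n := len(s.random)
	if len(pt) < n || subtle.ConstantTimeCompare(pt[:n], s.random) != 1 {
		return "", errors.New("S307: random number mismatch")
	}
	id := string(pt[n:])
	if !imported[id] {
		return "", errors.New("S307: identifier not registered on the platform")
	}
	return id, nil
}
```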
In the first embodiment the Internet of Things device authenticates the Internet of Things cloud platform and determines that it is a trusted platform; in the second embodiment the cloud platform authenticates the device and determines that it is a trusted device, which completes the bidirectional certificate check between the device and the cloud platform. On this basis, the device and the cloud platform establish a secure data channel by the method of the third embodiment. The device and the cloud platform may then access and communicate with each other normally. As a specific implementation, building on the third embodiment, after the secure data channel is established the method may further include: the Internet of Things device encrypts the data to be transmitted with the device-side session key and sends the encrypted data to the Internet of Things cloud platform; likewise, the cloud platform encrypts the data to be transmitted with the platform-side session key and sends the encrypted data to the device. The communication data between the Internet of Things device and the Internet of Things cloud platform is thus protected by encryption, and the security of data transmission is improved.
In addition, corresponding to the Internet of Things security authentication method provided in the foregoing embodiments, an embodiment of the present invention further provides an Internet of Things device, which may include an embedded universal integrated circuit card (eUICC), at least one processor and a memory. The secure storage area of the eUICC includes a first storage area and a second storage area that are isolated from each other, and the application layer of the eUICC includes a first application and a second application that are isolated from each other; the first storage area stores the device certificate and the device private key of the Internet of Things device, the first application performs security authentication using the device certificate and the device private key stored in the first storage area, the second storage area stores embedded subscriber identity module (eSIM) related information, and the second application connects to the network using the eSIM-related information stored in the second storage area. The memory stores computer-executable instructions, and the at least one processor executes the computer-executable instructions stored in the memory so as to perform all the steps of the Internet of Things security authentication method of the embodiments of the present invention.
In addition, corresponding to the Internet of Things security authentication method provided in the foregoing embodiments, an embodiment of the present invention further provides an Internet of Things cloud platform, which may include at least one processor and a memory. The memory stores computer-executable instructions, and the at least one processor executes the computer-executable instructions stored in the memory so as to perform all the steps of the Internet of Things security authentication method of the embodiments of the present invention in which the Internet of Things cloud platform is the executing entity.
In addition, corresponding to the Internet of Things security authentication method provided in the foregoing embodiments, an embodiment of the present invention further provides a computer-readable storage medium storing computer-executable instructions which, when executed by a processor, implement the Internet of Things security authentication method according to the embodiments of the present invention.
Those skilled in the art will appreciate that all or part of the functions of the various methods in the above embodiments may be implemented by hardware, or may be implemented by computer programs. When all or part of the functions of the above embodiments are implemented by a computer program, the program may be stored in a computer-readable storage medium, and the storage medium may include: a read only memory, a random access memory, a magnetic disk, an optical disk, a hard disk, etc., and the program is executed by a computer to realize the above functions. For example, the program may be stored in a memory of the device, and when the program in the memory is executed by the processor, all or part of the functions described above may be implemented. In addition, when all or part of the functions in the above embodiments are implemented by a computer program, the program may be stored in a storage medium such as a server, another computer, a magnetic disk, an optical disk, a flash disk, or a removable hard disk, and may be downloaded or copied to a memory of a local device, or may be version-updated in a system of the local device, and when the program in the memory is executed by a processor, all or part of the functions in the above embodiments may be implemented.
The present invention has been described in terms of specific examples, which are provided to aid understanding of the invention and are not intended to be limiting. Numerous simple deductions, modifications or substitutions may also be made by those skilled in the art in light of the present teachings.

Claims (8)

1. An internet of things security authentication method is applied to internet of things equipment, and is characterized in that the internet of things equipment comprises an embedded universal integrated circuit card (eUICC), a security storage area of the eUICC comprises a first storage area and a second storage area which are isolated from each other, an application layer of the eUICC comprises a first application and a second application which are isolated from each other, the first storage area is used for storing an equipment certificate and an equipment private key of the internet of things equipment, the first application is used for performing security authentication according to the equipment certificate and the equipment private key stored in the first storage area, the second storage area is used for storing embedded subscriber identity module (eSIM) related information, and the second application is used for connecting a network according to the eSIM related information stored in the second storage area;
the method comprises the following steps:
sending a platform authentication request message to an internet of things cloud platform, wherein the platform authentication request message is used for requesting the internet of things equipment to authenticate the internet of things cloud platform;
receiving a platform certificate and a platform root certificate of the Internet of things cloud platform sent by the Internet of things cloud platform;
judging whether the certificate issuing organizations of the platform root certificate and the equipment root certificate are the same or not through a first application running in the eUICC, if not, terminating the authentication process, if so, using the equipment root certificate to verify the platform certificate, if not, terminating the authentication process, and if so, determining that the Internet of things cloud platform is a trusted platform;
sending a device authentication request message to the internet of things cloud platform, wherein the device authentication request message includes a device certificate of the internet of things device, and the device authentication request message is used for requesting the internet of things cloud platform to authenticate the internet of things device;
the method further comprises the following steps:
receiving a session request message sent by the cloud platform of the Internet of things, wherein the session request message comprises a random number ciphertext;
generating an equipment side session key by a first application running in the eUICC according to the equipment private key and a platform public key by adopting a key negotiation algorithm, decrypting the random number ciphertext by adopting the equipment side session key to obtain a random number plaintext, splicing the random number plaintext and the identification information of the Internet of things equipment, encrypting the spliced information by adopting the equipment side session key to generate an identification information ciphertext, and obtaining the platform public key from the platform certificate which passes the verification;
and sending a session response message to the Internet of things cloud platform, wherein the session response message comprises the identification information ciphertext.
2. The method of claim 1, wherein the method further comprises:
and encrypting the data to be transmitted by adopting the equipment side session key, and sending the encrypted data to the Internet of things cloud platform.
3. The method according to claim 1 or 2, wherein the key agreement algorithm comprises an elliptic curve key agreement algorithm and an RSA algorithm.
4. An Internet of things security authentication method is applied to an Internet of things cloud platform, and is characterized in that the Internet of things cloud platform serves as a certificate issuing authority and is used for issuing a platform certificate and an equipment certificate;
the method comprises the following steps:
receiving a platform authentication request message sent by an Internet of things device, wherein the platform authentication request message is used for requesting the Internet of things device to authenticate the Internet of things cloud platform;
sending a platform certificate and a platform root certificate of the Internet of things cloud platform to the Internet of things equipment according to the platform authentication request message;
receiving a device authentication request message sent by the internet of things device, wherein the device authentication request message includes a device certificate of the internet of things device, and the device authentication request message is used for requesting the internet of things cloud platform to authenticate the internet of things device;
judging whether the platform root certificate is the same as the certificate issuing authority of the equipment certificate, if not, terminating the authentication process, if so, verifying the equipment certificate by using the platform root certificate, if not, terminating the authentication process, and if so, determining that the equipment of the internet of things is trusted equipment;
after the internet of things equipment is determined to be trusted equipment, generating a platform side session key by adopting a key negotiation algorithm according to a platform private key of the internet of things cloud platform and an equipment public key of the internet of things equipment, wherein the equipment public key is obtained from the equipment certificate which passes verification;
generating a random number, and encrypting the random number by adopting the platform side session key to generate a random number ciphertext;
sending a session request message to the Internet of things equipment, wherein the session request message comprises the random number ciphertext;
receiving a session response message sent by the Internet of things equipment, wherein the session response message comprises an identification information ciphertext;
decrypting the identification information ciphertext by using the platform side session key to obtain a random number and identification information carried by the identification information ciphertext;
and if the random number carried by the identification information ciphertext is the same as the random number generated by the Internet of things cloud platform, and the identification information carried by the identification information ciphertext is matched with the equipment identification information imported by the Internet of things cloud platform, completing the safety certification of the Internet of things equipment.
5. The method of claim 4, wherein the method further comprises:
and encrypting the data to be transmitted by adopting the platform side session key, and sending the encrypted data to the Internet of things equipment.
6. An internet of things device, comprising: the system comprises an embedded universal integrated circuit card (eUICC), at least one processor and a memory;
the secure storage area of the eUICC includes a first storage area and a second storage area that are isolated from each other, an application layer of the eUICC includes a first application and a second application that are isolated from each other, the first storage area is used for storing a device certificate and a device private key of the internet of things device, the first application is used for performing secure authentication according to the device certificate and the device private key stored in the first storage area, the second storage area is used for storing embedded subscriber identity module eSIM related information, and the second application is used for connecting to a network according to the eSIM related information stored in the second storage area;
the memory stores computer execution instructions;
the at least one processor executing the computer-executable instructions stored by the memory causes the at least one processor to perform the method for internet of things security authentication as recited in any one of claims 1-3.
7. An internet of things cloud platform, comprising: at least one processor and a memory;
the memory stores computer execution instructions;
the at least one processor executing the computer-executable instructions stored by the memory causes the at least one processor to perform the method for internet of things security authentication as recited in any one of claims 4-5.
8. A computer-readable storage medium, wherein computer-executable instructions are stored in the computer-readable storage medium, and when executed by a processor, the computer-executable instructions are used for implementing the internet of things security authentication method according to any one of claims 1 to 5.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011475632.5A CN112468305B (en) 2020-12-15 2020-12-15 Internet of things security authentication method and equipment

Publications (2)

Publication Number Publication Date
CN112468305A CN112468305A (en) 2021-03-09
CN112468305B true CN112468305B (en) 2023-04-07

Family

ID=74804298

Country Status (1)

Country Link
CN (1) CN112468305B (en)

Also Published As

Publication number Publication date
CN112468305A (en) 2021-03-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant