CN112600860B - Method and device for authenticating equipment identity - Google Patents
Method and device for authenticating equipment identity Download PDFInfo
- Publication number
- CN112600860B CN112600860B CN202110226998.7A CN202110226998A CN112600860B CN 112600860 B CN112600860 B CN 112600860B CN 202110226998 A CN202110226998 A CN 202110226998A CN 112600860 B CN112600860 B CN 112600860B
- Authority
- CN
- China
- Prior art keywords
- token information
- equipment
- identifier
- data
- sram
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
Abstract
The application discloses a method and a device for equipment identity authentication, and relates to the technical field of data processing. The method comprises the following steps: obtaining SRAM data of a device, wherein the SRAM data comprises an SRAM initial value at a first moment of power-on of the device and a device identifier of the device; sending the SRAM data to a server, so that the server generates token information of the equipment according to the SRAM data, and recording a mapping relation between the token information and the equipment identification; receiving the token information returned by the server; and sending a service request of the equipment, wherein the service request carries the token information so as to carry out equipment identity authentication by combining the mapping relation during the processing of the service request. The method and the device can improve the use safety of the device and reduce the abuse of the device.
Description
Technical Field
The present application relates to the field of data processing technologies, and in particular, to a method and an apparatus for authenticating an identity of a device.
Background
The Internet of Things (IoT) is used as an extension and extension of the Internet, and establishes communication between objects. The security issues in the internet of things are more complex than in traditional internet network security. The communication of the internet of things network not only covers the exchange of data and information under various conditions in the internet, but also the sensing layer of the internet of things comprises a sensor with huge data volume, so that how to ensure the integrity and authenticity of information between objects and people and between objects is one of important research contents of the internet of things network security technology.
Currently, in a conventional network, the device identity of the terminal is typically configured in a preconfigured way. And then the pre-configured equipment identification is used for equipment identity authentication of the terminal. For example, for a mobile terminal, user identification information provided by an operator to the terminal and identification information written into the terminal at the time of factory are calculated to generate an identification of the terminal for authentication of the mobile terminal.
However, in practice, since different manufacturers may possibly adopt different pre-configuration modes, the types, specifications, and the like of the identifiers configured for the terminals by different manufacturers may be different. In addition, there may be a situation where different manufacturers configure the same identifier for different terminals. This can lead to the problem of the generated device identification being too simple to be identity stolen. When the device is stolen or illegally invaded, the device identification is limited to be too simple, and the device can be counterfeited successfully easily. As an important ring of security management, how to perform trusted authentication on a device, how to generate a unique device identifier, so as to facilitate management, simplify a configuration process, and improve the security and usability of an overall scheme for obtaining a device identifier becomes a technical problem to be solved urgently at present.
Disclosure of Invention
In view of this, the present application provides a method and an apparatus for device identity authentication, and mainly aims to solve the technical problem that in the prior art, the accuracy of device identity authentication is affected because device identification is easily counterfeited.
According to an aspect of the present application, there is provided a method for device identity authentication, applicable to a client side, the method including:
obtaining Static Random-Access Memory (SRAM) data of a device, wherein the SRAM data includes an SRAM initial value at a first time when the device is powered on and a device identifier of the device;
sending the SRAM data to a server, so that the server generates token information of the equipment according to the SRAM data, and recording a mapping relation between the token information and the equipment identification;
receiving the token information returned by the server;
and sending a service request of the equipment, wherein the service request carries the token information so as to carry out equipment identity authentication by combining the mapping relation during the processing of the service request.
According to another aspect of the present application, another method for authenticating device identity is provided, which is applicable to a server side, and the method includes:
receiving SRAM data of a device, wherein the SRAM data comprises an SRAM initial value at a first moment of power-on of the device and a device identifier of the device;
generating token information of the equipment according to the SRAM data;
recording the mapping relation between the token information and the equipment identification;
and returning the token information to the equipment, wherein the token information is used for carrying out equipment identity authentication by combining the mapping relation when processing the service request of the equipment.
According to another aspect of the present application, there is provided an apparatus for authenticating device identity, which is applicable to a client side, the apparatus including:
the device comprises an acquisition module, a processing module and a processing module, wherein the acquisition module is used for acquiring SRAM data of a device, and the SRAM data comprises an SRAM initial value at a first moment of power-on of the device and a device identifier of the device;
a sending module, configured to send the SRAM data to a server, so that the server generates token information of the device according to the SRAM data, and records a mapping relationship between the token information and the device identifier;
the receiving module is used for receiving the token information returned by the server;
the sending module is further configured to send a service request of the device, where the service request carries the token information, so as to perform device identity authentication in combination with the mapping relationship when processing the service request.
According to still another aspect of the present application, there is provided an apparatus for authenticating an equipment identity, which is applicable to a server side, the apparatus including:
the device comprises a receiving module, a judging module and a processing module, wherein the receiving module is used for receiving SRAM data of a device, and the SRAM data comprises an SRAM initial value at a first moment of powering on the device and a device identifier of the device;
the generation module is used for generating the token information of the equipment according to the SRAM data;
the recording module is used for recording the mapping relation between the token information and the equipment identification;
and the sending module is used for returning the token information to the equipment, and the token information is used for carrying out equipment identity authentication by combining the mapping relation when processing the service request of the equipment.
According to yet another aspect of the present application, there is provided a storage medium having stored thereon a computer program which, when executed by a processor, implements the method of device identity authentication described above.
According to yet another aspect of the present application, an electronic device, which may be specifically a client device or a server device, is provided, including a storage medium, a processor, and a computer program stored on the storage medium and executable on the processor, where the processor implements the method for authenticating the device identity when executing the program.
By means of the technical scheme, compared with the prior art, the method, the device and the electronic equipment for equipment identity authentication provided by the application are based on the SRAM initial value of the equipment at the first moment of power-on, and the unique identifier of the hardware equipment is obtained for equipment identity authentication. The method comprises the steps of firstly sending an SRAM initial value and an equipment identifier of equipment to a server as SRAM to obtain token information, subsequently carrying the token information in a service request of the sending equipment, further carrying out equipment identity authentication through the server, and obtaining a corresponding service request result after the authentication is passed. Due to the random deviation of the SRAM manufacturing, the symmetrical transistors in the design of the cell actually have a slight difference, which finally shows that the power-on initial values of different SRAMs are completely different. Because of the influence of environmental noise, the power-on values of the same SRAM are not identical and show certain randomness, and the factors are unpredictable and uncontrollable, so that the copying or cloning of the structure is almost impossible. Therefore, the equipment identity authentication method provided by the application can be used for safely and credibly authenticating the equipment, improves the accuracy of equipment identity authentication, generates a unique equipment identifier so as to facilitate management, simplifies the configuration flow, can improve the safety of equipment use and reduces the occurrence of abused equipment.
The foregoing description is only an overview of the technical solutions of the present application, and the present application can be implemented according to the content of the description in order to make the technical means of the present application more clearly understood, and the following detailed description of the present application is given in order to make the above and other objects, features, and advantages of the present application more clearly understandable.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic flowchart illustrating a method for authenticating an identity of a device according to an embodiment of the present application;
fig. 2 is a schematic flowchart illustrating another method for authenticating an identity of a device according to an embodiment of the present application;
FIG. 3 is a schematic diagram illustrating an example application scenario provided by an embodiment of the present application;
fig. 4 is a schematic structural diagram illustrating an apparatus identity authentication device according to an embodiment of the present application;
fig. 5 is a schematic structural diagram illustrating another apparatus identity authentication device provided in an embodiment of the present application;
fig. 6 shows a schematic structural diagram of an apparatus identity authentication system provided in an embodiment of the present application.
Detailed Description
The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
The method aims to solve the technical problem that the equipment identity authentication accuracy is influenced because the equipment identification is easy to counterfeit in the prior art. The embodiment provides a method for device identity authentication, as shown in fig. 1, which is applicable to a client side configured on a hardware device, and the method includes:
The SRAM data includes an SRAM initial value at a first time when the device is powered on and a device identifier (e.g., a device name, an ID number, etc.) of the device. The device in this embodiment may be an embedded device, such as a printer, a cash box, etc. in the take-out industry.
SRAM is a type of random access memory. The memory is composed of a crystal diode, and the data stored in the memory can be constantly kept as long as the memory is powered on. In the SRAM widely existing in the embedded hardware device chip, due to the random deviation of the manufacturing, symmetrical transistors are designed in the cell, and actually, a slight difference exists, which is finally shown that the power supply initial values of different SRAMs are completely different. Because of the influence of environmental noise, the power-on values of the same SRAM are not identical and show certain randomness, and the factors are unpredictable and uncontrollable, so that the copying or cloning of the structure is almost impossible.
In the method, the unique identifier of the hardware equipment is obtained by utilizing the hardware characteristic of the SRAM, and the characteristics of unique identifier of the equipment and safety reinforcement of identity authentication can be realized by performing a simple Over-the-Air Technology (OTA) on the hardware equipment by a software means; for a brand-new hardware device leaving factory, a brand-new hardware device management method can be designed completely based on the embodiment.
In this embodiment, an SRAM initial value of a certain number of bytes may be obtained at a predetermined time point. The preset time point is generally the first time point when the device is powered on, that is, under the condition that the SRAM is not initialized, otherwise the SRAM value may be cleared, and the obtaining of the SRAM initial value in this embodiment needs to be completed before the clearing.
And step 102, the client sends the SRAM data of the equipment to the server.
Furthermore, the server generates token information of the device according to the SRAM data of the device, and records the mapping relation between the token information and the device identification.
Token (Token) information is used in device authentication to represent an object of the right to perform certain operations.
For example, the server establishes a mapping relationship as shown in table 1 according to the SRAM data sent by each device:
TABLE 1
| Device identification | Token information |
| Device 1 | Token A |
| Device 2 | Token B |
| Device 3 | Token C |
| … | … |
And step 103, the client receives the token information returned by the server.
The token information is a certificate for authenticating the identity of the equipment before processing the service request of the equipment, and whether the service request is processed depends on whether the equipment identity authentication is passed or not, so that the client can be stored on the equipment side after receiving the token information.
And step 104, sending a service request of the equipment, wherein the service request carries token information received by the client, so that equipment identity authentication is carried out by combining the mapping relation recorded in the server when the service request is processed.
For example, the device a sends a service request to the target platform system, where the service request carries token information sent by the server 1 (which may be different from the server 2 in the target platform system) and an identifier (such as a device number or other ID number) of the device a. After receiving the service request, the target platform system queries the mapping relation record recorded in the server 1, if the token information has a corresponding mapping relation record in the server 1 (if the token information in the service request is matched with the token information corresponding to the device a in the mapping relation record), it is determined that the device identity authentication is successful, the target platform system can continue to process the service request, and then returns the result of the service request to the device; if the token information does not have a corresponding mapping relation record in the server (for example, the mapping relation record of the token information in the service request does not exist, or the token information in the service request is not matched with the token information corresponding to the device a in the mapping relation record), it is determined that the device identity authentication fails, and the target platform system can refuse to process the service request and return corresponding response information to the device.
Compared with the prior art, the method for authenticating the equipment identity provided by this embodiment obtains the unique identifier of the hardware equipment based on the SRAM initial value at the first time of powering on the equipment to authenticate the equipment identity. The method comprises the steps of firstly sending an SRAM initial value and an equipment identifier of equipment to a server as SRAM to obtain token information, subsequently carrying the token information in a service request of the sending equipment, further carrying out equipment identity authentication through the server, and obtaining a corresponding service request result after the authentication is passed. The equipment identity authentication method provided by the embodiment can be used for safely and trustfully authenticating the equipment, the accuracy of equipment identity authentication is improved, and a unique equipment identifier is generated, so that the management is facilitated, the configuration flow is simplified, the use safety of the equipment can be improved, and the occurrence of abusing the equipment is reduced.
Further, as a refinement and an extension of the specific implementation of the foregoing embodiment, optionally, the mapping relationship recorded in the server may further include a Physical Unclonable Function (PUF) identifier generated according to the SRAM data of the device, where the PUF is a Physical Unclonable Function, and is a "digital fingerprint" used as a unique identity of the semiconductor device (e.g., a microprocessor); in the embodiment, the identity identification and authentication method of the hardware equipment in the internet of things is designed based on the PUF, compared with the traditional identification and authentication method, the PUF derives the secret information from the complex physical characteristics of the entity, the secret information does not need to be stored, and the secret information can be effectively prevented from being acquired. In addition, the PUF is determined by the random difference of physical manufacture on the chip, cannot be reproduced on other equipment and has uniqueness; any attempt to tamper with the device will affect the PUF, destroying the original PUF and having the property of being non-tamperable.
After sending the SRAM data to the server, the method of this embodiment further includes: the client receives the PUF identification returned by the server; correspondingly, step 104 may specifically include: and sending a service request of the equipment, wherein the service request carries token information and the PUF identifier so as to carry out equipment identity authentication by combining the recorded mapping relation during service request processing. For example, if the token information and the PUF identifier have corresponding mapping relationship records in the server, it is determined that the device identity authentication is successful, the service request can be continuously processed, and then a result of the service request is returned to the device; and if the token information and the PUF identification do not have corresponding mapping relation records in the server, determining that the equipment identity authentication fails, refusing to process the service request, and returning response information to the equipment.
In order to further ensure the security of the device identity authentication, optionally, the mapping relationship recorded in the server may further include a generation timestamp of the Token information, where the Token information has an expiration date, i.e., Token life cycle. In order to ensure that the client side can have valid token information for a long time, correspondingly, after step 103, the method of this embodiment further includes: triggering to start timing according to the received token information; and if the timed duration is greater than or equal to the critical threshold of the Token information validity period (Token life cycle), sending the SRAM data of the equipment to the server to acquire new valid Token information. And the expired token information is deleted, so that the storage space resource is saved.
When the last token information is about to expire and a next new token information needs to be requested, the device may be restarted during the time, so to request to obtain the new token information, optionally, the sending the SRAM data of the device to the server to obtain new valid token information may specifically include: and if the equipment is restarted, obtaining the SRAM data of the equipment at the first moment of powering on again and sending the SRAM data to the server so as to obtain new effective token information. The server will also update the corresponding mapping relation record. Through the optional mode, the equipment can be ensured to carry effective Token information (unexpired Token) when sending the service request, and the equipment is ensured to acquire the service smoothly. In addition, the method of the embodiment makes the whole equipment identification and identity authentication independent of the existing identity authentication mechanism of the hardware equipment, and performs the reinforcement and the abnormal detection of the identity authentication process from the bypass, thereby basically not influencing the existing service.
The device identification and authentication method based on the SRAM PUF technology provided by the embodiment has no hardware condition requirement, and provides a hardware device identification and identity authentication safety capability for a wide range of embedded devices with the SRAM based on the PUF technology. Under the condition that the stock equipment does not have strong identification and authentication capabilities, a simple method for uniquely identifying the equipment and carrying out safe identity authentication is provided. The method can work on a data service trunk of hardware equipment, and can also work on equipment identification, safety certification and the like on a side road under the condition of not interfering the existing service. The method has stronger non-forgery and repudiation; the method can realize the unique identification and authentication security reinforcement of the equipment only by updating part of software contents of the on-line OTA.
The content of the foregoing embodiment is a process of device identity authentication described at a client side, and further, to fully illustrate an implementation manner of this embodiment, this embodiment further provides another method of device identity authentication, which can be applied to a server side, as shown in fig. 2, where the method includes:
The SRAM data comprises an SRAM initial value at the first moment when the equipment is powered on and equipment identification of the equipment.
Optionally, step 202 may specifically include: firstly, extracting a data abstract of SRAM data; and then generating token information of the equipment according to the data abstract, the current timestamp, the preset salt data and the equipment identification of the equipment. The specific generation algorithm can be preset according to actual requirements, and combined with data summary information of the SRAM (the data is unique to hardware devices, and each device is different), and combined with other data such as time information (timestamp for generating Token), custom salt data, MAC address (device identifier), and the like. And then combining the several parts of data to encrypt and generate a Token.
For example, the generating token information according to the data digest, the current timestamp, the preset salt data, and the device identifier of the device may specifically include: splicing the data abstract, the current timestamp, the preset salt data and the equipment identification; and carrying out encryption calculation on the field data obtained after splicing to obtain token information. For example, the token information is obtained by performing hash calculation on field data obtained by splicing the data digest, the current timestamp, the preset salt data and the device identifier.
Optionally, the Token information has an expiration date (Token life cycle); correspondingly, step 203 may specifically include: and recording the mapping relation among the token information, the equipment identification and the current timestamp, wherein the mapping relation is used for subsequent equipment identity authentication.
And step 204, the server returns the generated token information to the equipment, wherein the token information is used for carrying out equipment identity authentication by combining the recorded mapping relation when the service request of the equipment is processed.
Optionally, after step 204, the method of this embodiment may further include: the server receives a request for identity authentication of a target device (which may be the same device as the device in steps 201 to 203 or a different device), where the request carries target token information; then, according to the target token information, and by combining the recorded mapping relation, equipment identity authentication is carried out; and returning the identity authentication result of the target equipment.
Illustratively, the performing the device identity authentication according to the target token information and by combining the recorded mapping relationship may specifically include: firstly, judging whether a mapping relation record of target token information exists or not; if the mapping relation record of the target token information does not exist, judging that the identity authentication of the target equipment fails; if the mapping relation record of the target token information exists, acquiring a timestamp when the target token information is generated through the mapping relation record; then, judging whether the validity period (Token life cycle) of the target Token information is expired or not according to the acquired timestamp; if the validity period of the target token information is expired, determining that the identity authentication of the target equipment fails; if the validity period of the target token information is not expired, judging whether the identity authentication frequency of the target equipment is abnormal or not; if the identity authentication frequency of the target equipment is abnormal, judging that the identity authentication of the target equipment fails; and if the identity authentication frequency of the target equipment is not abnormal, judging that the identity authentication of the target equipment is successful. If identity authentication is frequently performed, it can be considered that the authentication frequency is abnormal, and the like.
Through the optional mode, accurate equipment identity authentication can be achieved, the safety of equipment use is guaranteed, and the occurrence of equipment abuse is reduced.
Optionally, in order to further improve the accuracy of the device identity authentication and improve the security of the device usage, before step 203, the method in this embodiment may further include: generating a PUF identifier of the equipment according to the SRAM data of the equipment; correspondingly, step 203 may specifically include: and recording the mapping relation among the PUF identification, the token information and the device identification. Correspondingly, step 204 may specifically include: and returning the PUF identifier and the token information to the equipment, wherein the received PUF identifier and the token information are carried in a service request subsequently sent by the equipment so as to carry out equipment identity authentication by combining the mapping relation recorded in the server during service request processing.
For example, if the token information and the PUF identifier have corresponding mapping relationship records in the server, it is determined that the device identity authentication is successful, the service request can be continuously processed, and then a result of the service request is returned to the device; and if the token information and the PUF identification do not have corresponding mapping relation records in the server, determining that the equipment identity authentication fails, refusing to process the service request, and returning response information to the equipment.
In order to illustrate the specific implementation process of the above embodiments, the following application scenarios are given, but not limited to:
at present, in order to realize the identity authentication of equipment, unique uncopyable chip information can be obtained through a PUF (physical unclonable function) module in a password chip, and unique characteristics of the equipment are extracted through the chip information and are used in a public and private key signature process so as to ensure the unique, uncopyable, repudiatable and other characteristics of the equipment. However, this approach depends on implementation with PUF modules in cryptographic chips, and has great limitations. And the method is strongly applied to the authentication process of the whole hardware equipment and is not flexible enough.
The method of the embodiment obtains the unique identifier of the hardware equipment by utilizing the hardware characteristic of the SRAM, and the unique identifier of the equipment and the safety reinforcement characteristic of identity authentication can be realized by carrying out simple software OTA on the hardware equipment in stock through a software means; for a brand-new hardware device leaving factory, a brand-new hardware device management method can be designed completely based on the embodiment.
As shown in fig. 3, the implementation process of the device identification and authentication security enforcement method for hardware devices includes:
(1) at a preset time point, an SRAM initial value with a certain byte number is obtained, and an equipment identifier carrying hardware equipment is reported to a server A as SRAM data.
The preset time point is generally the first time point when the device is powered on, that is, under the condition that the SRAM is not initialized, otherwise the SRAM value may be cleared, and the obtaining of the SRAM initial value in this embodiment needs to be completed before the clearing.
(2) The server A extracts an abstract from the received SRAM data, combines the data abstract, the timestamp, the salt data and the equipment identification of the hardware equipment to generate a Token through an algorithm, and returns the Token to the hardware equipment.
(3) And the server A synchronizes the data to the server B and acquires the generated unique equipment identifier PUFID for returning.
(4) And the server A generates mapping table records of the PUFID, the equipment identifier of the hardware equipment, the generation timestamp, the current Token and other data.
(5) And after the hardware equipment acquires the Token, carrying the Token field to perform service data interaction with the server C.
The server C may be a service server, so that the hardware device may completely transmit data according to its own service implementation when interacting.
(6) Before service data interaction, the server C transmits effective data (Token field) to the server A to perform equipment identity authentication query.
The recording of hardware equipment information, PUFID, Token and other full information is completed in the previous steps on the server A, the server C can synchronously and asynchronously inquire the identity on the server when transmitting data, and the Token server can inquire a mapping table to complete the authentication of whether the identity is legal or not, for example, the Token is expired; for example, Token records are not recorded in server a; the server a also records information such as the time of the last authentication, and determines whether the authentication frequency is abnormal or not.
(7) And the hardware equipment requests for the effective Token again before the effective time of the preset Token life cycle is over.
(8) The server A identifies whether the data is forged or not and whether the hardware equipment is cloned or not when receiving equipment identity authentication inquiry, PUFID inquiry and other occasions each time.
By applying the scheme, the method has the following advantages:
a. different from the traditional device identification method, the embodiment ensures uniqueness, impossibility of counterfeiting and falsification through physical unclonable characteristics.
b. Different from a traditional device identity authentication mode, the PUF module depending on a password chip is needed, and the embodiment only depends on the SRAM basically provided by the hardware device of the Internet of things.
c. Different from the traditional equipment identity authentication mode, the embodiment makes the whole equipment identification and identity authentication independent of the existing identity authentication mechanism of the stock equipment, and performs identity authentication process reinforcement and abnormality detection from the bypass, so that the existing service is not affected basically.
d. Compared with the traditional equipment identity authentication mode in which the implementation proportion of hardware equipment is large, the embodiment has more identifications and safety authentication work on back-end service, and is more flexible and simple.
In addition, for incremental new factory equipment, the method of the embodiment can be completely used for realizing safety guarantee work such as equipment identification and identity authentication.
Further, as a specific implementation of the method shown in fig. 1, this embodiment provides an apparatus applicable to device identity authentication on a client side, as shown in fig. 4, the apparatus includes: an acquisition module 31, a transmission module 32, and a reception module 33 of the client-side device.
An obtaining module 31 of the client side apparatus, configured to obtain SRAM data of a static random access memory of a device, where the SRAM data includes an SRAM initial value at a first time when the device is powered on and a device identifier of the device;
a sending module 32 of the client side device, which is referred to as the client sending module 32 for short, is configured to send the SRAM data to a server, so that the server generates token information of the device according to the SRAM data, and records a mapping relationship between the token information and the device identifier;
a receiving module 33 of the client-side device, referred to as the client receiving module 33 for short, configured to receive the token information returned by the server;
the client sending module 32 is further configured to send a service request of the device, where the service request carries the token information, so as to perform device identity authentication in combination with the mapping relationship when processing the service request.
In a specific application scenario, the mapping relationship further includes a Physical Unclonable Function (PUF) identifier generated according to the SRAM data;
the client receiving module 33 is further configured to receive the PUF identifier returned by the server;
the client sending module 32 is specifically configured to send a service request of the device, where the service request carries the token information and the PUF identifier, so as to perform device identity authentication in combination with the mapping relationship when processing the service request.
In a specific application scenario, the mapping relationship further includes a generation timestamp of the token information, and the token information has an expiration date;
the client sending module 32 is further configured to trigger to start timing according to the received token information; and if the timed duration is greater than or equal to the critical threshold of the validity period, sending the SRAM data of the equipment to the server to acquire new valid token information.
In a specific application scenario, the client sending module 32 is further specifically configured to, if the device is restarted, obtain the SRAM data at the first time when the device is powered on again and send the SRAM data to the server, so as to obtain new valid token information.
It should be noted that other corresponding descriptions of the functional units related to the apparatus for authenticating the device identity at the client side provided in this embodiment may refer to the corresponding descriptions in fig. 1, and are not described herein again.
Further, as a specific implementation of the method shown in fig. 2, an embodiment of the present application provides an apparatus applicable to device identity authentication on a server side, as shown in fig. 5, the apparatus includes: a receiving module 41, a generating module 42, a recording module 43, and a transmitting module 44 of the server-side device.
A receiving module 41 of the server-side device, referred to as the server receiving module 41 for short, configured to receive static random access memory SRAM data of a device, where the SRAM data includes an SRAM initial value at a first time when the device is powered on and a device identifier of the device;
a generating module 42 of the server side device, configured to generate token information of the device according to the SRAM data;
a recording module 43 of the server-side device, configured to record a mapping relationship between the token information and the device identifier;
a sending module 44 of the server-side device, referred to as the server sending module 44 for short, is configured to return the token information to the device, where the token information is used to perform device identity authentication in combination with the mapping relationship when processing the service request of the device.
In a specific application scenario, the generating module 42 is specifically configured to extract a data summary of the SRAM data; and generating the token information according to the data abstract, the current timestamp, preset salt data and the equipment identifier of the equipment.
In a specific application scenario, the generating module 42 is further configured to specifically splice the data summary, the current timestamp, the preset salt data, and the device identifier; and carrying out encryption calculation on the field data obtained after splicing to obtain the token information.
In a specific application scenario, the token information has an expiration date;
the recording module 43 is specifically configured to record a mapping relationship between the token information, the device identifier, and the current timestamp.
In a specific application scenario, the apparatus further comprises: an authentication module;
the server receiving module 41 is further configured to receive a request for performing identity authentication on a target device, where the request carries target token information;
the authentication module is used for carrying out equipment identity authentication according to the target token information and by combining the recorded mapping relation;
the server sending module 44 is further configured to return an identity authentication result of the target device.
In a specific application scenario, the authentication module is specifically configured to determine whether a mapping relationship record of the target token information exists; if the mapping relation record of the target token information does not exist, judging that the identity authentication of the target equipment fails; if the mapping relation record of the target token information exists, acquiring a timestamp when the target token information is generated through the mapping relation record; judging whether the valid period of the target token information is expired or not according to the timestamp; if the validity period of the target token information is expired, determining that the identity authentication of the target equipment fails; if the validity period of the target token information is not expired, judging whether the identity authentication frequency of the target equipment is abnormal or not; if the identity authentication frequency of the target equipment is abnormal, judging that the identity authentication of the target equipment fails; and if the identity authentication frequency of the target equipment is not abnormal, judging that the identity authentication of the target equipment is successful.
In a specific application scenario, the generating module 42 is further configured to generate a Physical Unclonable Function (PUF) identifier of the device according to the SRAM data;
the recording module 43 is further configured to record a mapping relationship among the PUF identifier, the token information, and the device identifier;
the server sending module 44 is further specifically configured to return the PUF identifier and the token information to the device, where a service request sent by the device subsequently carries the PUF identifier and the token information, so as to perform device identity authentication in combination with the mapping relationship when the service request is processed.
It should be noted that other corresponding descriptions of the functional units related to the apparatus for authenticating an equipment identity, which is applicable to the server side and provided by this embodiment, may refer to the corresponding descriptions of the method in fig. 2, and are not described herein again.
Based on the method shown in fig. 1, correspondingly, the present application further provides a storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the method shown in fig. 2. Based on the method shown in fig. 2, another storage medium is provided, on which a computer program is stored, and the computer program is executed by a processor to implement the method shown in fig. 2.
Based on such understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.), and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method of the embodiments of the present application.
Based on the method shown in fig. 1 and the virtual device embodiment shown in fig. 4, in order to achieve the above object, an embodiment of the present application further provides a client device, which may specifically be a personal computer, a printer, a tablet computer, a smart phone, or other network devices, and the client device includes a storage medium and a processor; a storage medium for storing a computer program; a processor for executing a computer program for implementing the above-described method as shown in fig. 1.
Based on the method shown in fig. 2 and the virtual device embodiment shown in fig. 5, in order to achieve the above object, the present application embodiment further provides a server device, which may specifically be a server, a computer device, a printer management device, or other network devices. The apparatus includes a storage medium and a processor; a storage medium for storing a computer program; a processor for executing a computer program for implementing the above-described method as shown in fig. 2.
Optionally, both the two entity devices may further include a user interface, a network interface, a camera, a Radio Frequency (RF) circuit, a sensor, an audio circuit, a WI-FI module, and the like. The user interface may include a Display screen (Display), an input unit such as a keypad (Keyboard), etc., and the optional user interface may also include a USB interface, a card reader interface, etc. The network interface may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface), etc.
Those skilled in the art will appreciate that the physical device structure of the client device and the server device provided in the present embodiment does not constitute a limitation to the two physical devices, and may include more or less components, or combine some components, or arrange different components.
The storage medium may further include an operating system and a network communication module. The operating system is a program that manages the hardware and software resources of the two physical devices described above, supporting the operation of the information processing program as well as other software and/or programs. The network communication module is used for realizing communication among components in the storage medium and communication with other hardware and software in the information processing entity device.
Based on the above, further, the embodiment of the present application also provides a system for device identity authentication, as shown in fig. 6, the system includes a server device 51 and a client device 52.
Therein, the client device 52 may be used to execute the method as shown in fig. 1, and the server device 51 may be used to execute the method as shown in fig. 2.
The client device 52 may be configured to obtain SRAM data of a device, where the SRAM data includes an SRAM initial value at a first time when the device is powered on and a device identifier of the device; sending the SRAM data to the server apparatus 51;
the server device 51 may further be configured to receive 52 SRAM data of a device, where the SRAM data includes an SRAM initial value at a first time when the device is powered on and a device identifier of the device; generating token information of the equipment according to the SRAM data; recording the mapping relation between the token information and the equipment identification; and returning the token information to 52, wherein the token information is used for carrying out equipment identity authentication by combining the mapping relation when processing the service request of the equipment.
The client device 52 is further configured to receive the token information returned by the server device 51; and sending a service request of the equipment, wherein the service request carries the token information so as to carry out equipment identity authentication by combining the mapping relation during the processing of the service request.
Through the above description of the embodiments, those skilled in the art will clearly understand that the present application can be implemented by software plus a necessary general hardware platform, and can also be implemented by hardware. By applying the device identification and authentication method based on the SRAM PUF technology provided by the embodiment, the hardware condition requirement is avoided, and the safety capability of hardware device identification and identity authentication is provided for wide embedded devices with SRAMs based on the PUF technology. Under the condition that the stock equipment does not have strong identification and authentication capabilities, a simple method for uniquely identifying the equipment and carrying out safe identity authentication is provided. The method can work on a data service trunk of hardware equipment, and can also work on equipment identification, safety certification and the like on a side road under the condition of not interfering the existing service. The method has stronger non-forgery and repudiation; the method can realize the unique identification and authentication security reinforcement of the equipment only by updating part of software contents of the on-line OTA.
Those skilled in the art will appreciate that the figures are merely schematic representations of one preferred implementation scenario and that the blocks or flow diagrams in the figures are not necessarily required to practice the present application. Those skilled in the art will appreciate that the modules in the devices in the implementation scenario may be distributed in the devices in the implementation scenario according to the description of the implementation scenario, or may be located in one or more devices different from the present implementation scenario with corresponding changes. The modules of the implementation scenario may be combined into one module, or may be further split into a plurality of sub-modules.
The above application serial numbers are for description purposes only and do not represent the superiority or inferiority of the implementation scenarios. The above disclosure is only a few specific implementation scenarios of the present application, but the present application is not limited thereto, and any variations that can be made by those skilled in the art are intended to fall within the scope of the present application.
Claims (10)
1. A method of device identity authentication, comprising:
obtaining SRAM data of a static random access memory of a device, wherein the SRAM data comprises an SRAM initial value of a first time when the device is powered on and a device identifier of the device;
sending the SRAM data to a server, so that the server generates token information and a Physical Unclonable Function (PUF) identifier of the equipment according to the SRAM data, and records the mapping relation among the token information, the PUF identifier and the equipment identifier;
receiving the token information and the PUF identification returned by the server;
and sending a service request of the equipment, wherein the service request carries the token information and the PUF identifier so as to carry out equipment identity authentication by combining the mapping relation during the processing of the service request.
2. The method of claim 1, wherein the mapping further comprises a generation timestamp of the token information, wherein the token information has an expiration date;
after receiving the token information returned by the server, the method further comprises:
triggering to start timing according to the received token information;
and if the timed duration is greater than or equal to the critical threshold of the validity period, sending the SRAM data of the equipment to the server to acquire new valid token information.
3. The method according to claim 2, wherein the sending the SRAM data of the device to the server to obtain new valid token information specifically comprises:
and if the equipment is restarted, obtaining SRAM data of the equipment at the first moment of powering on again and sending the SRAM data to the server so as to obtain new effective token information.
4. A method of device identity authentication, comprising:
receiving Static Random Access Memory (SRAM) data of a device, wherein the SRAM data comprise an SRAM initial value at a first moment of power-on of the device and a device identification of the device;
generating token information and a Physical Unclonable Function (PUF) identifier of the equipment according to the SRAM data;
recording the mapping relation among the token information, the PUF identification and the device identification;
returning the token information and the PUF identification to the equipment, wherein the token information and the PUF identification are used for carrying out equipment identity authentication by combining the mapping relation when processing the service request of the equipment; the service request carries the token information and the PUF identifier.
5. The method of claim 4, wherein generating token information for the device according to the SRAM data specifically comprises:
extracting a data abstract of the SRAM data;
and generating the token information according to the data abstract, the current timestamp, preset salt data and the equipment identifier of the equipment.
6. The method according to claim 5, wherein the generating the token information according to the data digest, the current timestamp, the preset salt data, and the device identifier of the device specifically includes:
splicing the data abstract, the current timestamp, the preset salt data and the equipment identification;
and carrying out encryption calculation on the field data obtained after splicing to obtain the token information.
7. The method of claim 4, wherein the token information has an expiration date;
the recording of the mapping relationship among the token information, the PUF identifier, and the device identifier specifically includes:
recording the mapping relation among the token information, the PUF identification, the equipment identification and the current time stamp;
after the returning the token information and the PUF identification to the device, the method further comprises:
receiving a request for identity authentication of target equipment, wherein the request carries target token information and a PUF (physical unclonable function) identifier;
performing equipment identity authentication according to the target token information and the PUF identification and by combining the recorded mapping relation;
and returning the identity authentication result of the target equipment.
8. The method according to claim 7, wherein the performing device identity authentication according to the target token information and the PUF identifier and in combination with the recorded mapping relationship specifically includes:
judging whether a mapping relation record of the target token information exists or not;
if the mapping relation record of the target token information does not exist, judging that the identity authentication of the target equipment fails;
if the mapping relation record of the target token information exists, acquiring a timestamp when the target token information is generated through the mapping relation record;
judging whether the valid period of the target token information is expired or not according to the timestamp;
if the validity period of the target token information is expired, determining that the identity authentication of the target equipment fails;
if the validity period of the target token information is not expired, judging whether the identity authentication frequency of the target equipment is abnormal or not;
if the identity authentication frequency of the target equipment is abnormal, judging that the identity authentication of the target equipment fails;
and if the identity authentication frequency of the target equipment is not abnormal, judging that the identity authentication of the target equipment is successful.
9. An apparatus for authenticating a device, comprising:
the device comprises an acquisition module, a processing module and a processing module, wherein the acquisition module is used for acquiring Static Random Access Memory (SRAM) data of a device, and the SRAM data comprises an SRAM initial value at a first moment of power-on of the device and a device identifier of the device;
a sending module, configured to send the SRAM data to a server, so that the server generates token information and a Physical Unclonable Function (PUF) identifier of the device according to the SRAM data, and records a mapping relationship between the token information, the PUF identifier, and the device identifier;
a receiving module, configured to receive the token information and the PUF identifier returned by the server;
the sending module is further configured to send a service request of the device, where the service request carries the token information and the PUF identifier, so as to perform device identity authentication in combination with the mapping relationship when the service request is processed.
10. An apparatus for authenticating a device, comprising:
the device comprises a receiving module, a judging module and a judging module, wherein the receiving module is used for receiving Static Random Access Memory (SRAM) data of the device, and the SRAM data comprises an SRAM initial value at a first moment of powering on the device and a device identification of the device;
the generation module is used for generating token information and a Physical Unclonable Function (PUF) identifier of the equipment according to the SRAM data;
the recording module is used for recording the mapping relation among the token information, the PUF identification and the equipment identification;
a sending module, configured to return the token information and the PUF identifier to the device, where the token information and the PUF identifier are used to perform device identity authentication in combination with the mapping relationship when processing a service request of the device; the service request carries the token information and the PUF identifier.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110226998.7A CN112600860B (en) | 2021-03-02 | 2021-03-02 | Method and device for authenticating equipment identity |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110226998.7A CN112600860B (en) | 2021-03-02 | 2021-03-02 | Method and device for authenticating equipment identity |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112600860A CN112600860A (en) | 2021-04-02 |
| CN112600860B true CN112600860B (en) | 2021-06-18 |
Family
ID=75207831
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110226998.7A Active CN112600860B (en) | 2021-03-02 | 2021-03-02 | Method and device for authenticating equipment identity |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112600860B (en) |
Families Citing this family (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112804678B (en) * | 2021-04-15 | 2021-07-20 | 浙江口碑网络技术有限公司 | Device registration, authentication and data transmission method and device |
| CN112968977B (en) * | 2021-05-14 | 2021-08-13 | 浙江口碑网络技术有限公司 | Information interaction method and device |
| CN115242506B (en) * | 2022-07-21 | 2024-04-12 | 深圳市汇顶科技股份有限公司 | Electronic equipment identity verification method, device, system, equipment and storage medium |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107493572A (en) * | 2016-06-13 | 2017-12-19 | 上海复旦微电子集团股份有限公司 | A kind of wireless radios, certificate server and authentication method |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9489504B2 (en) * | 2013-10-03 | 2016-11-08 | Qualcomm Incorporated | Physically unclonable function pattern matching for device identification |
| US10067701B2 (en) * | 2016-03-24 | 2018-09-04 | Taiwan Semiconductor Manufacturing Co., Ltd. | SRAM-based authentication circuit |
| CN109120573B (en) * | 2017-06-22 | 2021-06-04 | 武汉大学 | Transmission key generation method, terminal and server |
| CN109756337B (en) * | 2017-11-06 | 2022-01-07 | 北京京东尚科信息技术有限公司 | Secure access method and device for service interface |
-
2021
- 2021-03-02 CN CN202110226998.7A patent/CN112600860B/en active Active
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107493572A (en) * | 2016-06-13 | 2017-12-19 | 上海复旦微电子集团股份有限公司 | A kind of wireless radios, certificate server and authentication method |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112600860A (en) | 2021-04-02 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN112600860B (en) | Method and device for authenticating equipment identity | |
| US10979231B2 (en) | Cross-chain authentication method, system, server, and computer-readable storage medium | |
| CN110581860B (en) | Identity authentication method, device, storage medium and equipment based on block chain | |
| CN111429254B (en) | Business data processing method and device and readable storage medium | |
| CN101444063B (en) | Secure time functionality for a wireless device | |
| CN106790156B (en) | Intelligent device binding method and device | |
| US9117324B2 (en) | System and method for binding a smartcard and a smartcard reader | |
| CN109361669B (en) | Identity authentication method, device and equipment of communication equipment | |
| US9762567B2 (en) | Wireless communication of a user identifier and encrypted time-sensitive data | |
| JP2018521417A (en) | Safety verification method based on biometric features, client terminal, and server | |
| CN112673600B (en) | Multiple security authentication system and method between mobile phone terminal and internet of things (IoT) device based on blockchain | |
| CN108243176B (en) | Data transmission method and device | |
| CA2417770A1 (en) | Trusted authentication digital signature (tads) system | |
| CN112565265B (en) | Authentication method, authentication system and communication method between terminal devices of Internet of things | |
| JP5355685B2 (en) | Wireless tag authentication method using radio wave reader | |
| CN104753674A (en) | Application identity authentication method and device | |
| CN113221128B (en) | Account and password storage method and registration management system | |
| CN111461720A (en) | Identity verification method and device based on block chain, storage medium and electronic equipment | |
| CN108702606B (en) | Wireless communication handshake method and equipment | |
| Rossudowski et al. | A security privacy aware architecture and protocol for a single smart card used for multiple services | |
| CN112039857A (en) | Calling method and device of public basic module | |
| CN110971609A (en) | Anti-cloning method of DRM client certificate, storage medium and electronic equipment | |
| CN101493967A (en) | Smart card and method for invoking server certificate or certificate chain therein | |
| Chen et al. | An efficient authentication and access control scheme using smart cards | |
| JP3660306B2 (en) | User authentication system, user authentication method, user authentication program, and computer-readable recording medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |