CN112866236B - Internet of things identity authentication system based on simplified digital certificate - Google Patents


Info

Publication number
CN112866236B
CN112866236B
Authority
CN
China
Prior art keywords
certificate
signature
internet
terminal
things
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110052317.XA
Other languages
Chinese (zh)
Other versions
CN112866236A (en)
Inventor
杨家全
冯勇
李响
李踔
王禹
李浩涛
罗恩博
栾思平
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Electric Power Research Institute of Yunnan Power Grid Co Ltd
Original Assignee
Electric Power Research Institute of Yunnan Power Grid Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Electric Power Research Institute of Yunnan Power Grid Co Ltd
Priority to CN202110052317.XA
Publication of CN112866236A
Application granted
Publication of CN112866236B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y30/00 IoT infrastructure
    • G16Y30/10 Security thereof
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The application provides an Internet of things identity authentication system based on simplified digital certificates, comprising Internet of things terminal equipment, an application server and a certificate management center. The certificate management center is configured to issue a terminal certificate, a server certificate and an issuer certificate. The Internet of things terminal device is configured to send an authentication request that contains a terminal random number sequence. The application server is configured to respond to the authentication request by generating a server random number sequence and signing the terminal random number sequence and the server random number sequence to obtain a first signature value. The Internet of things terminal device is further configured to authenticate the application server through the first signature value, the server certificate and the issuer certificate and, if the authentication succeeds, to sign the terminal random number sequence and the server random number sequence to obtain a second signature value. The application server is further configured to authenticate the Internet of things terminal device through the second signature value, the terminal certificate and the issuer certificate. The system simplifies the authentication process and reduces its time delay.

Description

Internet of things identity authentication system based on simplified digital certificate
Technical Field
The application relates to the field of Internet of things security, in particular to an Internet of things identity authentication system based on a simplified digital certificate.
Background
The Internet of things refers to connecting any object to a network through information sensing equipment according to an agreed protocol. The objects exchange and communicate information over information transmission media to realize functions such as intelligent identification, positioning, tracking and supervision; the architecture comprises a perception layer, a network transmission layer and an application layer. In practical application, before communication can be established, identity authentication is required between the Internet of things terminal equipment and the application server.
A common authentication method uses digital certificates. The current digital certificate format generally follows the international X.509 v3 standard, and a standard X.509 digital certificate contains the following: version information, serial number, signature algorithm, issuer, validity period, holder public key, issuer unique identifier, holder unique identifier, extensions, and the certificate issuer's signature on the certificate. In the authentication process, the content of the digital certificate must pass through multi-stage authentication among the Internet of things terminal, the application server and the certificate issuer.
However, the digital certificate contains a large amount of redundant information that is useless for authentication; this redundant information occupies a large amount of storage space on the Internet of things terminal equipment during authentication, and the multi-stage authentication mode imposes a large delay on the Internet of things terminal. Such an authentication method is therefore not suitable for Internet of things terminal devices.
Disclosure of Invention
The application provides an Internet of things identity authentication system based on simplified digital certificates, and aims to solve the problem that a traditional authentication mode is not suitable for terminal equipment of the Internet of things.
The Internet of things identity authentication system based on simplified digital certificates provided by the application comprises: Internet of things terminal equipment, an application server and a certificate management center;
the certificate management center is configured to: issue a terminal certificate for the Internet of things terminal equipment; issue a server certificate for the application server; and issue its own issuer certificate; the terminal certificate, the server certificate and the issuer certificate are simplified digital certificates;
the Internet of things terminal device is configured to: send an authentication request to the application server, the authentication request containing a terminal random number sequence;
the application server is configured to: respond to the authentication request by generating a server random number sequence and signing the terminal random number sequence and the server random number sequence with its own signature private key to obtain a first signature value; and send the first signature value and the server certificate to the Internet of things terminal equipment;
the Internet of things terminal device is further configured to: authenticate the identity of the application server through the first signature value, the server certificate and the issuer certificate; if the identity authentication of the application server succeeds, sign the terminal random number sequence and the server random number sequence with its own signature private key to obtain a second signature value, and send the second signature value and the terminal certificate to the application server;
the application server is further configured to: authenticate the identity of the Internet of things terminal equipment through the second signature value, the terminal certificate and the issuer certificate, and if the identity authentication of the Internet of things terminal equipment succeeds, send a notification message to the Internet of things terminal equipment notifying it that authentication has succeeded.
Optionally, a hardware cryptographic module is further included. The Internet of things terminal device is further configured to: store the terminal certificate and the issuer certificate, and store its own identity signature and signature private key. The application server is further configured to: store the server certificate and the issuer certificate. The hardware cryptographic module is configured to: store the identity signature and the signature private key of the application server.
Optionally, the simplified digital certificate includes an issuer unique identifier, a holder signature public key, an encryption public key, a validity period, a signature algorithm, and the issuer's signature on the certificate.
Optionally, the Internet of things terminal device is further configured to: verify the validity period of the server certificate; if the certificate is within its validity period, the validity period check passes, and a digital signature verification operation is performed on the issuer's signature in the server certificate using the signature public key in the issuer certificate and the signature algorithm specified in the server certificate; if the certificate is not yet effective or has expired, the validity period check fails and the identity authentication of the application server fails.
Optionally, the Internet of things terminal device is further configured to: if the result of the digital signature verification operation on the issuer's signature indicates that the signature on the server certificate is valid, the server certificate passes verification, and a digital signature verification operation is performed on the first signature value using the signature public key in the server certificate and the signature algorithm specified in the server certificate; if the result indicates that the signature on the server certificate is invalid, server certificate verification fails and the identity authentication of the application server fails.
Optionally, the Internet of things terminal device is further configured to: if the result of the digital signature verification operation on the first signature value indicates that the first signature value is valid, the first signature value passes verification and the identity authentication of the application server succeeds; if the result indicates that the first signature value is invalid, verification of the first signature value fails and the identity authentication of the application server fails.
Optionally, the application server is further configured to: verify the validity period of the terminal certificate; if the certificate is within its validity period, the validity period check passes, and a digital signature verification operation is performed on the issuer's signature in the terminal certificate using the signature public key in the issuer certificate and the signature algorithm specified in the terminal certificate; if the certificate is not yet effective or has expired, the validity period check fails and the identity authentication of the Internet of things terminal equipment fails.
Optionally, the application server is further configured to: if the result of the digital signature verification operation on the issuer's signature indicates that the signature on the terminal certificate is valid, the terminal certificate passes verification and the state of the terminal certificate is queried from the certificate management center; if the result indicates that the signature on the terminal certificate is invalid, terminal certificate verification fails and the identity authentication of the Internet of things terminal equipment fails.
Optionally, the application server is further configured to: if the queried state of the terminal certificate is valid, perform a digital signature verification operation on the second signature value using the signature public key in the terminal certificate and the signature algorithm specified by the terminal certificate; if the queried state of the terminal certificate is revoked, the identity authentication of the Internet of things terminal equipment fails.
Optionally, the application server is further configured to: if the result of the digital signature verification operation on the second signature value indicates that the second signature value is valid, the second signature value passes verification and the identity authentication of the Internet of things terminal equipment succeeds; if the result indicates that the second signature value is invalid, verification of the second signature value fails and the identity authentication of the Internet of things terminal equipment fails.
According to the technical scheme, the Internet of things identity authentication system based on simplified digital certificates comprises the Internet of things terminal equipment, the application server and the certificate management center. The certificate management center is configured to issue a terminal certificate, a server certificate and an issuer certificate. The Internet of things terminal device is configured to send an authentication request that contains a terminal random number sequence. The application server is configured to respond to the authentication request by generating a server random number sequence and signing the terminal random number sequence and the server random number sequence to obtain a first signature value. The Internet of things terminal device is further configured to authenticate the application server through the first signature value, the server certificate and the issuer certificate and, if the authentication succeeds, to sign the terminal random number sequence and the server random number sequence to obtain a second signature value. The application server is further configured to authenticate the Internet of things terminal equipment through the second signature value, the terminal certificate and the issuer certificate. The system simplifies the authentication process and reduces its time delay.
Drawings
To explain the technical solution of the present application more clearly, the drawings needed in the embodiments are briefly described below; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of an Internet of things identity authentication system based on a simplified digital certificate according to the present application;
Fig. 2 is a schematic diagram of the identity authentication of the application server according to the present application;
Fig. 3 is a schematic diagram of the identity authentication of the Internet of things terminal equipment.
Detailed Description
Reference will now be made in detail to embodiments, examples of which are illustrated in the accompanying drawings. The following description refers to the accompanying drawings, in which the same numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following examples do not represent all embodiments consistent with the present application; they are merely examples of systems and methods consistent with certain aspects of the application as recited in the claims.
Fig. 1 is a schematic structural diagram of an Internet of things identity authentication system based on a simplified digital certificate according to the present application. As can be seen from Fig. 1, the system comprises the Internet of things terminal equipment, an application server and a certificate management center. The certificate management center is configured to: issue a terminal certificate Cert_T for the Internet of things terminal equipment; issue a server certificate Cert_S for the application server; and issue its own issuer certificate. The terminal certificate Cert_T, the server certificate Cert_S and the issuer certificate are simplified digital certificates.
In practical application, the Internet of things terminal device is a device that connects the sensing network layer and the transmission network layer of the Internet of things, collecting data and transmitting it to the network layer. It has functions such as data acquisition, preliminary processing, encryption and transmission. To improve the security of the Internet of things, identity authentication is required when the Internet of things terminal equipment and the application server perform data interaction or other actions. The certificate management center issues digital certificates for the Internet of things terminal equipment and the application server, and mutual identity authentication between them is achieved through these digital certificates.
Further, the simplified digital certificate may include an issuer unique identifier, a holder signature public key, an encryption public key, a validity period, a signature algorithm, and the issuer's signature on the certificate. The issuer unique identifier is the identifier of the certificate management center. The holder unique identifier is the identifier of the party to which the certificate is issued; in the embodiments of the application the holders are the Internet of things terminal equipment and the application server. The validity period is the time during which the digital certificate is valid; the certificate is valid only within its validity period, and is otherwise not yet effective or expired. In particular, the simplified digital certificate can be described in a format based on ASN.1 (Abstract Syntax Notation One), a notation that describes data formats for representing, encoding, transmitting and decoding data.
Certificate ::= SEQUENCE {
    issuerUniqueID   BIT STRING,
    subjectUniqueID  BIT STRING,
    signPublicKey    BIT STRING,
    encPublicKey     BIT STRING,
    notBeforeTime    GeneralizedTime,
    notAfterTime     GeneralizedTime,
    signAlgorithm    OBJECT IDENTIFIER,
    signatureValue   BIT STRING
}
Here issuerUniqueID is the issuer unique identifier; subjectUniqueID is the holder unique identifier; signPublicKey is the holder signature public key; encPublicKey is the encryption public key; notBeforeTime and notAfterTime together define the validity period; signAlgorithm is the signature algorithm; and signatureValue is the issuer's signature on the certificate.
In practical application, the simplified digital certificate is better suited to the Internet of things and avoids excessive storage consumption. Identity authentication in the Internet of things that relies on the simplified digital certificate avoids large time delays and consumes little computing performance. At the same time, because the simplified digital certificate contains both a holder signature public key and an encryption public key, a dual-key system is realized within one certificate.
With continued reference to Fig. 1, the Internet of things terminal device is configured to: send an authentication request to the application server, the authentication request containing a terminal random number sequence R_T.
In practical applications, the authentication request may further include a device identifier DevID. The authentication request establishes contact between the Internet of things terminal equipment and the application server.
The application server may be configured to: in response to the authentication request, generate a server random number sequence R_S, sign the terminal random number sequence R_T and the server random number sequence R_S with its own signature private key to obtain a first signature value, and send the first signature value and the server certificate Cert_S to the Internet of things terminal equipment.
In this embodiment, the application server may be further configured to: in response to the authentication request, verify whether the device identifier DevID complies with a predetermined identification rule and, if so, proceed to generate the server random number sequence R_S. The first signature value may be the signature obtained by signing the combined sequence formed by the terminal random number sequence R_T and the server random number sequence R_S.
Further, the Internet of things terminal device authenticates the identity of the application server; specifically, it performs the verification using the first signature value and the server certificate Cert_S.
The Internet of things terminal device may be further configured to: authenticate the identity of the application server through the first signature value, the server certificate Cert_S and the issuer certificate; if the identity authentication of the application server succeeds, sign the terminal random number sequence and the server random number sequence with its own signature private key to obtain a second signature value, and send the second signature value and the terminal certificate Cert_T to the application server.
In this embodiment, the second signature value may be the signature obtained by signing the combined sequence formed by the terminal random number sequence R_T and the server random number sequence R_S.
Fig. 2 is a schematic diagram of the identity authentication of the application server according to the present application. As can be seen from Fig. 2:
the Internet of things terminal device is further configured to: verify the validity period of the server certificate Cert_S; if the certificate is within its validity period, the validity period check passes, and a digital signature verification operation is performed on the issuer's signature in the server certificate Cert_S using the signature public key in the issuer certificate and the signature algorithm specified in Cert_S; if the certificate is not yet effective or has expired, the validity period check fails and the identity authentication of the application server fails.
In this embodiment, if the server certificate Cert_S is within its validity period, Cert_S is said to be in the valid state; if Cert_S is not within its validity period, Cert_S is said to be expired or not yet effective. An expired or not-yet-effective server certificate Cert_S cannot pass the identity authentication performed by the Internet of things terminal equipment, that is, the identity authentication of the application server fails.
The Internet of things terminal device is further configured to: if the result of the digital signature verification operation on the issuer's signature indicates that the signature on the server certificate Cert_S is valid, Cert_S passes verification, and a digital signature verification operation is performed on the first signature value using the signature public key in Cert_S and the signature algorithm specified in Cert_S; if the result indicates that the signature on the server certificate is invalid, verification of Cert_S fails and the identity authentication of the application server fails.
In this embodiment, digital signature verification is the operation of checking a digital signature over data or a message with the signature public key corresponding to the signature private key, where the signature public key is the one stored in the digital certificate. The result of the operation shows whether the digital signature was generated by the signature private key corresponding to the certificate. The server certificate Cert_S includes the issuer's signature on the certificate, namely the certificate management center's signature on Cert_S.
The Internet of things terminal device may be further configured to: if the result of the digital signature verification operation on the first signature value indicates that the first signature value is valid, the first signature value passes verification and the identity authentication of the application server succeeds; if the result indicates that the first signature value is invalid, verification of the first signature value fails and the identity authentication of the application server fails.
In the technical solution of the application, after the Internet of things terminal equipment has successfully authenticated the application server, the application server authenticates the Internet of things terminal equipment.
The application server may be further configured to: authenticate the identity of the Internet of things terminal equipment through the second signature value, the terminal certificate Cert_T and the issuer certificate, and, if the identity authentication of the Internet of things terminal equipment succeeds, send a notification message to the Internet of things terminal equipment notifying it that authentication has succeeded.
Fig. 3 is a schematic diagram of the identity authentication of the Internet of things terminal equipment. As can be seen from Fig. 3,
the application server is further configured to: verify the validity period of the terminal certificate Cert_T; if the certificate is within its validity period, the validity period check passes, and a digital signature verification operation is performed on the issuer's signature in the terminal certificate Cert_T using the signature public key in the issuer certificate and the signature algorithm specified in Cert_T; if the certificate is not yet effective or has expired, the validity period check fails and the identity authentication of the Internet of things terminal equipment fails.
In this embodiment, if the terminal certificate Cert_T is within its validity period, Cert_T is said to be in the valid state; if Cert_T is not within its validity period, Cert_T is said to be expired or not yet effective. An expired or not-yet-effective terminal certificate Cert_T cannot pass the identity authentication performed by the application server, that is, the identity authentication of the Internet of things terminal equipment fails.
The application server may be further configured to: if the result of the digital signature verification operation on the issuer's signature indicates that the signature on the terminal certificate is valid, the terminal certificate Cert_T passes verification, and the state of Cert_T is queried from the certificate management center; if the result indicates that the signature on the terminal certificate is invalid, verification of Cert_T fails and the identity authentication of the Internet of things terminal equipment fails.
In this embodiment, the terminal certificate Cert_T includes the issuer's signature on the certificate, namely the certificate management center's signature on Cert_T.
The application server is further configured to: if the queried state of the terminal certificate Cert_T is valid, perform a digital signature verification operation on the second signature value using the signature public key in Cert_T and the signature algorithm specified by Cert_T; if the queried state of Cert_T is revoked, the identity authentication of the Internet of things terminal equipment fails.
In this embodiment, a terminal certificate may be revoked: when the Internet of things terminal device has performed an illegal operation, the certificate management center may be configured to revoke the terminal certificate Cert_T and record the state of Cert_T. The application server may be configured to query the certificate management center for the state of Cert_T. A revoked terminal certificate Cert_T cannot pass the authentication performed by the application server, that is, the Internet of things terminal equipment fails identity authentication.
The application server is further configured to: if the result of the digital signature verification operation on the second signature value indicates that the second signature value is valid, the second signature value passes verification and the identity authentication of the Internet of things terminal equipment succeeds; if the result indicates that the second signature value is invalid, verification of the second signature value fails and the identity authentication of the Internet of things terminal equipment fails.
In the technical solution of the present application, the terminal device may further include a hardware cryptographic module, and the internet of things terminal device is further configured to: storing the terminal certificate Cert T And the issuer certificate; storing the identity signature and the signature private key of the user; the application server is further configured to: storing the server certificate Cert S And the issuer certificate; the hardware cryptographic module is configured to: and storing the identity signature and the signature private key of the application server.
In practical application, the identity signature and the signature private key of the application server are stored in the hardware password module, so that the signature private key can be ensured not to be leaked, and the server certificate Cert can not appear S A situation where the private key is compromised. IntoAnd one step, the verification of the terminal equipment of the Internet of things on the certificate state of the server is avoided, the steps are simplified, and the efficiency of identity authentication is improved.
According to the technical scheme, the present application provides an Internet of Things identity authentication system based on simplified digital certificates. The system comprises an Internet of Things terminal device, an application server and a certificate management center. The certificate management center is configured to: issue a terminal certificate for the Internet of Things terminal device; issue a server certificate for the application server; and issue an issuer certificate for itself; the terminal certificate, the server certificate and the issuer certificate are simplified digital certificates. The Internet of Things terminal device is configured to: send an authentication request to the application server, the authentication request comprising a terminal random number sequence. The application server is configured to: respond to the authentication request by generating a server random number sequence and signing the terminal random number sequence and the server random number sequence with its own signature private key to obtain a first signature value; and send the first signature value and the server certificate to the Internet of Things terminal device. The Internet of Things terminal device is further configured to: authenticate the identity of the application server through the first signature value, the server certificate and the issuer certificate; if the identity authentication of the application server succeeds, sign the terminal random number sequence and the server random number sequence with its own signature private key to obtain a second signature value, and send the second signature value and the terminal certificate to the application server. The application server is further configured to: authenticate the identity of the Internet of Things terminal device through the second signature value, the terminal certificate and the issuer certificate, and if the identity authentication of the Internet of Things terminal device succeeds, send a notification message to the Internet of Things terminal device to notify it that its authentication has succeeded. The technical scheme adopts a single-layer certificate issuing system, so no complex certificate chain verification is needed. The Internet of Things terminal device does not need to query and verify the state of the server certificate, so the authentication process is simplified and the communication delay is reduced.
The embodiments provided in the present application are only a few examples of its general concept and do not limit its scope. Any other embodiment that a person skilled in the art derives from the scheme of the present application without inventive effort falls within its scope of protection.

Claims (9)

1. An internet of things identity authentication system based on a simplified digital certificate is characterized by comprising: the system comprises the Internet of things terminal equipment, an application server and a certificate management center;
the certificate management center is configured to: issuing a terminal certificate for the terminal equipment of the Internet of things; issuing a server certificate for the application server; and issuing an issuer certificate for itself; the terminal certificate, the server certificate and the issuer certificate are simplified digital certificates; the simplified digital certificate comprises an issuer unique identifier, a holder signature public key, an encryption public key, a validity period, a signature algorithm and a signature of an issuer to the certificate;
the internet of things terminal device is configured to: sending an authentication request to the application server, wherein the authentication request comprises a terminal random number sequence;
the application server is configured to: responding to the authentication request, generating a server random number sequence, and signing the terminal random number sequence and the server random number sequence by using a self signature private key to obtain a first signature value; sending the first signature value and the server certificate to the terminal equipment of the Internet of things;
the internet of things terminal device is further configured to: authenticating the identity of the application server through the first signature value, the server certificate and the issuer certificate, if the identity authentication of the application server is successful, signing the terminal random number sequence and the server random number sequence by using a self signature private key to obtain a second signature value, and sending the second signature value and the terminal certificate to the application server;
the application server is further configured to: authenticating the identity of the terminal equipment of the Internet of things through the second signature value, the terminal certificate and the issuer certificate, and if the identity of the terminal equipment of the Internet of things is successfully authenticated, sending a notification message to the terminal equipment of the Internet of things to notify that the authentication of the terminal equipment of the Internet of things is successful.
2. The identity authentication system of the internet of things based on the simplified digital certificate of claim 1, further comprising a hardware cryptographic module, wherein the terminal device of the internet of things is further configured to: storing the terminal certificate and the issuer certificate; storing the identity signature and the signature private key of the user; the application server is further configured to: storing the server certificate and the issuer certificate; the hardware cryptographic module is configured to: and storing the identity signature and the signature private key of the application server.
3. The system of claim 1, wherein the terminal device is further configured to: verifying the validity period of the server certificate, if the validity period is in a valid state, the validity period passes verification, and performing a digital signature verification operation on the signature of the issuer to the certificate in the server certificate by using the signature public key in the issuer certificate and the signature algorithm specified in the server certificate; if the validity period is in a not-yet-valid state or an invalid state, the validity period verification fails, and the identity authentication of the application server fails.
4. The internet of things identity authentication system based on the simplified digital certificate as claimed in claim 3, wherein the internet of things terminal device is further configured to: if the digital signature verification operation result of the signature of the certificate by the issuer indicates that the signature of the server certificate is valid, the server certificate passes the verification, and the digital signature verification operation is performed on the first signature value by using a signature public key in the server certificate and a signature algorithm specified in the server certificate; and if the digital signature verification operation result of the signature of the certificate by the issuer indicates that the signature of the server certificate is invalid, the server certificate verification fails, and the identity authentication of the application server fails.
5. The internet of things identity authentication system based on the simplified digital certificate as claimed in claim 4, wherein the internet of things terminal device is further configured to: if the digital signature verification operation result of the first signature value shows that the first signature value is valid, the first signature value passes verification, and the identity authentication of the application server is successful; and if the digital signature verification operation result of the first signature value indicates that the first signature value is invalid, the first signature value fails to be verified, and the identity authentication of the application server fails.
6. The system of claim 1, wherein the application server is further configured to: verifying the validity period of the terminal certificate, if the validity period is in a valid state, the validity period passes verification, and performing a digital signature verification operation on the signature of the issuer to the certificate in the terminal certificate by using the signature public key in the issuer certificate and the signature algorithm specified in the terminal certificate; if the validity period is in a not-yet-valid or invalid state, the validity period verification fails, and the identity authentication of the terminal equipment of the Internet of things fails.
7. The internet of things identity authentication system based on the simplified digital certificate as claimed in claim 6, wherein the application server is further configured to: if the digital signature verification operation result of the signature of the certificate by the issuer indicates that the signature of the terminal certificate is valid, the terminal certificate passes verification, and the state of the terminal certificate is inquired from the certificate management center; if the digital signature verification operation result of the signature of the certificate by the issuer shows that the signature of the terminal certificate is invalid, the terminal certificate verification fails, and the identity authentication of the terminal equipment of the Internet of things fails.
8. The internet of things identity authentication system based on the simplified digital certificate as claimed in claim 7, wherein the application server is further configured to: if the inquired state of the terminal certificate is valid, performing a digital signature verification operation on the second signature value by using the signature public key in the terminal certificate and the signature algorithm specified by the terminal certificate; and if the inquired state of the terminal certificate is revoked, the identity authentication of the terminal equipment of the Internet of things fails.
9. The internet of things identity authentication system based on the simplified digital certificate as claimed in claim 8, wherein the application server is further configured to: if the digital signature verification operation result of the second signature value indicates that the second signature value is valid, the second signature value passes verification, and the identity authentication of the terminal equipment of the Internet of things is successful; and if the digital signature verification operation result of the second signature value indicates that the second signature value is invalid, the verification of the second signature value fails, and the identity authentication of the terminal equipment of the Internet of things fails.
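As an added example, not code from the patent or its applicant, the following Go program models the handshake summarised at the end of the description and claimed in claims 1 to 9: a single-layer certificate management center that issues simplified certificates with the fields of claim 1, a terminal that checks the server certificate's validity period and issuer signature and then the first signature value without any status query (claims 3 to 5), and a server that checks the terminal certificate, queries the revocation record, and then checks the second signature value (claims 6 to 9). Ed25519 from Go's standard library as the signature algorithm, the `|`-separated hex encoding signed in `tbs()`, the issuer identifier `cmc-01`, the placeholder encryption public key and the 32-byte random number sequences are all this example's assumptions; the patent names no algorithm, wire format or nonce length.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Cert holds the fields claim 1 lists; the `|`/hex encoding signed in tbs() is this example's assumption.
type Cert struct {
	IssuerID  string
	SigPub    ed25519.PublicKey
	EncPub    []byte // carried as the claim requires, unused by the handshake
	NotBefore int64  // validity period, unix seconds
	NotAfter  int64
	SigAlg    string // only "Ed25519" is accepted in this example
	IssuerSig []byte // issuer's signature over tbs()
}

func (c *Cert) tbs() []byte {
	return []byte(fmt.Sprintf("%s|%x|%x|%d|%d|%s", c.IssuerID, c.SigPub, c.EncPub, c.NotBefore, c.NotAfter, c.SigAlg))
}

// CA is the certificate management center: one layer, self-signed issuer certificate, leaves signed directly.
type CA struct {
	priv    ed25519.PrivateKey
	Cert    *Cert
	revoked map[string]bool // revocation record, keyed by holder signature public key
}

func NewCA(now time.Time) *CA {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ca := &CA{priv: priv, revoked: map[string]bool{}}
	ca.Cert = ca.Issue(pub, now, 10*365*24*time.Hour) // issuer certificate, signed by itself
	return ca
}

func (ca *CA) Issue(sigPub ed25519.PublicKey, now time.Time, ttl time.Duration) *Cert {
	c := &Cert{IssuerID: "cmc-01", SigPub: sigPub, EncPub: []byte("enc-pub-placeholder"),
		NotBefore: now.Unix(), NotAfter: now.Add(ttl).Unix(), SigAlg: "Ed25519"}
	c.IssuerSig = ed25519.Sign(ca.priv, c.tbs())
	return c
}

func (ca *CA) Revoke(c *Cert)         { ca.revoked[string(c.SigPub)] = true }
func transcript(rT, rS []byte) []byte { return append(append([]byte{}, rT...), rS...) } // what both sides sign
func nonce() []byte                   { n := make([]byte, 32); rand.Read(n); return n }

// verifyCert is shared by claims 3-4 and 6-7: validity period first, then the issuer's signature.
func verifyCert(c, issuer *Cert, now time.Time) error {
	if t := now.Unix(); t < c.NotBefore || t > c.NotAfter || c.SigAlg != "Ed25519" {
		return errors.New("certificate outside its validity period or algorithm unsupported")
	} else if !ed25519.Verify(issuer.SigPub, c.tbs(), c.IssuerSig) {
		return errors.New("issuer signature invalid")
	}
	return nil
}

// Terminal side (claims 3-5): no status query is made for the server certificate.
func terminalVerifyServer(issuer, srvCert *Cert, rT, rS, sig1 []byte, now time.Time) error {
	if err := verifyCert(srvCert, issuer, now); err != nil {
		return err
	} else if !ed25519.Verify(srvCert.SigPub, transcript(rT, rS), sig1) {
		return errors.New("first signature value invalid")
	}
	return nil
}

// Server side (claims 6-9): certificate checks, the status query, then the second signature value.
func serverVerifyTerminal(ca *CA, termCert *Cert, rT, rS, sig2 []byte, now time.Time) error {
	if err := verifyCert(termCert, ca.Cert, now); err != nil {
		return err
	} else if ca.revoked[string(termCert.SigPub)] { // status query to the certificate management center
		return errors.New("terminal certificate revoked")
	} else if !ed25519.Verify(termCert.SigPub, transcript(rT, rS), sig2) {
		return errors.New("second signature value invalid")
	}
	return nil
}

// Handshake runs the whole exchange; a nil result stands for the server's success notification.
func Handshake(ca *CA, termPriv ed25519.PrivateKey, termCert *Cert, srvPriv ed25519.PrivateKey, srvCert *Cert, now time.Time) error {
	rT, rS := nonce(), nonce()                        // terminal and server random number sequences
	sig1 := ed25519.Sign(srvPriv, transcript(rT, rS)) // first signature value
	if err := terminalVerifyServer(ca.Cert, srvCert, rT, rS, sig1, now); err != nil {
		return err
	}
	sig2 := ed25519.Sign(termPriv, transcript(rT, rS)) // second signature value
	return serverVerifyTerminal(ca, termCert, rT, rS, sig2, now)
}

func main() {
	now, ca := time.Now(), NewCA(time.Now())
	tPub, tPriv, _ := ed25519.GenerateKey(rand.Reader)
	sPub, sPriv, _ := ed25519.GenerateKey(rand.Reader)
	err := Handshake(ca, tPriv, ca.Issue(tPub, now, time.Hour), sPriv, ca.Issue(sPub, now, time.Hour), now)
	fmt.Println("mutual authentication error:", err) // <nil> when both sides accept
}
```

The asymmetry the description relies on is visible in the two verify functions: `serverVerifyTerminal` consults the revocation record, `terminalVerifyServer` does not, so the validity period is the only thing that bounds how long a terminal keeps accepting a given server certificate, and the description depends on the hardware cryptographic module of claim 2 to keep the server's signature private key from leaking. Both nonces are signed by both parties, so a first signature value captured from one session does not verify in another.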
CN202110052317.XA 2021-01-15 2021-01-15 Internet of things identity authentication system based on simplified digital certificate Active CN112866236B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110052317.XA CN112866236B (en) 2021-01-15 2021-01-15 Internet of things identity authentication system based on simplified digital certificate

Publications (2)

Publication Number Publication Date
CN112866236A CN112866236A (en) 2021-05-28
CN112866236B true CN112866236B (en) 2023-03-31

Family

ID=76005786

Country Status (1)

Country Link
CN (1) CN112866236B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114640467A (en) * 2022-03-15 2022-06-17 微位(深圳)网络科技有限公司 Service-based digital certificate query method and system
CN114666155B (en) * 2022-04-08 2024-04-16 深圳市欧瑞博科技股份有限公司 Equipment access method, system, device, internet of things equipment and gateway equipment
CN114710289B (en) * 2022-06-02 2022-09-02 确信信息股份有限公司 Internet of things terminal security registration and access method and system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105871867A (en) * 2016-04-27 2016-08-17 腾讯科技(深圳)有限公司 Identity authentication method, system and equipment
CN110879879A (en) * 2018-09-05 2020-03-13 航天信息股份有限公司 Internet of things identity authentication method and device, electronic equipment, system and storage medium
CN111083131A (en) * 2019-12-10 2020-04-28 南瑞集团有限公司 Lightweight identity authentication method for power Internet of things sensing terminal
CN112187808A (en) * 2020-09-30 2021-01-05 徐凌魁 Electronic traffic authentication platform and authentication method
CN112202721A (en) * 2020-09-08 2021-01-08 辽宁丰沃新能源有限公司 Intelligent safety system of power enterprise internet of things terminal

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106487511B (en) * 2015-08-27 2020-02-04 阿里巴巴集团控股有限公司 Identity authentication method and device

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
A hybrid authentication method based on AAA certificates and identity signatures; 蒲志强 (Pu Zhiqiang); Journal of Sichuan Normal University (Natural Science Edition); 2017-03-31; full text *
A survey of information security in the ubiquitous power Internet of Things; 廖会敏 (Liao Huimin); Electric Power Information and Communication Technology; 2019-08-31; full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant