CN113872769A - PUF-based device authentication method and device, computer device and storage medium - Google Patents


Info

Publication number: CN113872769A (granted as CN113872769B)
Authority: CN (China)
Application number: CN202111151330.7A
Original language: Chinese (zh)
Legal status: Granted
Prior art keywords: puf, identification code, value, hash value, authentication
Inventors: 刘鹏飞, 彭昭, 任勇强, 李小刚, 陈子阳
Assignee (original and current): Tianyi IoT Technology Co Ltd

Classifications (CPC)

    • H04L9/3278 Cryptographic mechanisms for entity authentication using challenge-response with physically unclonable functions [PUF]
    • H04L9/3236 Cryptographic mechanisms for entity authentication, data integrity or verification of credentials using cryptographic hash functions
    • H04L63/083 Network security protocols for authentication of entities using passwords
    • H04L67/12 Protocols specially adapted for special-purpose networking environments, e.g. sensor networks or remote metering networks

Abstract

An embodiment of the invention discloses a PUF-based device authentication method and apparatus, a computer device and a storage medium. The method comprises: if an authentication message sent by a device side is received, parsing the authentication message to obtain encrypted information and a preset hash value, both of which were generated at the device side; decrypting the encrypted information to obtain the device identification code of the device side, and looking up the PUF value bound to that device identification code; computing a hash over the device identification code and the PUF value to obtain a hash value to be confirmed; and judging whether the hash value to be confirmed matches the preset hash value, and sending the device side an authentication result corresponding to the judgment. The invention not only realizes authentication of PUF devices but also improves security during authentication.

Description

PUF-based device authentication method and device, computer device and storage medium
Technical Field
The invention relates to the technical field of the Internet of Things (IoT), and in particular to a PUF-based device authentication method and apparatus, a computer device and a storage medium.
Background
A Physical Unclonable Function (PUF) is an emerging device identification technology that uniquely identifies a device from the physical characteristics of its internal structure. However, because the PUF value is derived from the device's internal structure, it is exposed to leakage during production, transportation, integration and similar stages of the device's life cycle, and there has been no suitable method for using the PUF as the device's identity in device authentication.
Disclosure of Invention
Embodiments of the invention provide a PUF-based device authentication method and apparatus, a computer device and a storage medium, which not only realize authentication of PUF devices but also improve security during authentication.
In a first aspect, an embodiment of the invention provides a PUF-based device authentication method, comprising:
if an authentication message sent by a device side is received, parsing the authentication message to obtain encrypted information and a preset hash value, wherein the encrypted information and the preset hash value were generated at the device side;
decrypting the encrypted information to obtain the device identification code of the device side, and looking up the PUF value bound to that device identification code;
computing a hash over the device identification code and the PUF value to obtain a hash value to be confirmed; and
judging whether the hash value to be confirmed matches the preset hash value, and sending the device side an authentication result corresponding to the judgment.
In a second aspect, an embodiment of the invention further provides a PUF-based device authentication apparatus, comprising:
an authentication message parsing unit, configured to, if an authentication message sent by a device side is received, parse the authentication message to obtain encrypted information and a preset hash value, wherein the encrypted information and the preset hash value were generated at the device side;
a first confirmation unit, configured to decrypt the encrypted information to obtain the device identification code of the device side, and look up the PUF value bound to that device identification code;
a first calculation unit, configured to compute a hash over the device identification code and the PUF value to obtain a hash value to be confirmed; and
a first sending unit, configured to judge whether the hash value to be confirmed matches the preset hash value, and send the device side an authentication result corresponding to the judgment.
In a third aspect, an embodiment of the invention further provides a computer device comprising a memory and a processor, the memory storing a computer program and the processor implementing the above method when executing that computer program.
In a fourth aspect, the invention further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the above method.
Embodiments of the invention thus provide a PUF-based device authentication method and apparatus, a computer device and a storage medium. When an authentication message sent by a device side is received, it is parsed to obtain encrypted information and a preset hash value, which the device side generated, packaged and sent as the authentication message; the encrypted information is decrypted to obtain the device identification code; the PUF value of the device side is looked up from the device identification code; a hash over the device identification code and the PUF value is computed to obtain a hash value to be confirmed; and finally, whether authentication succeeds is decided by comparing the preset hash value with the hash value to be confirmed, and the corresponding authentication result is returned to the device side.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings needed for describing the embodiments are briefly introduced below. The drawings described show some embodiments of the invention; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1a is a schematic flowchart of a PUF-based device authentication method according to an embodiment of the invention;
Fig. 1b is an application scenario diagram of a PUF-based device authentication method according to an embodiment of the invention;
Fig. 2 is a flowchart of a PUF-based device authentication method according to another embodiment of the invention;
Fig. 3 is a schematic block diagram of a PUF-based device authentication apparatus according to an embodiment of the invention;
Fig. 4 is a schematic block diagram of a PUF-based device authentication apparatus according to another embodiment of the invention;
Fig. 5 is a schematic block diagram of a computer device according to an embodiment of the invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the specification of the present invention and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should be further understood that the term "and/or" as used in this specification and the appended claims refers to and includes any and all possible combinations of one or more of the associated listed items.
Referring to Fig. 1a, a schematic flowchart of a PUF-based device authentication method according to an embodiment of the invention, and to Fig. 1b, its application scenario: the method is applied at an IoT management platform and is used to authenticate a device side; it realizes authentication of PUF devices and improves security in the authentication process. As shown in Fig. 1a, the method includes steps S110 to S140.
S110: if an authentication message sent by the device side is received, parse the authentication message to obtain encrypted information and a preset hash value, both of which were generated at the device side.
In this embodiment, when the device side needs to authenticate, it sends an authentication message to the IoT management platform. On receiving the message, the platform parses it to obtain the encrypted information and the preset hash value, both of which were generated by the device side.
In some embodiments, such as the one shown in Fig. 2, step S110 is preceded by registration steps S110a to S110e.
S110a: acquire the device information of the device side and generate the device identification code corresponding to that device information.
In this embodiment the device side must register with the IoT management platform before it can authenticate to it. At registration the device information is first entered by staff; the platform then acquires this information and generates a device identification code from it. The device identification code is therefore generated by the platform, not by the device, and it is unique, so that different device sides can be told apart.
The device side may be equipped with a security pool that integrates modules such as a PUF, a security chip and a security SDK. The security pool exposes a uniform interface through which the device's computing module calls the security pool's functions; the security chip provides basic secure computation, including a random number generator, a cryptographic arithmetic unit and storage for sensitive information; and the security SDK is used to read the PUF value from the security pool. The security pool further provides a calling interface and a unified interface: the calling interface comprises the security chip's encryption, decryption, signature, signature verification and hash interfaces, and the unified interface comprises the security pool's encryption, decryption, signature verification, random number generation, hash, secure read/write and PUF interfaces, plus an interface for computing the hash of a PUF value.
S110b: send the device identification code and the platform public key to the device side, so that the device side generates and sends a registration message based on them.
In this embodiment, after generating the device identification code, the IoT management platform sends it together with the platform public key to the device side. To improve security this transfer may use a secure channel, which includes but is not limited to offline provisioning. The platform is pre-configured with a platform key pair: the device side encrypts information with the platform public key, and the platform decrypts that information with the platform private key. After receiving the device identification code and the platform public key, the device side encrypts the relevant information with the platform public key, for example the device identification code, and sends the ciphertext to the platform as the content of the registration message.
In some embodiments, such as this one and as shown in Fig. 2, step S110b includes at the device side: acquiring the platform public key and encrypting the device identification code and the PUF value with it to generate the registration message, which comprises the encrypted device identification code and the encrypted PUF value; and sending the registration message to the IoT management platform.
In this embodiment the device side generates the registration message as follows: it first obtains the platform public key sent by the platform and encrypts the device identification code and the PUF value with it, obtaining an encrypted device identification code and an encrypted PUF value, where the PUF value is produced by the device side itself. It then sends the encrypted device identification code and the encrypted PUF value to the platform as the content of the registration message. The content of the registration message is:
registration message = { E_platform public key(PUF value), E_platform public key(device identification code) }
S110c: if the registration message sent by the device side is received, parse it to obtain the encrypted device identification code and the encrypted PUF value.
S110d: decrypt the encrypted device identification code and the encrypted PUF value with the platform private key to obtain the device identification code and the PUF value.
In this embodiment, when the IoT management platform receives the registration message from the device side, it parses the message to obtain the encrypted device identification code and the encrypted PUF value, and decrypts both with the platform private key. The platform may then check whether its database already contains a device identification code identical to the decrypted one; only if it does is the received device identification code a legitimate one, i.e. one the platform itself issued at S110a.
S110e: bind the device identification code to the PUF value and store the PUF value in the PUF database.
In this embodiment the device identification code and the PUF value are bound in a one-to-one relationship, so that the device identification code can be determined from the PUF value and the PUF value can be looked up from the device identification code. Once bound, the PUF value is stored in the PUF database, which holds the PUF values of the different device sides, and registration of the device side is complete.
In some embodiments, such as this one, the authentication message comprises the encrypted information, the preset hash value and a Nonce value, and the device side generates it as follows: acquire the platform public key and the PUF value, and encrypt the device identification code with the platform public key to obtain the encrypted information; generate the Nonce value, and compute a hash over the encrypted information, the Nonce value and the PUF value to obtain the preset hash value; and assemble the authentication message from the encrypted information, the Nonce value and the preset hash value.
In this embodiment the device side must send an authentication message to the IoT management platform when authenticating, generated as follows. At registration the device side stored the platform public key and the device identification code sent by the platform, so when generating the authentication message it can use them directly: it encrypts the device identification code with the platform public key to produce the encrypted information. The device side then generates a Nonce value. Nonce is short for "number used once": an arbitrary value that is not repeated and is used only once, such as a timestamp, a random number or a counter value; its purpose is to improve security by preventing an authentication message from being repeated, which in practice requires the platform to reject a Nonce value it has already accepted. Once the encrypted information, the Nonce value and the PUF value are available, the device side hashes them to produce the preset hash value, which protects the PUF value in transit because only the hash, never the PUF value itself, is sent. Finally the encrypted information, the Nonce value and the preset hash value are sent to the platform as the authentication message.
The content of the authentication message is:
authentication message = { E_platform public key(device identification code), Nonce value, Hash }
where Hash = Hash(device identification code | PUF value | Nonce value).
S120: decrypt the encrypted information to obtain the device identification code of the device side, and look up the PUF value bound to that device identification code.
In this embodiment, on receiving the encrypted information the IoT management platform decrypts it to obtain the device identification code, and looks up the PUF value corresponding to that code in the PUF database.
In some embodiments, such as this one, step S120 includes: acquiring the pre-configured platform private key and decrypting the encrypted information with it to obtain the device identification code of the device side; and looking up, in the PUF database, the PUF value bound to that device identification code.
That is, the platform decrypts the encrypted information with its pre-configured platform private key to obtain the device identification code, and then looks up the matching PUF value in the PUF database.
S130: compute a hash over the device identification code and the PUF value to obtain the hash value to be confirmed.
In this embodiment, once the device identification code and the PUF value are known, the platform hashes them to obtain the hash value to be confirmed. If the authentication message also carries other information, such as a Nonce value or a random number, the hash is computed over the device identification code, the PUF value and that other information, in the same order the device side used.
S140: judge whether the hash value to be confirmed matches the preset hash value, and send the device side an authentication result corresponding to the judgment.
In this embodiment the preset hash value may have been computed at the device side over the device identification code, the PUF value and the Nonce value. Accordingly, once the IoT management platform has obtained the device identification code, it first looks up the PUF value bound to it and then hashes the device identification code, the PUF value and the Nonce value (or only the device identification code and the PUF value if there is no Nonce value). If the hash value to be confirmed equals the preset hash value, the device identification code, PUF value and Nonce value held by the platform all agree with those of the device side. Because the authentication message never contains the PUF value directly, the PUF value cannot leak from it, and comparing the two hash values amounts to checking whether the two sides' PUF values are the same. Note that the formula below hashes the decrypted device identification code, whereas the text of the embodiment following S110 describes hashing the encrypted information; whichever input is chosen, both sides must hash exactly the same bytes in the same order. The comparison is:
Hash(D_platform private key(E_platform public key(device identification code)) | PUF value | Nonce value) = hash
When the hash value to be confirmed equals the preset hash value, the platform returns a result of successful authentication. When the two are not equal, the PUF value stored at the IoT management platform is not the same as the PUF value at the device side, and the platform returns a result of failed authentication.
In some embodiments, such as this one, step S140 includes: judging whether the hash value to be confirmed matches the preset hash value; if it does, checking whether the authentication message contains a timestamp and, if so, returning to the device side a successful authentication result with a validity time limit; and if the hash value to be confirmed does not match the preset hash value, returning a failed authentication result to the device side.
In this embodiment, when the hash value to be confirmed equals the preset hash value, a successful authentication result is returned to the device side; if the authentication message carried timestamp information, the period for which the authentication result remains valid can be returned along with it. When the two hash values differ, a failed authentication result is returned to the device side.
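The registration exchange of steps S110a to S110e and the authentication exchange of steps S110 to S140, implemented end to end as an added example. This is not code from the patent or from Tianyi IoT, and it makes assumptions the page does not: RSA-OAEP stands in for the unspecified public-key encryption, SHA-256 for the unspecified hash, each hashed field is length-prefixed so that "device identification code | PUF value | Nonce value" cannot be re-split at a different boundary, the platform records the Nonce values it has accepted so that a captured authentication message cannot be replayed, and the two hash values are compared in constant time. The Nonce here is a random value; the timestamp variant of S140 (a time-limited result) is not shown. The identifiers (Platform, Device, authHash, dev-0001) and the PUF bytes are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

type RegistrationMsg struct{ EncDeviceID, EncPUF []byte } // S110b: E_pub(ID), E_pub(PUF value)
type AuthMsg struct{ EncDeviceID, Nonce, Hash []byte }    // S110/S140: E_pub(ID), Nonce, Hash(ID | PUF | Nonce)

// Platform is the IoT management platform side.
type Platform struct {
	priv         *rsa.PrivateKey
	pufDB        map[string][]byte // S110e binding: identification code -> PUF value
	issued, seen map[string]bool   // codes generated at S110a; accepted nonces (added replay check)
}

func NewPlatform() (*Platform, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // RSA-OAEP is an assumption; the page names no cipher
	if err != nil {
		return nil, err
	}
	return &Platform{priv, map[string][]byte{}, map[string]bool{}, map[string]bool{}}, nil
}

func (p *Platform) Pub() *rsa.PublicKey { return &p.priv.PublicKey }
func (p *Platform) Issue(id string)     { p.issued[id] = true } // S110a: the platform generates the code
func (p *Platform) open(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, ct, nil)
}

// Register is S110c-S110e: decrypt, accept only a platform-issued code, bind it to the PUF value.
func (p *Platform) Register(m RegistrationMsg) error {
	id, err1 := p.open(m.EncDeviceID)
	puf, err2 := p.open(m.EncPUF)
	if err1 != nil || err2 != nil || !p.issued[string(id)] {
		return errors.New("registration rejected: undecryptable message or code not issued by this platform")
	}
	p.pufDB[string(id)] = puf
	return nil
}

// authHash is Hash(device identification code | PUF value | Nonce); the length
// prefix per field is an addition so the concatenation cannot be re-split.
func authHash(id, puf, nonce []byte) []byte {
	h := sha256.New()
	for _, f := range [][]byte{id, puf, nonce} {
		fmt.Fprintf(h, "%d:", len(f))
		h.Write(f)
	}
	return h.Sum(nil)
}

// Authenticate is S120-S140. (false, nil) means the recomputed hash differs,
// i.e. the PUF value bound to this code is not the one the device holds.
func (p *Platform) Authenticate(m AuthMsg) (bool, error) {
	id, err := p.open(m.EncDeviceID)
	puf, ok := p.pufDB[string(id)]
	if err != nil || !ok || p.seen[string(m.Nonce)] {
		return false, errors.New("undecryptable message, unregistered code or reused nonce")
	}
	if subtle.ConstantTimeCompare(authHash(id, puf, m.Nonce), m.Hash) != 1 {
		return false, nil
	}
	p.seen[string(m.Nonce)] = true
	return true, nil
}

// Device holds its code, the PUF value read from its security pool, and the platform public key.
type Device struct {
	ID  string
	PUF []byte
	Pub *rsa.PublicKey
}

func (d *Device) seal(pt []byte) []byte {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, d.Pub, pt, nil)
	if err != nil {
		panic(err) // inputs here are far below the OAEP size limit
	}
	return ct
}

func (d *Device) RegistrationMessage() RegistrationMsg {
	return RegistrationMsg{d.seal([]byte(d.ID)), d.seal(d.PUF)}
}

func (d *Device) AuthMessage() AuthMsg {
	nonce := make([]byte, 16)
	rand.Read(nonce) // crypto/rand.Read never returns an error as of Go 1.24
	return AuthMsg{d.seal([]byte(d.ID)), nonce, authHash([]byte(d.ID), d.PUF, nonce)}
}

func main() {
	p, _ := NewPlatform()
	p.Issue("dev-0001")
	dev := &Device{"dev-0001", []byte("constructed-puf-bits"), p.Pub()}
	fmt.Println(p.Register(dev.RegistrationMessage())) // <nil>
	fmt.Println(p.Authenticate(dev.AuthMessage()))     // true <nil>
}
```

Running main registers one constructed device and authenticates it once; presenting the same AuthMsg a second time is refused because its Nonce has been recorded, and a device holding a different PUF value under the same identification code produces a hash that does not match. In a deployment both the PUF database and the set of accepted Nonce values need durable storage, and since the PUF database holds each device's secret in the clear it must be protected at least as carefully as the platform private key.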
Fig. 3 is a schematic block diagram of a PUF-based device authentication apparatus 100 according to an embodiment of the present invention. As shown in fig. 3, the present invention also provides a device authentication apparatus 100 based on PUF, corresponding to the above device authentication method based on PUF. The PUF-based device authentication apparatus 100 includes means for performing the above-described PUF-based device authentication method. Specifically, referring to fig. 3, the PUF-based device authentication apparatus 100 includes an authentication packet parsing unit 110, a first confirmation unit 120, a first calculation unit 130, and a first sending unit 140.
The authentication message analyzing unit 110 is configured to, if an authentication message sent by an equipment end is received, analyze the authentication message to obtain encryption information and a preset hash value, where the encryption information and the preset hash value are generated at the equipment end; the first confirming unit 120 is configured to decrypt the encrypted information to obtain a device identifier of the device side, and confirm a PUF value matching the device identifier according to the device identifier; the first calculating unit 130 is configured to calculate a hash value of the device identification code and the PUF value to obtain a hash value to be confirmed; the first sending unit 140 is configured to determine whether the hash value to be confirmed matches the preset hash value, and send an authentication result matching the determination result to the device side according to the determination result.
Fig. 4 is a schematic block diagram of a PUF-based device authentication apparatus 100 according to another embodiment of the present invention. As shown in fig. 4, the PUF-based device authentication apparatus 100 of the present embodiment is the above-described embodiment, and further includes a first obtaining unit 110a, a second sending unit 110b, an enrollment packet parsing unit 110c, a first decryption unit 110d, and a PUF value storage unit 110 e.
The first obtaining unit 110a is configured to obtain device information of the device side, and generate the device identification code corresponding to the device information according to the device information; the second sending unit 110b is configured to send the device identifier and the platform public key to the device end, so that the device end generates and sends a registration packet according to the device identifier and the platform public key; the registration message analyzing unit 110c is configured to, if a registration message sent by the device end is received, analyze the registration message to obtain the encrypted device identifier and the encrypted PUF value; the first decryption unit 110d is configured to decrypt the encrypted device identification code and the encrypted PUF value through a platform private key to obtain the device identification code and the PUF value; the PUF value storage unit 110e is configured to bind the device identification code and the PUF value and store the PUF value in a PUF database.
In some embodiments, for example, in this embodiment, the second sending unit 110b includes a second obtaining unit and a third sending unit.
The second obtaining unit is configured to obtain the platform public key, and encrypt the device identification code and the PUF value through the platform public key to generate the registration packet, where the registration packet includes the encrypted device identification code and the encrypted PUF value; and the third sending unit is used for sending the registration message to the Internet of things management platform.
In some embodiments, for example, in this embodiment, the authentication message includes the encryption information, the preset hash value, and a Nonce value, and the authentication message analyzing unit 110 includes a third obtaining unit, a second calculating unit, and an authentication message generating unit.
The third obtaining unit is configured to obtain the platform public key and the PUF value, and encrypt the device identification code through the platform public key to obtain the encryption information; the second calculation unit is used for generating the Nonce value and carrying out hash calculation on the encryption information, the Nonce value and the PUF value so as to obtain the preset hash value; and the authentication message generating unit is used for generating the authentication message according to the encryption information, the Nonce value and the preset hash value.
In some embodiments, for example, in this embodiment, the first calculation unit 130 includes a fourth obtaining unit and a PUF value confirmation unit.
The fourth obtaining unit is used for obtaining a pre-configured platform private key and decrypting the encrypted information through the platform private key to obtain the equipment identification code of the equipment terminal; and the PUF value confirming unit is used for confirming the PUF value matched with the device identification code in the PUF database according to the device identification code.
In some embodiments, for example, in this embodiment, the first sending unit 140 includes a first determining unit, a second confirming unit, a first returning unit, and a second returning unit.
The first judging unit is used for judging whether the hash value to be confirmed is matched with the preset hash value or not; the second confirmation unit is used for confirming whether the authentication message contains a timestamp or not if the hash value to be confirmed is matched with the preset hash value; the first returning unit is used for returning the successful authentication result with time limit to the equipment end if the authentication message contains the timestamp; and the second returning unit is used for returning the authentication failure result to the equipment end if the hash value to be confirmed is not matched with the preset hash value.
It should be noted that, as can be clearly understood by those skilled in the art, the specific implementation processes of the device authentication apparatus based on PUF and each unit may refer to the corresponding descriptions in the foregoing method embodiments, and for convenience and brevity of description, no further description is provided herein.
The PUF-based device authentication apparatus described above may be implemented in the form of a computer program that is executable on a computer device as shown in fig. 5.
Referring to fig. 5, fig. 5 is a schematic block diagram of a computer device according to an embodiment of the present application. The computer device can be a terminal or a server, wherein the terminal can be an electronic device with a communication function, such as a smart phone, a tablet computer, a notebook computer, a desktop computer, a personal digital assistant or a wearable device. The server may be an independent server or a server cluster composed of a plurality of servers.
Referring to fig. 5, the computer device 500 includes a processor 502, memory and interface 507 coupled by a system bus 501, where the memory may include a non-volatile storage medium 503 and an internal memory 504.
The non-volatile storage medium 503 may store an operating system 5031 and a computer program 5032. The computer program 5032, when executed, may cause the processor 502 to perform a PUF-based device authentication method.
The processor 502 is used to provide computing and control capabilities to support the operation of the overall computer device 500.
The internal memory 504 provides an environment for running the computer program 5032 in the non-volatile storage medium 503, and when the computer program 5032 is executed by the processor 502, the processor 502 may be caused to perform a PUF-based device authentication method.
The interface 505 is used to communicate with other devices. Those skilled in the art will appreciate that the configuration shown in fig. 5 is a block diagram of only the portion of the configuration associated with the present application and does not constitute a limitation of the computer device 500 to which the present application may be applied, and that a particular computer device 500 may include more or fewer components than those shown, may combine certain components, or may have a different arrangement of components.
Wherein the processor 502 is configured to run the computer program 5032 stored in the memory to implement the following steps:
if an authentication message sent by an equipment end is received, analyzing the authentication message to obtain encryption information and a preset hash value, wherein the encryption information and the preset hash value are generated at the equipment end;
decrypting the encrypted information to obtain the device identification code of the device side, and confirming the PUF value matched with the device identification code according to the device identification code;
calculating the hash value of the device identification code and the PUF value to obtain a hash value to be confirmed;
and judging whether the hash value to be confirmed is matched with the preset hash value or not, and sending an authentication result matched with the judgment result to the equipment terminal according to the judgment result.
In an embodiment, before implementing the step of, if an authentication message sent by the device end is received, analyzing the authentication message to obtain the encryption information and the preset hash value, the processor 502 further implements the following steps:
acquiring equipment information of the equipment end, and generating an equipment identification code corresponding to the equipment information according to the equipment information;
and sending the equipment identification code and the platform public key to the equipment end so that the equipment end generates and sends a registration message according to the equipment identification code and the platform public key.
In an embodiment, the step of generating and sending the registration message by the device end according to the device identification code and the platform public key specifically includes the following steps:
acquiring the platform public key, and encrypting the device identification code and the PUF value through the platform public key to generate the registration message, wherein the registration message comprises the encrypted device identification code and the encrypted PUF value;
and sending the registration message to the Internet of things management platform.
In an embodiment, after implementing the step of sending the device identification code and the platform public key to the device end so that the device end generates and sends a registration message according to the device identification code and the platform public key, the processor 502 further implements the following steps:
if a registration message sent by the equipment terminal is received, analyzing the registration message to obtain the encrypted equipment identification code and the encrypted PUF value;
respectively decrypting the encrypted device identification code and the encrypted PUF value through a platform private key to obtain the device identification code and the PUF value;
and binding the device identification code and the PUF value and storing the PUF value into a PUF database.
In an embodiment, when implementing the step of generating the authentication packet at the device side, the processor 502 specifically implements the following steps:
acquiring the platform public key and the PUF value, and encrypting the equipment identification code through the platform public key to acquire the encryption information;
generating the Nonce value, and performing hash calculation on the encryption information, the Nonce value and the PUF value to obtain the preset hash value;
and generating the authentication message according to the encryption information, the Nonce value and the preset hash value.
In an embodiment, when implementing the steps of decrypting the encrypted information to obtain the device identifier of the device side and confirming the PUF value matching the device identifier according to the device identifier, the processor 502 specifically implements the following steps:
acquiring a pre-configured platform private key, and decrypting the encrypted information through the platform private key to acquire an equipment identification code of the equipment terminal;
and confirming the PUF value matched with the device identification code in the PUF database according to the device identification code.
In an embodiment, when the processor 502 performs the steps of determining whether the hash value to be confirmed matches the preset hash value, and sending an authentication result matching the determination result to the device end according to the determination result, the following steps are specifically performed:
judging whether the hash value to be confirmed is matched with the preset hash value or not;
if the hash value to be confirmed is matched with the preset hash value, whether the authentication message contains a timestamp is confirmed;
if the authentication message contains the timestamp, returning a successful authentication result with a time limit to the equipment end;
and if the hash value to be confirmed is not matched with the preset hash value, returning a result of authentication failure to the equipment end.
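The authentication exchange described by the apparatus units above and by the processor steps just listed, written out as an added example in Go; it is not code from the patent. It follows the embodiment in which the preset hash covers the encryption information, the Nonce and the PUF value (claim 6), and assumes: RSA-OAEP with SHA-256 stands in for the public-key algorithm the patent does not name; the registration message exchange of claims 3 and 4 is replaced by enrolling the identification code and PUF value directly into the PUF database; the per-device record of accepted nonces is a defensive check the patent does not specify; the time limit of a timed success is the message timestamp plus a caller-supplied validity in seconds.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
)

// AuthMsg is the authentication message of claim 6: the identification code
// encrypted under the platform public key (EncInfo), the Nonce, the preset hash,
// and an optional timestamp (0 when absent). RSA-OAEP is an assumption here;
// the patent does not name the public-key algorithm.
type AuthMsg struct {
	EncInfo, Nonce, Hash []byte
	Timestamp            int64
}

// presetHash is computed by the device and recomputed by the platform:
// SHA-256 over encryption information || Nonce || PUF value.
func presetHash(encInfo, nonce, puf []byte) []byte {
	h := sha256.New()
	h.Write(encInfo)
	h.Write(nonce)
	h.Write(puf)
	return h.Sum(nil)
}

// DeviceAuthentication is the equipment end building its authentication message
// from the identification code and PUF value it holds (claim 6).
func DeviceAuthentication(pub *rsa.PublicKey, id string, puf []byte, ts int64) (AuthMsg, error) {
	encInfo, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(id), nil)
	if err != nil {
		return AuthMsg{}, err
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return AuthMsg{}, err
	}
	return AuthMsg{EncInfo: encInfo, Nonce: nonce, Hash: presetHash(encInfo, nonce, puf), Timestamp: ts}, nil
}

// Platform is the IoT management platform: the platform private key, the PUF
// database filled at registration (identification code -> PUF value) and, as an
// added check the patent does not specify, the nonces already accepted per device.
type Platform struct {
	priv  *rsa.PrivateKey
	pufDB map[string][]byte
	seen  map[string]bool
}

func NewPlatform() (*Platform, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Platform{priv: priv, pufDB: map[string][]byte{}, seen: map[string]bool{}}, nil
}

func (p *Platform) PublicKey() *rsa.PublicKey { return &p.priv.PublicKey }

// Enroll binds an identification code to its PUF value: the end state of the
// registration flow of claims 3 and 4 (the registration message itself is omitted).
func (p *Platform) Enroll(id string, puf []byte) { p.pufDB[id] = puf }

// Verify implements claims 5 and 7: decrypt the encryption information with the
// platform private key, look up the PUF value, recompute the hash and compare it in
// constant time. On success it returns Timestamp+validity when a timestamp is present, else 0.
func (p *Platform) Verify(m AuthMsg, validity int64) (int64, error) {
	idBytes, err := rsa.DecryptOAEP(sha256.New(), nil, p.priv, m.EncInfo, nil)
	if err != nil {
		return 0, errors.New("encryption information does not decrypt")
	}
	id := string(idBytes)
	puf, ok := p.pufDB[id]
	if !ok {
		return 0, errors.New("unknown identification code")
	}
	if subtle.ConstantTimeCompare(presetHash(m.EncInfo, m.Nonce, puf), m.Hash) != 1 {
		return 0, errors.New("hash mismatch: authentication failed")
	}
	key := id + ":" + hex.EncodeToString(m.Nonce)
	if p.seen[key] {
		return 0, errors.New("nonce already used")
	}
	p.seen[key] = true
	if m.Timestamp != 0 {
		return m.Timestamp + validity, nil
	}
	return 0, nil
}
```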
It should be understood that, in the embodiment of the present application, the processor 502 may be a central processing unit (CPU), and the processor 502 may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
It will be understood by those skilled in the art that all or part of the flow of the method implementing the above embodiments may be implemented by a computer program instructing associated hardware. The computer program may be stored in a storage medium, which is a computer-readable storage medium. The computer program is executed by at least one processor in the computer system to implement the flow steps of the embodiments of the method described above.
Accordingly, the present invention also provides a storage medium. The storage medium may be a computer-readable storage medium. The storage medium stores a computer program. The computer program, when executed by a processor, implements any of the embodiments of the PUF-based device authentication method described above.
The storage medium may be a USB disk, a removable hard disk, a read-only memory (ROM), a magnetic disk, an optical disk, or any other computer-readable storage medium capable of storing the computer program.
Those of ordinary skill in the art will appreciate that the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein may be embodied in electronic hardware, computer software, or combinations of both, and that the components and steps of the examples have been described in general terms of their functionality in the foregoing description in order to illustrate clearly the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and the design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative. For example, the division of each unit is only one logic function division, and there may be another division manner in actual implementation. For example, various elements or components may be combined or may be integrated into another system, or some features may be omitted, or not implemented.
The steps in the method of the embodiment of the invention can be sequentially adjusted, combined and deleted according to actual needs. The units in the device of the embodiment of the invention can be merged, divided and deleted according to actual needs. In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a storage medium. Based on such understanding, the technical solution of the present invention in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device to execute all or part of the steps of the method according to the embodiments of the present invention.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, while the invention has been described with respect to the above-described embodiments, it will be understood that the invention is not limited thereto but may be embodied with various modifications and changes.
While the invention has been described with reference to specific embodiments, the invention is not limited thereto, and various equivalent modifications and substitutions can be easily made by those skilled in the art within the technical scope of the invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A device authentication method based on PUF is applied to an Internet of things management platform, and is characterized by comprising the following steps:
if an authentication message sent by an equipment end is received, analyzing the authentication message to obtain encryption information and a preset hash value, wherein the encryption information and the preset hash value are generated at the equipment end;
decrypting the encrypted information to obtain the device identification code of the device side, and confirming the PUF value matched with the device identification code according to the device identification code;
calculating the hash value of the device identification code and the PUF value to obtain a hash value to be confirmed;
and judging whether the hash value to be confirmed is matched with the preset hash value or not, and sending an authentication result matched with the judgment result to the equipment terminal according to the judgment result.
2. The PUF-based device authentication method according to claim 1, wherein before the step of, if an authentication message sent by the device end is received, analyzing the authentication message to obtain the encryption information and the preset hash value, the method further includes:
acquiring equipment information of the equipment end, and generating an equipment identification code corresponding to the equipment information according to the equipment information;
and sending the equipment identification code and the platform public key to the equipment end so that the equipment end generates and sends a registration message according to the equipment identification code and the platform public key.
3. The PUF-based device authentication method according to claim 2, wherein the step of generating and sending the registration packet by the device side according to the device identification code and the platform public key includes:
acquiring the platform public key, and encrypting the device identification code and the PUF value through the platform public key to generate the registration message, wherein the registration message comprises the encrypted device identification code and the encrypted PUF value;
and sending the registration message to the Internet of things management platform.
4. The PUF-based device authentication method according to claim 3, wherein after the step of sending the device identifier and the platform public key to the device side so that the device side generates and sends the registration packet according to the device identifier and the platform public key, the method further comprises:
if a registration message sent by the equipment terminal is received, analyzing the registration message to obtain the encrypted equipment identification code and the encrypted PUF value;
respectively decrypting the encrypted device identification code and the encrypted PUF value through a platform private key to obtain the device identification code and the PUF value;
and binding the device identification code and the PUF value and storing the PUF value into a PUF database.
5. The PUF-based device authentication method according to claim 4, wherein the step of decrypting the encrypted information to obtain a device identification code of the device side, and confirming the PUF value matching the device identification code based on the device identification code includes:
acquiring a pre-configured platform private key, and decrypting the encrypted information through the platform private key to acquire an equipment identification code of the equipment terminal;
and confirming the PUF value matched with the device identification code in the PUF database according to the device identification code.
6. The PUF-based device authentication method according to claim 2, wherein the authentication packet includes the encryption information, the hash value, and a Nonce value, and the step of generating the authentication packet at the device side includes:
acquiring the platform public key and the PUF value, and encrypting the equipment identification code through the platform public key to acquire the encryption information;
generating the Nonce value, and performing hash calculation on the encryption information, the Nonce value and the PUF value to obtain the preset hash value;
and generating the authentication message according to the encryption information, the Nonce value and the preset hash value.
7. The PUF-based device authentication method according to claim 1, wherein the step of determining whether the hash value to be confirmed matches the preset hash value, and sending an authentication result matching the determination result to the device side according to the determination result includes:
judging whether the hash value to be confirmed is matched with the preset hash value or not;
if the hash value to be confirmed is matched with the preset hash value, whether the authentication message contains a timestamp is confirmed;
if the authentication message contains the timestamp, returning a successful authentication result with a time limit to the equipment end;
and if the hash value to be confirmed is not matched with the preset hash value, returning a result of authentication failure to the equipment end.
8. An apparatus for PUF-based device authentication, the apparatus comprising:
the authentication message analysis unit is used for analyzing the authentication message to obtain encryption information and a preset hash value if the authentication message sent by the equipment terminal is received, wherein the encryption information and the preset hash value are generated at the equipment terminal;
the first confirmation unit is used for decrypting the encrypted information to obtain the device identification code of the device end, and confirming the PUF value matched with the device identification code according to the device identification code;
the first calculation unit is used for calculating the device identification code and the hash value of the PUF value to obtain a hash value to be confirmed;
and the first sending unit is used for judging whether the hash value to be confirmed is matched with the preset hash value or not and sending an authentication result matched with the judgment result to the equipment terminal according to the judgment result.
9. A computer device, wherein an Internet of things management platform is built on the computer device, and the computer device comprises a memory and a processor connected with the memory; the memory is used for storing a computer program; and the processor is adapted to run the computer program stored in the memory to perform the steps of the method according to any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that the storage medium stores a computer program which, when being executed by a processor, realizes the steps of the method according to any one of claims 1 to 7.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202111151330.7A (granted as CN113872769B, Active) | 2021-09-29 | 2021-09-29 | Device authentication method and device based on PUF, computer device and storage medium

Publications (2)

Publication Number | Publication Date
CN113872769A (en) | 2021-12-31
CN113872769B (en) | 2024-02-20

Family

ID=78992688

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111151330.7A Active CN113872769B (en) 2021-09-29 2021-09-29 Device authentication method and device based on PUF, computer device and storage medium

Country Status (1)

Country Link
CN (1) CN113872769B (en)

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant