CN114205082A - Bidirectional identity authentication method and device for reader-writer and electronic tag - Google Patents
Bidirectional identity authentication method and device for reader-writer and electronic tag Download PDFInfo
- Publication number
- CN114205082A CN114205082A CN202111501201.6A CN202111501201A CN114205082A CN 114205082 A CN114205082 A CN 114205082A CN 202111501201 A CN202111501201 A CN 202111501201A CN 114205082 A CN114205082 A CN 114205082A
- Authority
- CN
- China
- Prior art keywords
- key
- electronic tag
- reader
- kec
- writer
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 39
- 230000002457 bidirectional effect Effects 0.000 title claims abstract description 38
- 238000012795 verification Methods 0.000 claims description 17
- 239000006185 dispersion Substances 0.000 claims description 3
- 230000004044 response Effects 0.000 claims description 3
- 239000000126 substance Substances 0.000 claims description 3
- 238000004891 communication Methods 0.000 abstract description 7
- 238000004364 calculation method Methods 0.000 abstract description 4
- 238000007726 management method Methods 0.000 description 6
- 230000008569 process Effects 0.000 description 6
- 230000003993 interaction Effects 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 230000005055 memory storage Effects 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 230000000750 progressive effect Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06K—GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
- G06K17/00—Methods or arrangements for effecting co-operative working between equipments covered by two or more of main groups G06K1/00 - G06K15/00, e.g. automatic card files incorporating conveying and reading operations
- G06K17/0022—Methods or arrangements for effecting co-operative working between equipments covered by two or more of main groups G06K1/00 - G06K15/00, e.g. automatic card files incorporating conveying and reading operations arrangements or provisious for transferring data to distant stations, e.g. from a sensing device
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0869—Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/085—Secret sharing or secret splitting, e.g. threshold schemes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0866—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Abstract
The embodiment of the specification discloses a bidirectional identity authentication method and device for a reader-writer and an electronic tag, which comprises the following steps: a reader generates a public and private key pair, and a Certificate Authority (CA) is used for issuing a certificate; a Key Management Center (KMC) generates a public and private key pair of the electronic tag by using an identification cryptographic algorithm, and hosts the public and private key pair to a key hosting center (KEC) for storage; a Key Management Center (KMC) generates an encryption and decryption key of the electronic tag and stores the encryption and decryption key to a Key Escrow Center (KEC); and the Key Escrow Center (KEC) replaces the electronic tag to complete bidirectional identity authentication with the reader-writer based on an identity identification algorithm. The invention uses the key escrow center KEC to replace the electronic tag with limited calculation and storage capacity to realize bidirectional identity authentication with the reader-writer with rich calculation resources, thereby ensuring the identity credibility of both communication parties.
Description
Technical Field
The present application relates to the field of wireless communication technologies, and in particular, to a bidirectional identity authentication method and device for a reader and an electronic tag.
Background
In the application scenario of ultrahigh frequency radio frequency identification acquisition of a high security level network, especially in a cross-domain environment, how to realize bidirectional identity authentication between a reader-writer with severely asymmetric computing capability and an electronic tag is the most challenging, so that it is ensured that a legal reader-writer reads and writes a legal electronic tag.
Due to the limitation of storage and operation capabilities of ultrahigh frequency passive electronic tag chips, the traditional identity authentication protocol (including public key certificate or identity certificate algorithm) based on asymmetric cryptographic algorithm cannot complete operation on the tags. Although manufacturers propose that an ultrahigh frequency passive electronic tag chip adopting a symmetric cryptographic algorithm can realize identity authentication and data protection between a reader and a tag in a key pre-sharing manner, the chip is not popularized, and the key pre-sharing manner faces management challenges of cross-department and cross-domain key intercommunication.
Therefore, a safe and reliable authentication algorithm is urgently needed in the ultrahigh frequency radio frequency identification acquisition application scene of the high-security-level network, particularly in the cross-domain environment, and bidirectional identity authentication between the reader and the mass electronic tags is realized.
Disclosure of Invention
In view of this, embodiments of the present application provide a bidirectional identity authentication method and device for a reader and an electronic tag, which are used to solve the problem of bidirectional identity authentication between an internet-of-things reader and a mass of electronic tags.
In order to solve the above technical problem, the embodiments of the present specification are implemented as follows:
in one aspect, a bidirectional identity authentication method for a reader and an electronic tag provided in an embodiment of the present specification includes:
a reader generates a public and private key pair, and a Certificate Authority (CA) is used for issuing a certificate;
a Key Management Center (KMC) generates a public and private key pair of the electronic tag by using an identification cryptographic algorithm, and hosts the public and private key pair to a key hosting center (KEC) for storage;
a Key Management Center (KMC) generates an encryption and decryption key of the electronic tag and stores the encryption and decryption key to a Key Escrow Center (KEC);
and the Key Escrow Center (KEC) replaces the electronic tag to complete bidirectional identity authentication with the reader-writer based on an identity identification algorithm.
Optionally, the reader public key certificate and the electronic tag identity certificate are generated based on two certificate generation algorithms, namely PKI and IBC.
Optionally, the reader generates a public and private key pair, and issues a certificate by using a Certificate Authority (CA), which specifically includes:
the reader generates a public and private key pair locally, and submits a certificate application to a Certificate Authority (CA) or a digital certificate registration center (RA);
and the Certificate Authority (CA) checks the certificate application and signs and issues the certificate after checking that the certificate application is correct.
Optionally, the Key Management Center (KMC) generates a public-private key pair of the electronic tag by using an identification cryptographic algorithm, which specifically includes:
the Key Management Center (KMC) uses the unique tag identification number TID of the electronic tag as a public key of the electronic tag by using an identification cryptographic algorithm, and generates a private key corresponding to the electronic tag.
Optionally, the Key Management Center (KMC) generates an encryption and decryption key of the electronic tag, which specifically includes:
and a Key Management Center (KMC) establishes a root key of a symmetric key system, performs gradual dispersion on the symmetric key by using the TID of the electronic tag, and performs confidentiality and integrity protection on the key by using the HMAC.
Optionally, before the Key Management Center (KMC) generates the encryption and decryption keys of the electronic tag and stores the encryption and decryption keys to the Key Escrow Center (KEC), the method further includes:
the RFID card making terminal generates a public and private key pair locally by using an asymmetric algorithm and issues a certificate by using a Certificate Authority (CA);
reading TID information of the electronic tag by the card making terminal, encrypting card making data by using a symmetric algorithm, and writing the encrypted card making data into a storage area of the electronic tag in a ciphertext mode;
and the card making terminal sends the read TID identification of the electronic tag to a Key Management Center (KMC).
Optionally, the Key Escrow Center (KEC) completes bidirectional identity authentication with the reader-writer by replacing the electronic tag based on an identity algorithm, and specifically includes:
a public key algorithm of an identification cipher algorithm is utilized between a Key Escrow Center (KEC) and a reader-writer to obtain mutual public key certificates, the validity of certificate signatures is verified, the validity period of the certificates is verified, the public keys of the certificates are extracted, and the identities of the two parties are verified by adopting an authentication protocol of a challenge/response mode;
the Key Escrow Center (KEC) and the reader-writer generate random numbers according to a pre-negotiated signature verification algorithm, and the Key Escrow Center (KEC) performs digital signature by using a private key of the electronic tag;
and the reader-writer performs operation according to the certificate identification and the public parameter of the issuer to obtain a verification result.
Optionally, the Key Escrow Center (KEC) completes bidirectional identity authentication with the reader-writer by replacing the electronic tag based on an identity algorithm, and specifically includes:
reading the TID of the electronic tag and the stored tag data ciphertext by the reader-writer;
the reader sends the TID of the electronic tag and requests a Key Escrow Center (KEC) to verify the identity of the electronic tag;
the Key Escrow Center (KEC) and the reader-writer perform verification based on an identity algorithm, the key escrow center performs signature by using a private key of the electronic tag, and the reader-writer performs identity verification by using the TID;
the Key Escrow Center (KEC) and the reader-writer perform verification based on a PKI public key algorithm;
and the Key Escrow Center (KEC) and the reader-writer negotiate a session key, the reader-writer sends ciphertext data read from the electronic tag to the (KEC), and the (KEC) decrypts the ciphertext data by using the symmetric key of the electronic tag and sends the data back to the reader-writer.
Optionally, the Key Escrow Center (KEC) and the reader/writer perform verification based on a PKI public key algorithm, which specifically includes:
and the Key Escrow Center (KEC) replaces the electronic tag to verify the identity of the reader-writer, the two parties verify based on a public key algorithm, the reader-writer is signed by a private key, and the Key Escrow Center (KEC) verifies by using the public key to determine the identity of the reader-writer.
On the other hand, an embodiment of the present specification provides a bidirectional identity authentication device for a reader and an electronic tag, including:
at least one processor; and the number of the first and second groups,
a memory communicatively coupled to the at least one processor; wherein the content of the first and second substances,
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
a reader generates a public and private key pair, and a Certificate Authority (CA) is used for issuing a certificate;
a Key Management Center (KMC) generates a public and private key pair of the electronic tag by using an identification cryptographic algorithm, and hosts the public and private key pair to a key hosting center (KEC) for storage;
a Key Management Center (KMC) generates an encryption and decryption key of the electronic tag and stores the encryption and decryption key to a Key Escrow Center (KEC);
and the Key Escrow Center (KEC) replaces the electronic tag to complete bidirectional identity authentication with the reader-writer based on an identity identification algorithm.
The embodiment of the specification adopts at least one technical scheme which can achieve the following beneficial effects:
1. the key escrow center KEC is used for replacing an electronic tag with limited computing and storage capacities to realize bidirectional identity authentication with a reader-writer with rich computing resources, and identity credibility of both communication parties is guaranteed.
2. Based on the characteristic that the electronic tag has the globally unique TID, the identity certificate is generated for the electronic tag by adopting an identification key algorithm, so that the identity authentication of the electronic tag is realized.
3. The method solves the key leakage problem faced by adopting a pre-shared key authentication mode, and the key negotiation, distribution, management and other problems under a cross-domain environment, and plays an important role in the identification link in a large-scale Internet of things application scene.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic flowchart of a bidirectional identity authentication method for a reader/writer and an electronic tag according to an embodiment;
fig. 2 is a schematic flowchart of a bidirectional identity authentication method between a reader and an electronic tag according to a second embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be described in detail and completely with reference to the following specific embodiments of the present application and the accompanying drawings. It should be apparent that the described embodiments are only some of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The English full name and Chinese of the English abbreviation related to the invention are explained as follows:
TID (tag identifier): tag identification number
Pki (public Key infrastructure): public key infrastructure
IBC (Identity-Based cryptography): identification code
Ca (certificateauthority): certificate authority
Kmc (key Management center): key management center
KEC (Key Escrow center): key escrow center
Sk (session key): session key
The technical solutions provided by the embodiments of the present application are described in detail below with reference to the accompanying drawings.
Example one
Fig. 1 is a schematic flowchart of a bidirectional identity authentication method between a reader and an electronic tag according to an embodiment. From the viewpoint of a program, the execution subject of the flow may be a program installed in an application server or an application client.
As shown in fig. 1, the process may include the following steps:
step 102: a reader generates a public and private key pair, and a Certificate Authority (CA) is used for issuing a certificate;
step 104: a Key Management Center (KMC) generates a public and private key pair of the electronic tag by using an identification cryptographic algorithm, and hosts the public and private key pair to a key hosting center (KEC) for storage;
step 106: a Key Management Center (KMC) generates an encryption and decryption key of the electronic tag and stores the encryption and decryption key to a Key Escrow Center (KEC);
step 108: and the Key Escrow Center (KEC) replaces the electronic tag to complete bidirectional identity authentication with the reader-writer based on an identity identification algorithm.
Specifically, the method comprises the following steps:
(1) the reader generates a public key certificate. And the reader generates a corresponding public and private key pair, and issues a certificate by using a Certificate Authority (CA).
(2) Electronic tag encryption and decryption key escrow. And the key management center KMC generates an encryption and decryption key of the electronic tag data and stores the encryption and decryption key to the key escrow center KEC, so that the key uniform safety management of the whole system is realized.
(3) And establishing and hosting an electronic tag identity certificate. And the key management center KMC uses the unique tag identification number TID of the ultrahigh frequency passive electronic tag as a public key of the electronic tag by using an identification cryptographic algorithm, generates a private key corresponding to the unique tag identification number TID, and safely hosts the private key to the key hosting center KEC for storage.
(4) And bidirectional identity authentication is carried out between the key escrow center KEC and the reader-writer. The KEC and the reader-writer complete the bidirectional identity authentication by using a public key algorithm negotiated by the KEC and the reader-writer.
(5) And bidirectional identity authentication is completed between the reader-writer and the electronic tag. The reader-writer interacts with the electronic tag to obtain the TID of the electronic tag and the encrypted data stored in the TID, and then sends the identity certificate of the electronic tag to be verified to the key escrow center KEC, and the key escrow center KEC replaces the electronic tag to complete bidirectional identity authentication with the reader-writer.
(6) And the electronic tag data is decrypted and then sent to the reader-writer. And the key escrow center KEC decrypts the electronic tag encrypted data sent by the reader-writer by using the stored electronic tag decryption key and then returns the electronic tag encrypted data to the reader-writer.
When the bidirectional identity authentication between the reader-writer and the massive electronic tags is realized in the cross-domain environment, the key escrow center KEC is used for replacing the electronic tags with limited calculation and storage capacities to realize the bidirectional identity authentication of the reader-writer with relatively rich calculation resources, so that the identity credibility of both communication parties is ensured; based on the characteristic that the electronic tag has the globally unique TID, the identity certificate is generated for the electronic tag by adopting an identification key algorithm, so that the identity authentication of the electronic tag is realized. Meanwhile, the method solves the problems of key leakage caused by adopting a pre-shared key authentication mode and key negotiation, distribution, management and the like under a cross-domain environment, and plays an important role in the identification link in a large-scale Internet of things application scene.
Example two
Fig. 2 is a schematic flowchart of a bidirectional identity authentication method between a reader and an electronic tag according to a second embodiment. As shown in fig. 2, the method includes:
(1) the reader generates a public key certificate.
The reader generates a corresponding public and private key pair, and issues a certificate by using a Certificate Authority (CA). In specific implementation, a conventional certificate generation and issuing manner may be adopted. The method comprises the steps that a reader generates a public and private key pair locally, submits a certificate application to a (CA) or a digital certificate registration center (RA), and performs verification and check on a certificate, signing and issuing on the certificate and other links.
(2) Electronic tag encryption and decryption key escrow.
And the Key Management Center (KMC) generates an encryption and decryption key of the electronic tag data and stores the encryption and decryption key into a Key Escrow Center (KEC), so that the key uniform security management of the whole system is realized. In specific implementation, the encryption and decryption keys of the electronic tag can be generated according to a conventional key generation algorithm, including (KMC) establishing a root key of a symmetric key system, performing gradual dispersion of the symmetric keys by using TIDs of the tags, and performing confidentiality and integrity protection of the keys by using HMAC.
(3) And writing the data of the electronic tag.
And the card making terminal reads the TID information of the electronic tag, encrypts card making data by using a symmetric algorithm and writes the encrypted card making data into a storage area of the electronic tag in a ciphertext mode. In specific implementation, the card making terminal and the electronic tag follow the ultrahigh frequency air interface protocol instruction to complete the information and data interaction process; the card making terminal calculates an encryption key of the electronic tag by using a distributed key sent by a Key Management Center (KMC) and the TID of the electronic tag according to a key distribution algorithm; and the card making terminal encrypts the data by using the encryption key of the electronic tag through a symmetric encryption algorithm and writes the encrypted data into the data storage area of the electronic tag.
(4) And transmitting the identity information of the electronic tag.
And the card making terminal sends the read TID identification of the electronic tag to a Key Management Center (KMC). In particular, it may be implemented according to a conventional data communication protocol.
(5) And establishing an identity certificate of the electronic tag.
And the Key Management Center (KMC) uses the unique tag identification number TID of the ultrahigh frequency passive electronic tag as a public key of the electronic tag by using an identification cryptographic algorithm, generates a private key corresponding to the tag, and safely hosts the private key to the key hosting center (KEC) for storage. In specific implementation, the identity certificate of the electronic tag can be generated and distributed in a conventional manner, including (KMC) applying for an identity certificate by using the TID number of the electronic tag as user identity information; (KMC) generating a user private key matching the electronic tag identity information; and responding, generating and issuing an identity identification certificate containing the information of the electronic tag public key and the user private key by using a certificate management system, and issuing the identity identification certificate to a Key Escrow Center (KEC) for storage.
(6) The reader-writer obtains the identity information of the electronic tag and the storage data.
And the reader reads the TID identification of the electronic tag and the stored tag data ciphertext. In specific implementation, the reader-writer and the electronic tag follow the ultrahigh frequency air interface protocol instruction to complete the information and data interaction process.
(7) The reader requires verification of the identity of the electronic tag.
The reader sends the TID of the electronic tag and requests a Key Escrow Center (KEC) to verify the identity of the electronic tag. In specific implementation, the reader sends TID information of the electronic tag to be verified as a public key of an identification certificate of the electronic tag to a Key Escrow Center (KEC) according to a conventional data communication protocol.
(8) And the Key Escrow Center (KEC) replaces the electronic tag for identity authentication.
And (4) verifying the Key Escrow Center (KEC) and the reader based on an identity identification algorithm, signing the KEC by using a private key of the electronic tag, and verifying the identity of the reader by using the TID of the KEC. In specific implementation, a Key Escrow Center (KEC) can replace an electronic tag to complete bidirectional identity authentication with a reader-writer according to a conventional identity certificate verification mode, wherein the Key Escrow Center (KEC) and the reader-writer generate random numbers according to a pre-negotiated signature verification algorithm, and the Key Escrow Center (KEC) utilizes a private key of the electronic tag to perform digital signature; the reader-writer performs operation according to the certificate identifier and the public parameter of the issuer to obtain a verification result; after the verification is passed, a Key Escrow Center (KEC) and the reader-writer negotiate a session key SK for subsequent operation; and the reader-writer securely transmits the obtained electronic tag encrypted data to a Key Escrow Center (KEC).
(9) And the Key Escrow Center (KEC) is used for verifying the identity of the reader-writer instead of the electronic tag.
The Key Escrow Center (KEC) and the reader/writer perform authentication based on a PKI public key algorithm. In specific implementation, the bidirectional identity authentication between the Key Escrow Center (KEC) and the reader/writer can be completed according to a conventional public key certificate authentication manner, including negotiating an authentication algorithm, obtaining mutual public key certificates, verifying the validity of certificate signatures, verifying the validity period of the certificates, extracting the public keys of the certificates, verifying the identities of both parties by using an authentication protocol in a challenge/response mode, and the like.
(10) And the Key Escrow Center (KEC) decrypts the encrypted data of the electronic tag and returns the decrypted data to the reader-writer.
And the Key Escrow Center (KEC) and the reader-writer negotiate a session key SK, the reader-writer sends ciphertext data read from the electronic tag to the (KEC), and the (KEC) decrypts by using the symmetric key of the electronic tag and sends the data back to the reader-writer. In specific implementation, the method may be performed according to a conventional key distribution manner, and includes that a Key Escrow Center (KEC) decrypts the electronic tag encrypted data obtained in step 7 by using the electronic tag encryption and decryption key obtained in step 2, and securely transmits the decrypted electronic tag data to the reader/writer by using the session key SK negotiated in step 8.
EXAMPLE III
An embodiment provides a bidirectional identity authentication device of a reader and an electronic tag, including:
at least one processor; and the number of the first and second groups,
a memory communicatively coupled to the at least one processor; wherein the content of the first and second substances,
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
a reader generates a public and private key pair, and a Certificate Authority (CA) is used for issuing a certificate;
a Key Management Center (KMC) generates a public and private key pair of the electronic tag by using an identification cryptographic algorithm, and hosts the public and private key pair to a key hosting center (KEC) for storage;
a Key Management Center (KMC) generates an encryption and decryption key of the electronic tag and stores the encryption and decryption key to a Key Escrow Center (KEC);
and the Key Escrow Center (KEC) replaces the electronic tag to complete bidirectional identity authentication with the reader-writer based on an identity identification algorithm.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.
Claims (10)
1. A bidirectional identity authentication method for a reader-writer and an electronic tag is characterized by comprising the following steps:
a reader generates a public and private key pair, and a Certificate Authority (CA) is used for issuing a certificate;
a Key Management Center (KMC) generates a public and private key pair of the electronic tag by using an identification cryptographic algorithm, and hosts the public and private key pair to a key hosting center (KEC) for storage;
a Key Management Center (KMC) generates an encryption and decryption key of the electronic tag and stores the encryption and decryption key to a Key Escrow Center (KEC);
and the Key Escrow Center (KEC) replaces the electronic tag to complete bidirectional identity authentication with the reader-writer based on an identity identification algorithm.
2. The method of claim 1, wherein the reader public key certificate and the electronic tag identification certificate are generated based on two certificate generation algorithms of PKI and IBC.
3. The method of claim 1, wherein the reader generates a public-private key pair, and issues certificates using a Certificate Authority (CA), and the method specifically comprises:
the reader generates a public and private key pair locally, and submits a certificate application to a Certificate Authority (CA) or a digital certificate registration center (RA);
and the Certificate Authority (CA) checks the certificate application and signs and issues the certificate after checking that the certificate application is correct.
4. The method as claimed in claim 1, wherein the Key Management Center (KMC) generates a public-private key pair of the electronic tag using a signature cryptographic algorithm, comprising in particular:
the Key Management Center (KMC) uses the unique tag identification number TID of the electronic tag as a public key of the electronic tag by using an identification cryptographic algorithm, and generates a private key corresponding to the electronic tag.
5. The method as claimed in claim 1, wherein a Key Management Center (KMC) generates the encryption and decryption keys of the electronic tag, specifically comprising:
and a Key Management Center (KMC) establishes a root key of a symmetric key system, performs gradual dispersion on the symmetric key by using the TID of the electronic tag, and performs confidentiality and integrity protection on the key by using the HMAC.
6. The key generation method of claim 1, wherein before the Key Management Center (KMC) generates and deposits the encryption and decryption keys of the electronic tag to the Key Escrow Center (KEC), the method further comprises:
the RFID card making terminal generates a public and private key pair locally by using an asymmetric algorithm and issues a certificate by using a Certificate Authority (CA);
reading TID information of the electronic tag by the card making terminal, encrypting card making data by using a symmetric algorithm, and writing the encrypted card making data into a storage area of the electronic tag in a ciphertext mode;
and the card making terminal sends the read TID identification of the electronic tag to a Key Management Center (KMC).
7. The method of claim 1, wherein the Key Escrow Center (KEC) performs bidirectional identity authentication with the reader in place of the electronic tag based on an identity algorithm, specifically including:
a public key algorithm of an identification cipher algorithm is utilized between a Key Escrow Center (KEC) and a reader-writer to obtain mutual public key certificates, the validity of certificate signatures is verified, the validity period of the certificates is verified, the public keys of the certificates are extracted, and the identities of the two parties are verified by adopting an authentication protocol of a challenge/response mode;
the Key Escrow Center (KEC) and the reader-writer generate random numbers according to a pre-negotiated signature verification algorithm, and the Key Escrow Center (KEC) performs digital signature by using a private key of the electronic tag;
and the reader-writer performs operation according to the certificate identification and the public parameter of the issuer to obtain a verification result.
8. The method of claim 1, wherein the Key Escrow Center (KEC) performs bidirectional identity authentication with the reader in place of the electronic tag based on an identity algorithm, specifically including:
reading the TID of the electronic tag and the stored tag data ciphertext by the reader-writer;
the reader sends the TID of the electronic tag and requests a Key Escrow Center (KEC) to verify the identity of the electronic tag;
the Key Escrow Center (KEC) and the reader-writer perform verification based on an identity algorithm, the key escrow center performs signature by using a private key of the electronic tag, and the reader-writer performs identity verification by using the TID;
the Key Escrow Center (KEC) and the reader-writer perform verification based on a PKI public key algorithm;
and the Key Escrow Center (KEC) and the reader-writer negotiate a session key, the reader-writer sends ciphertext data read from the electronic tag to the (KEC), and the (KEC) decrypts the ciphertext data by using the symmetric key of the electronic tag and sends the data back to the reader-writer.
9. The method according to claim 8, wherein the Key Escrow Center (KEC) and the reader/writer perform authentication based on a PKI public key algorithm, specifically comprising:
and the Key Escrow Center (KEC) replaces the electronic tag to verify the identity of the reader-writer, the two parties verify based on a public key algorithm, the reader-writer is signed by a private key, and the Key Escrow Center (KEC) verifies by using the public key to determine the identity of the reader-writer.
10. A bidirectional identity authentication device of a reader and an electronic tag comprises:
at least one processor; and the number of the first and second groups,
a memory communicatively coupled to the at least one processor; wherein the content of the first and second substances,
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
a reader generates a public and private key pair, and a Certificate Authority (CA) is used for issuing a certificate;
a Key Management Center (KMC) generates a public and private key pair of the electronic tag by using an identification cryptographic algorithm, and hosts the public and private key pair to a key hosting center (KEC) for storage;
a Key Management Center (KMC) generates an encryption and decryption key of the electronic tag and stores the encryption and decryption key to a Key Escrow Center (KEC);
and the Key Escrow Center (KEC) replaces the electronic tag to complete bidirectional identity authentication with the reader-writer based on an identity identification algorithm.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111501201.6A CN114205082B (en) | 2021-12-09 | 2021-12-09 | Bidirectional identity authentication method and equipment for reader-writer and electronic tag |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111501201.6A CN114205082B (en) | 2021-12-09 | 2021-12-09 | Bidirectional identity authentication method and equipment for reader-writer and electronic tag |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114205082A true CN114205082A (en) | 2022-03-18 |
| CN114205082B CN114205082B (en) | 2024-01-26 |
Family
ID=80651781
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111501201.6A Active CN114205082B (en) | 2021-12-09 | 2021-12-09 | Bidirectional identity authentication method and equipment for reader-writer and electronic tag |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114205082B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114844687A (en) * | 2022-04-15 | 2022-08-02 | 深圳汇辰软件有限公司 | Authentication method, electronic equipment and storage medium |
Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1949250A (en) * | 2006-07-10 | 2007-04-18 | 王耀 | System and method of identifying electronic tag using mobile communication equipment |
| CN101814991A (en) * | 2010-03-12 | 2010-08-25 | 西安西电捷通无线网络通信股份有限公司 | Mutual authentication method and system based on identity |
| KR20110074441A (en) * | 2009-12-24 | 2011-06-30 | 삼성테크윈 주식회사 | Method for mutual authentication between tag and reader in radio frequency identification system |
| CN102646203A (en) * | 2012-02-29 | 2012-08-22 | 电子科技大学 | RFID (Radio Frequency Identification Device) data transmission and authentication system and method |
| CN103078744A (en) * | 2013-01-25 | 2013-05-01 | 西安电子科技大学 | Public key-based bidirectional radio frequency identification authorization method |
| CN104113414A (en) * | 2014-06-10 | 2014-10-22 | 电子科技大学 | Untraceable RFID label authentication method |
| CN106992861A (en) * | 2017-05-24 | 2017-07-28 | 广东工业大学 | A kind of wireless generation method of RFID keys and system with EPC labels |
| CN108600230A (en) * | 2018-04-26 | 2018-09-28 | 深圳市盛路物联通讯技术有限公司 | A kind of radio-frequency identification method and system |
| US20200059363A1 (en) * | 2018-08-17 | 2020-02-20 | Walmart Apollo, Llc | Systems and methods of authenticating items |
-
2021
- 2021-12-09 CN CN202111501201.6A patent/CN114205082B/en active Active
Patent Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1949250A (en) * | 2006-07-10 | 2007-04-18 | 王耀 | System and method of identifying electronic tag using mobile communication equipment |
| KR20110074441A (en) * | 2009-12-24 | 2011-06-30 | 삼성테크윈 주식회사 | Method for mutual authentication between tag and reader in radio frequency identification system |
| CN101814991A (en) * | 2010-03-12 | 2010-08-25 | 西安西电捷通无线网络通信股份有限公司 | Mutual authentication method and system based on identity |
| CN102646203A (en) * | 2012-02-29 | 2012-08-22 | 电子科技大学 | RFID (Radio Frequency Identification Device) data transmission and authentication system and method |
| CN103078744A (en) * | 2013-01-25 | 2013-05-01 | 西安电子科技大学 | Public key-based bidirectional radio frequency identification authorization method |
| CN104113414A (en) * | 2014-06-10 | 2014-10-22 | 电子科技大学 | Untraceable RFID label authentication method |
| CN106992861A (en) * | 2017-05-24 | 2017-07-28 | 广东工业大学 | A kind of wireless generation method of RFID keys and system with EPC labels |
| CN108600230A (en) * | 2018-04-26 | 2018-09-28 | 深圳市盛路物联通讯技术有限公司 | A kind of radio-frequency identification method and system |
| US20200059363A1 (en) * | 2018-08-17 | 2020-02-20 | Walmart Apollo, Llc | Systems and methods of authenticating items |
Non-Patent Citations (1)
| Title |
|---|
| 张兵;秦志光;万国根;: "基于PKI和CPK的RFID系统混合密钥管理机制研究", 电子科技大学学报, no. 03 * |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114844687A (en) * | 2022-04-15 | 2022-08-02 | 深圳汇辰软件有限公司 | Authentication method, electronic equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114205082B (en) | 2024-01-26 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11323276B2 (en) | Mutual authentication of confidential communication | |
| CN110535628B (en) | Method and device for performing multi-party security calculation through certificate signing and issuing | |
| CN111585749B (en) | Data transmission method, device, system and equipment | |
| CN106789042B (en) | Authentication key negotiation method for user in IBC domain to access resources in PKI domain | |
| CN101212293B (en) | Identity authentication method and system | |
| CN105049434B (en) | Identity identifying method and encryption communication method under a kind of peer to peer environment | |
| US10044684B2 (en) | Server for authenticating smart chip and method thereof | |
| US11228450B2 (en) | Method and apparatus for performing multi-party secure computing based-on issuing certificate | |
| US10887110B2 (en) | Method for digital signing with multiple devices operating multiparty computation with a split key | |
| CN112351037B (en) | Information processing method and device for secure communication | |
| CN104424446A (en) | Safety verification and transmission method and system | |
| CN110380859B (en) | Quantum communication service station identity authentication method and system based on asymmetric key pool pair and DH protocol | |
| CN103905388A (en) | Authentication method, authentication device, smart card, and server | |
| CN114331456A (en) | Communication method, device, system and readable storage medium | |
| CN114205082B (en) | Bidirectional identity authentication method and equipment for reader-writer and electronic tag | |
| KR100456624B1 (en) | Authentication and key agreement scheme for mobile network | |
| CN108933659A (en) | A kind of authentication system and verification method of smart grid | |
| CN116132986A (en) | Data transmission method, electronic equipment and storage medium | |
| CN113676330B (en) | Digital certificate application system and method based on secondary secret key | |
| CN114186292A (en) | Card type certificate secret key initialization method, cipher module, initialization device and system | |
| EP3185504A1 (en) | Security management system for securing a communication between a remote server and an electronic device | |
| CN114070570A (en) | Safe communication method of power Internet of things | |
| CN117278330B (en) | Lightweight networking and secure communication method for electric power Internet of things equipment network | |
| CN114095150B (en) | Identity authentication method, device, equipment and readable storage medium | |
| CN110225515B (en) | Authentication management system, method and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |