CN114257419B - Device authentication method, device, computer device and storage medium - Google Patents

Info

Publication number: CN114257419B
Application number: CN202111436807.6A
Authority: CN (China)
Legal status: Active (granted)
Prior art keywords: server, information, equipment, authentication, registered
Other languages: Chinese (zh)
Other versions: CN114257419A (en)
Inventors: 钱正浩, 刘鑫, 刘晔, 伍江瑶, 温柏坚
Current assignee: Guangdong Power Grid Co Ltd; Southern Power Grid Digital Grid Research Institute Co Ltd
Original assignee: Guangdong Power Grid Co Ltd; Southern Power Grid Digital Grid Research Institute Co Ltd
Application filed by Guangdong Power Grid Co Ltd and Southern Power Grid Digital Grid Research Institute Co Ltd; priority to CN202111436807.6A; published as CN114257419A, granted as CN114257419B.

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
        • H04L 65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
            • H04L 65/1066 Session management
                • H04L 65/1073 Registration or de-registration
        • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
                • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
            • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                • H04L 9/3247 Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS; Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS; Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
        • Y04S 40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
            • Y04S 40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

The application relates to a device authentication method, a device authentication apparatus, a computer device and a storage medium. In the method, a first server sends device registration information containing the first public key of a device to be registered to a second server; the second server generates response information and returns it to the first server through a blockchain; the device to be registered generates a digital signature from the response information, builds authentication request information from the digital signature and its device information, and sends it to the first server; the first server forwards the authentication request information to the blockchain of the second server; and the second server receives the authentication request information through the blockchain and, using the first public key, authenticates the digital signature and the device information through the blockchain. Whereas conventional schemes lack an authentication method for industrial devices spanning internal and external networks, this scheme uses the blockchain to authenticate industrial devices on the external network while the internal and external network servers remain network-isolated, improving the convenience of device authentication.

Description

Device authentication method, device, computer device and storage medium
Technical Field
The present disclosure relates to the field of identity authentication technologies, and in particular, to a device authentication method, apparatus, computer device, and storage medium.
Background
Industrial device identity authentication is a precondition for industrial tasks to be executed correctly and safely. Its aim is to confirm that an operator is legitimate and may access and use particular resources, and further that a device has a defined access policy and that its operation behaviour is legitimate. If the identity authentication mechanism fails, identity impersonation, illegal access, operational violations and similar events readily occur and threaten the normal execution of industrial tasks, so a strict identity authentication mechanism must be established. To keep data secure and prevent information leakage, enterprises now adopt environments in which the internal and external networks are isolated. This prevents, to a degree, leakage caused by mixed use of the internal and external networks, but it also makes device identity authentication more difficult.
Therefore, current device authentication methods spanning internal and external networks suffer from inconvenient authentication.
Disclosure of Invention
In view of the above, it is desirable to provide a device authentication method, apparatus, computer device and storage medium that improve the convenience of device authentication when the device resides on an intranet or an extranet.
A device authentication method is applied to a second server, the second server being disposed in an intranet and provided with a blockchain, and the method comprises the following steps:
receiving device registration information sent by a first server; the device registration information is generated from a device registration request sent by a device to be registered that is disposed in an external network, and the device registration request comprises a first public key corresponding to the device to be registered;
generating corresponding response information from the device registration information and sending the response information to the first server through the blockchain; the first server is configured to forward the response information to the device to be registered, and the device to be registered is configured to generate a corresponding digital signature from the response information, generate authentication request information from the digital signature and its own device information, and send the authentication request information to the blockchain of the second server through the first server;
and receiving the authentication request information through the blockchain, and authenticating the digital signature and the device information in the authentication request information through the blockchain using the first public key.
In one embodiment, the device registration information includes a first generation time of the device registration request and a second generation time of the device registration information;
after receiving the device registration information sent by the first server, the method further includes:
detecting whether the difference between the second generation time and the first generation time is less than or equal to a preset time difference threshold and, if so, executing the step of generating corresponding response information from the device registration information and sending the response information to the first server through the blockchain.
In one embodiment, the device registration information further includes a device identifier;
generating corresponding response information from the device registration information includes:
generating a second public key and a second private key corresponding to the second server with an elliptic-curve cryptographic algorithm;
and generating the response information from the second public key, the device identifier of the device to be registered and the current time.
In one embodiment, after authenticating the digital signature and the device information in the authentication request information through the blockchain using the first public key, the method further includes:
if the identity authentication passes, generating authentication passing information corresponding to the device information through the blockchain;
adding the digital signature of the second server to the authentication passing information, and sending the authentication passing information carrying the digital signature of the second server to the first server; the first server is configured to generate a first session key from the authentication passing information and forward the authentication passing information to the device to be registered, and the device to be registered is configured to generate a second session key from the authentication passing information, so that the device to be registered communicates with the first server through the second session key and the first server communicates with the second server through the first session key.
A device authentication method is applied to a first server disposed in an external network, and the method comprises:
acquiring a device registration request sent by a device to be registered that is disposed in the external network; the device registration request comprises a first public key corresponding to the device to be registered;
generating corresponding device registration information from the first public key and sending the device registration information to a second server; the second server is provided with a blockchain and is configured to receive the device registration information sent by the first server, generate corresponding response information from the device registration information and send the response information to the first server through the blockchain;
sending the response information to the device to be registered; the device to be registered is configured to generate a corresponding digital signature from the response information, generate authentication request information from the digital signature and its device information, and send the authentication request information to the first server;
and sending the authentication request information to the blockchain of the second server; the second server is configured to receive the authentication request information through the blockchain and to authenticate the digital signature and the device information in the authentication request information through the blockchain using the first public key.
In one embodiment, the first server stores a second public key of the second server together with a third public key and a third private key of the first server; the device to be registered stores its own first private key and the third public key of the first server;
after sending the authentication request information to the blockchain of the second server, the method further includes:
acquiring authentication passing information returned by the second server; the authentication passing information comprises the device information and a digital signature of the second server;
verifying the authentication passing information with the second public key and, if verification passes, generating a first session key from the third private key and the first public key so as to communicate with the second server through the first session key;
adding a digital signature generated with the third private key to the authentication passing information, and sending the signed authentication passing information to the device to be registered; the device to be registered is configured to verify the authentication passing information with the third public key and, if verification passes, to generate a second session key from its first private key and the third public key so as to communicate with the first server through the second session key.
A device authentication system comprises a device to be registered, a first server and a second server; the device to be registered and the first server are disposed in an external network, the second server is disposed in an internal network, and a blockchain is provided in the second server;
the device to be registered is configured to send a device registration request to the first server, the device registration request comprising a first public key corresponding to the device to be registered;
the first server is configured to generate corresponding device registration information from the first public key and send it to the second server;
the second server is configured to receive the device registration information sent by the first server, generate corresponding response information from it and send the response information to the first server through the blockchain;
the first server is configured to forward the response information to the device to be registered;
the device to be registered is configured to generate a corresponding digital signature from the response information, generate authentication request information from the digital signature and its device information, and send the authentication request information to the first server;
the first server is configured to send the authentication request information to the blockchain of the second server;
and the second server is configured to receive the authentication request information through the blockchain and authenticate the digital signature and the device information in it through the blockchain using the first public key.
A device authentication apparatus is applied to a second server disposed in an intranet and provided with a blockchain, and the apparatus comprises:
a receiving module configured to receive device registration information sent by a first server; the device registration information is generated from a device registration request sent by a device to be registered that is disposed in an external network, and the device registration request comprises a first public key corresponding to the device to be registered;
a response module configured to generate corresponding response information from the device registration information and send it to the first server through the blockchain; the first server is configured to forward the response information to the device to be registered, and the device to be registered is configured to generate a corresponding digital signature from the response information, generate authentication request information from the digital signature and its device information, and send the authentication request information to the blockchain of the second server through the first server;
and an authentication module configured to receive the authentication request information through the blockchain and authenticate the digital signature and the device information in it through the blockchain using the first public key.
A device authentication apparatus is applied to a first server disposed in an external network, and the apparatus comprises:
an acquisition module configured to acquire a device registration request sent by a device to be registered that is disposed in the external network, the device registration request comprising a first public key corresponding to the device to be registered;
a first sending module configured to generate corresponding device registration information from the first public key and send it to a second server; the second server is provided with a blockchain and is configured to receive the device registration information, generate corresponding response information from it and send the response information to the first server through the blockchain;
a second sending module configured to send the response information to the device to be registered; the device to be registered is configured to generate a corresponding digital signature from the response information, generate authentication request information from the digital signature and its device information, and send the authentication request information to the first server;
and a third sending module configured to send the authentication request information to the blockchain of the second server; the second server is configured to receive the authentication request information through the blockchain and authenticate the digital signature and the device information in it through the blockchain using the first public key.
A computer device comprises a memory storing a computer program and a processor that implements the steps of the method described above when executing the computer program.
A computer-readable storage medium has stored thereon a computer program which, when executed by a processor, performs the steps of the method described above.
In the device authentication method, apparatus, computer device and storage medium described above, the first server generates device registration information from the first public key of the device to be registered and sends it to the second server; the second server generates corresponding response information from the device registration information and sends it to the first server through the blockchain; the device to be registered generates a corresponding digital signature from the response information forwarded by the first server, generates authentication request information from the digital signature and its device information, and sends it to the first server; the first server forwards the authentication request information to the blockchain of the second server; and the second server receives the authentication request information through the blockchain and, using the first public key, authenticates the digital signature and the device information through the blockchain. Whereas conventional schemes lack an authentication method for industrial devices spanning internal and external networks, this scheme uses the blockchain to authenticate industrial devices on the external network while the internal and external network servers remain network-isolated, improving the convenience of device authentication.
Drawings
FIG. 1 is an application environment diagram of a device authentication method in one embodiment;
FIG. 2 is an application environment diagram of a device authentication method in another embodiment;
FIG. 3 is a flow diagram of a device authentication method in one embodiment;
FIG. 4 is a flow chart of a device authentication method according to another embodiment;
FIG. 5 is a flow chart of a device authentication method according to yet another embodiment;
FIG. 6 is a block diagram of the device authentication apparatus in one embodiment;
FIG. 7 is a block diagram showing the structure of a device authentication apparatus according to another embodiment;
FIG. 8 is an internal structural diagram of a computer device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
The device authentication method provided by the application can be applied to the application environment shown in FIG. 1, in which the first server 102 communicates with the second server 104 and with the device respectively. The second server 104 may be provided with a blockchain and may receive the device registration information sent by the first server 102, so that it can start a registration process for the device on the basis of that information and return response information to the first server 102; after receiving the response information, the first server 102 may receive the authentication information generated by the device and initiate an authentication request to the second server, so that the second server 104 receives the authentication request through the blockchain and authenticates the identity of the device. FIG. 2 is an application environment diagram of a device authentication method according to another embodiment. As shown in FIG. 2, the first server 102 may be an external network server and the second server 104 an internal network server in which a blockchain is provided; the internal network server and the external network server are network-isolated but can communicate through the blockchain, and the external network server can also be communicatively connected to various industrial devices. The first server 102 and the second server 104 may each be implemented as a separate server or as a server cluster composed of a plurality of servers.
In one embodiment, as shown in FIG. 3, a device authentication method is provided; the method is described as applied to the second server in FIG. 1 and includes the following steps:
Step S202: receiving device registration information sent by a first server; the device registration information is generated from a device registration request sent by a device to be registered that is disposed in an external network; the device registration request includes a first public key corresponding to the device to be registered.
The first server 102 may be an external network server disposed in a public network; it pushes the identity registration and identity authentication applications submitted by the device to the intranet and, after the intranet has completed registration and authentication of the device, forwards the resulting message to the device. The second server 104 may be disposed in the intranet and is responsible for completing registration and authentication of the device. A blockchain may be provided in the second server 104; the blockchain in the second server 104 receives the device registration and authentication information from the external network and uses a smart contract to verify the legitimacy of the device identity authentication, that is, to verify the freshness of the information, prevent repeated authentication by the device, and verify the signature of the device. The device to be registered can be any of various industrial devices, and it may communicate with the intranet only after completing identity recognition and validity verification.
The second server 104 may receive device registration information sent by the first server 102. The registration information is generated by the first server 102 from the device registration request sent by the device to be registered in the external network; that request is generated by the device to be registered on the basis of its first public key and sent to the first server 102, so the device registration information includes the first public key of the device to be registered. The second server 104 can thus initiate a registration procedure for the device to be registered after receiving the device registration information sent by the first server 102.
The second server 104 may further verify the validity of the device registration information after receiving it. For example, in one embodiment, after receiving the device registration information sent by the first server, the method further includes: detecting whether the difference between the second generation time and the first generation time is less than or equal to a preset time difference threshold and, if so, executing the step of generating corresponding response information from the device registration information and sending the response information to the first server through the blockchain. In this embodiment the device registration information includes a first generation time of the device registration request and a second generation time of the device registration information. The second server 104 may receive the device registration information from the external network server, i.e. the first server 102, through the blockchain provided in the second server 104, and verify the freshness of the device authentication information, i.e. the validity of the device registration information, through a blockchain call. Using the blockchain, the second server 104 may detect whether the difference between the second generation time and the first generation time is less than or equal to the preset time difference threshold; if so, it determines that the device registration information is valid and continues with the step of responding to it; if not, the device registration information has lost its validity and the second server 104 may end the device registration flow. This validity check also prevents the device from repeating the verification.
Here the first generation time in the device registration information may be $T_1$ and the second generation time may be $T_2$, and the second server 104 determines the validity of the device registration information from the difference between $T_1$ and $T_2$. For example, the second server 104 may check through the blockchain that $|T_2 - T_1| \le \Delta T$, where $\Delta T$ is the preset time difference threshold; if the check fails, the session is terminated, and if it passes, the second server proceeds to the step of responding to the device registration information. In addition, the device registration information may further include the first public key of the device to be registered, and the second server 104 may store that first public key, $P_{de,x}$, from the device registration information on the blockchain.
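As an added example in Go (not code from the patent), the following models the second server's handling of device registration information as described in the claims and in Step S202 above: the freshness check on |T2 - T1|, rejection of a repeated registration for the same device identifier, storage of the first public key, and generation of the second elliptic-curve key pair that goes into the response information. The struct layouts, the 30-second threshold, P-256 keys, PKIX key encoding, the device identifiers and the timestamps are assumptions; the patent fixes none of them, and in the described system these checks run inside the blockchain's smart contract rather than in an in-memory map.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"fmt"
	"time"
)

// RegistrationInfo is what the first server forwards: device identifier, first public key,
// T1 (request generated on the device) and T2 (record generated on the first server).
// The field layout is an assumption; the patent lists the contents only.
type RegistrationInfo struct {
	DeviceID string
	FirstPub []byte // PKIX/DER encoding of the device's first public key (assumed encoding)
	T1, T2   time.Time
}

// ResponseInfo is the second server's answer: its fresh second public key, the device
// identifier and the current time, as the claims describe it.
type ResponseInfo struct {
	DeviceID  string
	SecondPub []byte
	IssuedAt  time.Time
}

var (
	ErrStale     = errors.New("|T2 - T1| exceeds the preset time difference threshold")
	ErrDuplicate = errors.New("device identifier already registered")
	ErrBadKey    = errors.New("first public key is not a valid EC public key")
)

// Registry models the state the second server keeps on the chain: one first public key
// per device identifier, plus the preset threshold used for the freshness check.
type Registry struct {
	MaxSkew time.Duration
	keys    map[string]*ecdsa.PublicKey
}

func NewRegistry(maxSkew time.Duration) *Registry {
	return &Registry{MaxSkew: maxSkew, keys: map[string]*ecdsa.PublicKey{}}
}

// Register applies the checks in the order the description gives them: freshness first,
// then no repeated registration, then key validity. On success it stores the first public
// key and answers with a newly generated second (elliptic-curve) key pair.
func (r *Registry) Register(info RegistrationInfo, now time.Time) (*ResponseInfo, *ecdsa.PrivateKey, error) {
	skew := info.T2.Sub(info.T1)
	if skew < 0 {
		skew = -skew
	}
	if skew > r.MaxSkew {
		return nil, nil, ErrStale
	}
	if _, seen := r.keys[info.DeviceID]; seen {
		return nil, nil, ErrDuplicate
	}
	parsed, err := x509.ParsePKIXPublicKey(info.FirstPub)
	pub, ok := parsed.(*ecdsa.PublicKey)
	if err != nil || !ok {
		return nil, nil, ErrBadKey
	}
	r.keys[info.DeviceID] = pub
	secondKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	secondPub, err := x509.MarshalPKIXPublicKey(&secondKey.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	return &ResponseInfo{DeviceID: info.DeviceID, SecondPub: secondPub, IssuedAt: now}, secondKey, nil
}

// NewDeviceRegistration builds the record the first server forwards for a device key,
// stamping the request time T1 and the forwarding time T2.
func NewDeviceRegistration(deviceID string, devKey *ecdsa.PrivateKey, t1, t2 time.Time) (RegistrationInfo, error) {
	der, err := x509.MarshalPKIXPublicKey(&devKey.PublicKey)
	return RegistrationInfo{DeviceID: deviceID, FirstPub: der, T1: t1, T2: t2}, err
}

func main() {
	devKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	reg := NewRegistry(30 * time.Second)                 // threshold value is an assumption
	t1 := time.Date(2021, 11, 29, 10, 0, 0, 0, time.UTC) // constructed timestamps
	fresh, _ := NewDeviceRegistration("plc-0001", devKey, t1, t1.Add(2*time.Second))
	_, _, err := reg.Register(fresh, t1.Add(3*time.Second))
	fmt.Println("fresh registration:", err)
	_, _, err = reg.Register(fresh, t1.Add(4*time.Second))
	fmt.Println("replayed registration:", err)
	stale, _ := NewDeviceRegistration("plc-0002", devKey, t1, t1.Add(45*time.Second))
	_, _, err = reg.Register(stale, t1.Add(46*time.Second))
	fmt.Println("stale registration:", err)
}
```

Replaying the identical record passes the time check, because T1 and T2 travel inside the record, and is stopped only by the duplicate check; that is why the description pairs freshness verification with prevention of repeated authentication. Both timestamps originate on the extranet side, so the comparison bounds the delay between the device's request and the first server's forwarding, and the `now` argument is used only to stamp the response. The page describes no re-registration path, so a deployment that rotates device keys would need one before keeping the duplicate check as strict as shown.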
Step S204, corresponding response information is generated according to the equipment registration information and is sent to the first server through the block chain; the first server is used for sending the response information to the equipment to be registered, the equipment to be registered is used for generating a corresponding digital signature according to the response information, generating authentication request information according to the digital signature and the equipment information of the equipment to be registered, and sending the authentication request information to a blockchain of the second server through the first server.
The second server 104 may respond to the received device registration information, and if the second server 104 determines that the device registration information is valid, the second server may generate corresponding response information according to the received device registration information, and send the response information to the first server 102 through a blockchain. For example, the second server 104 may generate a public-private key pair corresponding to the current registration, thereby generating corresponding response information based on the public key of the second server 104. After receiving the response information, the first server 102 may perform related processing on the response information and then send the response information to the device to be registered, so that the device to be registered may generate a corresponding digital signature according to the response information, and generate authentication request information according to the digital signature and device information of the device to be registered, and the device to be registered may send the authentication request information to the first server 102, so that the first server 102 may send the authentication request information to a blockchain of the second server to perform identity authentication.
Step S206, receiving the authentication request information through the block chain, and carrying out identity authentication on the digital signature and the equipment information in the authentication request information according to the first public key through the block chain.
The second server 104 may receive the authentication request information sent by the first server 102 through the blockchain, and perform identity authentication on the digital signature and the device information in the authentication request information by using the first public key of the device to be registered stored in the blockchain. For example, the blockchain in the second server 104 may receive the authentication request information, verify the signature of the device to be registered using the stored first public key P_de,x, and thereby verify the identity of the device; if the verification succeeds, the blockchain forwards verification-success information to the second server 104, in the format <Auth_verified,KeyInfo>, where KeyInfo may be the key information of the device to be registered, for example its device information, and Auth_verified indicates that the verification succeeded. On receiving the verification-success message from the blockchain, the second server 104 may save the key information of the device to be registered and return authentication passing information containing the signature of the second server 104 to the first server 102, in the format <Auth_confirm_ins>, so that the device authenticated via the first server 102 can perform corresponding processing based on the authentication passing information and communicate with the second server 104.
According to the above device authentication method, the first server generates device registration information from the first public key of the device to be registered and sends it to the second server; the second server generates corresponding response information from the device registration information and sends it to the first server through the blockchain; the device to be registered generates a corresponding digital signature based on the response information forwarded by the first server, generates authentication request information from the digital signature and the device information, and sends the authentication request information to the first server; the first server sends the authentication request information to the blockchain of the second server; and the second server thus receives the authentication request information through the blockchain and performs identity authentication on the digital signature and the device information in the authentication request information based on the first public key through the blockchain. Compared with traditional authentication schemes, which lack a way to authenticate industrial devices across the internal and external networks, this scheme uses the blockchain to authenticate external-network industrial devices while the internal and external network servers remain network-isolated, improving the convenience of device authentication.
In one embodiment, generating corresponding response information from the device registration information includes: generating a second public key and a second private key corresponding to the second server according to an elliptic encryption algorithm; and generating response information according to the second public key, the equipment identification of the equipment to be registered and the current time.
In this embodiment, the information of the device to be registered includes a device identifier. After the second server 104 receives the device registration information sent by the first server 102, it may use an elliptic encryption algorithm to generate a second public key and a second private key corresponding to the second server 104, and may also generate corresponding response information from the second public key, the device identifier of the device to be registered, and the current time. The second public key and the second private key may be generated based on a random number. For example, after the second server 104 receives the device registration information from the first server 102, it may generate a key pair for this registration: the second server 104 generates a random number k and, using an elliptic encryption algorithm, generates a key pair comprising the second private key S_de,k and the second public key P_de,k; it then returns response information to the first server 102 via the blockchain, in the format <register_agr,ID,T3,P_de,k>, where ID is the device identifier of the device to be registered and T3 is the current timestamp. The response indicates that the second server 104 agrees to enter the registration procedure with the device to be registered. In addition, since the response information passes through the blockchain, the blockchain can also record the response on-chain.
Through the embodiment, the second server 104 can generate the response information corresponding to the device registration information based on the generated public key and the device related information, so that the device can be informed to enter the device registration process, and the convenience of registering the external network device in the intranet is improved.
In one embodiment, after the identity of the digital signature and the device information in the authentication request information is authenticated according to the first public key through the blockchain, the method further includes: if the identity authentication is passed, generating authentication passing information corresponding to the equipment information through the block chain; adding a digital signature of the second server to the authentication passing information, and sending the authentication passing information after adding the digital signature of the second server to the first server; the first server is used for generating a first session secret key according to the authentication passing information and sending the authentication passing information to the equipment to be registered, and the equipment to be registered is used for generating a second session secret key according to the authentication passing information so that the equipment to be registered can communicate with the first server through the second session secret key and the first server can communicate with the second server through the first session secret key.
In this embodiment, the second server 104 may authenticate the authentication request information sent by the first server 102 through the blockchain, and after the authentication passes, return corresponding confirmation information to the first server 102. When the device authentication is confirmed to pass, the second server 104 may generate authentication passing information corresponding to the device information through the blockchain, and after receiving the authentication passing information from the blockchain, add the digital signature of the second server 104 to it and send the signed authentication passing information to the first server 102. When the first server 102 receives the authentication passing information carrying the digital signature of the second server 104, it may generate a first session key from the authentication passing information, and may also forward the received authentication passing information to the device to be registered, so that the authenticated device can generate a corresponding second session key from it. Thus the first server 102 may communicate with the second server 104 using the first session key, and the successfully registered device may communicate with the first server 102 using the second session key; that is, the successfully registered device may communicate with the second server 104 of the intranet via the first server 102. The authentication passing information generated by the blockchain may be <Auth_verified,KeyInfo>; the authentication passing information sent by the second server 104 to the first server 102 after adding its digital signature may likewise be <Auth_verified,KeyInfo>, now carrying the signature of the second server 104.
Through the embodiment, after the device to be registered passes the authentication, the second server 104 may send authentication passing information including the digital signature of the device to be registered, so that the authenticated device may communicate with the second server 104 of the intranet based on the first server 102, thereby improving the convenience of identity authentication of the external network device in the intranet.
In one embodiment, as shown in fig. 4, a device authentication method is provided, and the method is applied to the first server in fig. 1 for illustration, and includes the following steps:
step S302, obtaining a device registration request sent by a device to be registered, which is arranged on an external network; the device registration request contains a first public key corresponding to the device to be registered.
The device to be registered may be any of various industrial devices disposed in an external network, and the first server 102 may be a server disposed in the external network. The device to be registered may generate a device registration request based on its first public key and send it to the first server 102, and the first server 102 may obtain the device registration request sent by the device to be registered, thereby starting a device registration and authentication procedure for it. The first public key may be generated by the device to be registered based on a random number. For example, when the device to be registered needs to be authenticated, the device may generate a random number x and from it generate its key pair, comprising a first private key S_de,x and a first public key P_de,x, using an elliptic encryption algorithm; the device then initiates a device registration request to the extranet server, i.e. the first server 102 described above. The request message is in the format <register,ID,T1,P_de,x>, where ID refers to the identity of the device and T1 represents the current timestamp.
Step S304, corresponding device registration information is generated according to the first public key, and the device registration information is sent to a second server; the second server is provided with a blockchain; the second server is used for receiving the device registration information sent by the first server, generating corresponding response information according to the device registration information and sending the response information to the first server through the blockchain.
The first public key may be a public key generated by the device to be registered, and the first server 102 may generate device registration information including the first public key and send it to the second server 104 in the intranet, so that the second server 104 may receive the device registration information, generate corresponding response information from it, and send the response information to the first server 102 through the blockchain. The first server 102 may be an external network server, and the device registration information may be sent to the second server 104 through that external network server. For example, after receiving the registration information sent by the device, the external network server generates a registration key pair for the device: specifically, it generates a random number s and then, using an elliptic encryption algorithm, generates an external network key pair comprising a third private key S_de,s and a third public key P_de,s, and forwards the registration information to the second server 104 of the intranet, the device registration information having the message format <register,ID,T1,P_de,x,T2>, where T2 represents the current timestamp.
Step S306, response information is sent to the equipment to be registered; the device to be registered is used for generating a corresponding digital signature according to the response information, generating an authentication request according to the digital signature and the device information of the device to be registered, and sending the authentication request information to the first server.
The second server 104 may generate corresponding response information after receiving the device registration information of the first server 102, and return the response information to the first server 102, where the response information includes the second public key of the second server 104, the device identifier of the device to be registered, and the generation time of the response information. After receiving the response information, the first server 102 may send the response information to the device to be registered, so that the device to be registered may generate a corresponding digital signature according to the response information, generate an authentication request according to the digital signature and device information of the device to be registered, and send the authentication request information to the first server 102.
After receiving the response information, the first server 102 may perform corresponding processing and then send the response information to the device to be registered. For example, after receiving the response information from the second server 104 of the intranet, the first server 102 may save the second public key given by the second server 104, attach the third public key it generated as the first server 102 of the extranet to the message, and send the message to the device in the format <register_agr,ID,T3,P_de,k,T4,P_de,s>, where ID is the device identifier, T3 is the generation time of the response message, P_de,s is the third public key, T4 is the generation time of this message, and P_de,k is the second public key. On receiving the response message <register_agr,ID,T3,P_de,k,T4,P_de,s> from the external network server, the device first verifies the timestamps, |T4 - T3| ≤ ΔT; if this fails, the session is terminated and not established, otherwise the device computes a digital signature α = Sig(ID||Type||Attri||T5) over the key information using its own first private key. In addition, the device to be registered may encrypt with the extranet public key generated by the external network server, i.e. the third public key, to obtain the message
[Formula image BDA0003381765910000131 in the original: the encrypted message β]
where KeyInfo denotes the key information comprising <ID,Type,Attribute> and so on; ID refers to the identity of the device, Type identifies the type of device, Attribute indicates an attribute of the device such as its size, and T5 is the generation time of the digital signature computed over this information with the first private key. The device may then send an authentication request message to the external network server in the format <Auth,β>.
Step S308, sending the authentication request information to a block chain of a second server; the second server is used for receiving the authentication request information through the block chain and carrying out identity authentication on the digital signature and the equipment information in the authentication request information according to the first public key through the block chain.
The authentication request information may be information sent by the device to be registered, and the first server 102 may send it to the blockchain of the second server 104, so that after the second server 104 receives the authentication request information via the blockchain, the digital signature and the device information in it can be authenticated in the blockchain using the first public key. The first server 102 may be an extranet server, the authentication request may be in encrypted form, and the first server 102 may decrypt it and upload the decrypted information to the blockchain of the second server 104. For example, after the first server 102 receives the authentication information sent by the device, it may use the extranet private key it generated, i.e. the third private key S_de,s, to decrypt β and obtain the key information KeyInfo and the device signature α, then obtain the current system timestamp T6 and verify |T6 - T5| ≤ ΔT; if this holds, the first server 102 may initiate signature authentication to the blockchain located in the intranet, i.e. send the authentication request information, in the format <Auth,KeyInfo,α>.
According to the above device authentication method, the first server generates device registration information from the first public key of the device to be registered and sends it to the second server; the second server generates corresponding response information from the device registration information and sends it to the first server through the blockchain; the device to be registered generates a corresponding digital signature based on the response information forwarded by the first server, generates authentication request information from the digital signature and the device information, and sends the authentication request information to the first server; the first server sends the authentication request information to the blockchain of the second server; and the second server thus receives the authentication request information through the blockchain and performs identity authentication on the digital signature and the device information in the authentication request information based on the first public key through the blockchain. Compared with traditional authentication schemes, which lack a way to authenticate industrial devices across the internal and external networks, this scheme uses the blockchain to authenticate external-network industrial devices while the internal and external network servers remain network-isolated, improving the convenience of device authentication.
In one embodiment, after sending the authentication request information to the blockchain of the second server, the method further includes: acquiring authentication passing information returned by the second server; the authentication passing information comprises equipment information and a digital signature of the second server; verifying the authentication passing information according to the second public key, and generating a first session key according to the third private key and the first public key if the authentication passes so as to communicate with the second server through the first session key; adding a third private key into the authentication passing information, and sending the authentication passing information added with the third private key to the equipment to be registered; the device to be registered is used for verifying the authentication passing information according to the third public key, and if the authentication passes, a second session key is generated according to the first private key and the third public key of the device to be registered so as to communicate with the first server through the second session key.
In this embodiment, the first server 102 stores the second public key P_de,k of the second server 104, as well as its own third public key P_de,s and third private key S_de,s; the device to be registered stores its own first private key S_de,x and the third public key P_de,s of the first server 102. After the identity of the device passes authentication, the second server 104 may return authentication passing information containing the device information and a digital signature of the second server 104 to the first server 102. The first server 102 may verify the authentication passing information with the second public key to determine whether it comes from the second server 104; if it passes, the first server 102 may generate a first session key from the third private key and the first public key, so that the first server 102 can communicate with the second server 104 through the first session key. After the authentication passing information passes verification, the first server 102 may also send it to the device to be registered, so that the device can verify it with the third public key and determine that it was sent by the first server 102; if that verification passes, the device generates a second session key from the first private key and the third public key, so that the device can communicate with the first server 102 through the second session key.
The first server 102 may process the authentication passing information and then transmit the processed information to the device. For example, the first server 102 verifies the message with the second public key of the second server 104 of the intranet; if the verification shows that it is truly from the second server 104 of the intranet, the first server 102 of the external network computes the session key sk, where sk = H((S_de,s * PK_de,x) || x || s), and the first server 102 signs the above confirmation message, i.e. the authentication passing information, with the third private key of the external network and sends it to the device in the format <Auth_confirm_out>; otherwise the authentication is discarded. After the device receives the authentication confirmation message <Auth_confirm_out> from the first server 102 of the external network, it verifies the signature with the third public key of the external network, which guarantees that the message was sent by the first server 102 of the external network; if the verification succeeds, the device may compute the session key sk' from the third public key, the first private key and the corresponding random number, where sk' = H((S_de,x * PK_de,s) || x || s); otherwise the device may discard the authentication.
Through the embodiment, the first server 102 may communicate with the second server 104 through the first session key generated by itself, and the device may communicate with the first server 102 through the second session key generated by itself, so as to implement the communication between the authenticated device and the second server 104 of the intranet through the first server 102. The efficiency of equipment authentication and communication is improved.
In one embodiment, as shown in fig. 5, fig. 5 is a flow chart of a device authentication method in another embodiment. The device may be the device to be registered, the first server 102 may be an extranet server, the second server 104 may be an intranet server, and the blockchain may be set in the intranet server.
The method comprises the following steps:
Step one: the device generates a random number x and from it generates a key pair S_de,x, P_de,x using an elliptic encryption algorithm; the device then initiates a device registration request to the extranet server. The request message is in the format <register,ID,T1,P_de,x>, where ID refers to the identity of the device and T1 represents the current timestamp.
Step two: after receiving the registration information sent by the device, the extranet server generates a registration key pair for the device; specifically, the extranet server generates a random number s and then generates an extranet key pair S_de,s, P_de,s using an elliptic encryption algorithm, and forwards the registration information to the intranet server in the format <register,ID,T1,P_de,x,T2>, where T2 represents the current timestamp.
Step three: after the intranet server receives the request from the extranet server through the blockchain, the blockchain first invokes the smart contract to verify the freshness of the device authentication information, which prevents the device from being authenticated repeatedly; for example, the intranet server verifies in the blockchain that |T2 - T1| ≤ ΔT; if not, the session is terminated, otherwise step four is entered. In addition, the intranet server may also store the public key P_de,x of the device carried in the message on the blockchain.
Step four: the intranet server receives the registration information from the extranet server and generates a registration key pair for this registration, for example a key pair S_de,k, P_de,k generated using an elliptic encryption algorithm, and returns response information to the extranet server in the format <register_agr,ID,T3,P_de,k>, where T3 represents the current timestamp.
Step five: the blockchain records the response information <register_agr,ID,T3,P_de,k> of the intranet server on-chain for retention.
Step six: after the extranet server receives the response information from the intranet server, it stores the public key P_de,k given by the intranet server, attaches the public key P_de,s it generated to the message, and sends it to the device in the format <register_agr,ID,T3,P_de,k,T4,P_de,s>.
Step seven: the device receives the response message from the extranet server and first verifies the timestamps, |T4 - T3| ≤ ΔT; if not, the session is terminated and not established, otherwise it computes a digital signature α = Sig(ID||Type||Attri||T5) over the key information using its own private key, and encrypts with the extranet public key generated by the extranet server to obtain the message
[Formula image BDA0003381765910000161 in the original: the encrypted message β]
where KeyInfo denotes the key information comprising <ID,Type,Attribute> and so on; ID refers to the identity of the device, Type identifies the type of device, and Attribute represents a property of the device such as its size. The device may then send an authentication request message to the extranet server in the format <Auth,β>.
Step eight: the extranet server receives the authentication request message from the device, decrypts β with the extranet private key S_de,s it generated to obtain the key information KeyInfo and the device signature α, then obtains the current system timestamp T6 and verifies |T6 - T5| ≤ ΔT; if this holds, it initiates signature authentication to the blockchain located in the intranet, in the message format <Auth,KeyInfo,α>.
Step nine: blockchain utilizes device public key P maintained during registration phase de,x Signature verification of equipment, verification of identity of the equipment, if verification is successful, forwarding verification success information to an intranet server, wherein the information format is that<Auth_verified,KeyInfo>Otherwise, ending the authentication process.
Step ten: the intranet server receives the verification-success information from the blockchain, saves the key information of the device, and returns an authentication confirmation message containing the digital signature of the intranet server, in the format <Auth_confirm_ins>.
Step eleven: public key P of intranet server for extranet server de,k The message is validated, which is indeed from the intranet server, the extranet server starts to calculate the session key generating session key sk, where sk=h ((S) de,s *PK de,x ) I x I S), and uses the confirmation message with the private key S of the external network de,s Signature, issued to device in the form of<Auth_comfirm_out>Otherwise, discarding the authentication.
Step twelve: after the equipment receives the identity authentication confirmation message from the external network server, the external network public key P is used de,s Verifying the signature, ensuring that the message is sent by the external network, and if the verification is successful, calculating a session key sk ', wherein sk' =h ((S) de,x *PK de,s ) I x s), otherwise discard the authentication.
Through the above embodiment, the second server 104 uses the blockchain to authenticate the industrial equipment of the external network under the condition that the internal and external network servers have network isolation, so that the convenience of equipment authentication is improved. And a session key can be created, and through interaction between the external network and the internal network, the identity authentication of the equipment and the internal network and the communication between the equipment and the internal network and the external network are realized. The trust degree between the intranet and the external network can be increased by utilizing the blockchain technology, the blockchain is used as an intermediary, the external network sends authentication information to the blockchain, the identity of equipment is verified on the blockchain, then a verification result is confirmed for the intranet, the intranet is returned to the external network after being confirmed, the interconnection of the intranet and the external network is realized, the information is not leaked in the authentication process, and the trace traceability of the authentication process can be further guaranteed.
It should be understood that, although the steps in the flowcharts of fig. 3 to 5 are shown in sequence as indicated by the arrows, these steps are not necessarily performed in the order indicated by the arrows. Unless explicitly stated herein, the steps are not strictly limited to that order of execution and may be executed in other orders. Moreover, at least some of the steps of fig. 3 to 5 may include sub-steps or stages that are not necessarily performed at the same time but may be performed at different times, and the order in which these sub-steps or stages are performed is not necessarily sequential either; they may be performed alternately or in turn with other steps or with at least some of the sub-steps or stages of other steps.
In one embodiment, there is provided a device authentication system comprising a device to be registered, a first server and a second server; the device to be registered and the first server are arranged on an external network, the second server is arranged on an internal network, and a blockchain is arranged in the second server;
the device to be registered is used for sending a device registration request to the first server, the device registration request comprising a first public key corresponding to the device to be registered;
the first server is used for generating corresponding device registration information according to the first public key and sending the device registration information to the second server;
the second server is used for receiving the device registration information sent by the first server, generating corresponding response information according to the device registration information and sending the response information to the first server through the blockchain;
the first server is used for sending the response information to the device to be registered;
the device to be registered is used for generating a corresponding digital signature according to the response information, generating authentication request information according to the digital signature and the device information of the device to be registered, and sending the authentication request information to the first server;
the first server is used for sending the authentication request information to the blockchain of the second server;
and the second server is used for receiving the authentication request information through the blockchain and performing identity authentication on the digital signature and the device information in the authentication request information according to the first public key through the blockchain.
For the specific limitations and beneficial effects of the device authentication system, reference may be made to the limitations given above for the corresponding device authentication method; they are not repeated here.
In one embodiment, as shown in fig. 6, there is provided a device authentication apparatus including: a receiving module 500, a responding module 502, and an authenticating module 504, wherein:
A receiving module 500, configured to receive device registration information sent by a first server; the device registration information is generated according to a device registration request sent by a device to be registered that is arranged in an external network; the device registration request includes a first public key corresponding to the device to be registered.
A response module 502, configured to generate corresponding response information according to the device registration information and send the response information to the first server through the blockchain; the first server is used for sending the response information to the device to be registered; the device to be registered is used for generating a corresponding digital signature according to the response information, generating authentication request information according to the digital signature and the device information of the device to be registered, and sending the authentication request information to the blockchain of the second server through the first server.
An authentication module 504, configured to receive the authentication request information through the blockchain and perform identity authentication on the digital signature and the device information in the authentication request information according to the first public key through the blockchain.
In one embodiment, the apparatus further comprises a verification module, used for detecting whether the difference between the second generation time and the first generation time (the generation times of the device registration information and of the device registration request, respectively) is less than or equal to a preset time difference threshold and, if so, executing the step of generating corresponding response information according to the device registration information and sending the response information to the first server through the blockchain.
In one embodiment, the response module 502 is specifically configured to generate a second public key and a second private key corresponding to the second server according to an elliptic curve algorithm, and to generate the response information according to the second public key, the device identifier of the device to be registered and the current time.
In one embodiment, the apparatus further comprises a confirmation module, used for generating, through the blockchain, authentication passing information corresponding to the device information if the identity authentication passes; adding the digital signature of the second server to the authentication passing information and sending the authentication passing information with the signature added to the first server; the first server is used for generating a first session key according to the authentication passing information and sending the authentication passing information to the device to be registered, and the device to be registered is used for generating a second session key according to the authentication passing information, so that the device to be registered communicates with the first server through the second session key and the first server communicates with the second server through the first session key.
In one embodiment, as shown in fig. 7, there is provided a device authentication apparatus including: an acquisition module 600, a first transmission module 602, a second transmission module 604, and a third transmission module 606, wherein:
An obtaining module 600, configured to obtain a device registration request sent by a device to be registered that is arranged on an external network; the device registration request contains a first public key corresponding to the device to be registered.
A first sending module 602, configured to generate corresponding device registration information according to the first public key and send it to the second server; a blockchain is arranged in the second server; the second server is used for receiving the device registration information sent by the first server, generating corresponding response information according to the device registration information and sending the response information to the first server through the blockchain.
A second sending module 604, configured to send the response information to the device to be registered; the device to be registered is used for generating a corresponding digital signature according to the response information, generating authentication request information according to the digital signature and the device information of the device to be registered, and sending the authentication request information to the first server.
A third sending module 606, configured to send the authentication request information to the blockchain of the second server; the second server is used for receiving the authentication request information through the blockchain and performing identity authentication on the digital signature and the device information in the authentication request information according to the first public key through the blockchain.
In one embodiment, the apparatus further comprises a communication module, used for acquiring the authentication passing information returned by the second server, the authentication passing information comprising the device information and the digital signature of the second server; verifying the authentication passing information according to the second public key and, if the verification passes, generating a first session key according to the third private key and the first public key so as to communicate with the second server through the first session key; and adding the third private key to the authentication passing information and sending the authentication passing information with the third private key added to the device to be registered; the device to be registered is used for verifying the authentication passing information according to the third public key and, if the verification passes, generating a second session key according to the first private key of the device to be registered and the third public key so as to communicate with the first server through the second session key.
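The registration and authentication exchange of the embodiments above, written out end to end as an added example; this is not code from the patent or its applicants. The page names no curve, hash or signature scheme and no key derivation function, so the example assumes P-256, ECDSA over SHA-256, and SHA-256 of the ECDH shared secret as the session key; it assumes a 30-second value for the claim-2 time difference threshold, takes the device identifier "PLC-0001" and the message encodings as constructed, reduces the "device information" to that identifier, and replaces the blockchain with an in-memory append-only ledger that records a hash of each message the second server handles. Where the page says the first server "adds the third private key" to the authentication passing information, the example has the first server sign that information with the third private key instead, since the device is described as verifying it with the third public key; that reading is an assumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// must unwraps (value, error) pairs; a key-generation or signing failure is fatal here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Ledger stands in for the patent's blockchain (assumption): an append-only log of message hashes.
type Ledger struct{ Entries []string }
func (l *Ledger) Record(kind string, msg []byte) {
	h := sha256.Sum256(msg)
	l.Entries = append(l.Entries, fmt.Sprintf("%s:%x", kind, h[:8]))
}

// P-256, SHA-256 and ECDSA are this example's choices; the page names no concrete algorithm.
func newKey() *ecdsa.PrivateKey {
	return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
}
func pubBytes(pub *ecdsa.PublicKey) []byte { return must(pub.ECDH()).Bytes() }
func sign(priv *ecdsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	return must(ecdsa.SignASN1(rand.Reader, priv, h[:]))
}
func verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// sessionKey hashes an ECDH shared secret into a 32-byte key (SHA-256 as the KDF is an assumption).
func sessionKey(priv *ecdsa.PrivateKey, peer *ecdsa.PublicKey) []byte {
	k := sha256.Sum256(must(must(priv.ECDH()).ECDH(must(peer.ECDH()))))
	return k[:]
}

// MaxSkew is the claim-2 "preset time difference threshold" (value assumed).
const MaxSkew = 30 * time.Second

// Fresh is the claim-2 check: registration information generated no later than MaxSkew after the request, never before it.
func Fresh(firstGen, secondGen time.Time) bool {
	d := secondGen.Sub(firstGen)
	return d >= 0 && d <= MaxSkew
}

// RunProtocol plays device, first server and second server on one host; returns device key, first-server key, ledger.
func RunProtocol(reqTime, regTime time.Time) ([]byte, []byte, *Ledger, error) {
	ledger := &Ledger{}
	const deviceID = "PLC-0001" // constructed device identifier, used as the "device information"
	first, third, second := newKey(), newKey(), newKey() // device, first server, second server
	// Steps 1-2: the registration request (first public key) reaches the second server with both generation times.
	if !Fresh(reqTime, regTime) {
		return nil, nil, ledger, errors.New("stale registration information")
	}
	ledger.Record("registration", pubBytes(&first.PublicKey))
	// Step 3 (claim 3): response = second public key, device identifier, current time.
	resp := []byte(fmt.Sprintf("%x|%s|%d", pubBytes(&second.PublicKey), deviceID, regTime.Unix()))
	ledger.Record("response", resp)
	// Steps 4-5: the device signs the response with the first private key; the second server verifies on-chain.
	devSig := sign(first, resp)
	ledger.Record("auth-request", append([]byte(deviceID+"|"), devSig...))
	if !verify(&first.PublicKey, resp, devSig) {
		return nil, nil, ledger, errors.New("device signature invalid")
	}
	// Step 6: authentication passing information, signed by the second server.
	passInfo := []byte("pass|" + deviceID)
	secondSig := sign(second, passInfo)
	ledger.Record("auth-pass", passInfo)
	// Step 7: the first server checks it with the second public key, then derives the first session key.
	if !verify(&second.PublicKey, passInfo, secondSig) {
		return nil, nil, ledger, errors.New("second server signature invalid")
	}
	srvKey := sessionKey(third, &first.PublicKey)
	// Step 8: the page says the third private key is "added"; this example sends a signature made with it
	// instead (assumption), which the device checks with the third public key before deriving its key.
	thirdSig := sign(third, passInfo)
	if !verify(&third.PublicKey, passInfo, thirdSig) {
		return nil, nil, ledger, errors.New("first server signature invalid")
	}
	return sessionKey(first, &third.PublicKey), srvKey, ledger, nil
}

func main() {
	now := time.Now()
	devKey, srvKey, ledger, err := RunProtocol(now, now.Add(2*time.Second))
	fmt.Println("err:", err, "keys equal:", string(devKey) == string(srvKey), ledger.Entries)
}
```

Running the program prints whether the device's and the first server's session keys agree and the ledger trace. They always agree: the first session key is computed from the third private key and the first public key, the second from the first private key and the third public key, and ECDH on those inputs yields a single shared secret. The page assigns the first session key to the link between the first and second servers, but the second server's key pair does not enter that computation, so a deployment has to settle how the second server obtains it. Two further points a practitioner would check before deploying the scheme: a private key should never be transmitted, whatever the "adding the third private key" wording is meant to convey, and the same key pair is used here for both signing and key agreement, which NIST SP 800-57 advises against.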
For the specific limitations of each device authentication apparatus, reference may be made to the limitations given above for the corresponding device authentication method; they are not repeated here. The modules of the device authentication apparatus described above may be implemented in whole or in part by software, by hardware, or by a combination of the two. The modules may be embedded in hardware, may be independent of the processor in the computer device, or may be stored as software in the memory of the computer device so that the processor can call and execute the operations corresponding to them.
In one embodiment, a computer device is provided, which may be a server and whose internal structure may be as shown in fig. 8. The computer device includes a processor, a memory and a network interface connected by a system bus. The processor provides computing and control capabilities. The memory includes a non-volatile storage medium and an internal memory; the non-volatile storage medium stores an operating system, a computer program and a database, and the internal memory provides the environment in which the operating system and the computer program on the non-volatile storage medium run. The database stores the authentication data and other data transmitted by the device. The network interface communicates with external terminals over a network connection. The computer program, when executed by the processor, implements a device authentication method.
Those skilled in the art will appreciate that the structure shown in fig. 8 is merely a block diagram of some of the structures relevant to the present application and does not limit the computer device to which the present application may be applied; a particular computer device may include more or fewer components than shown, may combine certain components, or may arrange the components differently.
In one embodiment, a computer device is provided that includes a memory storing a computer program and a processor that implements the device authentication method described above when it executes the computer program.
In one embodiment, a computer-readable storage medium is provided on which a computer program is stored, the computer program implementing the device authentication method described above when executed by a processor.
Those skilled in the art will appreciate that all or part of the methods described above may be implemented by a computer program stored on a non-transitory computer-readable storage medium; when executed, the program may carry out the steps of the method embodiments described above. Any reference to memory, storage, a database or another medium in the embodiments provided herein may include at least one of non-volatile and volatile memory. Non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory and the like. Volatile memory may include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM may take various forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM).
The technical features of the above embodiments may be combined arbitrarily. For brevity, not all possible combinations of the technical features of the above embodiments are described, but as long as there is no contradiction between the combined technical features, they should be regarded as within the scope of this description.
The above examples represent only a few embodiments of the present application; they are described in some detail but are not to be construed as limiting the scope of the invention. It should be noted that those skilled in the art could make various modifications and improvements without departing from the spirit of the present application, and these fall within its scope. Accordingly, the scope of protection of the present application is determined by the appended claims.

Claims (10)

1. A device authentication method applied to a second server, the second server being arranged in an intranet and a blockchain being arranged in the second server, the method comprising the following steps:
receiving equipment registration information sent by a first server; the equipment registration information is generated according to an equipment registration request sent by equipment to be registered, which is arranged in an external network; the equipment registration request comprises a first public key corresponding to the equipment to be registered;
Generating corresponding response information according to the equipment registration information and sending the response information to the first server through the blockchain; the first server is used for sending the response information to the equipment to be registered, the equipment to be registered is used for generating a corresponding digital signature according to the response information, generating authentication request information according to the digital signature and equipment information of the equipment to be registered, and sending the authentication request information to a blockchain of a second server through the first server;
receiving the authentication request information through the blockchain, and carrying out identity authentication on the digital signature and the equipment information in the authentication request information according to the first public key through the blockchain;
further comprises:
if the identity authentication is passed, generating authentication passing information corresponding to the equipment information through the blockchain;
adding the digital signature of the second server to the authentication passing information, and sending the authentication passing information with the digital signature of the second server added to the first server; the first server is used for generating a first session key according to the authentication passing information and sending the authentication passing information to the device to be registered, and the device to be registered is used for generating a second session key according to the authentication passing information, so that the device to be registered communicates with the first server through the second session key and the first server communicates with the second server through the first session key.
2. The method of claim 1, wherein the device registration information includes a first generation time of the device registration request and a second generation time of the device registration information;
after receiving the device registration information sent by the first server, the method further includes:
detecting whether the difference value between the second generation time and the first generation time is smaller than or equal to a preset time difference threshold value, if yes, executing the step of generating corresponding response information according to the equipment registration information and sending the response information to the first server through the blockchain.
3. The method of claim 1, wherein the device registration information further comprises a device identification;
the generating corresponding response information according to the device registration information includes:
generating a second public key and a second private key corresponding to the second server according to an elliptic curve algorithm;
and generating the response information according to the second public key, the equipment identifier of the equipment to be registered and the current time.
4. A device authentication method, applied to a first server, where the first server is disposed on an external network, the method comprising:
Acquiring an equipment registration request sent by equipment to be registered, which is arranged in an external network; the equipment registration request comprises a first public key corresponding to the equipment to be registered;
generating corresponding equipment registration information according to the first public key, and sending the equipment registration information to a second server; the second server is provided with a blockchain; the second server is used for receiving the equipment registration information sent by the first server, generating corresponding response information according to the equipment registration information and sending the response information to the first server through the blockchain; the first server stores a second public key of the second server, and a third public key and a third private key of the first server; the first private key of the equipment to be registered and the third public key of the first server are stored in the equipment to be registered;
transmitting the response information to the equipment to be registered; the equipment to be registered is used for generating a corresponding digital signature according to the response information, generating an authentication request according to the digital signature and the equipment information of the equipment to be registered, and sending the authentication request information to the first server;
Sending the authentication request information to a blockchain of the second server; the second server is used for receiving the authentication request information through the blockchain and carrying out identity authentication on the digital signature and the equipment information in the authentication request information according to the first public key through the blockchain;
further comprises:
acquiring authentication passing information returned by the second server; the authentication passing information comprises the equipment information and a digital signature of the second server;
verifying the authentication passing information according to the second public key, and generating a first session key according to the third private key and the first public key if the authentication passes so as to communicate with the second server through the first session key;
adding the third private key to the authentication passing information, and sending the authentication passing information with the third private key added to the device to be registered; the device to be registered is used for verifying the authentication passing information according to the third public key and, if the verification passes, generating a second session key according to the first private key of the device to be registered and the third public key so as to communicate with the first server through the second session key.
5. A device authentication system, the system comprising: the device to be registered, a first server and a second server; the equipment to be registered and the first server are arranged on an external network, the second server is arranged on an internal network, and a blockchain is arranged in the second server; the first server stores a second public key of the second server, and a third public key and a third private key of the first server; the first private key of the equipment to be registered and the third public key of the first server are stored in the equipment to be registered;
the device to be registered is used for sending a device registration request to the first server; the equipment registration request comprises a first public key corresponding to the equipment to be registered;
the first server is used for generating corresponding equipment registration information according to the first public key and sending the equipment registration information to the second server;
the second server is used for receiving the equipment registration information sent by the first server, generating corresponding response information according to the equipment registration information and sending the response information to the first server through the blockchain;
the first server is used for sending the response information to the equipment to be registered;
The equipment to be registered is used for generating a corresponding digital signature according to the response information, generating authentication request information according to the digital signature and equipment information of the equipment to be registered, and sending the authentication request information to the first server;
the first server is used for sending the authentication request information to the blockchain of the second server;
the second server is used for receiving the authentication request information through the blockchain and carrying out identity authentication on the digital signature and the equipment information in the authentication request information according to the first public key through the blockchain;
the second server is used for generating authentication passing information corresponding to the equipment information through the blockchain if the identity authentication passes; adding the digital signature of the second server to the authentication passing information, and sending the authentication passing information after adding the digital signature of the second server to the first server;
the first server is used for acquiring the authentication passing information returned by the second server, the authentication passing information comprising the device information and the digital signature of the second server; verifying the authentication passing information according to the second public key and, if the verification passes, generating a first session key according to the third private key and the first public key so as to communicate with the second server through the first session key; and adding the third private key to the authentication passing information and sending the authentication passing information with the third private key added to the device to be registered;
and the device to be registered is used for verifying the authentication passing information according to the third public key and, if the verification passes, generating a second session key according to the first private key of the device to be registered and the third public key so as to communicate with the first server through the second session key.
6. A device authentication apparatus, applied to a second server, the second server being disposed in an intranet, and a blockchain being disposed in the second server, the apparatus comprising:
the receiving module is used for receiving the equipment registration information sent by the first server; the equipment registration information is generated according to an equipment registration request sent by equipment to be registered, which is arranged in an external network; the equipment registration request comprises a first public key corresponding to the equipment to be registered;
the response module is used for generating corresponding response information according to the equipment registration information and sending the corresponding response information to the first server through the blockchain; the first server is used for sending the response information to the equipment to be registered, the equipment to be registered is used for generating a corresponding digital signature according to the response information, generating authentication request information according to the digital signature and equipment information of the equipment to be registered, and sending the authentication request information to a blockchain of a second server through the first server;
The authentication module is used for receiving the authentication request information through the blockchain and carrying out identity authentication on the digital signature and the equipment information in the authentication request information according to the first public key through the blockchain;
further comprising a confirmation module, used for generating, through the blockchain, authentication passing information corresponding to the device information if the identity authentication passes; adding the digital signature of the second server to the authentication passing information and sending the authentication passing information with the digital signature of the second server added to the first server; the first server is used for generating a first session key according to the authentication passing information and sending the authentication passing information to the device to be registered, and the device to be registered is used for generating a second session key according to the authentication passing information, so that the device to be registered communicates with the first server through the second session key and the first server communicates with the second server through the first session key.
7. The apparatus of claim 6, wherein the device registration information comprises a first generation time of the device registration request and a second generation time of the device registration information;
The apparatus further comprises: the verification module is used for:
detecting whether the difference value between the second generation time and the first generation time is smaller than or equal to a preset time difference threshold value, if yes, executing the step of generating corresponding response information according to the equipment registration information and sending the response information to the first server through the blockchain.
8. A device authentication apparatus, applied to a first server, the first server being disposed on an external network, the apparatus comprising:
the acquisition module is used for acquiring an equipment registration request sent by equipment to be registered, which is arranged on an external network; the equipment registration request comprises a first public key corresponding to the equipment to be registered;
the first sending module is used for generating corresponding equipment registration information according to the first public key and sending the equipment registration information to a second server; the second server is provided with a blockchain; the second server is used for receiving the equipment registration information sent by the first server, generating corresponding response information according to the equipment registration information and sending the response information to the first server through the blockchain;
the second sending module is used for sending the response information to the equipment to be registered; the equipment to be registered is used for generating a corresponding digital signature according to the response information, generating an authentication request according to the digital signature and the equipment information of the equipment to be registered, and sending the authentication request information to the first server; the first server stores a second public key of the second server, and a third public key and a third private key of the first server; the first private key of the equipment to be registered and the third public key of the first server are stored in the equipment to be registered;
The third sending module is used for sending the authentication request information to the blockchain of the second server; the second server is used for receiving the authentication request information through the blockchain and carrying out identity authentication on the digital signature and the equipment information in the authentication request information according to the first public key through the blockchain;
further comprising a communication module, used for acquiring the authentication passing information returned by the second server, the authentication passing information comprising the device information and the digital signature of the second server; verifying the authentication passing information according to the second public key and, if the verification passes, generating a first session key according to the third private key and the first public key so as to communicate with the second server through the first session key; and adding the third private key to the authentication passing information and sending the authentication passing information with the third private key added to the device to be registered; the device to be registered is used for verifying the authentication passing information according to the third public key and, if the verification passes, generating a second session key according to the first private key of the device to be registered and the third public key so as to communicate with the first server through the second session key.
9. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any one of claims 1 to 5 when the computer program is executed.
10. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 5.
CN202111436807.6A 2021-11-29 2021-11-29 Device authentication method, device, computer device and storage medium Active CN114257419B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111436807.6A CN114257419B (en) 2021-11-29 2021-11-29 Device authentication method, device, computer device and storage medium

Publications (2)

Publication Number Publication Date
CN114257419A CN114257419A (en) 2022-03-29
CN114257419B true CN114257419B (en) 2023-06-30

Family

ID=80793561

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111436807.6A Active CN114257419B (en) 2021-11-29 2021-11-29 Device authentication method, device, computer device and storage medium

Country Status (1)

Country Link
CN (1) CN114257419B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115580415B (en) * 2022-12-12 2023-03-31 南方电网数字电网研究院有限公司 Data interaction authentication method, device and system in block chain

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109981633A (en) * 2019-03-19 2019-07-05 全链通有限公司 Access method, equipment and the computer readable storage medium of server
CN110493237A (en) * 2019-08-26 2019-11-22 深圳前海环融联易信息科技服务有限公司 Identity management method, device, computer equipment and storage medium
CN112039848A (en) * 2020-08-05 2020-12-04 北京链飞未来科技有限公司 Web authentication method, system and device based on block chain public key digital signature

Also Published As

Publication number Publication date
CN114257419A (en) 2022-03-29

Similar Documents

Publication Publication Date Title
US20210367753A1 (en) Trusted measurement and control network authentication method based on double cryptographic values and chaotic encryption
US8646104B2 (en) Stateless challenge-response broadcast protocol
US8555069B2 (en) Fast-reconnection of negotiable authentication network clients
US7620824B2 (en) Data communicating apparatus, data communicating method, and program
CN109302412B (en) VoIP communication processing method based on CPK, terminal, server and storage medium
CN111614621B (en) Internet of things communication method and system
CN114070559B (en) Industrial Internet of things session key negotiation method based on multiple factors
US20210167963A1 (en) Decentralised Authentication
US20220245631A1 (en) Authentication method and apparatus of biometric payment device, computer device, and storage medium
CN112039848A (en) Web authentication method, system and device based on block chain public key digital signature
CN112383395A (en) Key agreement method and device
KR102591826B1 (en) Apparatus and method for authenticating device based on certificate using physical unclonable function
CN111654481B (en) Identity authentication method, identity authentication device and storage medium
CN115022868A (en) Satellite terminal entity authentication method, system and storage medium
Vangala et al. Provably secure signature‐based anonymous user authentication protocol in an Internet of Things‐enabled intelligent precision agricultural environment
CN114257419B (en) Device authentication method, device, computer device and storage medium
Khan et al. Resource efficient authentication and session key establishment procedure for low-resource IoT devices
Hussain et al. An improved authentication scheme for digital rights management system
US11240661B2 (en) Secure simultaneous authentication of equals anti-clogging mechanism
CN112769568B (en) Security authentication communication system and method in fog computing environment and Internet of things equipment
CN112733129A (en) Trusted access method for out-of-band management of server
CN113872986B (en) Power distribution terminal authentication method and device and computer equipment
CN116961911A (en) Information processing method and device and communication equipment
CN113261255B (en) Device authentication by quarantine and verification
JP2004274134A (en) Communication method, communication system using the communication method, server and client

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant