Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a trusted device authentication method, a trusted device authentication device, a computer device and a storage medium.
In order to achieve the purpose, the invention adopts the following technical scheme: a trusted device authentication method, comprising:
acquiring a device request;
judging whether the equipment request is identity registration or not;
if the equipment request is identity registration, hardware factor hash information from the equipment is acquired;
issuing ID certificate information to equipment according to the hardware factor hash information so that the equipment confirms the data integrity and the source non-repudiation of the ID certificate information, decrypting the ID certificate information to obtain an APPID, and storing the APPID;
if the equipment request is not identity registration, acquiring interactive authentication request data initiated by the equipment through an APPID;
generating a corresponding hardware factor knowledge challenge problem for the interactive authentication request data;
encrypting the hardware factor knowledge challenge problem to form a signature ciphertext, and sending the signature ciphertext to the terminal to enable the terminal to respond to the knowledge challenge according to the signature ciphertext and provide a corresponding hash certificate to generate a response ciphertext;
and performing authentication according to the response ciphertext, and constructing data interaction and communication with the equipment when the authentication is passed.
The further technical scheme is as follows: the hardware factor hash information comprises mainboard serial number hash data, central processing unit CPUID hash data, MAC address hash data and hard disk serial number hash data which are correspondingly generated after a mainboard serial number, a central processing unit CPUID hash data, an MAC address hash data and a hard disk serial number are collected by equipment, and information formed after encryption operation is carried out by using a server public key in combination with a generated local symmetric key and a first timestamp.
The further technical scheme is as follows: the issuing of ID certificate information to equipment according to the hardware factor hash information to enable the equipment to confirm data integrity and non-repudiation of a source of the ID certificate information, and to decrypt the ID certificate information to obtain an APPID, and the storing of the APPID comprises:
decrypting the hardware factor hash information according to a private key of the hardware factor hash information to obtain mainboard serial number hash data, central processing unit CPUID hash data, MAC address hash data, hard disk serial number hash data, a local symmetric key and a first timestamp;
when the first timestamp is legal, storing the mainboard serial number hash data, the central processing unit CPUID hash data, the MAC address hash data and the hard disk serial number hash data according to a specific storage sequence;
saving the local symmetric key;
generating an APP ID and a second timestamp;
encrypting the APPID and the second timestamp according to the local symmetric key, and performing digital signature operation by using a private key of the APPID and the second timestamp to generate ID certificate information;
and issuing ID certificate information to equipment to ensure that the equipment confirms the data integrity and the non-repudiation of the source of the ID certificate information, decrypting the ID certificate information to obtain an APPID, and storing the APPID.
The further technical scheme is as follows: the issuing of the ID certificate information to the equipment so that the equipment confirms the data integrity and the non-repudiation of the source of the ID certificate information, decrypts the ID certificate information to obtain an APPID, and stores the APPID, wherein the issuing comprises the following steps:
and issuing the ID certificate information to equipment so that the equipment verifies the ID certificate information through a server public key, when the ID certificate information is verified, decrypting the ID certificate information through a local symmetric key to obtain the AppID and plaintext data of a second timestamp, judging the legality of the second timestamp, and when the second timestamp is legal, storing the AppID.
The further technical scheme is as follows: the generating of the corresponding hardware factor knowledge challenge problem for the interactive authentication request data comprises:
decrypting the interactive authentication request data through a private key of the user to obtain an APPID and a ciphertext related to a third timestamp;
determining the local symmetric key according to the APPID;
decrypting ciphertext associated with a third timestamp using the local symmetric key;
when the decryption is successful, verifying the validity of the third timestamp;
and when the third timestamp is legal, randomly selecting a plurality of hardware names from the four hardware names of the mainboard serial number, the central processing unit CPUID, the MAC address and the hard disk serial number by adopting a random selection algorithm so as to generate a corresponding hardware factor knowledge challenge problem.
The further technical scheme is as follows: the encrypting the hardware factor knowledge challenge problem to form a signature ciphertext and sending the signature ciphertext to the terminal so that the terminal can perform response knowledge challenge according to the signature ciphertext and provide a corresponding hash certificate to generate a response ciphertext, and the encrypting the hardware factor knowledge challenge problem comprises the following steps:
generating a one-time symmetric communication key and a fourth timestamp;
encrypting the one-time symmetric key and the hardware factor knowledge challenge problem by using the local symmetric key to obtain ciphertext contents;
performing data signature on the ciphertext content and the fourth timestamp by using a self key to obtain a signature ciphertext;
and issuing the signature ciphertext to the device to enable the device to perform signature verification operation on the signature ciphertext by using the server public key to obtain the fourth time stamp and ciphertext content, decrypting the ciphertext content by using the local symmetric key when the time stamp is legal to obtain the one-time symmetric communication key and the hardware factor knowledge challenge problem, performing challenge response hash data of corresponding hardware according to the hardware factor knowledge challenge problem, generating a fifth time stamp, and encrypting the challenge response hash data and the fifth time stamp by using the one-time symmetric communication key to generate a response ciphertext.
The further technical scheme is as follows: and the authentication is carried out according to the response ciphertext, and when the authentication is passed, data interaction and communication with the equipment are constructed, wherein the data interaction and communication comprise:
decrypting the response ciphertext by using the one-time symmetric communication key to obtain the challenge response hash data and the fifth timestamp;
performing validity verification on the fifth timestamp;
when the fifth timestamp is legal, verifying whether the challenge response hash data is consistent with an actual answer of the hardware factor knowledge challenge question;
and when the hash data of the challenge response is consistent with the actual answer of the hardware factor knowledge challenge question, determining that the equipment is legal registered equipment, and allowing the equipment to perform network access within the authentication validity period so as to construct data interaction and communication with the equipment.
The invention also provides a trusted device authentication device, comprising:
a device request acquisition unit configured to acquire a device request;
a judging unit, configured to judge whether the device request is to perform identity registration;
a hash information obtaining unit, configured to obtain hardware factor hash information from the device if the device request is to perform identity registration;
the ID processing unit is used for issuing ID certificate information to equipment according to the hardware factor hash information so that the equipment confirms the data integrity and the source non-repudiation of the ID certificate information, decrypts the ID certificate information to obtain an APPID, and stores the APPID;
the authentication data acquisition unit is used for acquiring interactive authentication request data initiated by the equipment through the APPID if the equipment request is identity registration;
the problem generation unit is used for generating a corresponding hardware factor knowledge challenge problem for the interactive authentication request data;
the problem processing unit is used for encrypting the hardware factor knowledge challenge problem to form a signature ciphertext and sending the signature ciphertext to the terminal so as to enable the terminal to carry out response knowledge challenge according to the signature ciphertext and provide a corresponding hash certificate to generate a response ciphertext;
and the authentication unit is used for authenticating according to the response ciphertext and constructing data interaction and communication with the equipment when the authentication is passed.
The invention also provides computer equipment which comprises a memory and a processor, wherein the memory is stored with a computer program, and the processor realizes the method when executing the computer program.
The invention also provides a storage medium storing a computer program which, when executed by a processor, implements the method described above.
Compared with the prior art, the invention has the beneficial effects that: in the invention, in the registration stage and the authentication stage, multi-factor hardware hash information is submitted by equipment as the basis of legal equipment, the server verifies the credibility of the equipment by a knowledge certification and challenge-response method, and a symmetrical password system and an asymmetrical password system are adopted in the whole process for data encryption protection, so that the confidentiality of the whole-flow data is ensured; meanwhile, signature authentication is carried out on key data by using an asymmetric cryptosystem digital signature technology, so that the integrity and non-repudiation of the data are guaranteed; a timestamp verification mechanism is introduced to effectively prevent replay attack, a problem randomization mechanism is introduced in the verification process of the knowledge proof and challenge-response method, the guessing difficulty is increased, and replay forgery is prevented; the confidentiality and integrity protection of the interaction data between the trusted device and the server, namely the host in the whole process from the registration stage to the authentication stage, is realized.
The invention is further described below with reference to the accompanying drawings and specific embodiments.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the specification of the present invention and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be further understood that the term "and/or" as used in this specification and the appended claims refers to and includes any and all possible combinations of one or more of the associated listed items.
Referring to fig. 1 and fig. 2, fig. 1 is a schematic view of an application scenario of a trusted device authentication method according to an embodiment of the present invention. Fig. 2 is a schematic flowchart of a trusted device authentication method according to an embodiment of the present invention. The trusted device authentication method is applied to a control server, namely a server side, the server and devices perform data interaction, based on SDP (Software Defined boundary) technology, hardware device factor Hash information of a host side, namely the devices is obtained and serves as a knowledge certificate to perform authentication challenge on communication requests of the devices, hardware level legality of the devices from which the information interaction requests originate is judged, and meanwhile, based on whole-process confidentiality communication algorithm design, confidentiality and integrity protection of interaction data between the host and the server in a whole process from a registration stage to an authentication stage are achieved.
The SDP technology is an emerging technical idea in a zero trust security architecture, and the technology adopts a thought design based on a zero trust system to set a core control component to evaluate, authenticate and authorize all access requests, so that the purpose of access control is achieved. SDP offers zero visibility and zero connectivity out-bound, and connections can be established only after endpoints prove that they can be trusted, allowing legitimate traffic to pass through, using this approach essentially preventing all network-based attacks. Since the rise of the zero trust security technology in 2018 in China, the technology has been widely focused and discussed, but a mature implementation algorithm for completing the technology is still lacked.
Fig. 2 is a flowchart illustrating a trusted device authentication method according to an embodiment of the present invention. As shown in fig. 2, the method includes the following steps S110 to S180.
And S110, acquiring a device request.
In this embodiment, the device request refers to an operation request initiated by a device to a server, and may include a registration request and an authentication request, where the registration request refers to performing identity registration, and the authentication request refers to identity authentication to construct data interaction with the server.
S120, judging whether the equipment request is identity registration or not;
s130, if the equipment request is identity registration, hardware factor hash information from the equipment is obtained.
In this embodiment, the identity registration and the identity authentication may have corresponding features in the device request, and therefore, which type of request the device request belongs to may be quickly determined.
In addition, the hardware factor hash information comprises mainboard serial number hash data, central processing unit CPUID hash data, MAC address hash data and hard disk serial number hash data which are correspondingly generated after the mainboard serial number, the central processing unit CPUID hash data, the MAC address hash data and the hard disk serial number hash data are collected by equipment, and information is formed after encryption operation is carried out by using a server public key in combination with a generated local symmetric key and a first timestamp.
The hardware factor Hash information acquisition system is realized by installing agent software on each host, and the acquired hardware factors comprise the following contents: a motherboard serial number; a central processing unit CPUID; a MAC address; hard disk serial number. agent collects the original information and respectively generates mainboard serial number hash data H1, central processing unit CPUID hash data H2, MAC address hash data H3 and hard disk serial number hash data H4 according to the collection sequence. And generating a local symmetric key Pk and a first time stamp Ts1, encrypting the hardware factor hash, the agent local symmetric key Pk and the first time stamp Ts1 by using a server public key Pubs, and transmitting the hardware factor hash information to the server.
For example: agent successfully collected the following data: mainboard sequence number: LNVNB 16121X; central processing unit CPUID: BFEBFBFF000706E 3; MAC address: 00-50-56-C0-00-0C; hard disk serial number: { D9F517E0-2009-41C1-87FB-41B85CB77E46 }; agent collects the original information and respectively generates mainboard serial number hash data H1 according to the collection sequence: a47cf540514940120eee3687934ed57e, central processor CPUID hash data H2: 6bca25821036fab866b33643c8d7301f, MAC address hash H3: 3388b51c9a63626681dcbd11dd15735b and hard disk serial number hash data H4: b901d0043a978b3d1d29e1ee2f7666e 1. Generating a local symmetric key Pk: GY4OPOchTm4t0/ye and the first timestamp Ts1, wherein the hardware factor hash, agent local symmetric key Pk and the first timestamp Ts1 are encrypted by using a server public key Pubs to form hardware factor hash information PubsEnc (H1, H2, H3, H4, Ts1 and Pk) and then transmitted to the server.
In this embodiment, the client host has installed the agent correctly, in this embodiment, the hash algorithm is md5 algorithm, the symmetric key algorithm is AES algorithm, the asymmetric key algorithm is RSA algorithm, and the authentication validity period T is 60 minutes.
The server public key Pubs is as follows:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKqL5COYbYfHWUY9NWyDn6Y++o;
44k71KccoiIovosOKYuAXsRHuNoftjPV866U5kzvBZ3qncEyw4/PlC//h7Bs+d0a;
GQcxsak7kAHLc//FXWOF8qSunCY5TlMjZo6pYeVTTmKZ/wBlQ/vrhfDTWxqY87Fo;
WMjsswFqFIBWdgQhFQIDAQAB;
-----END PUBLIC KEY-----
the server private key, i.e. the private key Pris of itself, is as follows:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIqdI5vNdzoIkCAggA;
MBQGCCqGSIb3DQMHBAh8qgIlqt0/4gSCAoBjGXY/HlIz7JQaALdAxOK1QfbMoCj1;
A8pkXS0er6Y/8Wl8oi4Oz9z38v+xR5dIgcmEtTnn7hGon2ouQSVUekyhotzyQEzx;
zmJNoYYK2piw138oqCCmhE8M0Qm7wzImSD8yxqPbBC5b8b/RW9Aashv2nbnf5v1Z;
G0OhxYix/e9Z8Qce5d8Ug3aqNXy7h/sReh4ltAB9qeeh6IvzsJpY4v4w7OYhs1jx;
SG6vQtzsoISQYbHIIQOUAtbJI2PhpOzIqT++sMxfq8yYI+af7NpHpfjc256jr2xl;
+M8N2fQiJvcoSSn3aG34FC/wzHnHAaq+jaCYQJbucQ7eFThP08gJoAd3FRfnSQ46;
BulLzFr9XmqAiBKNiu2fUS0xO41deTCh0KUh70NVHm1QwqaAuQwwDox3w4wyXepE;
7rNACFguIs+/nbf+C8sK9+Qq8XYDWBa/ZEQ4NKQDT14cSvXBMjP4M0T+kUl0BJGr;
WyP9mEmNFLqQH+d0wImP/MoNL6H7di1V/a1ZPasj89IFn6U1E72v9NQXb3tFCC5I;
w+1NFq93BzDtTx9LhXAG3hDzAT140OrVXg7ZASWKBsy6rR36FEq/CLxSwZ8u4E1k;
r2I4UVxIHSwO48IhDx9jl1+ZkeEYgBdqCOa6HUe/DjYXdCYr99P6UDhTB2Yfrwh/;
9le6nlA6BF34xCFJjLIxfqIiIeILRM/C8tHTap5GnJqG50+YacSu/dI7G69QHUC+;
Sts16h9JCTSdMo6AVSnn//5fRvqd/tu7pj8FD75kbIVHKwS6ABeRla3bgSeQBFiz;
FYG6Hu+rz7iQ/gyLIMyFY4bPnFh0VP4IS1an7pYFFTPIvWTVeecJvorO;
-----END ENCRYPTED PRIVATE KEY-----
s140, ID certificate information is issued to equipment according to the hardware factor hash information, so that the equipment confirms data integrity and source non-repudiation of the ID certificate information, decrypts the ID certificate information to obtain APPID, and stores the APPID.
In this embodiment, the ID credential refers to a content formed by encrypting the APPID and the second timestamp according to the local symmetric key and performing a digital signature operation using a private key of the ID credential.
In an embodiment, referring to fig. 3, the step S140 may include steps S141 to S146.
S141, decrypting the hardware factor hash information according to the private key of the hardware factor hash information to obtain mainboard serial number hash data, central processing unit CPUID hash data, MAC address hash data, hard disk serial number hash data, a local symmetric key and a first timestamp.
In this embodiment, after obtaining the hash information PubsEnc (H1, H2, H3, H4, Ts1, Pk) of the hardware factors uploaded by the agent, the server performs a decryption operation PrisDec (H1, H2, H3, H4, Ts1, Pk) by using its own private key Pris as follows; thereby obtaining H1-H4 as well as the local symmetric key Pk and the first timestamp Ts1 plaintext data.
And S142, when the first time stamp is legal, storing the mainboard serial number hash data, the central processing unit CPUID hash data, the MAC address hash data and the hard disk serial number hash data according to a specific storage sequence.
In this embodiment, when the first timestamp is legal, the hash data corresponding to H1-H4 is stored in the order of "motherboard serial number, central processing unit CPUID, MAC address, and hard disk serial number", and the agent symmetric key Pk is stored.
S143, saving the local symmetric key;
s144, generating an APP ID and a second timestamp;
s145, encrypting the APPID and the second timestamp according to the local symmetric key, and performing digital signature operation by using a private key of the APPID to generate ID credential information.
Specifically, the server generates a unique AppID: 2SQ33EU1 and a second timestamp Ts2, and encrypt the AppID and the second timestamp Ts2 by using the local symmetric key Pk, and finally perform a digital signature operation by using the server private key Pris to form ID credential information PrisEnc (PkEnc (AppID, Ts2)), and send the ID credential information to the current agent.
S146, issuing ID certificate information to equipment to enable the equipment to confirm data integrity and source non-repudiation of the ID certificate information, decrypting the ID certificate information to obtain an APPID, and storing the APPID.
Specifically, the ID credential information is issued to the device, so that the device verifies the ID credential information through a server public key, when the ID credential information is verified, the ID credential information is decrypted through a local symmetric key, plaintext data of the AppID and the second timestamp are obtained, validity of the second timestamp is judged, and when the second timestamp is legal, the AppID is stored.
after agent acquires credential information PrisEnc (PkEnc (AppID, Ts2)) from the server, signature verification and decryption operations are performed as follows. PubsDec (PkDec (AppID, Ts 2)); firstly, the signature is verified through a public key Pubs of a service end, the data integrity and the source non-repudiation are confirmed, data decryption is carried out through a local symmetric key Pk, the AppID and the plaintext data of a second timestamp Ts2 are obtained, the legality of the second timestamp Ts2 is judged, and the AppID is stored to serve as an identity certificate for subsequent interactive authentication with the service end if the second timestamp Ts2 is legal.
S150, if the equipment request is not identity registration, acquiring interactive authentication request data initiated by the equipment through the APPID.
In this embodiment, the interactive authentication request data refers to that when the device where the agent is located needs to initiate a network access communication request, that is, identity authentication, a device authentication application is initiated to the server to generate a third timestamp Ts3, the third timestamp Ts3 is encrypted by using a local symmetric key to obtain an encrypted content PkEnc (Ts3), and the encrypted content and the AppID are encrypted by using a server public key Pubs to obtain a ciphertext result pubsnenc (AppID, PkEnc (Ts 3)); the device transmits the ciphertext result PubsEnc (AppID, PkEnc (Ts3)) to the server.
And S160, generating a corresponding hardware factor knowledge challenge problem for the interactive authentication request data.
In this embodiment, the problem of hardware factor knowledge challenge refers to a problem that an agent needs to submit hash data of a corresponding hardware factor according to a hardware name.
In an embodiment, referring to fig. 4, the step S160 may include steps S161 to S165.
S161, decrypting the interactive authentication request data through a private key of the server to obtain an APPID and a ciphertext related to a third timestamp;
s162, determining the local symmetric key according to the APPID;
s163, decrypting the ciphertext related to the third timestamp by using the local symmetric key;
s164, when the decryption is successful, verifying the validity of the third timestamp;
and S165, when the third timestamp is legal, randomly selecting a plurality of hardware names from the four hardware names of the mainboard serial number, the central processing unit CPUID, the MAC address and the hard disk serial number by adopting a random selection algorithm so as to generate a corresponding hardware factor knowledge challenge problem.
Specifically, when the server obtains interactive authentication request data pubsEnc (AppID, PkEnc (Ts3)) initiated by the agent, the data is decrypted by a private key Pris of the server, so that AppID plaintext and ciphertext of the PkEnc (Ts3) are obtained, a local symmetric key Pk stored locally and correspondingly is searched by the AppID, the ciphertext of the PkEnc (Ts3) is decrypted by using the key, and if the plaintext of a third timestamp Ts3 is obtained successfully, the AppID is proved to be matched with the local symmetric key Pk, and the validity of the third timestamp Ts3 is verified. If the third timestamp Ts3 is legal, a Random selection algorithm Random () exists, a plurality of Random (H1-H4) items are randomly selected from four hardware names of "motherboard serial number, central processing unit CPUID, MAC address, and hard disk serial number" as the knowledge challenge problem, and an agent is required to submit hash data of corresponding hardware factors according to the hardware names. The Random selection algorithm Random () extraction knowledge item number can be manually set, and 1-3 hardware names are randomly selected by default.
For example: the method comprises the steps that a server side obtains interactive authentication request data PubsEnc (AppID, PkEnc (Ts3)) initiated by an agent, decrypts the data through a private key Pris of the server side to obtain AppID plaintext and PkEnc (Ts3) ciphertext, searches a local symmetric key Pk stored locally correspondingly through the AppID, decrypts the PkEnc (Ts3) ciphertext through the key, successfully obtains a third timestamp Ts3 plaintext through decryption, proves that the ApID is matched with the local symmetric key Pk, verifies that the third timestamp Ts3 is instant time, Ts3 is legal, randomly selects 2 main board serial numbers and MAC addresses from four hardware names of the main board serial number, the central processing unit CPUID, the MAC address and the hard disk serial number to serve as the knowledge challenge problem Random (H1-H4), and the agent needs to submit corresponding hardware hash factor data according to the hardware names.
S170, encrypting the hardware factor knowledge challenge problem to form a signature ciphertext, sending the signature ciphertext to the terminal to enable the terminal to perform response knowledge challenge according to the signature ciphertext and provide corresponding hash certification to generate a response ciphertext.
In this embodiment, the response ciphertext refers to a ciphertext formed by performing a response knowledge challenge and generating a corresponding hash certificate according to the signature ciphertext.
In an embodiment, referring to fig. 4, the step S170 may include steps S171 to S174.
And S171, generating a one-time symmetric communication key and a fourth time stamp.
In the present embodiment, the one-time symmetric communication key refers to a key used for symmetric communication.
And S172, encrypting the one-time symmetric key and the hardware factor knowledge challenge problem by using the local symmetric key to obtain ciphertext contents.
In this embodiment, the ciphertext content is the content formed by encrypting the one-time symmetric key and the hardware factor knowledge challenge problem with the local symmetric key.
And S173, performing data signature on the ciphertext content and the fourth timestamp by using the self key to obtain a signature ciphertext.
In this embodiment, the signature ciphertext refers to a content obtained by performing a data signature on the ciphertext content and the fourth timestamp using the own key.
And S174, issuing the signature ciphertext to the device, so that the device performs signature verification operation on the signature ciphertext by using the server public key to obtain the fourth time stamp and ciphertext content, when the time stamp is legal, decrypting the ciphertext content by using the local symmetric key to obtain the one-time symmetric communication key and the hardware factor knowledge challenge problem, performing challenge response hash data of corresponding hardware according to the hardware factor knowledge challenge problem, generating a fifth time stamp, and encrypting the challenge response hash data and the fifth time stamp by using the one-time symmetric communication key to generate a response ciphertext.
Specifically, when the hardware factor knowledge Challenge problem Random (H1-H4) selection is completed, the server generates a one-time symmetric communication key Challenge and a fourth timestamp Ts4, encrypts the one-time symmetric communication key Challenge and the hardware factor knowledge Challenge problem Random (H1-H4) by using the local symmetric key Pk of the agent, obtains a PkEnc (Challenge, Random (H1-H4)) ciphertext, digitally signs the PkEnc (Challenge, Random (H1-H4)) ciphertext) and the fourth timestamp Ts4 by using a private key Pris of the server, obtains a PrisEnc (Challenge, Random (H1-H4)), Ts4, and sends the signature ciphertext to the agent. When agent receives signature ciphertext PrisEnc (PkEnc (Challenge, Random (H1-H4)) from server, Ts4), firstly, signature verification operation is carried out on signature ciphertext PubsDec (PkEnc (Challenge, Random (H1-H4)) and Ts4) by using a server public key Pubs, plaintext of a fourth time stamp Ts4 and PkEnc (Challenge, Random (H1-H4)) ciphertext are obtained, after the legitimacy of the fourth time stamp Ts4 is confirmed, PkDec (Challenge, Random (H1-H4)) decryption operation is carried out by using a local symmetric key Pk, one-time symmetric communication key Challenge and a hardware knowledge Challenge question Random (H1-H4) are obtained, and a corresponding hardware Challenge name required by the hardware knowledge question Random (H1-H4) is prepared, and a corresponding Challenge data is generated by using a Challenge, TS5, TS 465, encrypted data are generated by using a time symmetric key, and the corresponding Challenge, TS5 is generated, and obtaining a response ciphertext ChanllengeEnc (Ans (H1-H4), Ts5), and sending the response ciphertext to the server.
In this embodiment, a one-time symmetric communication key Challenge is generated: s338j2E4 and a fourth timestamp Ts4, encrypt the one-time symmetric communication key Challenge and Random (H1-H4) with the local symmetric key Pk of the agent to obtain PkEnc (Challenge, Random (H1-H4)) ciphertext, digitally sign the ciphertext and the timestamp Ts4 with the private key Pris of the agent to obtain a signature ciphertext PrisEnc (PkEnc, Random (H1-H4)), Ts4), and send the signature ciphertext to the agent.
agent receives signature cipher text PrisEnc (PkEnc (Challenge, Random (H1-H4)), Ts4) from server, firstly uses server public key Pubs to perform PubsDec (PkEnc (Challenge, Random (H1-H4)), Ts4) signature verification operation, obtains fourth time stamp Ts4 plaintext and PkEnc (Challenge, Random (H1-H4)) cipher text, confirms fourth time stamp Ts4 as instant time, then uses symmetric key Pk to perform PkDec (Challenge, Random (H1-H4)) decryption operation, obtains disposable symmetric communication key Challenge and Random hardware name Challenge problem Random (H1-H4), and according to the hardware name required by Random (H1-H4): "serial number of main board, MAC address", prepare the Challenge response hash data "a 47cf540514940120eee3687934ed57e, 3388b51c9a63626681dcbd11dd15735 b" of the corresponding hardware as Ans (H1-H4), generate time stamp Ts5, encrypt Ans (H1-H4) and Ts5 with the one-time symmetric communication key Challenge, obtain the response ciphertext enc (Ans (H1-H4), Ts5), send the response ciphertext to the server.
And S180, authenticating according to the response ciphertext, and constructing data interaction and communication with the equipment when the authentication is passed.
In an embodiment, referring to fig. 6, the step S180 may include steps S181 to S184.
S181, decrypting the response ciphertext by using the one-time symmetric communication key to obtain the challenge response hash data and the fifth timestamp;
s182, carrying out validity verification on the fifth timestamp;
s183, when the fifth time stamp is legal, verifying whether the hash data of the challenge response is consistent with the actual answer of the hardware factor knowledge challenge question;
s184, when the hash data of the challenge response is consistent with the actual answer of the hardware factor knowledge challenge question, determining that the equipment is legal registration equipment, and allowing the equipment to perform network access within the authentication validity period so as to construct data interaction and communication with the equipment.
In this embodiment, the server receives a response ciphertext challenge enc (Ans (H1-H4), Ts5) from the device, performs a challenge dec (Ans (H1-H4), Ts5) decryption operation through a one-time symmetric communication key, obtains plaintext of challenge response hash data Ans (H1-H4) and a fifth timestamp Ts5, verifies validity of the fifth timestamp Ts5, and verifies whether challenge response hash data provided by the Ans (H1-H4) matches with an actual answer of a hardware factor knowledge challenge problem Random (H1-H4), if the fifth timestamp Ts5 is valid and the challenge response data Ans (H1-H4) is correct, the device is determined to be a valid registration device, and is allowed to enter a current network for data interaction and communication within an authentication validity period T, and the authentication validity period T can be manually set to be 30 minutes by default. After the validity expires, if the device needs to continue to access the network, the authentication phase process is repeated.
For example: the server receives a response ciphertext ChanllengeEnc (Ans (H1-H4), Ts5) from the device, decrypts the response ciphertext ChanllengeDec (Ans (H1-H4), Ts5) through a one-time symmetric communication key to obtain challenge response hash data Ans (H1-H4) and a fifth timestamp Ts5 plaintext, verifies that the fifth timestamp Ts5 is a legal timestamp, and starts to verify the challenge response hash data Ans (H1-H4): whether the hash data provided by "a 47cf540514940120eee3687934ed57e, 3388b51c9a63626681dcbd11dd15735 b" is in line with the actual answer to the hardware factor knowledge challenge problem Random (H1-H4): the 'a 47cf540514940120eee3687934ed57e, 3388b51c9a63626681dcbd11dd15735 b' are matched, and finally the challenge response hash data Ans (H1-H4) is proved to be correct, the device is determined to be a legal registered device, the device is allowed to be connected to the current network within 60 minutes of the authentication validity period for data interaction and communication, and if the device needs to be continuously connected to the network for communication after 60 minutes, the authentication steps are repeated.
The client agent submits multi-factor hardware hash information as the basis of legal equipment, and the server verifies the credibility of the equipment through a knowledge certification and challenge-response method, so that the technical goal of software definition boundary is achieved, namely, a core control assembly is designed and set based on the idea of a zero trust system to evaluate, authenticate and authorize all access requests, and the purpose of access control is achieved. The whole-flow communication process adopts a symmetric cryptosystem and an asymmetric cryptosystem to carry out data encryption protection, so that the confidentiality of the whole-flow data is ensured; meanwhile, signature authentication is carried out on key data by using an asymmetric cryptosystem digital signature technology, so that the integrity and non-repudiation of the data are guaranteed; a timestamp verification mechanism is introduced in the whole communication process, replay attack is effectively prevented, a problem randomization mechanism is introduced in the verification process of the knowledge certification and challenge-response method, the guessing difficulty is increased, replay forgery is prevented, and confidentiality and integrity protection of interactive data between the whole-process host and the server from the registration stage to the authentication stage are achieved.
According to the trusted device authentication method, the device submits the multi-factor hardware hash information as the basis of the legal device in the registration stage and the authentication stage, the server verifies the credibility of the device through the knowledge certification and the challenge-response method, and the whole process adopts the symmetric cryptosystem and the asymmetric cryptosystem to carry out data encryption protection, so that the confidentiality of the full-flow data is ensured; meanwhile, signature authentication is carried out on key data by using an asymmetric cryptosystem digital signature technology, so that the integrity and non-repudiation of the data are guaranteed; a timestamp verification mechanism is introduced to effectively prevent replay attack, a problem randomization mechanism is introduced in the verification process of the knowledge proof and challenge-response method, the guessing difficulty is increased, and replay forgery is prevented; the confidentiality and integrity protection of the interaction data between the trusted device and the server, namely the host in the whole process from the registration stage to the authentication stage, is realized.
Fig. 7 is a schematic block diagram of an apparatus 300 for authenticating a trusted device according to an embodiment of the present invention. As shown in fig. 7, the present invention further provides a trusted device authentication apparatus 300 corresponding to the above trusted device authentication method. The trusted device authentication apparatus 300 includes means for executing the above-described trusted device authentication method, and may be configured in a server. Specifically, referring to fig. 7, the trusted device authentication apparatus 300 includes a device request acquisition unit 301, a determination unit 302, a hash information acquisition unit 303, an ID processing unit 304, an authentication data acquisition unit 305, a question generation unit 306, a question processing unit 307, and an authentication unit 308.
A device request obtaining unit 301, configured to obtain a device request; a determining unit 302, configured to determine whether the device request is to perform identity registration; a hash information obtaining unit 303, configured to obtain hardware factor hash information from the device if the device request is to perform identity registration; the ID processing unit 304 is configured to issue ID credential information to a device according to the hardware factor hash information, so that the device confirms data integrity and non-repudiation of a source of the ID credential information, and decrypts the ID credential information to obtain an APPID, and stores the APPID; an authentication data obtaining unit 305, configured to obtain, if the device request is to perform identity registration, interactive authentication request data initiated by the device through an APPID; a problem generation unit 306, configured to generate a corresponding hardware factor knowledge challenge problem for the interactive authentication request data; the problem processing unit 307 is configured to encrypt the hardware factor knowledge challenge problem to form a signature ciphertext, and send the signature ciphertext to enable the terminal to perform a response knowledge challenge according to the signature ciphertext and provide a corresponding hash certificate to generate a response ciphertext; and the authentication unit 308 is configured to perform authentication according to the response ciphertext, and construct data interaction and communication with the device when the authentication is passed.
In an embodiment, as shown in fig. 8, the ID processing unit 304 includes a hash information decryption sub-unit 3041, a hash data storage sub-unit 3042, a key holding sub-unit 3043, a first generation sub-unit 3044, a first encryption sub-unit 3045, and a first issuing sub-unit 3046.
A hash information decryption subunit 3041, configured to decrypt the hardware factor hash information according to a private key of the hardware factor hash unit, so as to obtain motherboard serial number hash data, central processing unit CPUID hash data, MAC address hash data, hard disk serial number hash data, a local symmetric key, and a first timestamp; a hash data storage subunit 3042, configured to store, when the first timestamp is legal, the motherboard serial number hash data, the central processing unit CPUID hash data, the MAC address hash data, and the hard disk serial number hash data according to a specific storage order; a key holding subunit 3043 configured to hold the local symmetric key; a first generating subunit 3044 configured to generate an APP ID and a second timestamp; a first encryption subunit 3045, configured to encrypt the APPID and the second timestamp according to the local symmetric key, and perform a digital signature operation using a private key of the first encryption subunit to generate ID credential information; the first issuing subunit 3046 is configured to issue ID credential information to a device, so that the device confirms data integrity and non-repudiation of a source of the ID credential information, and decrypts the ID credential information to obtain an APPID, and stores the APPID.
In an embodiment, the first issuing subunit 3046 is configured to issue the ID credential information to a device, so that the device verifies the ID credential information through a server public key, when the ID credential information is verified, decrypt the ID credential information through a local symmetric key to obtain an AppID and plaintext data of a second timestamp, and determine validity of the second timestamp, and when the second timestamp is legal, store the AppID.
In one embodiment, as shown in FIG. 9, the question generation unit 306 includes a first decryption subunit 3061, a key determination subunit 3062, a second decryption subunit 3063, a first authentication subunit 3064, and a selection subunit 3065.
A first decryption subunit 3061, configured to decrypt the interactive authentication request data through a private key of the first decryption subunit to obtain an APPID and a ciphertext associated with the third timestamp; a key determination subunit 3062, configured to determine the local symmetric key from the APPID; a second decryption subunit 3063, configured to decrypt the ciphertext associated with the third timestamp using the local symmetric key; a first authentication subunit 3064, configured to, when the decryption is successful, authenticate the validity of the third timestamp; and the selecting subunit 3065 is used for randomly selecting a plurality of items from four hardware names of the mainboard serial number, the central processing unit CPUID, the MAC address and the hard disk serial number by adopting a random selection algorithm when the third timestamp is legal so as to generate a corresponding hardware factor knowledge challenge problem.
In an embodiment, as shown in fig. 10, the problem processing unit 307 includes a second generating sub-unit 3071, a second encrypting sub-unit 3072, a first signing sub-unit 3073, and a second issuing sub-unit 3074.
A second generating subunit 3071, configured to generate a one-time symmetric communication key and a fourth timestamp; the second encryption subunit 3072 is configured to encrypt the one-time symmetric key and the hardware factor knowledge challenge problem with the local symmetric key to obtain ciphertext content; the first signature subunit 3073 is configured to perform data signature on the ciphertext content and the fourth timestamp by using a self key to obtain a signature ciphertext; the second issuing subunit 3074 is configured to issue the signature ciphertext to the device, so that the device performs signature verification operation on the signature ciphertext by using the server public key to obtain the fourth time stamp and ciphertext content, when the time stamp is legal, decrypts the ciphertext content by using the local symmetric key to obtain the one-time symmetric communication key and the hardware factor knowledge challenge problem, performs challenge response hash data of corresponding hardware according to the hardware factor knowledge challenge problem, generates a fifth time stamp, and encrypts the challenge response hash data and the fifth time stamp by using the one-time symmetric communication key to generate a response ciphertext.
In one embodiment, as shown in fig. 11, the authentication unit 308 includes a third decryption subunit 3081, a second verification subunit 3082, a third verification subunit 3083 and a determination subunit 3084.
A third decryption subunit 3081, configured to decrypt the response ciphertext with the one-time symmetric communication key to obtain the challenge response hash data and the fifth timestamp; a second verifying subunit 3082, configured to perform validity verification on the fifth timestamp; a third verifying sub-unit 3083, configured to verify, when the fifth timestamp is legal, whether the challenge response hash data matches with an actual answer to the hardware factor knowledge challenge question; the determining subunit 3084 is configured to, when the challenge response hash data matches the actual answer to the hardware factor knowledge challenge question, determine that the device is a legitimate registered device, and allow the device to perform network access within the authentication validity period, so as to construct data interaction and communication with the device.
It should be noted that, as can be clearly understood by those skilled in the art, for the specific implementation processes of the above trusted device authentication apparatus 300 and each unit, reference may be made to the corresponding descriptions in the foregoing method embodiments, and for convenience and brevity of description, no further description is provided herein.
The above-described trusted device authentication apparatus 300 may be implemented in the form of a computer program that can be run on a computer device as shown in fig. 12.
Referring to fig. 12, fig. 12 is a schematic block diagram of a computer device according to an embodiment of the present application. The computer device 500 may be a server, wherein the server may be an independent server or a server cluster composed of a plurality of servers.
Referring to fig. 12, the computer device 500 includes a processor 502, memory, and a network interface 505 connected by a system bus 501, where the memory may include a non-volatile storage medium 503 and an internal memory 504.
The non-volatile storage medium 503 may store an operating system 5031 and a computer program 5032. The computer programs 5032 include program instructions that, when executed, cause the processor 502 to perform a trusted device authentication method.
The processor 502 is used to provide computing and control capabilities to support the operation of the overall computer device 500.
The internal memory 504 provides an environment for the execution of the computer program 5032 in the non-volatile storage medium 503, and when the computer program 5032 is executed by the processor 502, the processor 502 may be caused to perform a trusted device authentication method.
The network interface 505 is used for network communication with other devices. Those skilled in the art will appreciate that the configuration shown in fig. 12 is a block diagram of only a portion of the configuration associated with the present application and does not constitute a limitation of the computer device 500 to which the present application may be applied, and that a particular computer device 500 may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
Wherein the processor 502 is configured to run the computer program 5032 stored in the memory to implement the following steps:
acquiring a device request; judging whether the equipment request is identity registration or not; if the equipment request is identity registration, hardware factor hash information from the equipment is acquired; issuing ID certificate information to equipment according to the hardware factor hash information so that the equipment confirms the data integrity and the source non-repudiation of the ID certificate information, decrypting the ID certificate information to obtain an APPID, and storing the APPID; if the equipment request is not identity registration, acquiring interactive authentication request data initiated by the equipment through an APPID; generating a corresponding hardware factor knowledge challenge problem for the interactive authentication request data; encrypting the hardware factor knowledge challenge problem to form a signature ciphertext, and sending the signature ciphertext to the terminal to enable the terminal to respond to the knowledge challenge according to the signature ciphertext and provide a corresponding hash certificate to generate a response ciphertext; and performing authentication according to the response ciphertext, and constructing data interaction and communication with the equipment when the authentication is passed.
The hardware factor hash information comprises mainboard serial number hash data, central processing unit CPUID hash data, MAC address hash data and hard disk serial number hash data which are correspondingly generated after a mainboard serial number, a central processing unit CPUID hash data, an MAC address hash data and a hard disk serial number are collected by equipment, and information is formed after encryption operation is carried out by using a server public key in combination with a generated local symmetric key and a first timestamp.
In an embodiment, the processor 502 implements the step of issuing the ID credential information to the device according to the hardware factor hash information, so that the device confirms the data integrity and the non-repudiation of the source of the ID credential information, and decrypts the ID credential information to obtain the APPID, and when the step of storing the APPID is implemented, the following steps are specifically implemented:
decrypting the hardware factor hash information according to a private key of the hardware factor hash information to obtain mainboard serial number hash data, central processing unit CPUID hash data, MAC address hash data, hard disk serial number hash data, a local symmetric key and a first timestamp; when the first timestamp is legal, storing the mainboard serial number hash data, the central processing unit CPUID hash data, the MAC address hash data and the hard disk serial number hash data according to a specific storage sequence; saving the local symmetric key; generating an APP ID and a second timestamp; encrypting the APPID and the second timestamp according to the local symmetric key, and performing digital signature operation by using a private key of the APPID and the second timestamp to generate ID certificate information; and issuing ID certificate information to equipment to ensure that the equipment confirms the data integrity and the non-repudiation of the source of the ID certificate information, decrypting the ID certificate information to obtain an APPID, and storing the APPID.
In an embodiment, the processor 502 implements the step of issuing the ID credential information to the device, so that the device confirms data integrity and non-repudiation of the source of the ID credential information, and decrypts the ID credential information to obtain an APPID, and when the step of storing the APPID is implemented, the following steps are specifically implemented:
and issuing the ID certificate information to equipment so that the equipment verifies the ID certificate information through a server public key, when the ID certificate information is verified, decrypting the ID certificate information through a local symmetric key to obtain the AppID and plaintext data of a second timestamp, judging the legality of the second timestamp, and when the second timestamp is legal, storing the AppID.
In an embodiment, when implementing the step of generating the hardware factor knowledge challenge question corresponding to the interactive authentication request data, the processor 502 specifically implements the following steps:
decrypting the interactive authentication request data through a private key of the user to obtain an APPID and a ciphertext related to a third timestamp; determining the local symmetric key according to the APPID; decrypting ciphertext associated with a third timestamp using the local symmetric key; when the decryption is successful, verifying the validity of the third timestamp; and when the third timestamp is legal, randomly selecting a plurality of hardware names from the four hardware names of the mainboard serial number, the central processing unit CPUID, the MAC address and the hard disk serial number by adopting a random selection algorithm so as to generate a corresponding hardware factor knowledge challenge problem.
In an embodiment, when the processor 502 implements the steps of encrypting the hardware factor knowledge challenge problem to form a signature ciphertext and sending the signature ciphertext to the terminal to perform a response knowledge challenge according to the signature ciphertext and provide a corresponding hash certificate to generate a response ciphertext, the following steps are specifically implemented:
generating a one-time symmetric communication key and a fourth timestamp; encrypting the one-time symmetric key and the hardware factor knowledge challenge problem by using the local symmetric key to obtain ciphertext contents; performing data signature on the ciphertext content and the fourth timestamp by using a self key to obtain a signature ciphertext; and issuing the signature ciphertext to the device to enable the device to perform signature verification operation on the signature ciphertext by using the server public key to obtain the fourth time stamp and ciphertext content, decrypting the ciphertext content by using the local symmetric key when the time stamp is legal to obtain the one-time symmetric communication key and the hardware factor knowledge challenge problem, performing challenge response hash data of corresponding hardware according to the hardware factor knowledge challenge problem, generating a fifth time stamp, and encrypting the challenge response hash data and the fifth time stamp by using the one-time symmetric communication key to generate a response ciphertext.
In an embodiment, when implementing the authentication according to the response ciphertext and establishing the data interaction and communication step with the device when the authentication is passed, the processor 502 specifically implements the following steps:
decrypting the response ciphertext by using the one-time symmetric communication key to obtain the challenge response hash data and the fifth timestamp; performing validity verification on the fifth timestamp; when the fifth timestamp is legal, verifying whether the challenge response hash data is consistent with an actual answer of the hardware factor knowledge challenge question; and when the hash data of the challenge response is consistent with the actual answer of the hardware factor knowledge challenge question, determining that the equipment is legal registered equipment, and allowing the equipment to perform network access within the authentication validity period so as to construct data interaction and communication with the equipment.
It should be understood that in the embodiment of the present Application, the Processor 502 may be a Central Processing Unit (CPU), and the Processor 502 may also be other general-purpose processors, Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other Programmable logic devices, discrete Gate or transistor logic devices, discrete hardware components, and the like. Wherein a general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
It will be understood by those skilled in the art that all or part of the flow of the method implementing the above embodiments may be implemented by a computer program instructing associated hardware. The computer program includes program instructions, and the computer program may be stored in a storage medium, which is a computer-readable storage medium. The program instructions are executed by at least one processor in the computer system to implement the flow steps of the embodiments of the method described above.
Accordingly, the present invention also provides a storage medium. The storage medium may be a computer-readable storage medium. The storage medium stores a computer program, wherein the computer program, when executed by a processor, causes the processor to perform the steps of:
acquiring a device request; judging whether the equipment request is identity registration or not; if the equipment request is identity registration, hardware factor hash information from the equipment is acquired; issuing ID certificate information to equipment according to the hardware factor hash information so that the equipment confirms the data integrity and the source non-repudiation of the ID certificate information, decrypting the ID certificate information to obtain an APPID, and storing the APPID; if the equipment request is not identity registration, acquiring interactive authentication request data initiated by the equipment through an APPID; generating a corresponding hardware factor knowledge challenge problem for the interactive authentication request data; encrypting the hardware factor knowledge challenge problem to form a signature ciphertext, sending the signature ciphertext to the terminal to perform response knowledge challenge according to the signature ciphertext, providing a corresponding hash certificate to generate a response ciphertext to perform authentication according to the response ciphertext, and constructing data interaction and communication with equipment when the authentication is passed.
The hardware factor hash information comprises mainboard serial number hash data, central processing unit CPUID hash data, MAC address hash data and hard disk serial number hash data which are correspondingly generated after a mainboard serial number, a central processing unit CPUID hash data, an MAC address hash data and a hard disk serial number are collected by equipment, and information is formed after encryption operation is carried out by using a server public key in combination with a generated local symmetric key and a first timestamp.
In an embodiment, the processor implements the sending of the ID credential information to the device according to the hardware factor hash information by executing the computer program, so that the device confirms data integrity and non-repudiation of a source of the ID credential information, and decrypts the ID credential information to obtain an APPID, and when the step of storing the APPID is implemented, the following steps are specifically implemented:
decrypting the hardware factor hash information according to a private key of the hardware factor hash information to obtain mainboard serial number hash data, central processing unit CPUID hash data, MAC address hash data, hard disk serial number hash data, a local symmetric key and a first timestamp; when the first timestamp is legal, storing the mainboard serial number hash data, the central processing unit CPUID hash data, the MAC address hash data and the hard disk serial number hash data according to a specific storage sequence; saving the local symmetric key; generating an APP ID and a second timestamp; encrypting the APPID and the second timestamp according to the local symmetric key, and performing digital signature operation by using a private key of the APPID and the second timestamp to generate ID certificate information; and issuing ID certificate information to equipment to ensure that the equipment confirms the data integrity and the non-repudiation of the source of the ID certificate information, decrypting the ID certificate information to obtain an APPID, and storing the APPID.
In an embodiment, the processor executes the computer program to implement the issuing of the ID credential information to the device, so that the device confirms data integrity and non-repudiation of a source of the ID credential information, and decrypts the ID credential information to obtain an APPID, and stores the APPID, wherein the following steps are specifically implemented when the step is performed:
and issuing the ID certificate information to equipment so that the equipment verifies the ID certificate information through a server public key, when the ID certificate information is verified, decrypting the ID certificate information through a local symmetric key to obtain the AppID and plaintext data of a second timestamp, judging the legality of the second timestamp, and when the second timestamp is legal, storing the AppID.
In an embodiment, when the processor executes the computer program to implement the step of generating the hardware factor knowledge challenge question corresponding to the interactive authentication request data, the following steps are specifically implemented:
decrypting the interactive authentication request data through a private key of the user to obtain an APPID and a ciphertext related to a third timestamp; determining the local symmetric key according to the APPID; decrypting ciphertext associated with a third timestamp using the local symmetric key; when the decryption is successful, verifying the validity of the third timestamp; and when the third timestamp is legal, randomly selecting a plurality of hardware names from the four hardware names of the mainboard serial number, the central processing unit CPUID, the MAC address and the hard disk serial number by adopting a random selection algorithm so as to generate a corresponding hardware factor knowledge challenge problem.
In an embodiment, when the processor executes the computer program to implement the step of encrypting the hardware factor knowledge challenge problem to form a signature ciphertext and sends the signature ciphertext to enable the terminal to perform a response knowledge challenge according to the signature ciphertext and provide a corresponding hash certificate to generate a response ciphertext, the following steps are specifically implemented:
generating a one-time symmetric communication key and a fourth timestamp; encrypting the one-time symmetric key and the hardware factor knowledge challenge problem by using the local symmetric key to obtain ciphertext contents; performing data signature on the ciphertext content and the fourth timestamp by using a self key to obtain a signature ciphertext; and issuing the signature ciphertext to the device to enable the device to perform signature verification operation on the signature ciphertext by using the server public key to obtain the fourth time stamp and ciphertext content, decrypting the ciphertext content by using the local symmetric key when the time stamp is legal to obtain the one-time symmetric communication key and the hardware factor knowledge challenge problem, performing challenge response hash data of corresponding hardware according to the hardware factor knowledge challenge problem, generating a fifth time stamp, and encrypting the challenge response hash data and the fifth time stamp by using the one-time symmetric communication key to generate a response ciphertext.
In an embodiment, the processor implements the authentication according to the response ciphertext when executing the computer program, and specifically implements the following steps when constructing the data interaction and communication step with the device when the authentication passes:
decrypting the response ciphertext by using the one-time symmetric communication key to obtain the challenge response hash data and the fifth timestamp; performing validity verification on the fifth timestamp; when the fifth timestamp is legal, verifying whether the challenge response hash data is consistent with an actual answer of the hardware factor knowledge challenge question; and when the hash data of the challenge response is consistent with the actual answer of the hardware factor knowledge challenge question, determining that the equipment is legal registered equipment, and allowing the equipment to perform network access within the authentication validity period so as to construct data interaction and communication with the equipment.
The storage medium may be a usb disk, a removable hard disk, a Read-Only Memory (ROM), a magnetic disk, or an optical disk, which can store various computer readable storage media.
Those of ordinary skill in the art will appreciate that the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein may be embodied in electronic hardware, computer software, or combinations of both, and that the components and steps of the examples have been described in a functional general in the foregoing description for the purpose of illustrating clearly the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative. For example, the division of each unit is only one logic function division, and there may be another division manner in actual implementation. For example, various elements or components may be combined or may be integrated into another system, or some features may be omitted, or not implemented.
The steps in the method of the embodiment of the invention can be sequentially adjusted, combined and deleted according to actual needs. The units in the device of the embodiment of the invention can be merged, divided and deleted according to actual needs. In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a storage medium. Based on such understanding, the technical solution of the present invention essentially or partially contributes to the prior art, or all or part of the technical solution can be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a terminal, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention.
While the invention has been described with reference to specific embodiments, the invention is not limited thereto, and various equivalent modifications and substitutions can be easily made by those skilled in the art within the technical scope of the invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.