CN114374522B - Trusted device authentication method and device, computer device and storage medium - Google Patents

Trusted device authentication method and device, computer device and storage medium

Info

Publication number
CN114374522B
CN114374522B
Authority
CN
China
Prior art keywords
data
timestamp
hash
ciphertext
equipment
Prior art date
Legal status
Active
Application number
CN202210282480.XA
Other languages
Chinese (zh)
Other versions
CN114374522A (en)
Inventor
刘隽良
王月兵
柳遵梁
覃锦端
刘聪
Current Assignee
Hangzhou Meichuang Technology Co ltd
Original Assignee
Hangzhou Meichuang Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Hangzhou Meichuang Technology Co ltd
Priority to CN202210282480.XA
Publication of CN114374522A
Application granted
Publication of CN114374522B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002 Countermeasures against attacks on cryptographic mechanisms
    • H04L9/32 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Verification of identity or message authentication using cryptographic hash functions
    • H04L9/3247 Verification of identity or message authentication involving digital signatures
    • H04L9/3271 Verification of identity or message authentication using challenge-response
    • H04L9/3297 Verification of identity or message authentication involving time stamps, e.g. generation of time stamps
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network security protocols for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Confidential data exchange wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045 Confidential data exchange wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption

Abstract

An embodiment of the invention discloses a trusted device authentication method and apparatus, a computer device and a storage medium. The method comprises the following steps: acquiring a device request; judging whether the device request is an identity registration; if so, acquiring hardware factor hash information from the device and issuing ID credential information to the device, so that the device confirms the data integrity and source non-repudiation of the ID credential information, decrypts it to obtain an APPID, and stores the APPID; if not, acquiring interactive authentication request data initiated by the device with its APPID; generating a hardware factor knowledge challenge question for the interactive authentication request data; encrypting the question to form a signature ciphertext and sending the signature ciphertext to the terminal, so that the terminal answers the knowledge challenge according to the signature ciphertext and provides the corresponding hash proof to generate a response ciphertext; and authenticating according to the response ciphertext. The method of this embodiment protects the confidentiality and integrity of the data exchanged between the host and the server over the whole flow, from the registration stage to the authentication stage.

Description

Trusted device authentication method and device, computer device and storage medium
Technical Field
The present invention relates to the field of host security analysis technologies, and in particular, to a trusted device authentication method and apparatus, a computer device, and a storage medium.
Background
Mobile devices are now widespread, but device security must increasingly be considered in many scenarios, especially when a device accesses a server. Ensuring that only legitimate, trusted terminal devices access the server is the basis on which the server can safely provide services to the outside, so trusted-device authentication is particularly important.
Many current security architectures rely on an OS plus SE (secure element chip) to protect data stored on the device and to implement secure encrypted communication; however, this solution is not very practical. Another approach selects device fingerprint information: the fingerprint collected by the mobile terminal is set as the identity public key under an identity-based cryptosystem, the corresponding private key is generated, and the mobile device's encrypted authentication data is verified at login. The device fingerprint used in that method is the unique device identifier assigned during manufacture of the mobile terminal. Because that approach uses the device fingerprint as a public key under identity-based cryptography, and the fingerprint is hardware information fixed during manufacture, it lacks generality in practical applications and is easy to forge, so the identification of the trusted device fails.
A new method is therefore needed that protects the security and integrity of the data exchanged between the host (the trusted device) and the server over the whole process from the registration stage to the authentication stage.
Disclosure of Invention
The invention aims to overcome the defects of the prior art by providing a trusted device authentication method and apparatus, a computer device and a storage medium.
To that end, the invention adopts the following technical scheme: a trusted device authentication method, comprising:
acquiring a device request;
judging whether the device request is an identity registration;
if the device request is an identity registration, acquiring hardware factor hash information from the device;
issuing ID credential information to the device according to the hardware factor hash information, so that the device confirms the data integrity and source non-repudiation of the ID credential information, decrypts it to obtain an APPID, and stores the APPID;
if the device request is not an identity registration, acquiring interactive authentication request data initiated by the device with its APPID;
generating a corresponding hardware factor knowledge challenge question for the interactive authentication request data;
encrypting the hardware factor knowledge challenge question to form a signature ciphertext, and sending the signature ciphertext so that the device answers the knowledge challenge according to the signature ciphertext and provides the corresponding hash proof to generate a response ciphertext;
and performing authentication according to the response ciphertext, and establishing data interaction and communication with the device when the authentication passes.
In a further technical scheme, the hardware factor hash information comprises the mainboard serial number hash data, CPUID hash data, MAC address hash data and hard disk serial number hash data that the device generates after collecting its mainboard serial number, CPUID, MAC address and hard disk serial number, together with a generated local symmetric key and a first timestamp, all encrypted with the server public key.
In a further technical scheme, issuing the ID credential information to the device according to the hardware factor hash information, so that the device confirms the data integrity and source non-repudiation of the ID credential information, decrypts it to obtain the APPID and stores the APPID, comprises:
decrypting the hardware factor hash information with the server's own private key to obtain the mainboard serial number hash data, CPUID hash data, MAC address hash data, hard disk serial number hash data, the local symmetric key and the first timestamp;
when the first timestamp is valid, storing the mainboard serial number hash data, CPUID hash data, MAC address hash data and hard disk serial number hash data in a fixed storage order;
saving the local symmetric key;
generating an APPID and a second timestamp;
encrypting the APPID and the second timestamp with the local symmetric key, and applying a digital signature with the server's own private key to generate the ID credential information;
and issuing the ID credential information to the device, so that the device confirms the data integrity and source non-repudiation of the ID credential information, decrypts it to obtain the APPID, and stores the APPID.
In a further technical scheme, issuing the ID credential information to the device so that the device confirms its data integrity and source non-repudiation, decrypts it to obtain the APPID and stores the APPID comprises:
issuing the ID credential information to the device, so that the device verifies the ID credential information with the server public key; when the verification passes, decrypting the ID credential information with the local symmetric key to obtain the plaintext APPID and second timestamp; judging the validity of the second timestamp; and storing the APPID when the second timestamp is valid.
In a further technical scheme, generating the corresponding hardware factor knowledge challenge question for the interactive authentication request data comprises:
decrypting the interactive authentication request data with the server's own private key to obtain the APPID and a ciphertext carrying a third timestamp;
determining the local symmetric key according to the APPID;
decrypting the ciphertext carrying the third timestamp with the local symmetric key;
when the decryption succeeds, verifying the validity of the third timestamp;
and when the third timestamp is valid, randomly selecting several hardware names from the four hardware names mainboard serial number, CPUID, MAC address and hard disk serial number with a random selection algorithm, so as to generate the corresponding hardware factor knowledge challenge question.
In a further technical scheme, encrypting the hardware factor knowledge challenge question to form a signature ciphertext and sending the signature ciphertext, so that the device answers the knowledge challenge according to the signature ciphertext and provides the corresponding hash proof to generate a response ciphertext, comprises:
generating a one-time symmetric communication key and a fourth timestamp;
encrypting the one-time symmetric communication key and the hardware factor knowledge challenge question with the local symmetric key to obtain ciphertext content;
signing the ciphertext content and the fourth timestamp with the server's own key to obtain the signature ciphertext;
and issuing the signature ciphertext to the device, so that the device verifies the signature with the server public key to obtain the fourth timestamp and the ciphertext content; when the timestamp is valid, decrypts the ciphertext content with the local symmetric key to obtain the one-time symmetric communication key and the hardware factor knowledge challenge question; computes the challenge response hash data of the corresponding hardware according to the challenge question; generates a fifth timestamp; and encrypts the challenge response hash data and the fifth timestamp with the one-time symmetric communication key to generate the response ciphertext.
In a further technical scheme, performing authentication according to the response ciphertext and establishing data interaction and communication with the device when the authentication passes comprises:
decrypting the response ciphertext with the one-time symmetric communication key to obtain the challenge response hash data and the fifth timestamp;
verifying the validity of the fifth timestamp;
when the fifth timestamp is valid, verifying whether the challenge response hash data matches the actual answer to the hardware factor knowledge challenge question;
and when the challenge response hash data matches the actual answer to the hardware factor knowledge challenge question, determining that the device is a legitimately registered device and allowing it network access within the authentication validity period, so as to establish data interaction and communication with the device.
The invention also provides a trusted device authentication apparatus, comprising:
a device request acquisition unit, configured to acquire a device request;
a judging unit, configured to judge whether the device request is an identity registration;
a hash information acquisition unit, configured to acquire hardware factor hash information from the device if the device request is an identity registration;
an ID processing unit, configured to issue ID credential information to the device according to the hardware factor hash information, so that the device confirms the data integrity and source non-repudiation of the ID credential information, decrypts it to obtain an APPID, and stores the APPID;
an authentication data acquisition unit, configured to acquire interactive authentication request data initiated by the device with its APPID if the device request is not an identity registration;
a question generation unit, configured to generate a corresponding hardware factor knowledge challenge question for the interactive authentication request data;
a question processing unit, configured to encrypt the hardware factor knowledge challenge question to form a signature ciphertext and send the signature ciphertext, so that the device answers the knowledge challenge according to the signature ciphertext and provides the corresponding hash proof to generate a response ciphertext;
and an authentication unit, configured to perform authentication according to the response ciphertext and establish data interaction and communication with the device when the authentication passes.
The invention also provides a computer device comprising a memory and a processor, the memory storing a computer program, and the processor implementing the above method when executing the computer program.
The invention also provides a storage medium storing a computer program which, when executed by a processor, implements the above method.
Compared with the prior art, the invention has the following beneficial effects. In both the registration stage and the authentication stage, the device submits multi-factor hardware hash information as the basis of its legitimacy, and the server verifies the device's trustworthiness by a knowledge-proof, challenge-response method. Symmetric and asymmetric cryptosystems are used throughout to encrypt the exchanged data, ensuring confidentiality over the whole flow; key data is signed with an asymmetric digital signature, ensuring integrity and non-repudiation; a timestamp verification mechanism is introduced to resist replay attacks; and a question randomization mechanism in the knowledge-proof, challenge-response verification raises the difficulty of guessing and prevents replay and forgery. Confidentiality and integrity protection of the data exchanged between the trusted device (the host) and the server is thus achieved over the whole process from the registration stage to the authentication stage.
The invention is further described below with reference to the figures and the specific embodiments.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic view of an application scenario of a trusted device authentication method according to an embodiment of the present invention;
fig. 2 is a schematic flowchart of a trusted device authentication method according to an embodiment of the present invention;
fig. 3 is a schematic sub-flow diagram of a trusted device authentication method according to an embodiment of the present invention;
fig. 4 is a sub-flow diagram of a trusted device authentication method according to an embodiment of the present invention;
fig. 5 is a schematic sub-flow diagram of a trusted device authentication method according to an embodiment of the present invention;
fig. 6 is a schematic sub-flow diagram of a trusted device authentication method according to an embodiment of the present invention;
fig. 7 is a schematic block diagram of an authentication apparatus for a trusted device according to an embodiment of the present invention;
fig. 8 is a schematic block diagram of an ID processing unit of the trusted device authentication apparatus according to an embodiment of the present invention;
fig. 9 is a schematic block diagram of a question generation unit of a trusted device authentication apparatus according to an embodiment of the present invention;
fig. 10 is a schematic block diagram of a question processing unit of a trusted device authentication apparatus according to an embodiment of the present invention;
fig. 11 is a schematic block diagram of an authentication unit of a trusted device authentication apparatus according to an embodiment of the present invention;
fig. 12 is a schematic block diagram of a computer device provided by an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings; the described embodiments are some, but not all, of the embodiments of the present invention. All other embodiments obtained by a person skilled in the art from these embodiments without creative effort fall within the protection scope of the present invention.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting. As used in this specification and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be further understood that the term "and/or" as used in this specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items and includes such combinations.
Referring to fig. 1 and fig. 2, fig. 1 is a schematic view of an application scenario of a trusted device authentication method according to an embodiment of the present invention, and fig. 2 is a schematic flowchart of that method. The trusted device authentication method is applied to a control server (the server side), which exchanges data with devices. Based on SDP (Software Defined Perimeter) technology, the server obtains the hardware factor hash information of the host side (the devices) and uses it as a knowledge proof to challenge the devices' communication requests, judging the hardware-level legitimacy of the device from which an information exchange request originates; at the same time, the whole-process confidential communication algorithm protects the confidentiality and integrity of the data exchanged between host and server over the entire process from the registration stage to the authentication stage.
SDP is an emerging technical idea within the zero trust security architecture: following the zero trust principle, a core control component is designed to evaluate, authenticate and authorize all access requests, thereby achieving access control. SDP provides zero visibility and zero connectivity to the outside, and a connection is established only after an endpoint proves it can be trusted, so only legitimate traffic is allowed through; with this approach essentially all network-based attacks can be prevented. Since zero trust security technology rose to prominence in China in 2018 it has been widely discussed, but a mature implementation algorithm is still lacking.
Fig. 2 is a schematic flowchart of a trusted device authentication method according to an embodiment of the present invention. As shown in fig. 2, the method includes the following steps S110 to S180.
S110, acquiring the device request.
In this embodiment, the device request is an operation request initiated by the device to the server; it may be a registration request or an authentication request, where a registration request performs identity registration and an authentication request performs identity authentication in order to establish data interaction with the server.
S120, judging whether the device request is an identity registration;
S130, if the device request is an identity registration, acquiring hardware factor hash information from the device.
In this embodiment, identity registration and identity authentication requests carry distinguishing features, so the type of a device request can be determined quickly.
In addition, the hardware factor hash information comprises the mainboard serial number hash data, CPUID hash data, MAC address hash data and hard disk serial number hash data that the device generates after collecting its mainboard serial number, CPUID, MAC address and hard disk serial number, together with a generated local symmetric key and a first timestamp, all encrypted with the server public key.
The hardware factor hash information collection system is implemented by installing agent software on each host; the collected hardware factors are: the mainboard serial number; the CPUID; the MAC address; the hard disk serial number. The agent collects the raw information and, in collection order, generates the mainboard serial number hash data H1, the CPUID hash data H2, the MAC address hash data H3 and the hard disk serial number hash data H4. It then generates a local symmetric key Pk and a first timestamp Ts1, encrypts the hardware factor hashes, the agent's local symmetric key Pk and the first timestamp Ts1 with the server public key Pubs, and transmits the resulting hardware factor hash information to the server.
For example, the agent collects the following data: mainboard serial number: LNVNB16121X; CPUID: BFEBFBFF000706E3; MAC address: 00-50-56-C0-00-0C; hard disk serial number: {D9F517E0-2009-41C1-87FB-41B85CB77E46}. From the raw information the agent generates, in collection order, the mainboard serial number hash H1: a47cf540514940120eee3687934ed57e, the CPUID hash H2: 6bca25821036fab866b33643c8d7301f, the MAC address hash H3: 3388b51c9a63626681dcbd11dd15735b and the hard disk serial number hash H4: b901d0043a978b3d1d29e1ee2f7666e1. It generates the local symmetric key Pk: GY4OPOchTm4t0/ye and the first timestamp Ts1, encrypts the hardware factor hashes, the agent's local symmetric key Pk and the first timestamp Ts1 with the server public key Pubs to form the hardware factor hash information PubsEnc(H1, H2, H3, H4, Ts1, Pk), and transmits it to the server.
In this embodiment the agent is correctly installed on the client host, the hash algorithm is MD5, the symmetric algorithm is AES, the asymmetric algorithm is RSA, and the authentication validity period T is 60 minutes.
The server public key Pubs is as follows:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKqL5COYbYfHWUY9NWyDn6Y++o
44k71KccoiIovosOKYuAXsRHuNoftjPV866U5kzvBZ3qncEyw4/PlC//h7Bs+d0a
GQcxsak7kAHLc//FXWOF8qSunCY5TlMjZo6pYeVTTmKZ/wBlQ/vrhfDTWxqY87Fo
WMjsswFqFIBWdgQhFQIDAQAB
-----END PUBLIC KEY-----
The server's own private key Pris is as follows:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIqdI5vNdzoIkCAggA
MBQGCCqGSIb3DQMHBAh8qgIlqt0/4gSCAoBjGXY/HlIz7JQaALdAxOK1QfbMoCj1
A8pkXS0er6Y/8Wl8oi4Oz9z38v+xR5dIgcmEtTnn7hGon2ouQSVUekyhotzyQEzx
zmJNoYYK2piw138oqCCmhE8M0Qm7wzImSD8yxqPbBC5b8b/RW9Aashv2nbnf5v1Z
G0OhxYix/e9Z8Qce5d8Ug3aqNXy7h/sReh4ltAB9qeeh6IvzsJpY4v4w7OYhs1jx
SG6vQtzsoISQYbHIIQOUAtbJI2PhpOzIqT++sMxfq8yYI+af7NpHpfjc256jr2xl
+M8N2fQiJvcoSSn3aG34FC/wzHnHAaq+jaCYQJbucQ7eFThP08gJoAd3FRfnSQ46
BulLzFr9XmqAiBKNiu2fUS0xO41deTCh0KUh70NVHm1QwqaAuQwwDox3w4wyXepE
7rNACFguIs+/nbf+C8sK9+Qq8XYDWBa/ZEQ4NKQDT14cSvXBMjP4M0T+kUl0BJGr
WyP9mEmNFLqQH+d0wImP/MoNL6H7di1V/a1ZPasj89IFn6U1E72v9NQXb3tFCC5I
w+1NFq93BzDtTx9LhXAG3hDzAT140OrVXg7ZASWKBsy6rR36FEq/CLxSwZ8u4E1k
r2I4UVxIHSwO48IhDx9jl1+ZkeEYgBdqCOa6HUe/DjYXdCYr99P6UDhTB2Yfrwh/
9le6nlA6BF34xCFJjLIxfqIiIeILRM/C8tHTap5GnJqG50+YacSu/dI7G69QHUC+
Sts16h9JCTSdMo6AVSnn//5fRvqd/tu7pj8FD75kbIVHKwS6ABeRla3bgSeQBFiz
FYG6Hu+rz7iQ/gyLIMyFY4bPnFh0VP4IS1an7pYFFTPIvWTVeecJvorO
-----END ENCRYPTED PRIVATE KEY-----
and S140, sending ID certificate information to equipment according to the hardware factor hash information so that the equipment confirms the data integrity and the non-repudiation of the source of the ID certificate information, decrypting the ID certificate information to obtain an APPID, and storing the APPID.
In this embodiment, the ID credential information is the content formed by encrypting the APPID and the second timestamp with the local symmetric key and then applying a digital signature with the server's own private key.
In an embodiment, referring to fig. 3, the step S140 may include steps S141 to S146.
S141, decrypting the hardware factor hash information with the server's own private key, thereby obtaining the mainboard serial number hash data, the central processing unit CPUID hash data, the MAC address hash data, the hard disk serial number hash data, the local symmetric key and the first timestamp.
In this embodiment, after the server obtains the hardware factor hash information PubsEnc(H1, H2, H3, H4, Ts1, Pk) uploaded by the agent, it performs the decryption operation PrisDec(H1, H2, H3, H4, Ts1, Pk) with its own private key Pris, thereby obtaining the plaintext of H1-H4, the local symmetric key Pk and the first timestamp Ts1.
And S142, when the first time stamp is legal, storing the mainboard serial number hash data, the central processing unit CPUID hash data, the MAC address hash data and the hard disk serial number hash data according to a specific storage sequence.
In this embodiment, when the first timestamp is legal, the hash data corresponding to H1-H4 is stored in the order of "motherboard serial number, central processing unit CPUID, MAC address, and hard disk serial number", and the agent symmetric key Pk is stored.
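The registration exchange of S130 and S141 to S143, as an added worked example in Go; this is not the patent's own code. The agent hashes the four factors with MD5, draws Pk and Ts1, and seals the record under Pubs; the server decrypts it with Pris and checks Ts1 before it stores H1-H4 and Pk. The fixed 88-byte wire layout, the RSA-OAEP padding, the AES-128 size of Pk and the clock tolerance `skew` are assumptions of this example; the page names only MD5, AES and RSA.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// HardwareFactors holds the four raw identifiers the agent collects in S130.
type HardwareFactors struct{ Mainboard, CPUID, MAC, Disk string }

// HashInfo is the plaintext of PubsEnc(H1, H2, H3, H4, Ts1, Pk); after S141..S143 the server keeps H and Pk.
type HashInfo struct {
	H   [4][16]byte // H1..H4: MD5 of each factor in the fixed order mainboard, CPUID, MAC, disk
	Ts1 int64       // first timestamp, Unix seconds
	Pk  [16]byte    // agent's local symmetric key (AES-128 size is our assumption)
}

var ErrTimestamp = errors.New("timestamp outside the accepted window")

// NewServerKey generates the server key pair (Pubs, Pris).
func NewServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// HashFactors computes H1..H4 with MD5, the hash algorithm the embodiment names.
func HashFactors(f HardwareFactors) [4][16]byte {
	return [4][16]byte{md5.Sum([]byte(f.Mainboard)), md5.Sum([]byte(f.CPUID)),
		md5.Sum([]byte(f.MAC)), md5.Sum([]byte(f.Disk))}
}

// encode/decode use a fixed 4*16 + 8 + 16 = 88-byte layout (our assumption) so the record fits one RSA-OAEP block.
func encode(in HashInfo) []byte {
	buf := make([]byte, 88)
	for i, h := range in.H {
		copy(buf[i*16:], h[:])
	}
	binary.BigEndian.PutUint64(buf[64:], uint64(in.Ts1))
	copy(buf[72:], in.Pk[:])
	return buf
}

func decode(b []byte) (out HashInfo, err error) {
	if len(b) != 88 {
		return out, errors.New("malformed hardware factor hash information")
	}
	for i := range out.H {
		copy(out.H[i][:], b[i*16:])
	}
	out.Ts1 = int64(binary.BigEndian.Uint64(b[64:]))
	copy(out.Pk[:], b[72:])
	return out, nil
}

// TimestampValid is the page's "timestamp is legal" test; it states no tolerance, so skew is assumed.
func TimestampValid(ts int64, now time.Time, skew time.Duration) bool {
	t := time.Unix(ts, 0)
	return !t.Before(now.Add(-skew)) && !t.After(now.Add(skew))
}

// BuildRegistration is the agent side of S130: hash the factors, draw a fresh Pk and Ts1, and seal
// the record under Pubs. The page only says "RSA"; RSA-OAEP is our choice over PKCS#1 v1.5 encryption.
func BuildRegistration(f HardwareFactors, pubs *rsa.PublicKey, now time.Time) (ct []byte, pk [16]byte, err error) {
	if _, err = rand.Read(pk[:]); err != nil {
		return nil, pk, err
	}
	plain := encode(HashInfo{H: HashFactors(f), Ts1: now.Unix(), Pk: pk})
	ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pubs, plain, nil)
	return ct, pk, err
}

// ServerRegister is S141..S143: PrisDec the record and check Ts1 before anything is stored.
func ServerRegister(ct []byte, pris *rsa.PrivateKey, now time.Time, skew time.Duration) (HashInfo, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, pris, ct, nil)
	if err != nil {
		return HashInfo{}, err
	}
	info, err := decode(plain)
	if err != nil {
		return HashInfo{}, err
	}
	if !TimestampValid(info.Ts1, now, skew) {
		return HashInfo{}, ErrTimestamp // stale or replayed registration: store nothing
	}
	return info, nil
}

func main() {
	pris, _ := NewServerKey()
	f := HardwareFactors{"LNVNB16121X", "BFEBFBFF000706E3", "00-50-56-C0-00-0C", "{D9F517E0-2009-41C1-87FB-41B85CB77E46}"} // values quoted on the page
	now := time.Now()
	ct, _, _ := BuildRegistration(f, &pris.PublicKey, now)
	_, err := ServerRegister(ct, pris, now.Add(5*time.Second), time.Minute)
	fmt.Println("fresh registration accepted:", err == nil)
	_, err = ServerRegister(ct, pris, now.Add(time.Hour), time.Minute)
	fmt.Println("replayed registration rejected:", err == ErrTimestamp)
}
```

A stale Ts1 is rejected before anything is written, which is what makes the first timestamp a replay defence at this step. Note that the MD5 values are fingerprints of low-entropy identifiers, so the confidentiality of the record rests entirely on the RSA encryption, not on the hash.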
S143, saving the local symmetric key;
S144, generating an APPID and a second timestamp;
S145, encrypting the APPID and the second timestamp according to the local symmetric key, and performing a digital signature operation with the server's own private key to generate ID credential information.
Specifically, the server generates a unique AppID: 2SQ33EU1 and a second timestamp Ts2, and encrypts the AppID and the second timestamp Ts2 through a local symmetric key Pk, and finally performs a digital signature operation by using a server private key Pris to form ID credential information PrisEnc (PkEnc (AppID, Ts2)), and sends the ID credential information to the current agent.
And S146, issuing the ID certificate information to the equipment so that the equipment confirms the data integrity and the non-repudiation of the source of the ID certificate information, decrypting the ID certificate information to obtain an APPID, and storing the APPID.
Specifically, the ID credential information is issued to the device so that the device verifies the ID credential information through a server public key, when the ID credential information is verified, the ID credential information is decrypted through a local symmetric key to obtain the AppID and plaintext data of the second timestamp, the validity of the second timestamp is judged, and when the second timestamp is legal, the AppID is stored.
After the agent acquires the ID credential information PrisEnc(PkEnc(AppID, Ts2)) from the server, it performs the signature verification and decryption operations PubsDec(PkDec(AppID, Ts2)) as follows: first the signature is verified with the server public key Pubs, confirming the integrity of the data and the non-repudiation of its source; then the data is decrypted with the local symmetric key Pk, yielding the AppID and the plaintext of the second timestamp Ts2; the legitimacy of the second timestamp Ts2 is judged, and if Ts2 is legal the AppID is stored and serves as the identity credential for subsequent interactive authentication with the server.
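The credential issue and acceptance of S144 to S146, as an added Go example; this is not the patent's own code. The server encrypts AppID and Ts2 with Pk and then signs the ciphertext with Pris; the agent verifies the signature under Pubs before it touches the ciphertext, then decrypts with Pk and checks Ts2. AES-GCM as the AES mode, RSA-PSS over SHA-256 as the signature, the `Ts2 || AppID` plaintext layout and the tolerance `skew` are assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Credential is the wire form of PrisEnc(PkEnc(AppID, Ts2)).
type Credential struct {
	Body []byte // PkEnc(AppID, Ts2): AES-GCM nonce || ciphertext || tag over "Ts2 || AppID"
	Sig  []byte // RSA-PSS signature by Pris over SHA-256(Body)
}

var ErrSignature = errors.New("credential signature does not verify under Pubs")
var ErrTimestamp = errors.New("timestamp outside the accepted window")

// NewServerKey generates the server key pair (Pubs, Pris).
func NewServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// gcmFor builds the AES cipher for Pk; the page says only "AES", the authenticated GCM mode is our choice.
func gcmFor(pk []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pk)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// pkEnc is PkEnc with a fresh random nonce prefixed to the ciphertext.
func pkEnc(pk, plain []byte) ([]byte, error) {
	gcm, err := gcmFor(pk)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// pkDec is PkDec; it fails on a wrong key or on any modified byte.
func pkDec(pk, ct []byte) ([]byte, error) {
	gcm, err := gcmFor(pk)
	if err != nil || len(ct) < gcm.NonceSize() {
		return nil, errors.New("bad key or ciphertext too short")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

// IssueCredential is S144/S145 on the server: encrypt AppID and Ts2 with Pk, then sign the ciphertext with Pris.
func IssueCredential(appID string, pk []byte, pris *rsa.PrivateKey, now time.Time) (Credential, error) {
	plain := make([]byte, 8+len(appID))
	binary.BigEndian.PutUint64(plain, uint64(now.Unix()))
	copy(plain[8:], appID)
	body, err := pkEnc(pk, plain)
	if err != nil {
		return Credential{}, err
	}
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, pris, crypto.SHA256, digest[:], nil)
	return Credential{Body: body, Sig: sig}, err
}

// AcceptCredential is S146 on the agent: verify the signature under Pubs first (integrity and origin),
// only then decrypt with Pk and check Ts2 against the assumed tolerance skew; the AppID is returned for storage.
func AcceptCredential(c Credential, pubs *rsa.PublicKey, pk []byte, now time.Time, skew time.Duration) (string, error) {
	digest := sha256.Sum256(c.Body)
	if rsa.VerifyPSS(pubs, crypto.SHA256, digest[:], c.Sig, nil) != nil {
		return "", ErrSignature
	}
	plain, err := pkDec(pk, c.Body)
	if err != nil {
		return "", err
	}
	if len(plain) < 8 {
		return "", errors.New("malformed credential")
	}
	ts2 := time.Unix(int64(binary.BigEndian.Uint64(plain)), 0)
	if ts2.Before(now.Add(-skew)) || ts2.After(now.Add(skew)) {
		return "", ErrTimestamp
	}
	return string(plain[8:]), nil
}

func main() {
	pris, _ := NewServerKey()
	pk := []byte("GY4OPOchTm4t0/ye") // the 16-byte Pk quoted on the page, used here as an AES-128 key
	cred, _ := IssueCredential("2SQ33EU1", pk, pris, time.Now())
	appID, err := AcceptCredential(cred, &pris.PublicKey, pk, time.Now(), time.Minute)
	fmt.Println("stored AppID:", appID, "err:", err)
}
```

Verifying the signature first means a forged or altered credential is rejected without Pk ever being used, which is the order the page prescribes: integrity and source are confirmed, then the content is decrypted, then the second timestamp is judged.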
S150, if the equipment request is not identity registration, acquiring interactive authentication request data initiated by the equipment through an APPID.
In this embodiment, the interactive authentication request data is formed as follows: when the device where the agent is located needs to initiate a network access communication request, that is, identity authentication, it initiates a device authentication application to the server, generates a third timestamp Ts3, encrypts the third timestamp Ts3 with the local symmetric key to obtain the encrypted content PkEnc(Ts3), and encrypts the encrypted content together with the AppID using the server public key Pubs to obtain the ciphertext result PubsEnc(AppID, PkEnc(Ts3)); the device transmits the ciphertext result PubsEnc(AppID, PkEnc(Ts3)) to the server.
And S160, generating a corresponding hardware factor knowledge challenge problem for the interactive authentication request data.
In this embodiment, the hardware factor knowledge challenge problem refers to a problem that an agent is required to submit hash data of a corresponding hardware factor according to a hardware name.
In an embodiment, referring to fig. 4, the step S160 may include steps S161 to S165.
S161, decrypting the interactive authentication request data through a private key of the server to obtain an APPID and a ciphertext related to a third timestamp;
S162, determining the local symmetric key according to the APPID;
S163, decrypting the ciphertext related to the third timestamp by using the local symmetric key;
S164, when the decryption is successful, verifying the validity of the third timestamp;
and S165, when the third time stamp is legal, randomly selecting a plurality of hardware names from the four hardware names of the mainboard serial number, the central processing unit CPUID, the MAC address and the hard disk serial number by adopting a random selection algorithm so as to generate a corresponding hardware factor knowledge challenge problem.
Specifically, when the server obtains the interactive authentication request data PubsEnc(AppID, PkEnc(Ts3)) initiated by the agent, it decrypts the data with its private key Pris to obtain the AppID plaintext and the ciphertext PkEnc(Ts3), looks up the locally stored local symmetric key Pk corresponding to the AppID, and decrypts the ciphertext PkEnc(Ts3) with that key. If the plaintext of the third timestamp Ts3 is obtained successfully, the AppID is proved to match the local symmetric key Pk, and the validity of the third timestamp Ts3 is then verified. If the third timestamp Ts3 is legal, a random selection algorithm Random() selects several of the four hardware names (mainboard serial number, central processing unit CPUID, MAC address and hard disk serial number) as the knowledge challenge problem Random(H1-H4), so that the agent must submit the hash data of the corresponding hardware factors according to the hardware names. The number of knowledge items extracted by the random selection algorithm Random() can be set manually; by default 1 to 3 hardware names are selected at random.
For example: the server obtains the interactive authentication request data PubsEnc(AppID, PkEnc(Ts3)) initiated by the agent, decrypts it with its private key Pris to obtain the AppID plaintext and the PkEnc(Ts3) ciphertext, looks up the locally stored local symmetric key Pk corresponding to the AppID, decrypts the PkEnc(Ts3) ciphertext with that key and successfully obtains the plaintext of the third timestamp Ts3, which proves that the AppID matches the local symmetric key Pk; it verifies that the third timestamp Ts3 is current, so Ts3 is legal, and the random selection algorithm Random() selects two of the four hardware names (mainboard serial number, central processing unit CPUID, MAC address and hard disk serial number), namely the mainboard serial number and the MAC address, as the knowledge challenge problem Random(H1-H4); the agent must submit the corresponding hardware factor hash data according to these hardware names.
S170, encrypting the hardware factor knowledge challenge problem to form a signature ciphertext, sending the signature ciphertext to enable the equipment to perform response knowledge challenge according to the signature ciphertext, and providing a corresponding hash certificate to generate a response ciphertext.
In this embodiment, the response ciphertext refers to a ciphertext formed by performing a response knowledge challenge and generating a corresponding hash certificate according to the signature ciphertext.
In an embodiment, referring to fig. 4, the step S170 may include steps S171 to S174.
And S171, generating a one-time symmetric communication key and a fourth timestamp.
In the present embodiment, the one-time symmetric communication key refers to a key used for symmetric communication.
S172, encrypting the one-time symmetric communication key and the hardware factor knowledge challenge problem by using the local symmetric key to obtain ciphertext contents.
In this embodiment, the ciphertext content is the content formed by encrypting the one-time symmetric key and the hardware factor knowledge challenge problem with the local symmetric key.
And S173, performing data signature on the ciphertext content and the fourth timestamp by using the self key to obtain a signature ciphertext.
In this embodiment, the signature ciphertext refers to a content obtained by performing data signature on the ciphertext content and the fourth timestamp by using a self key.
And S174, issuing the signature ciphertext to the device to enable the device to perform signature verification operation on the signature ciphertext by using the server public key to obtain the fourth time stamp and ciphertext content, decrypting the ciphertext content by using the local symmetric key when the time stamp is legal to obtain the disposable symmetric communication key and the hardware factor knowledge challenge problem, performing challenge response hash data of corresponding hardware according to the hardware factor knowledge challenge problem, generating a fifth time stamp, and encrypting the challenge response hash data and the fifth time stamp by using the disposable symmetric communication key to generate a response ciphertext.
Specifically, when the selection of the hardware factor knowledge challenge problem Random(H1-H4) is completed, the server generates a one-time symmetric communication key Challenge and a fourth timestamp Ts4, encrypts the one-time symmetric communication key Challenge and the hardware factor knowledge challenge problem Random(H1-H4) with the agent's local symmetric key Pk to obtain the ciphertext PkEnc(Challenge, Random(H1-H4)), digitally signs that ciphertext and the fourth timestamp Ts4 with the server private key Pris to obtain the signature ciphertext PrisEnc(PkEnc(Challenge, Random(H1-H4)), Ts4), and sends it to the agent. The agent receives the signature ciphertext PrisEnc(PkEnc(Challenge, Random(H1-H4)), Ts4) from the server, first performs the signature verification operation PubsDec(PkEnc(Challenge, Random(H1-H4)), Ts4) with the server public key Pubs, obtains the plaintext of the fourth timestamp Ts4 and the ciphertext PkEnc(Challenge, Random(H1-H4)), confirms the validity of the fourth timestamp Ts4, performs the decryption operation PkDec(Challenge, Random(H1-H4)) with the local symmetric key Pk, obtains the one-time symmetric communication key Challenge and the hardware knowledge challenge question Random(H1-H4), prepares the challenge response hash data Ans(H1-H4) of the corresponding hardware according to the hardware names required by Random(H1-H4), generates a fifth timestamp Ts5, encrypts Ans(H1-H4) and Ts5 with the one-time symmetric communication key Challenge to obtain the response ciphertext ChallengeEnc(Ans(H1-H4), Ts5), and sends the response ciphertext to the server.
In this embodiment, a one-time symmetric communication key Challenge: s338j2E4 and a fourth timestamp Ts4 are generated; the one-time symmetric communication key Challenge and Random(H1-H4) are encrypted with the agent's local symmetric key Pk to obtain the ciphertext PkEnc(Challenge, Random(H1-H4)), the ciphertext and the timestamp Ts4 are digitally signed with the server's own private key Pris to obtain the signature ciphertext PrisEnc(PkEnc(Challenge, Random(H1-H4)), Ts4), and the signature ciphertext is sent to the agent.
The agent receives the signature ciphertext PrisEnc(PkEnc(Challenge, Random(H1-H4)), Ts4) from the server, first performs the signature verification operation PubsDec(PkEnc(Challenge, Random(H1-H4)), Ts4) with the server public key Pubs, obtains the plaintext of the fourth timestamp Ts4 and the ciphertext PkEnc(Challenge, Random(H1-H4)), confirms that the fourth timestamp Ts4 is current, then performs the decryption operation PkDec(Challenge, Random(H1-H4)) with the local symmetric key Pk, obtains the one-time symmetric communication key Challenge and the random hardware name challenge problem Random(H1-H4), and, according to the hardware names required by Random(H1-H4), "mainboard serial number, MAC address", prepares the challenge response hash data of the corresponding hardware, "a47cf540514940120eee3687934ed57e, 3388b51c9a63626681dcbd11dd15735b", as Ans(H1-H4), generates a fifth timestamp Ts5, encrypts Ans(H1-H4) and Ts5 with the one-time symmetric communication key Challenge to obtain the response ciphertext ChallengeEnc(Ans(H1-H4), Ts5), and sends the response ciphertext to the server.
And S180, authenticating according to the response ciphertext, and constructing data interaction and communication with the equipment when the authentication is passed.
In an embodiment, referring to fig. 6, the step S180 may include steps S181 to S184.
S181, decrypting the response ciphertext by using the one-time symmetric communication key to obtain the challenge response hash data and the fifth timestamp;
S182, verifying the validity of the fifth timestamp;
S183, when the fifth time stamp is legal, verifying whether the challenge response hash data is consistent with an actual answer of the hardware factor knowledge challenge question or not;
S184, when the challenge response hash data is consistent with the actual answer of the hardware factor knowledge challenge question, determining that the equipment is legal registered equipment, and allowing the equipment to perform network access within the authentication validity period so as to construct data interaction and communication with the equipment.
In this embodiment, the server receives the response ciphertext ChallengeEnc(Ans(H1-H4), Ts5) from the device, performs the decryption operation ChallengeDec(Ans(H1-H4), Ts5) with the one-time symmetric communication key, obtains the plaintext of the challenge response hash data Ans(H1-H4) and the fifth timestamp Ts5, verifies the validity of the fifth timestamp Ts5, and verifies whether the challenge response hash data provided in Ans(H1-H4) matches the actual answer to the hardware factor knowledge challenge question Random(H1-H4). If the fifth timestamp Ts5 is valid and the challenge response data Ans(H1-H4) is correct, the device is determined to be a valid registered device and is allowed to enter the current network for data interaction and communication within the authentication validity period T; T may be set manually and defaults to 30 minutes. After the validity period expires, if the device needs to continue to access the network, the authentication stage is repeated.
For example: the server receives the response ciphertext ChallengeEnc(Ans(H1-H4), Ts5) from the device, decrypts it with the one-time symmetric communication key by ChallengeDec(Ans(H1-H4), Ts5) to obtain the challenge response hash data Ans(H1-H4) and the plaintext of the fifth timestamp Ts5, verifies that the fifth timestamp Ts5 is a legal timestamp, and then verifies the challenge response hash data Ans(H1-H4): the provided hash data "a47cf540514940120eee3687934ed57e, 3388b51c9a63626681dcbd11dd15735b" is compared with the actual answer to the hardware factor knowledge challenge question Random(H1-H4), "a47cf540514940120eee3687934ed57e, 3388b51c9a63626681dcbd11dd15735b", and matches. The challenge response hash data Ans(H1-H4) is therefore correct, the device is determined to be a legal registered device and is allowed to connect to the current network for data interaction and communication within the 60-minute authentication validity period; if the device needs to remain connected to the network after 60 minutes, the authentication steps are repeated.
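The challenge generation of S165 and the response verification of S181 to S184, as an added Go example; this is not the patent's own code. It shows only the knowledge-challenge logic, with the transport encryption (PkEnc, PrisEnc, ChallengeEnc) left out: `Random` draws 1 to 3 distinct hardware names with `crypto/rand`, the agent recomputes the MD5 of each requested factor, and the server compares the answers with the stored H1-H4 in constant time, checks Ts5, and grants access until now + T. The index-based encoding of a challenge and the tolerance `skew` are assumptions of this example.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// HardwareNames in the fixed storage order of S142; a challenge is a list of indexes into it.
var HardwareNames = [4]string{"mainboard serial number", "CPUID", "MAC address", "hard disk serial number"}

// Device is the server's record for one registered agent: H1..H4 as hex strings and the
// end of its current authentication validity period T (zero until a challenge succeeds).
type Device struct {
	AppID   string
	Hashes  [4]string
	ValidTo time.Time
}

var ErrTimestamp = errors.New("timestamp outside the accepted window")
var ErrAnswer = errors.New("challenge response does not match the stored hashes")

// Random is the page's Random(H1-H4): k distinct hardware names, 1 <= k <= 4,
// drawn with crypto/rand by a partial Fisher-Yates shuffle.
func Random(k int) ([]int, error) {
	if k < 1 || k > 4 {
		return nil, errors.New("challenge size must be 1..4")
	}
	idx := []int{0, 1, 2, 3}
	for i := 0; i < k; i++ {
		j, err := rand.Int(rand.Reader, big.NewInt(int64(4-i)))
		if err != nil {
			return nil, err
		}
		n := i + int(j.Int64())
		idx[i], idx[n] = idx[n], idx[i]
	}
	return idx[:k], nil
}

// DefaultChallenge uses the page's default of 1 to 3 randomly chosen items.
func DefaultChallenge() ([]int, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(3))
	if err != nil {
		return nil, err
	}
	return Random(int(n.Int64()) + 1)
}

// Answer is the agent side of S174: recompute the MD5 of each requested factor
// from the raw values it collects, in the order the challenge lists them.
func Answer(challenge []int, raw [4]string) []string {
	ans := make([]string, len(challenge))
	for i, c := range challenge {
		sum := md5.Sum([]byte(raw[c]))
		ans[i] = hex.EncodeToString(sum[:])
	}
	return ans
}

// Verify is S182..S184 once the response is decrypted: check Ts5, compare every answered
// hash with the stored one in constant time, and on success grant access until now + T.
// skew is an assumed clock tolerance; the page states none.
func Verify(d *Device, challenge []int, ans []string, ts5 int64, now time.Time, skew, T time.Duration) error {
	t5 := time.Unix(ts5, 0)
	if t5.Before(now.Add(-skew)) || t5.After(now.Add(skew)) {
		return ErrTimestamp
	}
	if len(ans) != len(challenge) {
		return ErrAnswer
	}
	ok := 1
	for i, c := range challenge {
		ok &= subtle.ConstantTimeCompare([]byte(ans[i]), []byte(d.Hashes[c]))
	}
	if ok != 1 {
		return ErrAnswer
	}
	d.ValidTo = now.Add(T)
	return nil
}

// Authorized reports whether the device is still inside its validity period (S184).
func (d *Device) Authorized(now time.Time) bool { return now.Before(d.ValidTo) }

func main() {
	raw := [4]string{"LNVNB16121X", "BFEBFBFF000706E3", "00-50-56-C0-00-0C", "{D9F517E0-2009-41C1-87FB-41B85CB77E46}"} // values quoted on the page
	dev := Device{AppID: "2SQ33EU1"}
	copy(dev.Hashes[:], Answer([]int{0, 1, 2, 3}, raw)) // what registration stored as H1..H4
	challenge, _ := DefaultChallenge()
	now := time.Now()
	err := Verify(&dev, challenge, Answer(challenge, raw), now.Unix(), now, time.Minute, 60*time.Minute)
	fmt.Println("asked:", HardwareNames[challenge[0]], "... verified:", err == nil, "still authorized at +59min:", dev.Authorized(now.Add(59*time.Minute)))
}
```

Because the answer to a given hardware name is always the same stored hash, the randomisation only raises the guessing cost for a party that does not hold the hashes; the freshness of the exchange comes from Ts5 and from the one-time key Challenge that wraps the response, both of which the server checks before the validity period is granted.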
The client agent submits multi-factor hardware hash information as the basis of a legal device, and the server verifies the credibility of the device through knowledge certification and a challenge-response method, so that the technical goal of a software-defined perimeter is achieved: a core control component, designed on the idea of a zero-trust system, evaluates, authenticates and authorizes all access requests, achieving access control. The whole-flow communication process adopts a symmetric cryptosystem and an asymmetric cryptosystem for data encryption protection, ensuring the confidentiality of the whole-flow data; meanwhile, signature authentication is carried out on key data with an asymmetric cryptosystem digital signature technology, guaranteeing the integrity and non-repudiation of the data. A timestamp verification mechanism is introduced throughout the communication process, which effectively prevents replay attacks, and a problem randomization mechanism is introduced in the verification process of the knowledge certification and challenge-response method, which increases the guessing difficulty and prevents replay forgery; confidentiality and integrity protection of the interactive data between the host and the server is thus achieved for the whole flow from the registration stage to the authentication stage.
According to the trusted device authentication method, multi-factor hardware hash information is submitted through the device as a legal device basis in the registration stage and the authentication stage, the server verifies the credibility of the device through knowledge certification and a challenge-response method, a symmetrical password system and an asymmetrical password system are adopted in the whole process to carry out data encryption protection, and the confidentiality of full-flow data is guaranteed; meanwhile, signature authentication is carried out on the key data by using an asymmetric cryptosystem digital signature technology, so that the integrity and non-repudiation of the data are guaranteed; a timestamp verification mechanism is introduced to effectively prevent replay attack, a problem randomization mechanism is introduced in the verification process of the knowledge certification and challenge-response method, the guessing difficulty is increased, and replay forgery is prevented; the confidentiality and integrity protection of the data interaction between the trusted device and the server, namely the host in the whole process from the registration stage to the authentication stage, is realized.
Fig. 7 is a schematic block diagram of a trusted device authentication apparatus 300 according to an embodiment of the present invention. As shown in fig. 7, the present invention further provides a trusted device authentication apparatus 300 corresponding to the above trusted device authentication method. The trusted device authentication apparatus 300 includes a unit for executing the above-described trusted device authentication method, and may be configured in a server. Specifically, referring to fig. 7, the trusted device authentication apparatus 300 includes a device request acquisition unit 301, a determination unit 302, a hash information acquisition unit 303, an ID processing unit 304, an authentication data acquisition unit 305, a question generation unit 306, a question processing unit 307, and an authentication unit 308.
A device request obtaining unit 301, configured to obtain a device request; a determining unit 302, configured to determine whether the device request is to perform identity registration; a hash information obtaining unit 303, configured to obtain hardware factor hash information from the device if the device request is to perform identity registration; the ID processing unit 304 is configured to issue ID credential information to a device according to the hardware factor hash information, so that the device confirms data integrity and non-repudiation of a source of the ID credential information, and decrypts the ID credential information to obtain an APPID, and stores the APPID; an authentication data obtaining unit 305, configured to obtain, if the device request is not to perform identity registration, interactive authentication request data initiated by the device through an APPID; a problem generation unit 306, configured to generate a corresponding hardware factor knowledge challenge problem for the interactive authentication request data; the problem processing unit 307 is configured to encrypt the hardware factor knowledge challenge problem to form a signature ciphertext, and send the signature ciphertext, so that the device performs a knowledge challenge according to the signature ciphertext and provides a corresponding hash certificate to generate a response ciphertext; and the authentication unit 308 is configured to perform authentication according to the response ciphertext, and construct data interaction and communication with the device when the authentication is passed.
In an embodiment, as shown in fig. 8, the ID processing unit 304 includes a hash information decryption sub-unit 3041, a hash data storage sub-unit 3042, a key holding sub-unit 3043, a first generation sub-unit 3044, a first encryption sub-unit 3045, and a first issuing sub-unit 3046.
A hash information decryption subunit 3041, configured to decrypt the hardware factor hash information with the server's own private key, so as to obtain a motherboard serial number hash data, a central processing unit CPUID hash data, a MAC address hash data, a hard disk serial number hash data, a local symmetric key, and a first timestamp; a hash data storage subunit 3042, configured to store, when the first timestamp is legal, the motherboard serial number hash data, the central processing unit CPUID hash data, the MAC address hash data, and the hard disk serial number hash data according to a specific storage order; a key holding subunit 3043 configured to hold the local symmetric key; a first generating subunit 3044 configured to generate an APPID and a second timestamp; a first encryption subunit 3045, configured to encrypt the APPID and the second timestamp according to the local symmetric key, and perform a digital signature operation using the server's own private key to generate ID credential information; the first issuing subunit 3046 is configured to issue ID credential information to a device, so that the device confirms data integrity and non-repudiation of a source of the ID credential information, and decrypts the ID credential information to obtain an APPID, and stores the APPID.
In an embodiment, the first issuing subunit 3046 is configured to issue the ID credential information to a device, so that the device verifies the ID credential information through a server public key, when the ID credential information is verified, decrypt the ID credential information through a local symmetric key to obtain an AppID and plaintext data of a second timestamp, and determine validity of the second timestamp, and when the second timestamp is legal, store the AppID.
In one embodiment, as shown in fig. 9, the question generating unit 306 includes a first decryption sub-unit 3061, a key determining sub-unit 3062, a second decryption sub-unit 3063, a first authenticating sub-unit 3064, and a selecting sub-unit 3065.
A first decryption subunit 3061, configured to decrypt, using the server's own private key, the interactive authentication request data to obtain an APPID and a ciphertext associated with the third timestamp; a key determination subunit 3062, configured to determine the local symmetric key from the APPID; a second decryption subunit 3063, configured to decrypt the ciphertext associated with the third timestamp using the local symmetric key; a first verification subunit 3064, configured to, when the decryption succeeds, verify the validity of the third timestamp; and the selecting subunit 3065 is used for randomly selecting a plurality of items from the four hardware names of the mainboard serial number, the central processing unit CPUID, the MAC address and the hard disk serial number by adopting a random selection algorithm when the third timestamp is legal, so as to generate a corresponding hardware factor knowledge challenge problem.
In an embodiment, as shown in fig. 10, the problem processing unit 307 includes a second generating sub-unit 3071, a second encrypting sub-unit 3072, a first signing sub-unit 3073, and a second issuing sub-unit 3074.
A second generating subunit 3071 configured to generate a one-time symmetric communication key and a fourth timestamp; the second encryption subunit 3072 is configured to encrypt the one-time symmetric communication key and the hardware factor knowledge challenge problem with the use of the local symmetric key to obtain ciphertext content; the first signature subunit 3073 is configured to perform data signature on the ciphertext content and the fourth timestamp by using a self key to obtain a signature ciphertext; the second issuing subunit 3074 is configured to issue the signature ciphertext to the device, so that the device performs signature verification operation on the signature ciphertext by using the server public key to obtain the fourth time stamp and ciphertext content, when the time stamp is legal, decrypts the ciphertext content by using the local symmetric key to obtain the one-time symmetric communication key and the hardware factor knowledge challenge problem, performs challenge response hash data of corresponding hardware according to the hardware factor knowledge challenge problem, generates a fifth time stamp, and encrypts the challenge response hash data and the fifth time stamp by using the one-time symmetric communication key to generate a response ciphertext.
In one embodiment, as shown in fig. 11, the authentication unit 308 includes a third decryption sub-unit 3081, a second verification sub-unit 3082, a third verification sub-unit 3083, and a determination sub-unit 3084.
A third decryption subunit 3081, configured to decrypt the response ciphertext with the one-time symmetric communication key to obtain the challenge response hash data and the fifth timestamp; a second verifying subunit 3082, configured to perform validity verification on the fifth timestamp; a third verifying subunit 3083, configured to, when the fifth timestamp is legal, verify whether the challenge-response hash data matches the actual answer to the hardware factor knowledge challenge question; a determining subunit 3084, configured to determine that the device is a legal registered device when the challenge response hash data matches the actual answer to the hardware factor knowledge challenge question, and allow the device to perform network access within the authentication validity period, so as to construct data interaction and communication with the device.
It should be noted that, as can be clearly understood by those skilled in the art, for the specific implementation processes of the trusted device authentication apparatus 300 and each unit, reference may be made to the corresponding description in the foregoing method embodiment, and for convenience and conciseness of description, no further description is provided herein.
The above-described trusted device authentication apparatus 300 may be implemented in the form of a computer program that can be run on a computer device as shown in fig. 12.
Referring to fig. 12, fig. 12 is a schematic block diagram of a computer device according to an embodiment of the present application. The computer device 500 may be a server, where the server may be an independent server or a server cluster composed of a plurality of servers.
Referring to fig. 12, the computer device 500 includes a processor 502, memory, and a network interface 505 connected by a system bus 501, where the memory may include a non-volatile storage medium 503 and an internal memory 504.
The non-volatile storage medium 503 may store an operating system 5031 and computer programs 5032. The computer programs 5032 include program instructions that, when executed, cause the processor 502 to perform a trusted device authentication method.
The processor 502 is used to provide computing and control capabilities to support the operation of the overall computer device 500.
The internal memory 504 provides an environment for the operation of computer programs 5032 in the non-volatile storage medium 503, which when executed by the processor 502, cause the processor 502 to perform a trusted device authentication method, for example.
The network interface 505 is used for network communication with other devices. It will be appreciated by those skilled in the art that the configuration shown in fig. 12 is a block diagram of only a portion of the configuration associated with the present application and does not limit the computer device 500 to which the present application is applied; a particular computer device 500 may include more or fewer components than those shown, some components may be combined, or the components may be arranged differently.
Wherein the processor 502 is configured to run the computer program 5032 stored in the memory to perform the steps of:
acquiring a device request; judging whether the equipment request is identity registration or not; if the equipment request is identity registration, acquiring hardware factor hash information from the equipment; issuing ID certificate information to equipment according to the hardware factor hash information so that the equipment confirms the data integrity and the source non-repudiation of the ID certificate information, decrypting the ID certificate information to obtain an APPID, and storing the APPID; if the equipment request is not identity registration, acquiring interactive authentication request data initiated by the equipment through an APPID; generating a corresponding hardware factor knowledge challenge problem for the interactive authentication request data; encrypting the hardware factor knowledge challenge problem to form a signature ciphertext, and sending the signature ciphertext to enable the equipment to perform knowledge challenge according to the signature ciphertext and provide a corresponding hash certificate to generate a response ciphertext; and performing authentication according to the response ciphertext, and constructing data interaction and communication with the equipment when the authentication is passed.
The hardware factor hash information comprises mainboard serial number hash data, central processing unit CPUID hash data, MAC address hash data and hard disk serial number hash data, which the device generates after collecting its mainboard serial number, central processing unit CPUID, MAC address and hard disk serial number; the information is formed by combining these hashes with a generated local symmetric key and a first timestamp and encrypting the result with the server public key.
In an embodiment, when the processor 502 implements the step of issuing the ID credential information to the device according to the hardware factor hash information, so that the device confirms the data integrity and source non-repudiation of the ID credential information, decrypts the ID credential information to obtain an APPID and stores the APPID, the following steps are specifically implemented:
decrypting the hardware factor hash information with its own private key to obtain the mainboard serial number hash data, central processing unit CPUID hash data, MAC address hash data, hard disk serial number hash data, local symmetric key and first timestamp; when the first timestamp is legal, storing the mainboard serial number hash data, the central processing unit CPUID hash data, the MAC address hash data and the hard disk serial number hash data according to a specific storage sequence; saving the local symmetric key; generating an APPID and a second timestamp; encrypting the APPID and the second timestamp with the local symmetric key, and performing a digital signature operation with its own private key to generate the ID certificate information; and issuing the ID certificate information to the device so that the device confirms the data integrity and source non-repudiation of the ID certificate information, decrypts the ID certificate information to obtain the APPID, and stores the APPID.
In an embodiment, when the processor 502 implements the step of issuing the ID credential information to the device, so that the device confirms the data integrity and source non-repudiation of the ID credential information, decrypts the ID credential information to obtain an APPID and stores the APPID, the following steps are specifically implemented:
issuing the ID certificate information to the device so that the device verifies the ID certificate information with the server public key; when the verification passes, the device decrypts the ID certificate information with the local symmetric key to obtain the plaintext AppID and second timestamp, judges the legality of the second timestamp, and stores the AppID when the second timestamp is legal.
In an embodiment, when implementing the step of generating the hardware factor knowledge challenge question corresponding to the interactive authentication request data, the processor 502 specifically implements the following steps:
decrypting the interactive authentication request data with its own private key to obtain an APPID and a ciphertext associated with a third timestamp; determining the local symmetric key according to the APPID; decrypting the ciphertext associated with the third timestamp with the local symmetric key; when the decryption succeeds, verifying the validity of the third timestamp; and when the third timestamp is legal, randomly selecting several hardware names from the four hardware names (mainboard serial number, central processing unit CPUID, MAC address and hard disk serial number) with a random selection algorithm to generate the corresponding hardware factor knowledge challenge problem.
In an embodiment, when the processor 502 implements the step of encrypting the hardware factor knowledge challenge problem to form a signature ciphertext and sending the signature ciphertext, so that the device responds to the knowledge challenge according to the signature ciphertext and provides the corresponding hash certificate to generate a response ciphertext, the following steps are specifically implemented:
generating a one-time symmetric communication key and a fourth timestamp; encrypting the one-time symmetric communication key and the hardware factor knowledge challenge problem with the local symmetric key to obtain ciphertext content; signing the ciphertext content and the fourth timestamp with its own private key to obtain a signature ciphertext; and issuing the signature ciphertext to the device so that the device verifies the signature with the server public key to obtain the fourth timestamp and the ciphertext content, decrypts the ciphertext content with the local symmetric key when the timestamp is legal to obtain the one-time symmetric communication key and the hardware factor knowledge challenge problem, computes the challenge response hash data of the corresponding hardware according to the hardware factor knowledge challenge problem, generates a fifth timestamp, and encrypts the challenge response hash data and the fifth timestamp with the one-time symmetric communication key to generate a response ciphertext.
In an embodiment, when the processor 502 implements the step of authenticating according to the response ciphertext and constructing data interaction and communication with the device when the authentication passes, the following steps are specifically implemented:
decrypting the response ciphertext by using the one-time symmetric communication key to obtain the challenge response hash data and the fifth timestamp; performing validity verification on the fifth timestamp; when the fifth timestamp is legal, verifying whether the challenge response hash data is consistent with an actual answer of the hardware factor knowledge challenge question; and when the challenge response hash data is consistent with the actual answer of the hardware factor knowledge challenge question, determining that the equipment is legal registered equipment, and allowing the equipment to perform network access within the authentication validity period so as to construct data interaction and communication with the equipment.
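The registration bookkeeping and the knowledge-challenge round described above, as an added example that is not the patent's own code. The public-key wrapping, signatures and symmetric encryption the patent places around each message are deliberately left out so the core logic runs stand-alone: messages are passed as plain dicts, the hardware identifiers are constructed sample values, and the timestamp window and authentication validity period are assumed constants the patent does not specify.

```python
import hashlib
import hmac
import secrets

# The four hardware factors named in the patent, kept in a fixed storage order
# so that a stored hash can be found again by factor name.
HARDWARE_FACTORS = ("mainboard_serial", "cpuid", "mac_address", "disk_serial")
TIMESTAMP_WINDOW = 60      # assumed: seconds a timestamp is still "legal"
AUTH_VALIDITY = 600        # assumed: seconds an accepted authentication lasts


def factor_hash(raw_value: str) -> str:
    """Hash one raw hardware identifier; only the hash ever leaves the device."""
    return hashlib.sha256(raw_value.encode()).hexdigest()


def timestamp_is_legal(ts: float, now: float, window: float = TIMESTAMP_WINDOW) -> bool:
    """Freshness check applied to every timestamp (first to fifth) in the flow."""
    return abs(now - ts) <= window


class Device:
    def __init__(self, raw_factors: dict):
        self.raw = dict(raw_factors)   # constructed sample values, see lead-in
        self.appid = None

    def registration_message(self, now: float) -> dict:
        # Hashes of all four factors plus the first timestamp.
        return {"hashes": {n: factor_hash(self.raw[n]) for n in HARDWARE_FACTORS},
                "timestamp": now}

    def accept_credential(self, credential: dict, now: float) -> bool:
        # The device checks the second timestamp before storing the APPID.
        if not timestamp_is_legal(credential["timestamp"], now):
            return False
        self.appid = credential["appid"]
        return True

    def auth_request(self, now: float) -> dict:
        return {"appid": self.appid, "timestamp": now}   # third timestamp

    def answer_challenge(self, challenge: dict, now: float) -> dict:
        # Recompute hashes only for the factors the server asked about (fifth timestamp).
        return {"answers": {n: factor_hash(self.raw[n]) for n in challenge["factors"]},
                "timestamp": now}


class Server:
    def __init__(self, challenge_size: int = 2):
        self.registry = {}        # appid -> the four hashes in HARDWARE_FACTORS order
        self.pending = {}         # appid -> factor names of the outstanding challenge
        self.sessions = {}        # appid -> expiry of the current authentication
        self.challenge_size = challenge_size
        self._rng = secrets.SystemRandom()

    def register(self, msg: dict, now: float):
        if not timestamp_is_legal(msg["timestamp"], now):
            return None
        appid = secrets.token_hex(8)
        self.registry[appid] = tuple(msg["hashes"][n] for n in HARDWARE_FACTORS)
        return {"appid": appid, "timestamp": now}   # ID credential, second timestamp

    def challenge(self, req: dict, now: float):
        appid = req["appid"]
        if appid not in self.registry or not timestamp_is_legal(req["timestamp"], now):
            return None
        chosen = sorted(self._rng.sample(HARDWARE_FACTORS, self.challenge_size))
        self.pending[appid] = chosen
        return {"factors": chosen, "timestamp": now}   # fourth timestamp

    def verify(self, appid: str, response: dict, now: float) -> bool:
        chosen = self.pending.pop(appid, None)     # a challenge can be answered once
        if chosen is None or not timestamp_is_legal(response["timestamp"], now):
            return False
        answers = response["answers"]
        if set(answers) != set(chosen):            # must answer exactly what was asked
            return False
        stored = dict(zip(HARDWARE_FACTORS, self.registry[appid]))
        ok = True
        for name in chosen:                        # constant-time compare, no early exit
            ok &= hmac.compare_digest(stored[name], answers[name])
        if ok:
            self.sessions[appid] = now + AUTH_VALIDITY
        return ok

    def is_authenticated(self, appid: str, now: float) -> bool:
        return self.sessions.get(appid, 0.0) > now


def run_protocol(device: Device, server: Server, now: float, clock_skew: float = 0.0) -> bool:
    """One registration followed by one authentication; True when the server accepts."""
    dev_now = now + clock_skew
    cred = server.register(device.registration_message(dev_now), now)
    if cred is None or not device.accept_credential(cred, dev_now):
        return False
    ch = server.challenge(device.auth_request(dev_now), now)
    if ch is None:
        return False
    return server.verify(device.appid, device.answer_challenge(ch, dev_now), now)
```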
It should be understood that in the embodiment of the present Application, the Processor 502 may be a Central Processing Unit (CPU), and the Processor 502 may also be other general-purpose processors, Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other Programmable logic devices, discrete Gate or transistor logic devices, discrete hardware components, and the like. Wherein a general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
It will be understood by those skilled in the art that all or part of the flow of the method implementing the above embodiments may be implemented by a computer program instructing relevant hardware. The computer program includes program instructions, and the computer program may be stored in a storage medium, which is a computer-readable storage medium. The program instructions are executed by at least one processor in the computer system to implement the flow steps of the embodiments of the method described above.
Accordingly, the present invention also provides a storage medium. The storage medium may be a computer-readable storage medium. The storage medium stores a computer program, wherein the computer program, when executed by a processor, causes the processor to perform the steps of:
acquiring a device request; judging whether the device request is identity registration; if the device request is identity registration, acquiring hardware factor hash information from the device; issuing ID certificate information to the device according to the hardware factor hash information so that the device confirms the data integrity and source non-repudiation of the ID certificate information, decrypts the ID certificate information to obtain an APPID, and stores the APPID; if the device request is not identity registration, acquiring interactive authentication request data initiated by the device through an APPID; generating a corresponding hardware factor knowledge challenge problem for the interactive authentication request data; encrypting the hardware factor knowledge challenge problem to form a signature ciphertext, and sending the signature ciphertext so that the device responds to the knowledge challenge according to the signature ciphertext and provides the corresponding hash certificate to generate a response ciphertext; and authenticating according to the response ciphertext, and constructing data interaction and communication with the device when the authentication passes.
The hardware factor hash information comprises mainboard serial number hash data, central processing unit CPUID hash data, MAC address hash data and hard disk serial number hash data, which the device generates after collecting its mainboard serial number, central processing unit CPUID, MAC address and hard disk serial number; the information is formed by combining these hashes with a generated local symmetric key and a first timestamp and encrypting the result with the server public key.
In an embodiment, when the processor executes the computer program to implement the step of issuing the ID credential information to the device according to the hardware factor hash information, so that the device confirms the data integrity and source non-repudiation of the ID credential information, decrypts the ID credential information to obtain an APPID and stores the APPID, the following steps are specifically implemented:
decrypting the hardware factor hash information with its own private key to obtain the mainboard serial number hash data, central processing unit CPUID hash data, MAC address hash data, hard disk serial number hash data, local symmetric key and first timestamp; when the first timestamp is legal, storing the mainboard serial number hash data, the central processing unit CPUID hash data, the MAC address hash data and the hard disk serial number hash data according to a specific storage sequence; saving the local symmetric key; generating an APPID and a second timestamp; encrypting the APPID and the second timestamp with the local symmetric key, and performing a digital signature operation with its own private key to generate the ID certificate information; and issuing the ID certificate information to the device so that the device confirms the data integrity and source non-repudiation of the ID certificate information, decrypts the ID certificate information to obtain the APPID, and stores the APPID.
In an embodiment, when the processor executes the computer program to implement the step of issuing the ID credential information to the device, so that the device confirms the data integrity and source non-repudiation of the ID credential information, decrypts the ID credential information to obtain an APPID and stores the APPID, the following steps are specifically implemented:
issuing the ID certificate information to the device so that the device verifies the ID certificate information with the server public key; when the verification passes, the device decrypts the ID certificate information with the local symmetric key to obtain the plaintext AppID and second timestamp, judges the legality of the second timestamp, and stores the AppID when the second timestamp is legal.
In an embodiment, when the processor executes the computer program to implement the step of generating the hardware factor knowledge challenge question corresponding to the interactive authentication request data, the following steps are specifically implemented:
decrypting the interactive authentication request data with its own private key to obtain an APPID and a ciphertext associated with a third timestamp; determining the local symmetric key according to the APPID; decrypting the ciphertext associated with the third timestamp with the local symmetric key; when the decryption succeeds, verifying the validity of the third timestamp; and when the third timestamp is legal, randomly selecting several hardware names from the four hardware names (mainboard serial number, central processing unit CPUID, MAC address and hard disk serial number) with a random selection algorithm to generate the corresponding hardware factor knowledge challenge problem.
In an embodiment, when the processor executes the computer program to implement the step of encrypting the hardware factor knowledge challenge problem to form a signature ciphertext and sending the signature ciphertext, so that the device responds to the knowledge challenge according to the signature ciphertext and provides the corresponding hash certificate to generate a response ciphertext, the following steps are specifically implemented:
generating a one-time symmetric communication key and a fourth timestamp; encrypting the one-time symmetric communication key and the hardware factor knowledge challenge problem with the local symmetric key to obtain ciphertext content; signing the ciphertext content and the fourth timestamp with its own private key to obtain a signature ciphertext; and issuing the signature ciphertext to the device so that the device verifies the signature with the server public key to obtain the fourth timestamp and the ciphertext content, decrypts the ciphertext content with the local symmetric key when the timestamp is legal to obtain the one-time symmetric communication key and the hardware factor knowledge challenge problem, computes the challenge response hash data of the corresponding hardware according to the hardware factor knowledge challenge problem, generates a fifth timestamp, and encrypts the challenge response hash data and the fifth timestamp with the one-time symmetric communication key to generate a response ciphertext.
In an embodiment, when the processor executes the computer program to implement the step of authenticating according to the response ciphertext and constructing data interaction and communication with the device when the authentication passes, the following steps are specifically implemented:
decrypting the response ciphertext by using the one-time symmetric communication key to obtain the challenge response hash data and the fifth timestamp; performing validity verification on the fifth timestamp; when the fifth timestamp is legal, verifying whether the challenge response hash data is consistent with an actual answer of the hardware factor knowledge challenge question; and when the hash data of the challenge response is consistent with the actual answer of the hardware factor knowledge challenge question, determining that the equipment is legal registered equipment, and allowing the equipment to perform network access within the authentication validity period so as to construct data interaction and communication with the equipment.
The storage medium may be a USB disk, a removable hard disk, a Read-Only Memory (ROM), a magnetic disk, an optical disk, or another computer-readable medium that can store a computer program.
Those of ordinary skill in the art will appreciate that the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein may be embodied in electronic hardware, computer software, or a combination of both, and that the components and steps of the examples have been described above in general functional terms to illustrate clearly the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and the design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the several embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative. For example, the division of each unit is only one logic function division, and there may be another division manner in actual implementation. For example, various elements or components may be combined or may be integrated in another system or some features may be omitted, or not implemented.
The steps in the method of the embodiment of the invention can be sequentially adjusted, combined and deleted according to actual needs. The units in the device of the embodiment of the invention can be combined, divided and deleted according to actual needs. In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a separate product, may be stored in a storage medium. Based on such understanding, the technical solution of the present invention essentially or partially contributes to the prior art, or all or part of the technical solution can be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a terminal, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention.
While the invention has been described with reference to specific embodiments, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (6)

1. A trusted device authentication method, comprising:
acquiring a device request;
judging whether the equipment request is identity registration or not;
if the equipment request is identity registration, acquiring hardware factor hash information from the equipment;
issuing ID certificate information to equipment according to the hardware factor hash information so that the equipment confirms the data integrity and the non-repudiation of the source of the ID certificate information, decrypting the ID certificate information to obtain an APPID, and storing the APPID;
if the equipment request is not identity registration, acquiring interactive authentication request data initiated by the equipment through an APPID;
generating a corresponding hardware factor knowledge challenge problem for the interactive authentication request data;
encrypting the hardware factor knowledge challenge problem to form a signature ciphertext, and sending the signature ciphertext to enable the equipment to perform knowledge challenge according to the signature ciphertext and provide a corresponding hash certificate to generate a response ciphertext;
authenticating according to the response ciphertext, and constructing data interaction and communication with the equipment when the authentication is passed;
the hardware factor hash information comprises mainboard serial number hash data, central processing unit CPUID hash data, MAC address hash data and hard disk serial number hash data, which the equipment generates after collecting its mainboard serial number, central processing unit CPUID, MAC address and hard disk serial number; the information is formed by combining these hashes with a generated local symmetric key and a first timestamp and encrypting the result with the server public key;
the issuing of ID certificate information to equipment according to the hardware factor hash information to enable the equipment to confirm data integrity and non-repudiation of a source of the ID certificate information, and to decrypt the ID certificate information to obtain an APPID, and the storing of the APPID comprises:
decrypting the hardware factor hash information with its own private key to obtain mainboard serial number hash data, central processing unit CPUID hash data, MAC address hash data, hard disk serial number hash data, a local symmetric key and a first timestamp;
when the first timestamp is legal, storing the mainboard serial number hash data, the central processing unit CPUID hash data, the MAC address hash data and the hard disk serial number hash data according to a specific storage sequence;
saving the local symmetric key;
generating an APP ID and a second timestamp;
encrypting the APPID and the second timestamp with the local symmetric key, and performing a digital signature operation with its own private key to generate ID certificate information;
issuing the ID certificate information to equipment so that the equipment verifies the ID certificate information through a server public key, when the ID certificate information is verified, decrypting the ID certificate information through a local symmetric key to obtain an AppID and plaintext data of a second timestamp, judging the legality of the second timestamp, and when the second timestamp is legal, storing the AppID;
the generating of the corresponding hardware factor knowledge challenge problem for the interactive authentication request data comprises:
decrypting the interactive authentication request data with its own private key to obtain an APPID and a ciphertext related to a third timestamp;
determining the local symmetric key according to the APPID;
decrypting the ciphertext associated with the third timestamp using the local symmetric key;
when the decryption is successful, verifying the validity of the third timestamp;
and when the third timestamp is legal, randomly selecting a plurality of hardware names from the four hardware names of the mainboard serial number, the central processing unit CPUID, the MAC address and the hard disk serial number by adopting a random selection algorithm so as to generate a corresponding hardware factor knowledge challenge problem.
2. The method of claim 1, wherein the encrypting the hardware factor knowledge challenge question to form a signature ciphertext and sending the signature ciphertext to enable the device to respond to a knowledge challenge based on the signature ciphertext and provide a corresponding hash certificate to generate a response ciphertext, comprises:
generating a one-time symmetric communication key and a fourth timestamp;
encrypting the one-time symmetric communication key and the hardware factor knowledge challenge problem by using the local symmetric key to obtain ciphertext content;
signing the ciphertext content and the fourth timestamp with its own private key to obtain a signature ciphertext;
and issuing the signature ciphertext to the device to enable the device to perform a signature verification operation on the signature ciphertext using the server public key to obtain the fourth timestamp and ciphertext content, decrypt the ciphertext content using the local symmetric key when the timestamp is legal to obtain the one-time symmetric communication key and the hardware factor knowledge challenge problem, compute challenge response hash data of the corresponding hardware according to the hardware factor knowledge challenge problem, generate a fifth timestamp, and encrypt the challenge response hash data and the fifth timestamp using the one-time symmetric communication key to generate a response ciphertext.
3. The trusted device authentication method according to claim 2, wherein the authenticating according to the response ciphertext and constructing data interaction and communication with the device when the authentication is passed comprises:
decrypting the response ciphertext by using the one-time symmetric communication key to obtain the challenge response hash data and the fifth timestamp;
performing validity verification on the fifth timestamp;
when the fifth timestamp is legal, verifying whether the challenge response hash data is consistent with an actual answer of the hardware factor knowledge challenge question;
and when the hash data of the challenge response is consistent with the actual answer of the hardware factor knowledge challenge question, determining that the equipment is legal registered equipment, and allowing the equipment to perform network access within the authentication validity period so as to construct data interaction and communication with the equipment.
4. An apparatus for authenticating a trusted device, comprising:
a device request acquisition unit configured to acquire a device request;
a judging unit, configured to judge whether the device request is to perform identity registration;
a hash information obtaining unit, configured to obtain hardware factor hash information from the device if the device request is to perform identity registration;
an ID processing unit, configured to issue ID certificate information to the equipment according to the hardware factor hash information so that the equipment confirms the data integrity and the non-repudiation of the source of the ID certificate information, decrypts the ID certificate information to obtain an APPID, and stores the APPID;
an authentication data acquisition unit, configured to acquire interactive authentication request data initiated by the equipment through an APPID if the equipment request is not identity registration;
the problem generation unit is used for generating a corresponding hardware factor knowledge challenge problem for the interactive authentication request data;
the problem processing unit is used for encrypting the hardware factor knowledge challenge problem to form a signature ciphertext and sending the signature ciphertext so as to enable the equipment to perform response knowledge challenge according to the signature ciphertext and provide a corresponding hash certificate to generate a response ciphertext;
the authentication unit is used for authenticating according to the response ciphertext and establishing data interaction and communication with equipment when the authentication is passed;
the hardware factor hash information comprises mainboard serial number hash data, central processing unit CPUID hash data, MAC address hash data and hard disk serial number hash data, which the equipment generates after collecting its mainboard serial number, central processing unit CPUID, MAC address and hard disk serial number; the information is formed by combining these hashes with a generated local symmetric key and a first timestamp and encrypting the result with the server public key;
the issuing of ID certificate information to equipment according to the hardware factor hash information to enable the equipment to confirm data integrity and non-repudiation of a source of the ID certificate information, and to decrypt the ID certificate information to obtain an APPID, and the storing of the APPID comprises:
decrypting the hardware factor hash information with its own private key to obtain mainboard serial number hash data, central processing unit CPUID hash data, MAC address hash data, hard disk serial number hash data, a local symmetric key and a first timestamp;
when the first timestamp is legal, storing the mainboard serial number hash data, the central processing unit CPUID hash data, the MAC address hash data and the hard disk serial number hash data according to a specific storage sequence;
saving the local symmetric key;
generating an APP ID and a second timestamp;
encrypting the APPID and the second timestamp with the local symmetric key, and performing a digital signature operation with its own private key to generate ID certificate information;
issuing the ID certificate information to equipment so that the equipment verifies the ID certificate information through a server public key, when the ID certificate information is verified, decrypting the ID certificate information through a local symmetric key to obtain an AppID and plaintext data of a second timestamp, judging the legality of the second timestamp, and when the second timestamp is legal, storing the AppID;
the generating of the corresponding hardware factor knowledge challenge problem for the interactive authentication request data comprises:
decrypting the interactive authentication request data with its own private key to obtain an APPID and a ciphertext related to a third timestamp;
determining the local symmetric key according to the APPID;
decrypting ciphertext associated with a third timestamp using the local symmetric key;
when the decryption is successful, verifying the validity of the third timestamp;
and when the third timestamp is legal, randomly selecting a plurality of hardware names from the four hardware names of the mainboard serial number, the central processing unit CPUID, the MAC address and the hard disk serial number by adopting a random selection algorithm so as to generate a corresponding hardware factor knowledge challenge problem.
5. A computer device, characterized in that the computer device comprises a memory, on which a computer program is stored, and a processor, which when executing the computer program implements the method according to any of claims 1 to 3.
6. A storage medium, characterized in that the storage medium stores a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 3.
CN202210282480.XA 2022-03-22 2022-03-22 Trusted device authentication method and device, computer device and storage medium Active CN114374522B (en)


Publications (2)

Publication Number Publication Date
CN114374522A CN114374522A (en) 2022-04-19
CN114374522B true CN114374522B (en) 2022-06-28

Family

ID=81145821


Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115021957A (en) * 2022-04-20 2022-09-06 深圳市国电科技通信有限公司 Access authentication method of network equipment of transformer substation, system, chip and network equipment thereof
CN116956258B (en) * 2023-09-21 2023-12-05 杭州锘崴信息科技有限公司 Calculation element authentication method and device for data calculation in data operation

Citations (2)

Publication number Priority date Publication date Assignee Title
CN109862041A (en) * 2019-03-27 2019-06-07 深圳市网心科技有限公司 A kind of digital identification authentication method, unit, system and storage medium
CN111931158A (en) * 2020-08-10 2020-11-13 深圳大趋智能科技有限公司 Bidirectional authentication method, terminal and server

Family Cites Families (8)

Publication number Priority date Publication date Assignee Title
CN108880797B (en) * 2018-06-27 2021-09-24 京信网络系统股份有限公司 Authentication method of Internet of things equipment and Internet of things equipment
CN109005040B (en) * 2018-09-10 2022-04-01 湖南大学 Dynamic multi-key confusion PUF (physical unclonable function) structure and authentication method thereof
US20200228311A1 (en) * 2019-01-10 2020-07-16 Syccure Inc. Lightweight encryption, authentication, and verification of data moving to and from intelligent devices
US11159325B2 (en) * 2019-03-13 2021-10-26 Digital 14 Llc System, method, and computer program product for performing hardware backed symmetric operations for password based authentication
CN111030824A (en) * 2019-11-29 2020-04-17 国核自仪系统工程有限公司 Industrial control device identification system, method, medium, and electronic device
US11556675B2 (en) * 2019-12-16 2023-01-17 Northrop Grumman Systems Corporation System and method for providing security services with multi-function supply chain hardware integrity for electronics defense (SHIELD)
CN113688399A (en) * 2021-08-25 2021-11-23 深圳忆联信息系统有限公司 Firmware digital signature protection method and device, computer equipment and storage medium
CN114003888B (en) * 2021-09-29 2023-11-07 苏州浪潮智能科技有限公司 Bidirectional authentication method and device for storage system access based on hardware information


Also Published As

Publication number Publication date
CN114374522A (en) 2022-04-19

Similar Documents

Publication Publication Date Title
US11757662B2 (en) Confidential authentication and provisioning
CN109088889B (en) SSL encryption and decryption method, system and computer readable storage medium
CN109756500B (en) Anti-quantum computation HTTPS communication method and system based on multiple asymmetric key pools
CN110380852B (en) Bidirectional authentication method and communication system
WO2018046009A1 (en) Block chain identity system
US9185111B2 (en) Cryptographic authentication techniques for mobile devices
CN111512608B (en) Trusted execution environment based authentication protocol
WO2017071496A1 (en) Method and device for realizing session identifier synchronization
CN109005155B (en) Identity authentication method and device
US11544365B2 (en) Authentication system using a visual representation of an authentication challenge
CN108366063B (en) Data communication method and device of intelligent equipment and equipment thereof
CN109861813B (en) Anti-quantum computing HTTPS communication method and system based on asymmetric key pool
CN114374522B (en) Trusted device authentication method and device, computer device and storage medium
CN110958209B (en) Bidirectional authentication method, system and terminal based on shared secret key
JP2002344438A (en) Key sharing system, key sharing device and program thereof
CN111935712A (en) Data transmission method, system and medium based on NB-IoT communication
US11777743B2 (en) Method for securely providing a personalized electronic identity on a terminal
CN108881222A (en) Strong identity authentication system and method based on PAM framework
WO2014187206A1 (en) Method and system for backing up private key in electronic signature token
US20210392004A1 (en) Apparatus and method for authenticating device based on certificate using physical unclonable function
CN112351037A (en) Information processing method and device for secure communication
WO2014187208A1 (en) Method and system for backing up private key in electronic signature token
CN110855442A (en) PKI (public key infrastructure) technology-based inter-device certificate verification method
KR20200043855A (en) Method and apparatus for authenticating drone using dim
CN114051244A (en) Authentication method and system between terminal side equipment and network side equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: 311100 Rooms 103-27, Building 19, No. 1399 Liangmu Road, Cangqian Street, Yuhang District, Hangzhou City, Zhejiang Province

Patentee after: Hangzhou Meichuang Technology Co.,Ltd.

Address before: 310013 floor 12, building 7, Tianxing International Center, No. 508, Fengtan Road, Gongshu District, Hangzhou, Zhejiang Province

Patentee before: HANGZHOU MEICHUANG TECHNOLOGY CO.,LTD.

PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: A trusted device authentication method, device, computer device and storage medium

Effective date of registration: 20230223

Granted publication date: 20220628

Pledgee: Hangzhou United Rural Commercial Bank Co.,Ltd. Shangtang sub branch

Pledgor: Hangzhou Meichuang Technology Co.,Ltd.

Registration number: Y2023980033139