CN114401087B - Passive lock identity authentication and key agreement system based on state cryptographic algorithm - Google Patents


Publication number
CN114401087B
Authority
CN
China
Prior art keywords
key
mobile phone
phone app
passive lock
lock
Legal status
Active
Application number
CN202210079490.3A
Other languages
Chinese (zh)
Other versions
CN114401087A (en
Inventor
刘鹏
赵双财
Current Assignee
Beijing Xinchangcheng Technology Development Co ltd
Original Assignee
Beijing Xinchangcheng Technology Development Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/70 Reducing energy consumption in communication networks in wireless communication networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Lock And Its Accessories (AREA)
  • Telephone Function (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a passive lock identity authentication and key agreement system based on national cryptographic algorithms. The system comprises a cloud management platform, a mobile phone APP, a Bluetooth key and a passive lock, where the cloud management platform comprises a cloud key management system, a cloud security service and a cloud business service. A national-cryptography security chip is built into the lock cylinder of the passive lock. The chip processes the cryptographic algorithms and also serves as the control chip, so the security processing and the business control of the passive lock are integrated. This strengthens information security in the digital transformation of industrial locks, makes inspection rounds easier for operation and maintenance users, improves inspection efficiency, generates inspection records automatically, applies cryptographic identity authentication to ensure the authenticity of data, and greatly reduces the cost of maintaining many physical keys.

Description

Passive lock identity authentication and key agreement system based on state cryptographic algorithm
Technical Field
The invention relates to the technical field of information security of the Internet of things, in particular to a passive lock identity authentication and key agreement system based on a state cryptographic algorithm.
Background
Locks are widely used in enterprise management and in daily life. Enterprises and individuals use them to secure valuable property and important data, in order to improve security and simplify management. The more affordable locks common on the market are mainly mechanical, but ordinary mechanical locks offer limited security and are easily forced open. As technology has developed, passive electronic locks, which offer relatively higher security, have come into wide use.
There are many kinds of passive locks on the market at present, but most of them have the following problems:
(1) Device communication uses simple encryption, or no encryption at all, to control unlocking, so the lock is easily attacked by unauthorized persons: downstream, the lock can be opened illegally; upstream, records can be reported illegally, polluting the data;
(2) In some passive locks the main controller is an ordinary MCU with no national-cryptography security chip. The controller performs complex cryptographic operations in software, which takes a long time and slows the device's response; some encryption algorithms cannot be implemented in software on an ordinary MCU; and data stored in an ordinary MCU is easily read out with tools for analysis and decryption;
(3) Some passive locks do use a national-cryptography security chip, but the chip is separate from the main controller, which is still an ordinary controller whose program is vulnerable to attack;
(4) Some passive locks use simple cryptographic algorithms and are at risk of being cracked;
(5) Some passive locks verify unlocking authority by reading the lock cylinder's identifier: once the key has verified the authority, it sends a control command to the lock cylinder to unlock. This process completes only the key's authentication of the passive lock; the passive lock does not verify the identity of the accessor, which leaves a security risk.
These problems limit the application of passive locks. The invention therefore provides a passive lock identity authentication and key agreement system based on national cryptographic algorithms to solve the problems in the prior art.
Disclosure of Invention
In view of the above problems, the present invention provides a passive lock identity authentication and key agreement system based on national cryptographic algorithms, which solves the problem of the low security of passive locks on the market.
To achieve this purpose, the invention adopts the following technical scheme: a passive lock identity authentication and key agreement system based on national cryptographic algorithms, comprising a cloud management platform, a mobile phone APP, a Bluetooth key and a passive lock. The cloud management platform comprises a cloud key management system, a cloud security service and a cloud business service. The cloud business service provides business support for the usage scenarios; the cloud security service handles communication-security-related services; and the cloud key management system generates an identification key pair, consisting of an identification public key and an identification private key, from the identification ID of each passive lock device and of each user.
The mobile phone APP communicates upstream with the cloud management platform and comprises a security component and a business module. A user logs in to the mobile phone APP with a user account through the business module and obtains from the cloud management platform the information on the passive locks that can be managed within the user's permissions.
The Bluetooth key comprises a main national-cryptography security chip, a Bluetooth module and a main contact, and communicates upstream with the mobile phone APP through the Bluetooth module.
The passive lock comprises a sub national-cryptography security chip, a sub-contact and a driving motor. After the Bluetooth key is inserted into the passive lock, it supplies power to the passive lock through the touching main contact and sub-contact, and establishes a communication line.
A further improvement: the cloud business service provides business support for the usage scenarios, including responding to mobile phone APP login requests, issuing user identification key pairs, unlocking-permission requests and the reporting of unlocking records.
A further improvement: the communication-security-related services include issuing device identity information to passive locks in the production stage, identity authentication between the passive lock and the mobile phone APP, session key negotiation, encryption of data issued by the cloud and decryption of data reported by the mobile phone APP.
A further improvement: in the passive lock production stage, the key management system works with the cloud security service to issue the passive lock's identification key pair into the passive lock, where it is securely stored by the national-cryptography security chip inside the lock. When a user account logs in on the mobile phone APP, the cloud security service securely issues the user's identification key pair, which is stored securely in the mobile phone.
A further improvement: the passive lock is passive, and its identification key pair and the identification public key of the cloud management platform are securely distributed by the cloud key management system in the production stage.
A further improvement: the passive lock verifies the digital key information distributed by the cloud management platform, authenticates the legitimacy of the authorization through the digital signature in that information, and, once authentication succeeds, uses the driving motor to drive the electronic part and unlock electronically.
A further improvement: the security component comprises a security interface and secure storage implemented with national cryptographic algorithms. The secure storage in the mobile phone stores offline digital key information securely in a dispersed manner. The main and sub national-cryptography security chips have the same structure, each comprising an identification ID module, a security service module and a business logic module.
The beneficial effects of the invention are as follows. A national-cryptography security chip is built into the passive lock; it processes the cryptographic algorithms and also serves as the control chip, integrating the security processing and the business control of the passive lock. The passive lock's communication is encrypted with national cryptographic algorithms, which gives higher security. The cryptographic algorithms are processed in hardware, which is faster and more efficient than a software implementation and improves the response speed of the system. Each passive lock's identity information is preset at production and stored securely in the security chip, so it cannot be obtained directly and is difficult to counterfeit. The passive lock communicates in encrypted form, which effectively prevents replay attacks. Before encrypted communication begins, the lock cylinder and the Bluetooth key or mobile phone APP authenticate each other, which ensures the legitimacy of device identities and the confidentiality and integrity of communication data, and further resists replay attacks. Because communication between the passive lock and the accessor is authenticated and encrypted, unlocking records are trustworthy, which prevents attackers from unlocking illegally and from polluting the database with illegal unlocking records. In addition, the lock body is convenient to maintain, and the cost of maintaining many physical keys is greatly reduced.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a schematic diagram of the system structure of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example one
Referring to Fig. 1, this embodiment provides a passive lock identity authentication and key agreement system based on national cryptographic algorithms, comprising a cloud management platform, a mobile phone APP, a Bluetooth key and a passive lock. The cloud management platform comprises a cloud key management system, a cloud security service and a cloud business service. The cloud business service provides business support for the usage scenarios; the cloud security service handles communication-security-related services; and the cloud key management system generates an identification key pair, consisting of an identification public key and an identification private key, from the identification ID of each passive lock device and of each user.
The mobile phone APP communicates upstream with the cloud management platform and comprises a security component and a business module. A user logs in to the mobile phone APP with a user account through the business module and obtains from the cloud management platform the information on the passive locks that can be managed within the user's permissions.
The Bluetooth key comprises a main national-cryptography security chip, a Bluetooth module and a main contact, and communicates upstream with the mobile phone APP through the Bluetooth module.
The passive lock comprises a sub national-cryptography security chip, a sub-contact and a driving motor. After the Bluetooth key is inserted into the passive lock, it supplies power to the passive lock through the touching main contact and sub-contact, and establishes a communication line. The passive lock's communication is encrypted with national cryptographic algorithms: the asymmetric algorithm SM2, the symmetric encryption algorithm SM4, the SM3 digest algorithm and others are applied, and the random numbers are true random numbers, so the passive lock has high security.
The cloud business service provides business support for the usage scenarios, including responding to mobile phone APP login requests, issuing user identification key pairs, unlocking-permission requests and the reporting of locking and unlocking records.
The communication-security-related services include issuing device identity information to passive locks in the production stage, identity authentication between the passive lock and the mobile phone APP, session key negotiation, encryption of data issued by the cloud and decryption of data reported by the mobile phone APP.
In the passive lock production stage, the key management system works with the cloud security service to issue the passive lock's identification key pair into the passive lock, where it is securely stored by the national-cryptography security chip inside the lock. When a user account logs in on the mobile phone APP, the cloud security service securely issues the mobile phone APP user's identification key pair, which is stored securely in the mobile phone.
The passive lock is passive, and its identification key pair and the identification public key of the cloud management platform are securely distributed by the cloud key management system in the production stage.
The passive lock verifies the digital key information distributed by the cloud management platform, authenticates the legitimacy of the authorization through the digital signature in that information, and, once authentication succeeds, uses the driving motor to drive the electronic part and unlock electronically.
The security component comprises a security interface and secure storage implemented with national cryptographic algorithms. The secure storage in the mobile phone stores the offline digital key information securely in a dispersed manner. The main and sub national-cryptography security chips have the same structure, each comprising an identification ID module, a security service module and a business logic module.
In the mobile phone APP offline unlocking mode:
When the user is in a networked environment and logs in to the mobile phone APP with a user account, the mobile phone APP and the cloud management platform complete mutual authentication by verifying each other's signatures and negotiate a session key. After login succeeds, communication between the mobile phone APP and the cloud management platform is encrypted with the session key. The user applies for unlocking authority for the passive locks within the user's permissions, that is, applies for offline digital key information. After the mobile phone APP obtains the offline digital key information over the encrypted channel, the security component in the mobile phone APP stores it securely in a dispersed manner, so that the offline digital key cannot be obtained illegally.
In this mode, after the Bluetooth key and the offline mobile phone APP establish communication, the Bluetooth key acts as a relay, passing data up and down between the passive lock and the mobile phone APP. The passive lock then initiates an authentication request whose data contains the passive lock's digital signature. The mobile phone APP obtains the passive lock's public key from the passive lock's identifier and verifies the signature; if verification succeeds, the device identity is judged legitimate. The mobile phone APP then retrieves the stored offline digital key, generates from it the cloud management platform's authentication information, and sends that to the passive lock. The passive lock receives the other side's authentication information, verifies the signature with the cloud management platform's public key, and completes the challenge-response at the same time. At this point the passive lock and the mobile phone APP negotiate a session key from the encrypted random factors in both sides' authentication information, and subsequent business instructions and record data are all transmitted in encrypted form.
In the Bluetooth key offline unlocking mode:
The mobile phone APP first obtains offline digital key information from the cloud management platform, in the same way as in the mobile phone APP offline unlocking mode. The user then transfers the offline authorized digital key to the Bluetooth key, so that the Bluetooth key can independently generate the data for identity authentication with the passive lock.
The transfer of the offline digital key from the mobile phone APP to the Bluetooth key is encrypted. The mobile phone APP and the Bluetooth key obtain the session key used for encryption through challenge-response; specifically, a public key encryption algorithm is used to negotiate the session key.
After the Bluetooth key has obtained the offline digital key, the user operates the Bluetooth key to complete mutual authentication with the passive lock and negotiate a session key, which is then used to encrypt the unlocking instruction, the Bluetooth key records and the locking and unlocking records.
When the Bluetooth key connects to the mobile phone APP again, a session key is negotiated, the locking and unlocking records held in the key are encrypted and reported to the mobile phone APP, and the mobile phone APP reports them to the cloud management platform over an encrypted channel.
Example two
The embodiment provides an online unlocking process of a passive lock, which comprises the following steps:
A permission manager of the cloud management platform assigns unlocking permission for passive lock A to user A.
User A connects the mobile phone to the network, logs in to user A's account on the mobile phone APP, and turns on the phone's Bluetooth.
User A wakes up the Bluetooth key in hand, and the key's Bluetooth module starts broadcasting. The mobile phone APP searches for Bluetooth devices and builds a list of Bluetooth keys. The first time user A connects a Bluetooth key, the key must be selected manually; afterwards it can connect automatically.
Once connected, the Bluetooth key communicates with the mobile phone APP and reports its state information. The Bluetooth key is inserted into passive lock A, supplies power to passive lock A through the touching main contact and sub-contact, and establishes a communication line through the contacts.
After passive lock A is powered on, its built-in national-cryptography security chip starts working and communicates with the Bluetooth key.
In the online unlocking mode the Bluetooth key is only responsible for relaying data up and down between passive lock A and the user's mobile phone APP, so the following describes the interaction as taking place between passive lock A and the mobile phone APP. Data sent by the mobile phone APP is data associated with user A, and "the mobile phone APP" means the mobile phone APP after user A has logged in.
Passive lock A sends a lock-ready state to the mobile phone APP; after passive lock A receives the reply, passive lock A and the mobile phone APP perform identity authentication.
Passive lock A sends authentication data to the mobile phone APP, which uses it to verify the identity of passive lock A and confirm that it is a legitimate device. The mobile phone APP communicates with the cloud management platform to verify the identity of passive lock A. After the cloud management platform has verified passive lock A's identity, it generates authentication data for the mobile phone APP from passive lock A's authentication data and sends it to the mobile phone APP. The mobile phone APP generates its own authentication data from the authorization data returned by the cloud management platform and sends it to passive lock A. On receiving the mobile phone APP's authentication data, passive lock A verifies the user identity of the mobile phone APP and, once verification passes, negotiates a session key. Identity authentication confirms the source of the data; the random factors used to negotiate the session key are encrypted and the key never appears on the communication link, which guarantees the confidentiality of the data. The mobile phone APP negotiates the same session key in the same way. At this point only passive lock A and the mobile phone APP know the current session key, and a new session key is negotiated the next time they communicate.
After passive lock A and the mobile phone APP have authenticated and negotiated, communication is encrypted with the session key.
The mobile phone APP sends the unlocking instruction as ciphertext; passive lock A decrypts the instruction and performs electronic unlocking accordingly.
After electronic unlocking, user A turns the lock cylinder with the Bluetooth key to perform the unlocking action.
After unlocking succeeds, the unlocking record generated by the lock cylinder is reported to the mobile phone APP as ciphertext.
The mobile phone APP reports the unlocking record to the cloud management platform.
Example three
The embodiment provides a mobile phone offline unlocking process, which comprises the following steps:
This process allows normal operation where there is no network at the location of the lock cylinder.
A permission manager of the cloud management platform assigns unlocking permission for passive lock A to user A.
At a location with network access, user A applies on the mobile phone APP for the unlocking authority data for passive lock A, which is called the offline digital key. The offline digital key contains the authentication information and the time range information for user A to unlock passive lock A, and is stored on the mobile phone APP securely and in dispersed form.
User A then operates the key to unlock. Compared with the unlocking method in Example two, the differences are as follows:
After passive lock A sends its authentication data and the mobile phone APP has authenticated passive lock A's identity as legitimate, the mobile phone APP generates its own authentication data from the offline digital key downloaded to its local storage.
After identity authentication, passive lock A and the mobile phone APP negotiate the session key for the current communication, and passive lock A decrypts the correct unlocking instruction. After unlocking is executed, user A opens and closes the lock cylinder with the Bluetooth key, and the resulting locking and unlocking records are encrypted and uploaded to the mobile phone APP, which stores them locally while the phone is offline. When the mobile phone APP returns to a location with network access, it uploads user A's locking and unlocking records to the cloud management platform.
Example four
In the unlocking process of the third embodiment, the mobile phone APP and the bluetooth key are required to be kept connected, in some use scenarios, the mobile phone APP and the bluetooth key cannot be kept connected for a long time, and for the use scenario, the offline digital key is issued to the bluetooth key through the mobile phone APP, and the user a then uses the authorized bluetooth key to unlock the authorized passive lock, which specifically includes the following steps:
a permission manager of the management platform distributes unlocking permission of the passive lock A to the user A;
the user A logs in a mobile phone APP, issues an authorized offline digital key of the passive lock A to the mobile phone APP, and issues the offline digital key to a Bluetooth key through the mobile phone APP, and is worthy of being noticed that the user A can apply for offline digital key information of a plurality of passive locks from a cloud management platform and issue offline digital key information authorized by a plurality of passive locks to the key;
after the authorization is completed, the user A inserts the Bluetooth key into the passive lock A, the Bluetooth key supplies power to the passive lock A through the contact, and a communication line is established through the contact;
after receiving the ready command of the passive lock A, the Bluetooth key replies a command response;
the passive lock A then sends authentication data to the Bluetooth key; the Bluetooth key retrieves the authorized digital key information held in its internal secure storage according to the identifier of the passive lock A; after the Bluetooth key verifies the identity of the passive lock A, it generates the authorized user's identity authentication data from the retrieved legitimate digital key information and sends it to the passive lock A;
the passive lock A authenticates the digital key information sent by the Bluetooth key; after the identity of user A is authenticated, a session key is generated from the encrypted random factors in the authentication data, and the Bluetooth key obtains the same session key in the same way; the session key is generated temporarily and used only for this communication; it becomes invalid once the key is pulled out, and when the key is inserted again, authentication is performed again to negotiate a new session key;
after user A unlocks or locks with the Bluetooth key, the Bluetooth key records the lock/unlock records of the passive lock A;
when the Bluetooth key is connected to the mobile phone APP again over Bluetooth, the lock/unlock records stored in the Bluetooth key are encrypted and reported to the mobile phone APP, and when the mobile phone APP has a network connection, the lock/unlock records are encrypted and reported to the cloud management platform.
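The per-insertion session key described in the steps above can be modelled as follows. This is an added illustration, not code from the patent: the `Endpoint` class, the function names, the 16-byte factor size and the use of HMAC-SHA256 in place of an SM3-based derivation are all assumptions, and the SM2 authentication and encryption of the random factors are taken as already done.

```python
import hashlib
import hmac
import secrets

FACTOR_LEN = 16   # bytes of randomness each side contributes (assumed size)
KEY_LEN = 16      # SM4 takes a 128-bit key


def derive_session_key(lock_id, key_id, r_lock, r_key):
    """Mix both random factors and both identities into one session key.

    Assumption: HMAC-SHA256 stands in for an SM3-based derivation; the
    page does not specify how the factors are combined.
    """
    if len(r_lock) != FACTOR_LEN or len(r_key) != FACTOR_LEN:
        raise ValueError("random factor has the wrong length")
    # Length-prefix the identities so different ID pairs cannot collide.
    context = b"".join(len(i).to_bytes(2, "big") + i for i in (lock_id, key_id))
    return hmac.new(r_lock + r_key, context, hashlib.sha256).digest()[:KEY_LEN]


class Endpoint:
    """Session state held by one side of the contact link (lock or key)."""

    def __init__(self, ident):
        self.ident = ident
        self.session_key = None

    def fresh_factor(self):
        # OS CSPRNG here; the page specifies true random numbers on the chips.
        return secrets.token_bytes(FACTOR_LEN)

    def on_removed(self):
        # Pulling the key out ends the session; the key is discarded.
        self.session_key = None


def insert_and_negotiate(lock, key, replayed_key_factor=None):
    """Run one insertion; both sides end up with the same fresh key.

    replayed_key_factor models a recorded key-side factor being presented
    again: the lock's own fresh factor still changes the result.
    Returns the key-side factor that was used.
    """
    r_lock = lock.fresh_factor()
    r_key = replayed_key_factor or key.fresh_factor()
    # Assumed: the factors travelled encrypted inside authentication data
    # that both sides have already verified.
    lock.session_key = derive_session_key(lock.ident, key.ident, r_lock, r_key)
    key.session_key = derive_session_key(lock.ident, key.ident, r_lock, r_key)
    return r_key
```

Because the lock contributes its own fresh factor on every insertion, a session key from an earlier insertion is never reproduced even if the key-side factor repeats.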
In this implementation, after a key storing digital key information is lost, the passive locks that the digital key is authorized for can be retrieved at the cloud according to the ID of the lost key. To prevent someone who finds the key from using it to unlock illegally, the identifier of the lost key needs to be written into the retrieved passive locks; when the lost key is inserted into the lock cylinder, it is detected as a lost key, and the lock cylinder actively sends an instruction to clear the digital keys in the lost key.
The process of writing the lost key ID into the lock cylinder is as follows:
the passive locks that Bluetooth key A is authorized to unlock are retrieved from the cloud management platform by the identification ID of the lost Bluetooth key A;
a new Bluetooth key B is used, and a Bluetooth connection is established between the Bluetooth key B and the mobile phone APP; identity authentication and session key negotiation are the same as in the process of issuing a digital key; the mobile phone APP encrypts and issues information such as the ID and the failure time of the lost key A, which is stored in the Bluetooth key B; the user inserts the Bluetooth key B into the retrieved passive lock, and the ID of key A is written into the key blacklist of the passive lock;
when the Bluetooth key A is inserted into the passive lock again, the passive lock detects that it is a lost Bluetooth key; if the authorization information in the Bluetooth key A is judged to still be valid according to the authorization failure time, the passive lock does not respond to the unlocking instruction and instead encrypts and sends an authorization clearing instruction to the Bluetooth key A, whereupon the Bluetooth key A deletes the authorized digital key;
the above maintenance procedure is adopted to prevent unauthorized persons from unlocking illegally with an authorized Bluetooth key that the user has lost.
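The lock-side handling of a lost key, as an added example that is not part of the patent text. The class names, the result strings and the integer timestamps are assumptions; authentication and encryption of each exchange are omitted; and the behaviour after the failure time has passed (refuse without sending a clear instruction) is an assumption, since the page only describes the still-valid case.

```python
CLEAR_AUTHORIZATION = "CLEAR_AUTHORIZATION"  # hypothetical instruction name


class BluetoothKey:
    def __init__(self, key_id, digital_keys=None, blacklist_updates=None):
        self.key_id = key_id
        # lock_id -> failure time of the authorization (constructed integers)
        self.digital_keys = dict(digital_keys or {})
        # lock_id -> [(lost_key_id, failure_time)], loaded by the mobile phone APP
        self.blacklist_updates = dict(blacklist_updates or {})

    def receive(self, instruction):
        # On the clear instruction the key deletes its authorized digital keys.
        if instruction == CLEAR_AUTHORIZATION:
            self.digital_keys.clear()


class PassiveLock:
    def __init__(self, lock_id):
        self.lock_id = lock_id
        self.blacklist = {}  # lost key_id -> failure time

    def on_insert(self, key, now):
        """Decide what happens when a key is inserted at time `now`.

        Where the unpowered lock gets `now` from is not stated on the page.
        """
        # Step 1: take any blacklist entries addressed to this lock (key B).
        for lost_id, failure_time in key.blacklist_updates.pop(self.lock_id, []):
            self.blacklist[lost_id] = failure_time

        # Step 2: the blacklist check comes before any unlock handling.
        if key.key_id in self.blacklist:
            if now < self.blacklist[key.key_id]:
                # Authorization would still be valid: refuse and wipe the key.
                key.receive(CLEAR_AUTHORIZATION)
                return "refused, authorization cleared"
            return "refused"  # assumption: already expired, nothing to clear

        # Step 3: ordinary offline check of the digital key's validity period.
        failure_time = key.digital_keys.get(self.lock_id)
        if failure_time is not None and now < failure_time:
            return "unlock allowed"
        return "refused"


def lost_key_scenario():
    """Constructed walk-through: key A is lost, key B carries the blacklist."""
    lock = PassiveLock("LOCK-A")
    key_a = BluetoothKey("KEY-A", digital_keys={"LOCK-A": 2000, "LOCK-B": 2000})
    key_b = BluetoothKey("KEY-B", blacklist_updates={"LOCK-A": [("KEY-A", 2000)]})
    before = lock.on_insert(key_a, now=1000)   # before the loss is reported
    lock.on_insert(key_b, now=1100)            # maintenance visit with key B
    after = lock.on_insert(key_a, now=1200)    # lost key presented again
    return before, after, key_a.digital_keys
```

Once any blacklisted lock has cleared key A, its authorizations for the other locks are gone as well, so those locks refuse it through the ordinary validity check.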
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and should not be taken as limiting the scope of the present invention, which is intended to cover any modifications, equivalents, improvements, etc. within the spirit and scope of the present invention.

Claims (2)

1. A passive lock identity authentication and key agreement system based on a state cryptographic algorithm, characterized in that: the system comprises a cloud management platform, a mobile phone APP, a Bluetooth key and a passive lock; the cloud management platform comprises a cloud key management system, a cloud security service and a cloud business service; the cloud business service provides business support for usage scenarios; the cloud security service handles services related to communication security; the cloud key management system generates an identification key pair for each passive lock device and each user according to its respective identification ID, the identification key pair comprising an identification public key and an identification private key;
the mobile phone APP communicates upward with the cloud management platform; the mobile phone APP comprises a security component and a business module; a user account logs in to the mobile phone APP through the business module, and information on the manageable passive locks within the user's permission range is obtained from the cloud management platform;
the Bluetooth key comprises a main state-cryptographic security chip, a Bluetooth module and a main contact, and the Bluetooth key communicates upward with the mobile phone APP through the Bluetooth module;
the passive lock comprises a branch state-cryptographic security chip, branch contacts and a driving motor; after the Bluetooth key is inserted into the passive lock, the Bluetooth key powers the passive lock through contact between the main contact and the branch contacts, and a communication line is established; the state cryptographic asymmetric algorithm SM2 and the symmetric encryption algorithm SM4 are applied, the random numbers are true random numbers, the SM3 digest algorithm is adopted, and the passive lock processes the cryptographic algorithms in hardware;
the security component comprises a security interface and secure storage implemented on the basis of the state cryptographic algorithms; the secure storage in the mobile phone stores offline digital key information securely in a dispersed manner; the main state-cryptographic security chip and the branch state-cryptographic security chip have the same structure, each comprising an identification ID module, a security service module and a business logic module;
the passive lock verifies the digital key information distributed by the cloud management platform, authenticates the legitimacy of the authorization through the digital signature in the verification information, and, after successful authentication, the driving motor drives the electronic part to unlock electronically;
the cloud business service provides business support for usage scenarios, the business support comprising responding to a mobile phone APP login request, issuing a user identification key pair, requesting unlocking permission, and reporting lock/unlock records;
the communication-security related services comprise issuing the device identification identity information of a passive lock in the production stage, identity authentication between the passive lock and the mobile phone APP, negotiation of a session key, encryption of data issued by the cloud, and decryption of data reported by the mobile phone APP;
the passive lock is passive, and its identification key pair and the identification public key of the cloud management platform are securely distributed by the cloud key management system in the production stage;
the passive lock online unlocking process comprises the following steps: a permission manager of the cloud management platform assigns user A the permission to unlock the passive lock A; user A connects the mobile phone to the network, logs in to user A's account on the mobile phone APP, and turns on the phone's Bluetooth; user A wakes up the Bluetooth key in hand, the Bluetooth module of the Bluetooth key starts broadcasting, and the mobile phone APP scans for Bluetooth devices to form a Bluetooth key list; the first time user A connects the Bluetooth key, the user must select it manually, and afterwards it can be connected automatically; after the Bluetooth key is connected to the mobile phone APP, the Bluetooth key communicates with the mobile phone APP and reports the Bluetooth key state information; the Bluetooth key is inserted into the passive lock A, the Bluetooth key supplies power to the passive lock A through contact between the main contact and the branch contacts, and a communication line is established through the contacts; after the passive lock A is powered on, its built-in state-cryptographic security chip starts to work and communicates with the Bluetooth key; in the online unlocking mode, the Bluetooth key is responsible for relaying data up and down between the passive lock A and the user's mobile phone APP, so what follows describes the interaction between the passive lock A and the mobile phone APP; the data sent by the mobile phone APP is data related to user A, and "the mobile phone APP" below denotes the mobile phone APP after user A has logged in; the passive lock A sends a lock-ready state to the mobile phone APP, and after the passive lock A receives a reply, the passive lock A and the mobile phone APP perform identity authentication; the passive lock A sends authentication data to the mobile phone APP, which the mobile phone APP uses to verify the identity of the passive lock A and confirm that the passive lock A is a legitimate device; at this point the mobile phone APP communicates with the cloud management platform, and the cloud management platform verifies the identity of the passive lock A; after verifying that the identity of the passive lock A is legitimate, the cloud management platform sends the authentication data for the passive lock A to the mobile phone APP; the mobile phone APP generates its own authentication data from the authentication data returned by the cloud management platform and sends it to the passive lock A; after receiving the authentication data of the mobile phone APP, the passive lock A verifies the user identity of the mobile phone APP; after the authentication passes, a session key is negotiated from the authentication data sent by the passive lock A and the received mobile phone APP authentication data; the source of the data is confirmed to be trustworthy after identity authentication; the random numbers used for the session key are encrypted and the key never appears on the communication link, which guarantees the confidentiality of the data; the mobile phone APP negotiates the same session key in the same way; this session key is valid only for the current session, a new session key is negotiated the next time the key is inserted, and the session key is known only by way of this negotiation; after the passive lock A and the mobile phone APP have completed authentication and negotiation, communication is encrypted with the session key; the mobile phone APP sends an unlocking instruction as ciphertext, the passive lock A decrypts the instruction and executes electronic unlocking according to the instruction; after electronic unlocking, user A rotates the lock cylinder with the Bluetooth key to perform the unlocking action; after unlocking succeeds, the unlocking record formed by the lock cylinder is reported to the mobile phone APP in ciphertext form; the mobile phone APP reports the unlocking record to the cloud management platform;
the mobile phone offline unlocking process comprises the following steps: normal operation is carried out where there is no network at the location of the lock cylinder; a permission manager of the cloud management platform assigns user A the permission to unlock the passive lock A; at a location with network coverage, user A applies on the mobile phone APP for the unlocking permission data of the passive lock A, which is called an offline digital key; the offline digital key contains the authentication information and time range information for user A to unlock the passive lock A, and the offline digital key is stored securely and in dispersed form on the mobile phone APP.
2. The passive lock identity authentication and key agreement system based on a state cryptographic algorithm according to claim 1, characterized in that: in the passive lock production stage, the cloud key management system cooperates with the cloud security service to issue the passive lock's identification key pair into the passive lock, where it is stored securely by the state-cryptographic security chip in the passive lock; when the mobile phone APP logs in to a user account, the cloud security service securely issues an identification key pair for the user, and the user's identification key pair is stored securely in the mobile phone.
CN202210079490.3A 2022-01-24 2022-01-24 Passive lock identity authentication and key agreement system based on state cryptographic algorithm Active CN114401087B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210079490.3A CN114401087B (en) 2022-01-24 2022-01-24 Passive lock identity authentication and key agreement system based on state cryptographic algorithm

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210079490.3A CN114401087B (en) 2022-01-24 2022-01-24 Passive lock identity authentication and key agreement system based on state cryptographic algorithm

Publications (2)

Publication Number Publication Date
CN114401087A CN114401087A (en) 2022-04-26
CN114401087B true CN114401087B (en) 2023-03-10

Family

ID=81233700

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210079490.3A Active CN114401087B (en) 2022-01-24 2022-01-24 Passive lock identity authentication and key agreement system based on state cryptographic algorithm

Country Status (1)

Country Link
CN (1) CN114401087B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114821867A (en) * 2022-06-08 2022-07-29 润芯微科技(江苏)有限公司 Method and system for realizing digital key based on MCU and wireless communication module

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104809795A (en) * 2015-05-21 2015-07-29 河南传通电子科技有限公司 Circuit structure utilizing mobile phone APP (Application Program), cloud platform and Bluetooth intelligent key control switch lock and implementation method of circuit structure
CN105023334A (en) * 2015-08-10 2015-11-04 广东文城科技发展有限公司 Unlocking and locking control method based on cloud platform and mobile phone APP
CN106296922A (en) * 2016-08-12 2017-01-04 杭州聪灵科技有限公司 A kind of passive intelligent lock cylinder system and implementation method thereof
CN111415445A (en) * 2020-04-28 2020-07-14 北京仁信证科技有限公司 Logistics box management method and device, computer equipment and storage medium
CN111815813A (en) * 2020-06-22 2020-10-23 北京智辉空间科技有限责任公司 Electronic lock safety system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113595985A (en) * 2021-06-30 2021-11-02 江西海盾信联科技有限责任公司 Internet of things security cloud platform implementation method based on state cryptographic algorithm security chip


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: A1501, 15 / F, No. 22, Zhongguancun Street, Haidian District, Beijing 100089

Applicant after: Beijing xinchangcheng Technology Development Co.,Ltd.

Address before: No. 302, floor 3, building 4, No. 9, Zhongguancun Street, Haidian District, Beijing 100086

Applicant before: BEIJING RENXINZHENG TECHNOLOGY CO.,LTD.

GR01 Patent grant