CN115208685A - Terminal equipment digital identity management method - Google Patents
Terminal equipment digital identity management method Download PDFInfo
- Publication number
- CN115208685A CN115208685A CN202210889790.8A CN202210889790A CN115208685A CN 115208685 A CN115208685 A CN 115208685A CN 202210889790 A CN202210889790 A CN 202210889790A CN 115208685 A CN115208685 A CN 115208685A
- Authority
- CN
- China
- Prior art keywords
- terminal equipment
- security chip
- digital identity
- devid
- authenticated
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0853—Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02P—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
- Y02P90/00—Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
- Y02P90/30—Computing systems specially adapted for manufacturing
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Power Engineering (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention provides a terminal equipment digital identity management method which reduces the working difficulty of a digital identity management mechanism and reduces the probability of working errors of the digital identity management mechanism on the basis of ensuring the safe implementation of digital identity management. In the technical scheme of the invention, a security chip is embedded in intelligent terminal equipment to serve as a digital identity carrier, and a two-stage digital identity registration mechanism is adopted: digital identity binding and networking identity authentication ensure that only terminal equipment which is provided with a security chip and obtains authorization can be networked; the unified safety management of different manufacturers and different types of equipment is realized by the combined use of the digital identity service system, the safety chip serial number and the USB-Key.
Description
Technical Field
The invention relates to the technical field of intelligent traffic terminal equipment digital identity management, in particular to a terminal equipment digital identity management method.
Background
In modern traffic control, intelligent traffic terminal equipment is widely used on urban and rural roads. In traffic management, the intelligent traffic terminals need to be connected to a network in a unified manner, and centralized management is performed through a device management system. In order to realize the secure networking access of the terminal device and prevent the illegal access of the non-record authorization device, in the prior art, a digital identity is generally given to the terminal device, and the identity authentication is performed on the terminal device based on the digital identity. However, in the current digital identity management method, each kind or each kind of terminal equipment is usually given a digital identity, a digital identity management mechanism needs to issue digital identities separately for different terminal equipment, and then a terminal equipment manufacturer embeds the digital identities issued by the digital identity management mechanism into the corresponding terminal equipment; all maintenance and management of digital identities is done at the digital identity management authority, which results in a very complex and error prone operation of the digital identity management authority.
Disclosure of Invention
In order to solve the problem that the digital identity management mechanism is complex in maintenance and management work of the digital identity in the conventional terminal equipment digital identity management method, the invention provides the terminal equipment digital identity management method, which reduces the work difficulty of the digital identity management mechanism and reduces the probability of work errors of the digital identity management mechanism on the basis of ensuring the safe implementation of digital identity management.
The technical scheme of the invention is as follows: a terminal equipment digital identity management method is characterized by comprising the following steps:
s1: a terminal equipment administration uses a security chip embedded in the terminal equipment as a carrier of the digital identity, and the terminal equipment administration initializes the security chip through a digital identity service system and writes the digital identity in the security chip;
the digital identities include: a security chip serial number SamID and a security chip first chip digital certificate SamKert 1;
the first chip digital certificate samcet 1 includes: samID and a security chip public key SamPubKey;
the SamID of the security chip is generated by the sequential coding of the administrative department of the terminal equipment, and the type of equipment embedded in the security chip is not distinguished;
the secure chip public key SamPubKey and a private key SamPriKey stored in the secure chip form a key pair, and the SamPubKey and the SamPriKey are both generated in the secure chip;
s2: a terminal equipment manufacturer embeds the security chip into a terminal equipment to be authenticated, uses a USB-Key issued by a terminal equipment administration department, writes a terminal equipment serial number DevID corresponding to the terminal equipment to be authenticated into the security chip through terminal equipment serial number management software, and pre-binds the terminal equipment serial number DevID and the digital identity of the security chip;
a manufacturer digital certificate KeyCert issued by the administrative department for a terminal equipment manufacturer is stored in the USB-Key, and a manufacturer code factID and an equipment type code DevtypeID are stored in the manufacturer digital certificate KeyCert;
the serial number DevID of the terminal equipment comprises: equipment manufacturer code, equipment type code and equipment serial number;
when writing in a serial number DevID of a terminal device, the security chip verifies the consistency of the device manufacturer code and the factID in the KeyCert and the consistency of the device type code and the DevtypeID in the KeyCert;
s3: after writing in a terminal equipment serial number, the security chip returns prebinding request data PreBindRequust to the terminal equipment serial number management software;
s4: the terminal equipment manufacturer transfers the pre-binding request data PreBindRequst and the terminal equipment to be authenticated to a terminal equipment user unit together;
s5: the user unit of the terminal equipment leads the pre-binding request data PreBindRequst into a digital identity service system and records the digital identity of the terminal equipment;
s6: the terminal equipment to be authenticated is networked before being put into use, and applies for the authority of networking access to the digital identity service system; the digital identity service system sends authorization information to a security chip embedded in the terminal equipment to authorize the networking authority of the terminal equipment to be authenticated;
s7: in the using process, before the authorized terminal equipment to be authenticated is used in a networking mode again, the terminal equipment to be authenticated and the digital identity service system perform networking identity authentication, and the terminal equipment to be authenticated and the digital identity service system can be used in a networking mode only after the authentication is passed.
It is further characterized in that:
when the security chip is initialized by the terminal equipment administration department, initializing the information stored in the security chip further comprises: the method comprises the following steps that initialization time SamInitTime of a security chip, a root certificate RootCert corresponding to a private key used for issuing a certificate SamCoert 1, and a desensitization key DesenKey used for desensitizing the digital identity of the security chip are obtained;
in step S2, the pre-binding process of the serial number DevID of the terminal device and the digital identity of the security chip includes:
a1: the terminal equipment manufacturer embeds the security chip into the terminal equipment to be authenticated and connects the terminal equipment to be authenticated with a computer provided with the terminal equipment serial number management software in a communication way;
a2: the terminal equipment serial number management software calls a USB-Key to generate first authentication request data and sends the first authentication request data to the security chip embedded in the terminal equipment to be authenticated;
the first authentication request data includes: the signature RND1sig of the RND1 and the digital certificate KeyCert of the USB-Key by the private keys of the random number RND1 and the USB-Key;
a3: the security chip verifies the validity of the first authentication request data;
the validity verification specifically comprises: verifying the correctness of KeyCert and RND1sig, and analyzing and obtaining FactID, devtypeID and KeyPubKey from the KeyCert, wherein the KeyPubKey is a public Key of a USB-Key;
a4: the security chip generates first authentication request response data and sends the first authentication request response data to the terminal equipment serial number management software;
the first authentication request response data includes: the method comprises the steps that random numbers RND2 generated by a security chip, a signature value RND12sig of SamPrIKey to RND1| | | RND2 and a digital certificate SamKert 1 of the security chip are called by the security chip;
wherein, | | represents information cascade operation;
a5: the terminal equipment serial number management software verifies the correctness of the first authentication request response data, encodes and generates DevID, calls USB-Key to sign data consisting of system time PCsysTime, RND2 and DevID to obtain DevIdRNDsig, and finally generates second authentication request data and sends the second authentication request data to the terminal equipment to be authenticated;
the verifying the correctness of the first authentication request response data by calling a USB-Key by the serial number management software of the terminal equipment specifically comprises the following steps: verifying the validity of a first digital certificate SamCoort 1 of a security chip, analyzing the SamCoort 1 to obtain a public key SamPubKey of the security chip, and verifying the signature RND12sig of RND1| | RND2 by using the SamPubKey;
the second authentication request data includes: PCSysTime, RND2, devID and DevIDRndsig;
a6: the security chip verifies the correctness of the second authentication request data and returns prebonding request data PreBindRequst to the terminal equipment serial number management software;
the pre-binding request data comprises SamID, devID, PCsysTime, samInitTime and SamFilt 1, and a result PreBindReqsig for signing SamID | | | DevID | | PCsysTime | | SamInitTime by calling SamPrIkey by the security chip;
in step a6, the security chip verifies the correctness of the second authentication request data, specifically including the following verification contents:
verifying whether the device vendor code and the device type code in the DevID are consistent with the relevant fields in the digital certificate KeyCert;
verifying whether the time PCsysTime is later than SamInitTime;
verifying whether the RND2 is consistent with the RND2 generated in the step a 4;
verifying the signature value DevIDRndsig by using KeyPubKey;
if the four verifications are passed, storing the DevID and PCsysTime in the security chip;
the terminal equipment to be authenticated simultaneously saves the DevID in an independent memory in the terminal equipment to be authenticated;
in step S6, the process of authorizing the networking right to the terminal device to be authenticated by the digital identity service system includes the following steps:
b1: the terminal equipment to be authenticated is networked before being put into use, and the authority of networking access is applied to the digital identity service system;
b2: the service system verifies the validity of the PreBindRequst field of the terminal equipment to be authenticated;
the specific verification content comprises the following steps:
it is verified whether SamFilt 1 is issued by the competent department, and within the validity period,
verifying whether the sequence number obtained by analyzing SamID and SamKert 1 is consistent or not;
verifying whether a manufacturer code and a device type code in the DevID are legal or not, and the DevID is not bound with other security chips;
verifying a signature value PreBindReqsig by using a public key in the digital certificate SamKert 1, and verifying a security chip initialization time SamInitTime and a terminal device pre-binding time PCsysTime
If the verification is passed, the digital identity service system calls a networking authorization module to sign and generate a networking authorization file, and sends the networking authorization file to the security chip;
the networking authorization file content comprises: devID, samID, authTime, security chip second digital certificate SamKert 2, and networking authorization File signature value
The networking authorization file signature value is as follows: the digital identity service system root private key is used for signing the DevID [ SamID ] AuthTime [ SamKet 2 ] data;
the serial number in the secure chip second digital certificate SamCert2 includes: samID and a terminal equipment serial number desensitization value DesenDevID; the terminal equipment serial number desensitization value is obtained by desensitizing SAMID | | | DevID by using a desensitization key DesenKey;
b3: the security chip of the terminal equipment to be authenticated calls a public key of RootCert to verify the signature value of the networking authorization file, and verifies whether the DevID and the SamID in the networking authorization file are consistent with the value stored in the security chip or not;
if the verification is passed, the validity of the SamCET 2 is verified, after the validity verification of the SamCET 2 is passed, the authentication is successful, and the terminal equipment to be authenticated returns the successful authentication state to the digital identity service system;
the digital identity service system updates the state information of the terminal equipment to be authenticated in the system and completes the networking authorization process of the terminal equipment to be authenticated;
the step of verifying the validity of SamCort 2 comprises the following steps:
the security chip analyzes SamKert 2 to obtain SamID, desenDevID and a public key, and carries out the following verification:
c1: judging whether the public key is consistent with a secure chip public key SamPubKey or not;
c2: judging whether SamID obtained through SamKert 2 analysis is consistent with SamID stored in the security chip or not;
c3: the security chip calls the desensitization key DesenKey to calculate the MAC check value of SAMID | | | DevID, and the MAC check value is compared with the DesenDevID in a consistent mode;
if the verification of c 1-c 3 is passed, the security chip stores SamCErt2, authTime and DesenDevID in the chip;
in step S7, before the authorized terminal device to be authenticated is re-networked for use each time, when performing the networking identity authentication with the service system, a security chip embedded in the terminal device performs bidirectional identity authentication with the service system based on the security chip second digital certificate SamCert2, where the security chip second digital certificate SamCert2 is a digital identity of the security chip networking access system;
when the security chip performs the networking identity authentication, the DevID stored in the terminal equipment memory is also required to be sent to a service system for verification and comparison, and the networking identity authentication is completed after the DevID passes the verification and comparison.
The invention provides a terminal equipment digital identity management method, which uses a security chip embedded in terminal equipment as a carrier of digital identity, wherein the first digital identity of the security chip does not distinguish the equipment type embedded in the security chip, and only uses the sequence coding of the chip to distinguish the security chip through the serial number SamID of the security chip; when a terminal equipment manufacturer issues a security chip, a terminal equipment administrative department does not need to care about a terminal equipment manufacturer and an equipment type corresponding to the serial number, so that the initialization and the issuance of the security chip are more convenient, the working difficulty of a digital identity management mechanism is reduced, and the probability of working errors of the digital identity management mechanism is reduced; at the side of a terminal equipment manufacturer, because the serial number of the security chip embedded in the terminal equipment does not have attribute fields such as manufacturer, model and the like, the equipment can randomly select one security chip to be embedded into the equipment during production, thereby facilitating the manufacturer to carry out production management and not increasing the difficulty of the terminal equipment manufacturer in managing the digital identity of the security chip. In the method, the serial numbers of the safety chips of different manufacturers and different types of equipment are ensured not to interfere with each other through the USB-Key, so that the uniqueness of the serial numbers of the equipment is ensured; a terminal equipment manufacturer can write the terminal equipment serial number which accords with the coding rule into the security chip only by using a special USB-Key, so that the safety of writing the equipment serial number in the security chip is ensured; the security chip written with the serial number of the terminal equipment can be networked only after being authorized by the digital identity service system, so that the networking can be ensured only when the security chip is installed and authorized terminal equipment is obtained, the network security is improved, and meanwhile, the modified serial number of the unauthorized terminal equipment cannot be networked, so that the equipment serial number can be prevented from being maliciously modified under the unauthorized condition; the method realizes the uniform safety management of different manufacturers and different types of equipment by the combined use of the digital identity service system, the safety chip serial number and the USB-Key, and simultaneously reduces the complexity of the digital identity management.
Drawings
FIG. 1 is a schematic diagram of a digital identity management system according to the present invention;
fig. 2 is a schematic flow chart of a terminal device digital identity management method provided by the present invention;
FIG. 3 is a schematic diagram illustrating a pre-binding process between a serial number of a terminal device and a security chip;
fig. 4 is a diagram illustrating digital identity pre-binding data flow.
Detailed Description
As shown in fig. 1, in the technical scheme of the present invention, a security chip is embedded in an intelligent terminal device as a digital identity carrier, and a two-stage digital identity registration mechanism is adopted, so that the problem that the identity management of the terminal device in the prior art is too complicated is solved; in the method, a digital identity management department manages the digital identity of the terminal equipment with the embedded security chip through a terminal equipment digital identity service system (hereinafter referred to as a digital identity service system).
The two-stage digital identity registration mechanism in the method comprises the following steps: digital identity binding and networking identity authentication.
In the process of binding the digital identity of the terminal equipment to be authenticated, a digital identity service system codes to generate a security chip serial number SAMID and issues a first chip digital certificate SamKet 1 for an embedded security chip of the terminal equipment to be authenticated; the digital identity service system maintains the manufacturer code FactID and the equipment type code DetypeID of all terminal equipment manufacturers, and issues a digital certificate KeyCert of the USB-Key for all the terminal equipment manufacturers according to the FactID and the DetypeID code value of each terminal equipment.
In order to reduce the complexity of the work of digital identity management, reduce the work difficulty of a digital identity management department and reduce the error probability in the work, the method decomposes the management of the digital identity into the following steps: the management of the security chip by the terminal equipment administrative department, the distribution and management of the digital identity of the terminal equipment by the terminal equipment manufacturer and the digital identity filing management before the terminal equipment is used by the terminal equipment user unit.
The terminal equipment manufacturer uses the USB-Key issued by the terminal equipment administrative department, writes the terminal equipment serial number DevID corresponding to the terminal equipment to be authenticated into the security chip through the terminal equipment serial number management software, and pre-binds the terminal equipment serial number DevID and the digital identity of the security chip.
The KeyCert of the USB-Key corresponds to a group of FactiD and DetypeID codes, a manufacturer code and a device type code field in a terminal device serial number DevID written into the security chip must be consistent with the FactiD and DetypeID codes in a digital certificate KeyCert, and when the terminal device serial number management software is used for writing, the correctness of the digital identity is further ensured by ensuring that the manufacturer code and the device type code in the terminal device serial number DevID are consistent with those in the digital certificate KeyCert. Even for terminal equipment manufacturers with multiple types of terminal equipment, when the security chip is embedded into the terminal equipment, the corresponding relation of the security chip does not need to be mistaken. Because the serial number of the security chip embedded in the terminal equipment does not have attribute fields such as manufacturers, models and the like, the equipment can randomly select one security chip embedded equipment during production, and great convenience is brought to manufacturers for production management
After a terminal equipment manufacturer pre-binds a terminal equipment serial number DevID and a digital identity of a security chip, before the terminal equipment is put into use, a terminal equipment user unit leads pre-binding request data PreBindRequst into a digital identity service system to record the digital identity of the terminal equipment, and then the digital identity service system applies for the right of networking access before the terminal equipment is put into use, so that the illegal equipment which is not recorded cannot pass the networking authorization verification of the digital identity service system.
In order to ensure that the digital identity cannot be tampered when the terminal device which passes the authorization is in use, and simultaneously prevent the illegal device from using the authorized security chip to impersonate the network, after the terminal device which has obtained the authorization is disconnected from the network due to reasons such as power failure, the terminal device is required to be connected to the network after the terminal device is authenticated by the networking identity authentication in order to ensure that the terminal device is not tampered illegally when the network is connected again.
After the digital identity binding verification is passed, the digital identity service system responds to the binding request of the terminal equipment, and a security chip embedded in the terminal equipment signs a security chip second chip digital certificate SamCort 2; in the networking identity authentication process, the digital identity service system uses a security chip second chip digital certificate SamKert 2 as a digital identity to verify the terminal equipment networking access information system.
As shown in fig. 2, the method for managing digital identities of terminal devices according to the present invention includes the following steps.
S1: a terminal equipment administration uses a security chip embedded in the terminal equipment as a carrier of the digital identity, and the terminal equipment administration initializes the security chip through a digital identity service system and writes the digital identity in the security chip;
the digital identities include: a security chip serial number SamID and a security chip first chip digital certificate SamKert 1;
the first chip digital certificate SamCert1 includes: samID and a secure chip public key SamPubKey;
the SamID of the security chip is generated by the sequential coding of the administrative department of the terminal equipment, and the type of equipment embedded in the security chip is not distinguished;
the secure chip public key SamPubKey and the private key SamPriKey stored in the secure chip form a key pair, and the SamPubKey and the SamPriKey are both generated in the secure chip.
When the security chip is initialized by the terminal device administration, initializing the information stored in the security chip further includes: the secure chip initialization time SamInitTime, a root certificate RootCert corresponding to a private key used for issuing a certificate SamKet 1, and a desensitization key DesenKey used for desensitizing the digital identity of the secure chip.
S2: a terminal equipment manufacturer embeds a security chip into a terminal equipment to be authenticated, uses a USB-Key issued by a terminal equipment administrative department, writes a terminal equipment serial number DevID corresponding to the terminal equipment to be authenticated into the security chip through terminal equipment serial number management software, and pre-binds the terminal equipment serial number DevID and a digital identity of the security chip;
a manufacturer digital certificate KeyCert signed and issued by a competent department for a terminal equipment manufacturer is stored in the USB-Key, and a manufacturer code factID and an equipment type code DetypeID are stored in the manufacturer digital certificate KeyCert;
the serial number DevID of the terminal device includes: equipment manufacturer code, equipment type code and equipment serial number;
when writing in the serial number DevID of the terminal equipment, the security chip verifies the consistency between the equipment manufacturer code and the factID in the KeyCert and the consistency between the equipment type code and the DevtypeID in the KeyCert.
As shown in fig. 3 and 4, the pre-binding process of the serial number DevID of the terminal device and the digital identity of the security chip includes:
a1: a terminal equipment manufacturer embeds the security chip into the terminal equipment to be authenticated and connects the terminal equipment to be authenticated with a computer provided with terminal equipment serial number management software in a communication way;
a2: the terminal equipment serial number management software calls a USB-Key to generate first authentication request data and sends the first authentication request data to a security chip embedded in the terminal equipment to be authenticated;
the first authentication request data includes: the signature RND1sig of the RND1 and the digital certificate KeyCert of the USB-Key by the private keys of the random number RND1 and the USB-Key;
a3: the security chip verifies the validity of the first authentication request data;
the validity verification specifically comprises: verifying the correctness of KeyCert and RND1sig, and analyzing and obtaining FactID, devtypeID and KeyPubKey from KeyCert, wherein the KeyPubKey is a public Key of a USB-Key;
a4: the security chip generates first authentication request response data and sends the first authentication request response data to the terminal equipment serial number management software;
the first authentication request response data includes: the random number RND2 generated by the security chip, the signature value RND12sig of RND1| | | RND2 by the security chip calling SamPrIKey, and a digital certificate SamKert 1 of the security chip; wherein, | | represents information cascade operation;
a5: the terminal equipment serial number management software verifies the correctness of the first authentication request response data, encodes and generates DevID, calls USB-Key to sign data consisting of system time PCsysTime, RND2 and DevID to obtain DevIdRNDsig, and finally generates second authentication request data and sends the second authentication request data to the terminal equipment to be authenticated;
the method for verifying the correctness of the first authentication request response data by calling a USB-Key by the serial number management software of the terminal equipment specifically comprises the following steps: verifying the validity of a first digital certificate SamKert 1 of the security chip, analyzing the SamKert 1 to obtain a public key SamPubKey of the security chip, and verifying the signature RND12sig of RND1| | RND2 by using the SamPubKey;
the second authentication request data includes: PCSysTime, RND2, devID and DevIDRndsig;
a6: the safety chip verifies the correctness of the second authentication request data and returns prebonding request data PreBindRequst to the terminal equipment serial number management software;
the pre-binding request data includes SamID, devID, PCSysTime, samInitTime, samsert 1, and the result prebondreqsig that the secure chip calls SamPriKey to sign SamID | | DevID | | PCSysTime | | SamInitTime.
In step a6, the security chip verifies the correctness of the second authentication request data, which specifically includes the following verification contents:
verifying whether the device manufacturer code and the device type code in the DevID are consistent with the relevant fields in the digital certificate KeyCert;
verifying whether the time PCsysTime is later than SamInitTime;
verifying whether the RND2 is consistent with the RND2 generated in the step a 4;
verifying the signature value DevIDRndsig by using KeyPubKey;
if the four verifications are passed, storing the DevID and the PCsysTime in a security chip;
the terminal equipment to be authenticated simultaneously saves the DevID in an independent memory in the terminal equipment to be authenticated.
The device serial number written into the security chip can be validated only after authorized binding, so that the device serial number can be effectively prevented from being tampered. Terminal equipment manufacturers can write the serial numbers meeting the coding rules into the security chip only by using the special USB-Key, and the serial numbers can take effect only after being authorized by the service system, so that the safety of writing the serial numbers of the equipment is ensured, and the serial numbers of the equipment can be prevented from being maliciously modified under the unauthorized condition. Meanwhile, the USB-Key is introduced into the method, so that the serial numbers of different manufacturers and different types of equipment cannot interfere with each other, and the uniqueness of the serial numbers of the equipment is ensured.
S3: after the serial number of the terminal equipment is written in, the safety chip returns the prebinding request data PreBindRequst to the serial number management software of the terminal equipment.
S4: and the terminal equipment manufacturer transfers the pre-binding request data PreBindRequust and the terminal equipment to be authenticated to a terminal equipment user unit together.
S5: and the user unit of the terminal equipment leads the pre-binding request data PreBindRequust into a digital identity service system and records the digital identity of the terminal equipment.
S6: the terminal equipment to be authenticated is networked before being put into use, and the authority of networking access is applied to the digital identity service system; and the digital identity service system sends authorization information to a security chip embedded in the terminal equipment to authorize the networking permission of the terminal equipment to be authenticated.
The process of the digital identity service system for providing the networking authority for the terminal equipment to be authenticated comprises the following steps in detail:
b1: the terminal equipment to be authenticated is networked before being put into use, and the authority of networking access is applied to the digital identity service system;
b2: the service system verifies the validity of the PreBindRequust field of the terminal equipment to be authenticated;
the specific verification content comprises the following steps:
it is verified whether SamFilt 1 is issued by the competent department, and within the validity period,
verifying whether the sequence number obtained by analyzing SamID and SamKert 1 is consistent or not;
verifying whether a manufacturer code and a device type code in the DevID are legal or not, and the DevID is not bound with other security chips;
verifying the signature value PreBindReqsig by using a public key in a digital certificate SamKert 1, and verifying a security chip initialization time SamInitTime and a terminal device pre-binding time PCsysTime
If the verification is passed, the digital identity service system calls a networking authorization module to sign and generate a networking authorization file, and the networking authorization file is sent to the security chip;
the networking authorization file content comprises: devID, samID, authorization time AuthTime, security chip second digital certificate SamKet 2 and networking authorization file signature value
The signature value of the networking authorization file is as follows: the digital identity service system root private key is used for signing the DevID (SamID) AuthTime (SamKert 2) data;
the serial number in the secure chip second digital certificate SamCert2 includes: samID and a desensitising value desenveriD of the serial number of the terminal equipment; the terminal equipment serial number desensitization value is obtained by desensitizing SAMID | | | | DevID by using a desensitization key desenKey;
b3: the security chip of the terminal equipment to be authenticated calls a public key of RootCert to verify the signature value of the networking authorization file, and verifies whether the DevID and SamID in the networking authorization file are consistent with the value stored in the security chip or not;
if the verification is passed, the validity of the SamCET 2 is verified, after the validity verification of the SamCET 2 is passed, the authentication is successful, and the terminal equipment to be authenticated returns the successful authentication state to the digital identity service system;
and the digital identity service system updates the state information of the terminal equipment to be authenticated in the system and completes the networking authorization process of the terminal equipment to be authenticated.
In step b3, the step of verifying the validity of samsert 2 includes:
the security chip parses SamKert 2 to obtain SamID, desenDevID and public key, and verifies as follows:
c1: judging whether the public key is consistent with a secure chip public key SamPubKey or not;
c2: judging whether the SamID obtained through SamKert 2 analysis is consistent with the SamID stored in the security chip or not;
c3: the security chip calls a desensitization key DesenKey to calculate the MAC check value of SAMID | | | DevID and carries out consistency comparison with DesenDevID;
if the verification of c 1-c 3 is passed, the security chip saves SamCErt2, authTime and DesneDevID in the chip.
In the method, a second digital certificate SamKert 2 of the security chip issued and generated by the digital identity service system contains a SAMID of the security chip serial number and a desensitization value of the terminal equipment serial number, wherein the SAMID value is consistent with the SAMID value in the first digital certificate of the chip. Desensitization processing of terminal equipment serial numbers includes: and calculating the MAC check value of SAMID (identity | | | DeVID) by using the desensitization key DesenKey, wherein the obtained MAC check value is the desensitization value of the terminal equipment serial number. After the security chip is bound with the terminal equipment, the serial number of the terminal equipment and the desensitization value corresponding to the serial number of the terminal equipment are stored in the service system.
Digital identity used when authority authentication is performed before terminal equipment is networked: the security chip second digital certificate SamKert 2 is subjected to desensitization processing, so that the privacy security of the terminal equipment is effectively protected. The security chip serial number and the desensitization value of the equipment serial number are stored in a security chip second digital certificate SamKert 2 of the security chip embedded in the terminal equipment, wherein the security chip serial number does not contain any field related to equipment manufacturers or types, so that more equipment information cannot be obtained by analyzing the serial number, and the problem that the equipment information is obtained through the security chip serial number so as to illegally forge equipment identity information is solved.
S7: in the using process, before the authorized terminal equipment to be authenticated is used in a networking mode again, the terminal equipment to be authenticated and the digital identity service system are subjected to networking identity authentication, and the terminal equipment to be authenticated and the digital identity service system can be used in a networking mode only after the authentication is passed.
Before the authorized terminal equipment to be authenticated is used in a networking mode again every time and is subjected to networking identity authentication with a service system, a security chip embedded in the terminal equipment performs bidirectional identity authentication with the service system based on a security chip second digital certificate SamCET 2, and the security chip second digital certificate SamCET 2 is the digital identity of a security chip networking access system;
when the security chip carries out networking identity authentication, the DevID stored in the memory of the terminal equipment is also required to be sent to a service system for verification and comparison, and the networking identity authentication is completed after the DevID passes the verification and comparison.
The invention provides a terminal equipment digital identity management method, which decomposes the digital identity management of terminal equipment by embedding a security chip in the terminal equipment as a digital identity carrier and adopting a two-stage digital identity registration mechanism, thereby solving the problem that the existing terminal equipment identity management work is complicated. The terminal equipment digital identity management method provided by the invention improves the digital identity management efficiency, improves the security and traceability of terminal equipment digital identity issuance, and is particularly suitable for use, management and maintenance of digital identities of various types of terminal equipment.
Claims (7)
1. A terminal equipment digital identity management method is characterized by comprising the following steps:
s1: a terminal equipment administration uses a security chip embedded in the terminal equipment as a carrier of the digital identity, and the terminal equipment administration initializes the security chip through a digital identity service system and writes the digital identity in the security chip;
the digital identities include: a security chip serial number SamID and a security chip first chip digital certificate SamKert 1;
the first chip digital certificate samsert 1 includes: samID and a secure chip public key SamPubKey;
the SamID of the security chip is generated by the sequential coding of the administrative department of the terminal equipment, and the type of equipment embedded in the security chip is not distinguished;
the secure chip public key SamPubKey and a private key SamPriKey stored in the secure chip form a key pair, and the SamPubKey and the SamPriKey are both generated in the secure chip;
s2: a terminal equipment manufacturer embeds the security chip into a terminal equipment to be authenticated, uses a USB-Key issued by a terminal equipment administration department, writes a terminal equipment serial number DevID corresponding to the terminal equipment to be authenticated into the security chip through terminal equipment serial number management software, and pre-binds the terminal equipment serial number DevID and the digital identity of the security chip;
a manufacturer digital certificate KeyCert issued by the administrative department for a terminal equipment manufacturer is stored in the USB-Key, and a manufacturer code factID and an equipment type code DevtypeID are stored in the manufacturer digital certificate KeyCert;
the serial number DevID of the terminal equipment comprises: equipment manufacturer code, equipment type code and equipment serial number;
when writing in a serial number DevID of a terminal device, the security chip verifies the consistency between the device manufacturer code and the factID in the KeyCert and the consistency between the device type code and the DevTypeID in the KeyCert;
s3: after writing in the serial number of the terminal equipment, the security chip returns prebonding request data PreBindRequst to the serial number management software of the terminal equipment;
s4: the terminal equipment manufacturer transfers the pre-binding request data PreBindRequst and the terminal equipment to be authenticated to a terminal equipment user unit together;
s5: the user unit of the terminal equipment leads the prebinding request data PreBindRequst into a digital identity service system and records the digital identity of the terminal equipment;
s6: the terminal equipment to be authenticated is networked before being put into use, and applies for the authority of networking access to the digital identity service system; the digital identity service system sends authorization information to a security chip embedded in the terminal equipment to authorize the networking authority of the terminal equipment to be authenticated;
s7: in the using process, before the authorized terminal equipment to be authenticated is used in a networking mode again, the terminal equipment to be authenticated and the digital identity service system perform networking identity authentication, and the terminal equipment to be authenticated and the digital identity service system can be used in a networking mode only after the authentication is passed.
2. The method for managing digital identity of terminal equipment according to claim 1, characterized in that: when the security chip is initialized by the terminal equipment administration department, initializing the information stored in the security chip further comprises: the secure chip initialization time SamInitTime, a root certificate RootCert corresponding to a private key used for issuing a certificate SamKet 1, and a desensitization key DesenKey used for desensitizing the digital identity of the secure chip.
3. The method for managing digital identity of terminal equipment according to claim 1, characterized in that: in step S2, the pre-binding process of the serial number DevID of the terminal device and the digital identity of the security chip includes:
a1: the terminal equipment manufacturer embeds the security chip into the terminal equipment to be authenticated and connects the terminal equipment to be authenticated with a computer provided with the terminal equipment serial number management software in a communication way;
a2: the terminal equipment serial number management software calls a USB-Key to generate first authentication request data and sends the first authentication request data to the security chip embedded in the terminal equipment to be authenticated;
the first authentication request data includes: the signature RND1sig of the RND1 and the digital certificate KeyCert of the USB-Key by the private keys of the random number RND1 and the USB-Key;
a3: the security chip verifies the validity of the first authentication request data;
the validity verification specifically comprises: verifying the correctness of KeyCert and RND1sig, and analyzing and obtaining FactiD, detypeID and KeyPubKey from the KeyCert, wherein the KeyPubKey is a public Key of a USB-Key;
a4: the security chip generates first authentication request response data and sends the first authentication request response data to the terminal equipment serial number management software;
the first authentication request response data includes: the method comprises the steps that random numbers RND2 generated by a security chip, a signature value RND12sig of SamPrIKey to RND1| | | RND2 and a digital certificate SamKert 1 of the security chip are called by the security chip;
wherein, | | represents information cascade operation;
a5: the terminal equipment serial number management software verifies the correctness of the first authentication request response data, encodes and generates DevID, calls USB-Key to sign data consisting of system time PCsysTime, RND2 and DevID to obtain DevIdRNDsig, and finally generates second authentication request data and sends the second authentication request data to the terminal equipment to be authenticated;
the method for verifying the correctness of the first authentication request response data calls a USB-Key by the serial number management software of the terminal equipment, and specifically comprises the following steps: verifying the validity of a first digital certificate SamKert 1 of a security chip, analyzing the SamKert 1 to obtain a security chip public key SamPubKey, and verifying the signature RND12sig of RND1| | | RND2 by using the SamPubKey;
the second authentication request data includes: PCSysTime, RND2, devID and DevIDRndsig;
a6: the security chip verifies the correctness of the second authentication request data and returns prebonding request data PreBindRequst to the terminal equipment serial number management software;
the pre-binding request data includes SamID, devID, PCsysTime, samInitTime, samFilt 1, and a result PreBindReqsig that the secure chip calls SamPriKey to sign SamID DevID PCsysTime.
4. The method for managing digital identity of terminal equipment according to claim 3, characterized in that: in step a6, the security chip verifies the correctness of the second authentication request data, specifically including the following verification contents:
verifying whether the device vendor code and the device type code in the DevID are consistent with the relevant fields in the digital certificate KeyCert;
verifying whether the time PCsysTime is later than SamInitTime;
verifying whether the RND2 is consistent with the RND2 generated in the step a 4;
verifying the signature value DevIDRndsig by using KeyPubKey;
if the four verifications are passed, storing the DevID and the PCsysTime in the security chip;
the terminal equipment to be authenticated simultaneously saves the DevID in an independent memory in the terminal equipment to be authenticated.
5. The method for managing digital identity of terminal equipment according to claim 2, characterized in that: in step S6, the process that the digital identity service system authorizes the networking right to the terminal device to be authenticated includes the following steps:
b1: the terminal equipment to be authenticated is networked before being put into use, and applies for the authority of networking access to the digital identity service system;
b2: the service system verifies the validity of the PreBindRequst field of the terminal equipment to be authenticated;
the specific verification content comprises the following steps:
it is verified whether SamKert 1 is issued by the competent department, and within the validity period,
verifying whether the sequence number obtained by analyzing SamID and SamKert 1 is consistent or not;
verifying whether a manufacturer code and a device type code in the DevID are legal or not, and the DevID is not bound with other security chips;
verifying a signature value PreBindReqsig by using a public key in the digital certificate SamKert 1, and verifying a security chip initialization time SamInitTime and a terminal device pre-binding time PCsysTime
If the verification is passed, the digital identity service system calls a networking authorization module to sign and generate a networking authorization file, and sends the networking authorization file to the security chip;
the networking authorization file content comprises: devID, samID, authTime, security chip second digital certificate SamKert 2, and networking authorization File signature value
The networking authorization file signature value is as follows: the digital identity service system root private key is used for signing the DevID [ SamID ] AuthTime [ SamKet 2 ] data;
the serial number in the secure chip second digital certificate SamCert2 includes: samID and a terminal equipment serial number desensitization value DesenDevID; the terminal equipment serial number desensitization value is obtained by desensitizing SAMID | | | DevID by using a desensitization key DesenKey;
b3: the security chip of the terminal equipment to be authenticated calls a public key of RootCert to verify the signature value of the networking authorization file, and verifies whether the DevID and the SamID in the networking authorization file are consistent with the value stored in the security chip;
if the verification is passed, the validity of the SamCErt2 is verified, and after the validity of the SamCErt2 is verified, the authentication is successful, and the terminal equipment to be authenticated returns the successful authentication state to the digital identity service system;
and the digital identity service system updates the state information of the terminal equipment to be authenticated in the system and completes the networking authorization process of the terminal equipment to be authenticated.
6. The method for managing digital identities of terminal devices according to claim 5, wherein: the verification step of the validity of the SamPert 2 comprises the following steps:
the security chip analyzes SamKert 2 to obtain SamID, desenDevID and a public key, and carries out the following verification:
c1: judging whether the public key is consistent with a secure chip public key SamPubKey or not;
c2: judging whether the SamID obtained through SamKert 2 analysis is consistent with the SamID stored in the security chip or not;
c3: the security chip calls the desensitization key DesenKey to calculate the MAC check value of SAMID | | | DevID, and the MAC check value is compared with the DesenDevID in a consistent mode;
if the verification of c 1-c 3 is passed, the security chip saves SamCErt2, authTime and DesenDevID in the chip.
7. The method for managing digital identity of terminal equipment according to claim 5, wherein: in step S7, before the authorized terminal device to be authenticated is re-networked for use each time, when performing the networking identity authentication with the service system, a security chip embedded in the terminal device performs bidirectional identity authentication with the service system based on the security chip second digital certificate SamCert2, where the security chip second digital certificate SamCert2 is a digital identity of the security chip networking access system;
when the security chip performs the networking identity authentication, the DevID stored in the terminal equipment memory is also required to be sent to a service system for verification and comparison, and the networking identity authentication is completed after the DevID passes the verification and comparison.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210889790.8A CN115208685B (en) | 2022-07-27 | 2022-07-27 | Digital identity management method for terminal equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210889790.8A CN115208685B (en) | 2022-07-27 | 2022-07-27 | Digital identity management method for terminal equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN115208685A true CN115208685A (en) | 2022-10-18 |
| CN115208685B CN115208685B (en) | 2023-05-23 |
Family
ID=83584793
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210889790.8A Active CN115208685B (en) | 2022-07-27 | 2022-07-27 | Digital identity management method for terminal equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115208685B (en) |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20090235068A1 (en) * | 2008-03-13 | 2009-09-17 | Fujitsu Limited | Method and Apparatus for Identity Verification |
| US20140281554A1 (en) * | 2013-03-13 | 2014-09-18 | Atmel Corporation | Generating keys using secure hardware |
-
2022
- 2022-07-27 CN CN202210889790.8A patent/CN115208685B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20090235068A1 (en) * | 2008-03-13 | 2009-09-17 | Fujitsu Limited | Method and Apparatus for Identity Verification |
| US20140281554A1 (en) * | 2013-03-13 | 2014-09-18 | Atmel Corporation | Generating keys using secure hardware |
Non-Patent Citations (1)
| Title |
|---|
| 康剑萍;何曙;王沈敏;: "PKI技术在质检机构客户身份认证系统中的应用", 质量与认证 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN115208685B (en) | 2023-05-23 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| WO2020073491A1 (en) | Blockchain-based supply chain payment method, payment collection method, device, apparatus, and medium | |
| US20020138761A1 (en) | Authentication system | |
| CN103269271B (en) | A kind of back up the method and system of private key in electronic signature token | |
| CN112165382B (en) | Software authorization method and device, authorization server side and terminal equipment | |
| CN103150770A (en) | On board unit embedded secure access module (ESAM) for free stream toll collection and use method thereof | |
| CN102542451B (en) | Electronic paying method, system and device thereof | |
| CN104424676A (en) | Identity information sending method, identity information sending device, access control card reader and access control system | |
| CN103150771A (en) | Lane purchase secure access module (PSAM) for city road bridge free stream toll collection and use method thereof | |
| CN103117862B (en) | By the method for the X.509 digital certificate authentication Java certificate of openssl | |
| CN104424579A (en) | Security traceability management system | |
| KR20120112598A (en) | Implementing method, system of universal card system and smart card | |
| CN110210863A (en) | Block chain method for secure transactions, device, electronic equipment and storage medium | |
| CN108171019A (en) | Anti-counterfeit authentication method, fake certification system, fake certification equipment and storage medium | |
| CN104104671B (en) | Establish the unified dynamic authorization code system of business entity's account | |
| CN115795428A (en) | Safe reading authentication method and system for automatic driving data and electronic equipment | |
| CN1823494B (en) | Method for securing an electronic certificate | |
| CN108055240B (en) | A kind of user authentication method of shared automobile | |
| CN112073967B (en) | Method and device for downloading identity certificate of mobile phone shield equipment and electronic equipment | |
| CN106599626A (en) | Application program authorization authentication method and system | |
| CN108964883A (en) | It is a kind of using smart phone as the digital certificate store of medium and endorsement method | |
| CN115208685A (en) | Terminal equipment digital identity management method | |
| CN110516427A (en) | Auth method, device, storage medium and the computer equipment of terminal user | |
| CN105279414A (en) | Verification device based on fingerprint application and verification method based on fingerprint application | |
| CN109495276A (en) | A kind of implementation method of the electronic driving license based on SE chip, computer installation, computer readable storage medium | |
| CN104134294A (en) | Authorization authentication method based on business hall self-service terminal |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |