CN115694843B - Camera access management method, system, device and medium for avoiding counterfeiting - Google Patents

Publication number: CN115694843B
Authority: CN (China)
Legal status: Active (application granted)
Application number: CN202211700790.5A
Other languages: Chinese (zh)
Other versions: CN115694843A
Inventors: 周迪, 徐爱华, 王威杰, 朱兵, 谢小鸿, 宋敏特, 牛春咏
Current assignee: Zhejiang Uniview Technologies Co Ltd
Original assignee: Zhejiang Uniview Technologies Co Ltd
Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04: INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S: SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S 40/00: Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S 40/20: Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

The embodiments of the invention disclose a camera access management method, system, device and medium for avoiding counterfeiting. The method is executed by a switch connected to a camera on which a physical unclonable chip is configured, and comprises the following steps: acquiring identity information of an accessing camera, and determining the target challenge value-target response value pair corresponding to the camera according to the identity information, where the target challenge value-target response value pair is predetermined based on the physical unclonable chip on the camera; sending the target challenge value of the pair to the camera, and receiving the authentication response message returned by the camera; and determining the authentication result of the camera according to the comparison between the authentication response value and the target response value of the pair, so as to manage the messages sent by the camera according to the authentication result. With this scheme, security authentication of the camera is realized based on the physical unclonable chip on the camera, so that the security of camera access management is improved.

Description

Camera access management method, system, device and medium for avoiding counterfeiting
Technical Field
The invention relates to the technical field of video surveillance, in particular to a camera access management method, a camera access management system, a camera access management device and a camera access management medium.
Background
In a public-security video surveillance environment, a camera is exposed in a public place and can easily be replaced by an attacker's own device, which then intrudes into the video network and poses a serious security risk. In the prior art, a username and password are usually used to authenticate a camera, but an account name and password are easily leaked, so the security is poor. How to authenticate a camera securely, and thereby improve the security of camera access management, is therefore one of the problems to be solved urgently in video surveillance technology.
Disclosure of Invention
The invention provides a camera access management method, a camera access management system, a camera access management device and a camera access management medium, which realize security authentication of a camera based on a physical unclonable chip on the camera and effectively improve the security of camera access management.
According to one aspect of the present invention, there is provided a camera access management method for avoiding counterfeiting, the method being performed by a switch connected to a camera on which a physical unclonable chip is configured, the method including:
acquiring identity information of an accessing camera, and determining the target challenge value-target response value pair corresponding to the camera according to the identity information, wherein the target challenge value-target response value pair is predetermined based on the physical unclonable chip on the camera;
sending the target challenge value of the target challenge value-target response value pair to the camera, and receiving an authentication response message returned by the camera, wherein the authentication response message includes an authentication response value determined by the camera from the physical unclonable chip and the target challenge value;
and determining the authentication result of the camera according to the comparison between the authentication response value and the target response value of the target challenge value-target response value pair, so as to manage the messages sent by the camera according to the authentication result.
According to another aspect of the present invention, there is provided a camera access management method for avoiding counterfeiting, the method being performed by a camera on which a physical unclonable chip is configured, the method including:
sending identity information to the switch the camera is connected to, and receiving a target challenge value determined by the switch according to the identity information;
determining the authentication response value corresponding to the target challenge value from the physical unclonable chip, generating an authentication response message from the authentication response value, and sending the authentication response message to the switch;
and receiving the authentication result returned by the switch according to the authentication response message, and sending messages according to the authentication result.
According to another aspect of the present invention, there is provided a camera access management system for avoiding counterfeiting, including:
a camera connected to a switch and carrying a physical unclonable chip, used for sending identity information to the switch and receiving a target challenge value determined by the switch according to the identity information; determining the authentication response value corresponding to the target challenge value from the physical unclonable chip, generating an authentication response message from the authentication response value, and sending the authentication response message to the switch; and receiving the authentication result returned by the switch according to the authentication response message, and sending messages according to the authentication result;
the switch, connected to the camera and to a server, used for acquiring identity information of the accessing camera and obtaining the target challenge value-target response value pair corresponding to the camera from the server according to the identity information; sending the target challenge value of the pair to the camera and receiving the authentication response message returned by the camera; and determining the authentication result of the camera according to the comparison between the authentication response value and the target response value of the pair, so as to manage the messages sent by the camera according to the authentication result;
the server, connected to the switch, used for determining the target challenge value-target response value pair corresponding to the camera according to the identity information sent by the switch, and sending the pair to the switch;
wherein the target challenge value-target response value pair is predetermined based on the physical unclonable chip on the camera, and the authentication response message comprises an authentication response value determined by the camera from the physical unclonable chip and the target challenge value.
According to another aspect of the present invention, there is provided an electronic device for camera access management for avoiding counterfeiting, the electronic device including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor, the computer program enabling the at least one processor to perform the camera access management method for avoiding counterfeiting described in any of the embodiments of the invention.
According to another aspect of the present invention, there is provided a computer-readable storage medium storing computer instructions which, when executed, cause a processor to implement the camera access management method for avoiding counterfeiting according to any one of the embodiments of the present invention.
The technical scheme of the embodiments of the invention is executed by a switch connected to a camera on which a physical unclonable chip is configured. First, identity information of the accessing camera is obtained and the target challenge value-target response value pair corresponding to the camera is determined from it, the pair having been predetermined based on the physical unclonable chip on the camera; then the target challenge value of the pair is sent to the camera and the authentication response message returned by the camera is received, the message comprising an authentication response value determined by the camera from the physical unclonable chip and the target challenge value; finally the authentication result of the camera is determined from the comparison between the authentication response value and the target response value of the pair, and the messages sent by the camera are managed according to the authentication result. In this way, security authentication of the camera is realized based on the physical unclonable chip on the camera, and the security of camera access management is effectively improved.
It should be understood that the statements in this section are not intended to identify key or critical features of the embodiments of the present invention, nor are they intended to limit the scope of the invention. Other features of the present invention will become apparent from the following description.
Drawings
In order to explain the technical solutions in the embodiments of the present invention more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a camera access management method for avoiding counterfeiting according to an embodiment of the present invention;
fig. 2 is a schematic diagram of a camera access management system for avoiding counterfeiting according to an embodiment of the present invention;
fig. 3 is a schematic diagram of another camera access management system for avoiding counterfeiting according to an embodiment of the present invention;
fig. 4 is a flowchart of a camera access management method for avoiding counterfeiting according to a second embodiment of the present invention;
fig. 5 is a schematic diagram of a camera access management method for avoiding counterfeiting according to a third embodiment of the present invention;
fig. 6 is a schematic structural diagram of a camera access management system for avoiding counterfeiting according to a fourth embodiment of the present invention;
fig. 7 is a schematic structural diagram of an electronic device implementing a camera access management method for avoiding counterfeiting according to an embodiment of the present invention.
Detailed Description
In order to make those skilled in the art better understand the technical solutions of the present invention, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," "target," and the like in the description and claims of the present invention and in the above-described drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example one
Fig. 1 is a flowchart of a camera access management method for avoiding counterfeiting according to an embodiment of the present invention. This embodiment applies to secure access management of a camera, and the method is executed by a switch connected to the camera, where a physical unclonable chip is configured on the camera. The switch can be part of a counterfeit-prevention camera access management system, which can be implemented in hardware and/or software and configured in an electronic device with data processing capability. As shown in fig. 1, the method includes:
S110, acquiring identity information of an accessing camera, and determining the target challenge value-target response value pair corresponding to the camera according to the identity information, wherein the target challenge value-target response value pair is predetermined based on the physical unclonable chip on the camera.
Here, the accessing camera is a camera that accesses the network through the switch; see fig. 2, a schematic diagram of a camera access management system for avoiding counterfeiting according to an embodiment of the present invention. The system comprises three accessing cameras, camera A, camera B and camera C. As shown in fig. 2, the three cameras access the network through different interfaces of the switch and can exchange data with a server connected to the network. The switch restricts each interface: by default only authentication messages are allowed in, and no other data may enter or leave. The switch allows a camera to exchange data with the server only after the camera has passed authentication. Each camera carries a physical unclonable chip, which can be fixed by soldering. Because of manufacturing process variation, any two physical unclonable chips differ physically in small ways, so each chip returns a different response value to the same challenge value.
The identity information uniquely characterises the accessing camera and may, for example, include identification information such as a camera ID. A target challenge value-target response value pair is a pair consisting of a target challenge value and a target response value; the target challenge value is the challenge value used to authenticate the accessing camera, and the target response value is the response value corresponding to it. The pair is predetermined based on the physical unclonable chip on the camera. Specifically, for the chip on each camera, a preset number (e.g., 10000) of challenge values may be sent in advance and the same preset number (e.g., 10000) of response values obtained. Each challenge value together with its response value forms one candidate challenge value-candidate response value pair, giving a set of the preset number (e.g., 10000) of candidate pairs, and the target challenge value-target response value pair is drawn from this candidate set. Once the candidate challenge value-candidate response value pair set has been determined, it is bound to the corresponding camera, and the binding relationship may be stored in the switch or in the server.
For example, assume camera A replies to challenge value A0 with response value A0, to challenge value A1 with response value A1, to challenge value A2 with response value A2, and to challenge value A3 with response value A3. Then A0-A0, A1-A1, A2-A2 and A3-A3 each form one candidate challenge value-candidate response value pair, and the four pairs form a candidate challenge value-candidate response value pair set. That set is then bound to camera A, and the binding relationship is saved in a switch or server.
In this embodiment, after the camera powers on, it sends an ARP request for the gateway to the switch. ARP (Address Resolution Protocol) is the TCP/IP protocol that obtains a physical address from an IP address. The ARP request contains address information (e.g., the MAC address) of the camera. When the switch receives the ARP request sent by the camera, it obtains the camera's address information and the device port number on which the request arrived, and then sends an identity information request message to the camera through that device port to obtain the camera's identity information. When the camera receives the identity information request message from the switch, it immediately replies with an identity information response message, which contains the identity information (such as the camera ID) and the authentication count (the number of challenge-response rounds to run). After receiving the identity information response message, the switch has the camera's identity information and determines the target challenge value-target response value pair(s) corresponding to the camera from it; the number of target pairs is determined by the camera's authentication count. After the target pairs are determined, a mapping relationship between each target pair and the identity information is established and stored locally in the switch.
For example, suppose the binding between the candidate challenge value-candidate response value pair set and the camera is stored in the switch, and the camera's authentication count is 3. After the switch obtains the camera's identity information, it determines the candidate set bound to that camera from the identity information and then randomly selects 3 candidate pairs from the set as target challenge value-target response value pairs. It then establishes a mapping relationship between the target pairs and the identity information, for example camera ID: target challenge value-target response value-device port number, and stores the mapping locally in the switch.
S120, sending the target challenge value of the target challenge value-target response value pair to the camera, and receiving the authentication response message returned by the camera, wherein the authentication response message comprises an authentication response value determined by the camera from the physical unclonable chip and the target challenge value.
The authentication response message is the camera's reply to the target challenge value sent by the switch and is the basis for authenticating the camera. Specifically, it contains the authentication response value that the camera derives from its physical unclonable chip and the target challenge value.
In this embodiment, once the target challenge value-target response value pair has been determined, the switch sends the target challenge value of the pair to the camera. On receiving it, the camera feeds the target challenge value to its physical unclonable chip, builds an authentication response message containing the resulting authentication response value, and sends that message to the switch, which thereby receives the authentication response message returned by the camera.
S130, determining the authentication result of the camera according to the comparison between the authentication response value and the target response value of the target challenge value-target response value pair, and managing the messages sent by the camera according to the authentication result.
In this embodiment, after the switch receives the authentication response message returned by the camera, it compares the authentication response value in the message with the target response value stored against the target challenge value in its local mapping relationship, determines the authentication result from the comparison, and manages the camera's messages accordingly. The comparison result is either consistent or inconsistent, and the authentication result is either success or failure. Specifically, if the authentication response value is consistent with the target response value of the pair, the camera is authenticated successfully; the switch then opens the device port connected to the camera and allows the camera to send any message through it, so that the camera and the server can exchange network data. If the authentication response value is inconsistent with the target response value of the pair, camera authentication fails; the switch does not open the device port connected to the camera and allows nothing but authentication response messages through it, so network data exchange between the camera and the server is prohibited.
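The flow of S110 to S130 as an added Python simulation; this is not code from the patent or from Uniview, whose switch and camera are hardware and firmware. The physical unclonable chip is replaced by a constructed stand-in (an HMAC keyed with a per-chip secret that never leaves the chip object) so that two "chips" answer the same challenge differently, and every class, function and field name below is an assumption of this example. One point the example adds beyond the text is that a target pair is dropped from the candidate set once its challenge has been sent on the wire, so a response recorded from a genuine camera cannot be replayed by a replacement device.

```python
import hashlib
import hmac
import secrets

_rng = secrets.SystemRandom()


class SimulatedPufChip:
    """Constructed stand-in for the physical unclonable chip (assumption, not a
    real PUF): a real chip answers from manufacturing variation, so two chips
    answer the same challenge differently; here that is modelled by an HMAC over
    a per-chip secret that never leaves the chip object."""

    def __init__(self, seed: bytes):
        self._seed = seed

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._seed, challenge, hashlib.sha256).digest()


class Camera:
    def __init__(self, camera_id: str, chip: SimulatedPufChip, auth_times: int = 3):
        self.camera_id, self.chip, self.auth_times = camera_id, chip, auth_times

    def identity_response(self) -> dict:
        # Identity information response message: camera ID plus authentication count.
        return {"camera_id": self.camera_id, "auth_times": self.auth_times}

    def authentication_response(self, challenge: bytes) -> dict:
        # Authentication response message: the chip's answer to the target challenge.
        return {"camera_id": self.camera_id, "response": self.chip.respond(challenge)}


def enroll(chip: SimulatedPufChip, count: int) -> dict:
    """Pre-compute the candidate challenge value-candidate response value set for
    one chip before deployment (the text uses e.g. 10000 pairs; fewer here)."""
    return {c: chip.respond(c) for c in (secrets.token_bytes(16) for _ in range(count))}


class Switch:
    def __init__(self):
        self.bindings = {}       # camera_id -> candidate CRP set (binding kept in the switch)
        self.mappings = {}       # camera_id -> (device port number, [(target challenge, target response)])
        self.open_ports = set()  # ports whose camera passed authentication

    def bind(self, camera_id: str, crp_set: dict) -> None:
        self.bindings[camera_id] = dict(crp_set)

    def allows(self, port: int, message_type: str) -> bool:
        # Default port policy: only authentication messages until the port is opened.
        return port in self.open_ports or message_type == "authentication"

    def select_targets(self, camera_id: str, port: int, n: int) -> list:
        # S110: pick n target pairs at random from the bound candidate set and store
        # the mapping camera ID -> target pairs + device port number locally.
        candidates = self.bindings.get(camera_id)
        if not candidates or len(candidates) < n:
            return []
        targets = _rng.sample(list(candidates.items()), n)
        self.mappings[camera_id] = (port, targets)
        return [c for c, _ in targets]

    def authenticate(self, camera: Camera, port: int) -> bool:
        """S110-S130 for one camera plugged into `port`; True on success."""
        ident = camera.identity_response()
        cam_id = ident["camera_id"]
        challenges = self.select_targets(cam_id, port, ident["auth_times"])
        if not challenges:
            return False  # unknown camera, or candidate set exhausted
        _, targets = self.mappings[cam_id]
        ok = True
        for challenge, target_response in targets:
            reply = camera.authentication_response(challenge)  # S120
            # S130: constant-time comparison of authentication and target response.
            if not hmac.compare_digest(reply["response"], target_response):
                ok = False
            # Added beyond the text: a pair whose challenge has been on the wire is
            # never reused, so a recorded answer cannot be replayed later.
            self.bindings[cam_id].pop(challenge, None)
        if ok:
            self.open_ports.add(port)
        else:
            self.open_ports.discard(port)
        return ok
```

A replacement device that reports a genuine camera's ID but lacks that camera's chip fails every round, and its port keeps passing only authentication messages; a device whose ID the switch has never bound is refused before any challenge is sent.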
The technical scheme of this embodiment is executed by a switch connected to a camera on which a physical unclonable chip is configured. First, identity information of the accessing camera is obtained and the target challenge value-target response value pair corresponding to the camera is determined from it, the pair having been predetermined based on the physical unclonable chip on the camera; then the target challenge value of the pair is sent to the camera and the authentication response message returned by the camera is received, the message comprising an authentication response value determined by the camera from the physical unclonable chip and the target challenge value; finally the authentication result of the camera is determined from the comparison between the authentication response value and the target response value of the pair, and the messages sent by the camera are managed according to the authentication result. In this way, security authentication of the camera is realized based on the physical unclonable chip on the camera, and the security of camera access management is effectively improved.
In this embodiment, optionally, determining a target challenge value-target response value pair corresponding to the camera according to the identity information includes: generating request information of the challenge value-response value pair according to the identity information, and sending the request information of the challenge value-response value pair to a server; the challenge value-response value pair request information comprises identity information and the request number of the challenge value-response value pairs; receiving a request number of target challenge value-target response value pairs determined from a candidate challenge value-candidate response value pair set returned by the server according to the identity information; the candidate challenge value-candidate response value set is determined in advance based on a physical unclonable chip on the camera and the candidate challenge value and is stored locally in the server; and respectively establishing a mapping relation between the target challenge value-target response value pair and the identity information, and storing the mapping relation locally.
The challenge value-response value pair request information may refer to instruction information for requesting the switch to obtain the challenge value-response value pair from the server. The challenge value-response value pair request information comprises identity information and the request number of the challenge value-response value pair. Wherein, the number of requests can be determined according to the authentication times of the camera.
In this embodiment, the method is suitable for the case where the binding relationship between the candidate challenge value-candidate response value pair set and the camera is stored in the server. Specifically, after the camera is powered on, an ARP resolution request message about the gateway is sent to the switch. The ARP resolution request message includes address information (e.g., MAC address) of the camera. After the switch receives the ARP resolution request message sent by the camera, the address information of the camera and the equipment port number for receiving the ARP resolution request message can be obtained, and then the identity information request message is sent to the camera through the equipment port number and used for obtaining the identity information of the camera. When the camera receives the identity information request message sent by the switch, the camera immediately replies an identity information response message to the switch. The identity information response message includes identity information (e.g., camera ID) and the number of requests. After the switch receives the identity information response message sent by the camera, the identity information of the camera can be acquired, the challenge value-response value pair request message is generated according to the identity information, and then the challenge value-response value pair request message is sent to the server. The challenge value-response value pair request information includes identity information and request number of challenge value-response value pairs, where the request number is the number of target challenge value-target response value pairs, and may be specifically determined according to the number of camera authentication times. 
After the server receives the challenge value-response value pair request information sent by the switch, a request number of candidate challenge value-candidate response value pairs can be randomly selected from a candidate challenge value-candidate response value pair set which is stored locally in the server and is bound with the camera to serve as a target challenge value-target response value pair, and the target challenge value-target response value pair is sent to the switch. After receiving the target challenge value-target response value pair sent by the server, the switch may respectively establish a mapping relationship between the target challenge value-target response value pair and the identity information, for example, a camera ID: target challenge value-target response value-device port number, and storing the mapping relationship locally in the switch.
According to this scheme, the switch can determine the target challenge value-target response value pair corresponding to the camera from the candidate challenge value-candidate response value pair set stored locally in the server, according to the identity information of the camera.
In this embodiment, optionally, the target response value in the target challenge value-target response value pair is obtained by the server encrypting the original response value corresponding to the target challenge value based on a preset encryption algorithm and a random value, and the random value is carried in the target challenge value-target response value pair sent to the switch. Correspondingly, sending the target challenge value in the target challenge value-target response value pair to the camera and receiving the authentication response message returned by the camera includes: sending the target challenge value and the random value in the target challenge value-target response value pair to the camera; and receiving an authentication response value determined by the camera according to the physical unclonable chip, the target challenge value, the preset encryption algorithm and the random value.
The preset encryption algorithm may be a preset irreversible (one-way) algorithm. For example, the preset encryption algorithm may be a hash algorithm, and may specifically be MD5 (Message-Digest Algorithm), SHA (Secure Hash Algorithm), HMAC (Hash-based Message Authentication Code) or the like. The random value is one of the parameters used by the preset encryption algorithm.
In this embodiment, in order to avoid leakage of the target challenge value-target response value pair during information transfer, after determining the target challenge value-target response value pair, the server randomly generates a random value for each accessing camera, binds the camera ID to the random value, and stores the binding locally in the server. The server then encrypts the original response value corresponding to the target challenge value based on the preset encryption algorithm and the random value to obtain the target response value, carries the random value in the target challenge value-target response value pair, and sends it to the switch. Here, the target challenge value in the target challenge value-target response value pair is the original challenge value stored locally in the server, while the target response value is the value obtained by encrypting the original response value corresponding to the target challenge value. After receiving the target challenge value-target response value pair carrying the random value from the server, the switch binds the random value, the target challenge value-target response value pair, the camera ID and the device port number into a new mapping relationship, for example "camera ID: random value-target challenge value-target response value-device port number", stores the mapping relationship locally in the switch, and sends the target challenge value and the random value in the target challenge value-target response value pair to the camera.
After the camera receives the target challenge value and the random value sent by the switch, it obtains the corresponding response value from the physical unclonable chip and the target challenge value, then encrypts that response value according to the preset encryption algorithm and the random value to determine the authentication response value, and sends the authentication response value to the switch. Thus, the switch receives an authentication response value determined by the camera from the physical unclonable chip, the target challenge value, the preset encryption algorithm and the random value.
According to this scheme, the target response value in the target challenge value-target response value pair is obtained by the server encrypting the original response value corresponding to the target challenge value based on the preset encryption algorithm and the random value, so the security of the target challenge value-target response value pair is further improved, and camera authentication failure caused by leakage of the target challenge value-target response value pair is effectively avoided.
In this embodiment, optionally, determining the target challenge value-target response value pair corresponding to the camera according to the identity information includes: determining whether a mapping relation matching the identity information exists, where the mapping relation comprises the identity information, a random value, a target challenge value-target response value pair and a device port number; if such a mapping relation exists, determining the target challenge value-target response value pair corresponding to the camera according to the mapping relation, and performing offline authentication on the camera according to that pair; if no such mapping relation exists, generating challenge value-response value pair request information according to the identity information and sending it to the server, so that the server determines the target challenge value-target response value pair corresponding to the camera according to the challenge value-response value pair request information; where the target response value is obtained by the server encrypting the original response value corresponding to the target challenge value based on the preset encryption algorithm and a random value, and the random value is carried in the target challenge value-target response value pair.
In this embodiment, when the switch needs to perform security authentication on an accessing camera, it searches the mapping relations stored locally in the switch according to the identity information of the camera, determines whether a corresponding random value, target challenge value-target response value pair and device port number exist, and determines the target challenge value-target response value pair according to the result, so as to authenticate the camera with that pair. Specifically, after the switch receives the identity information response message replied by the camera, it first obtains the camera identity information (such as the camera ID) and searches the local mapping relations of the switch by that camera ID. If the camera ID is found in the mapping relations, no challenge value-response value pair request information is sent to the server; offline authentication of the camera is performed directly from the mapping relation of that camera ID, which reduces the authentication load on the server. If the camera ID is not found in the mapping relations, the challenge value-response value pair request information is sent to the server to obtain a target challenge value-target response value pair carrying a random value, a new mapping relation is generated from the random value, the target challenge value-target response value pair, the camera ID and the device port number, and the camera is then securely authenticated.
With this arrangement, when a mapping relation matching the identity information exists in the switch, the target challenge value-target response value pair can be determined directly from the mapping relation without sending challenge value-response value pair request information to the server, which relieves the authentication load on the server and achieves rapid offline authentication of the camera.
In this embodiment, optionally, the number of requests is at least two. Correspondingly, sending the target challenge value in the target challenge value-target response value pair to the camera and receiving the authentication response message returned by the camera includes: sending the first target challenge value in the first target challenge value-target response value pair to the camera, and receiving the first authentication response message returned by the camera. Correspondingly, determining the authentication result of the camera according to the comparison result of the authentication response value and the target response value in the target challenge value-target response value pair includes: determining a first comparison result between the first authentication response value and the first target response value in the first target challenge value-target response value pair; and, if the first comparison result is consistent, sequentially sending the subsequent target challenge values in the subsequent target challenge value-target response value pairs to the camera, receiving the subsequent authentication response messages returned by the camera, and determining the authentication result of the camera according to the subsequent authentication response messages.
The first target challenge value-target response value pair may refer to the target challenge value-target response value pair used when the camera is authenticated for the first time. The first target challenge value and the first target response value may refer, respectively, to the target challenge value and the target response value in the first target challenge value-target response value pair. The first authentication response message may refer to the authentication response message returned by the camera for the first target challenge value. The first comparison result may refer to the comparison result determined from the first authentication response value and the first target response value. The subsequent target challenge value-target response value pairs may refer to the target challenge value-target response value pairs used for the second and later authentications of the camera. The subsequent target challenge value may refer to the target challenge value in a subsequent target challenge value-target response value pair. The subsequent authentication response message may refer to the authentication response message returned by the camera for the subsequent target challenge value.
In this embodiment, it is possible that two cameras return the same authentication response message to the same target challenge value; therefore, for security, the camera may be authenticated multiple times, that is, the number of requests is at least two. Specifically, the switch determines a first target challenge value-target response value pair, sends the first target challenge value in that pair to the camera, and receives the first authentication response message returned by the camera. The switch then determines a first comparison result between the first authentication response value and the first target response value in the first target challenge value-target response value pair, and determines the authentication result of the camera according to the first comparison result. If the first comparison result is inconsistent, camera authentication failure is determined directly and no further authentication of the camera is needed; if the first comparison result is consistent, the subsequent target challenge values in the subsequent target challenge value-target response value pairs are sent to the camera in turn, the subsequent authentication response messages returned by the camera are received, each subsequent authentication response value is compared with the subsequent target response value in the corresponding subsequent target challenge value-target response value pair to determine a subsequent comparison result, and the authentication result of the camera is determined according to the subsequent comparison results. If all subsequent comparison results are consistent, camera authentication is determined to be successful; if any subsequent comparison result is inconsistent, camera authentication is determined to have failed.
With this arrangement, authenticating the camera multiple times improves the security of camera authentication and thereby the security of camera access management.
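As an added illustration (not code from the patent), the following Python simulation runs the exchange described above end to end: the server hashes each original response with a per-camera random value before handing the pairs to the switch, the switch authenticates from its cached mapping when one exists and asks the server only otherwise, and authentication proceeds round by round, stopping at the first inconsistent comparison. The PUF is replaced by an HMAC over a per-device secret, the preset encryption algorithm is SHA-256, and the camera IDs, secrets, port and counts are constructed; these are assumptions, not details from the patent.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def toy_puf(device_secret: bytes, challenge: bytes) -> bytes:
    """Software stand-in for the physical unclonable chip (assumption): a real PUF
    derives the response from silicon variation, here a per-device secret does."""
    return hmac.new(device_secret, challenge, hashlib.sha256).digest()


def salted_response(response: bytes, random_value: bytes) -> bytes:
    """The 'preset encryption algorithm': a one-way hash over the original
    response and the server's random value (SHA-256 is an assumption)."""
    return hashlib.sha256(response + random_value).digest()


@dataclass
class Camera:
    camera_id: str
    device_secret: bytes  # constructed stand-in for the PUF silicon

    def answer(self, challenge: bytes, random_value: bytes) -> bytes:
        # PUF response for the target challenge, then encrypted with the random value
        return salted_response(toy_puf(self.device_secret, challenge), random_value)


def enroll(camera: Camera, n_pairs: int) -> dict[bytes, bytes]:
    """Manufacturing-time enrollment (constructed): the candidate challenge
    value-candidate response value set the server stores for this camera."""
    pairs = {}
    for _ in range(n_pairs):
        challenge = secrets.token_bytes(8)
        pairs[challenge] = toy_puf(camera.device_secret, challenge)
    return pairs


@dataclass
class Server:
    crps: dict[str, dict[bytes, bytes]]  # camera ID -> candidate CRP set
    random_values: dict[str, bytes] = field(default_factory=dict)

    def handle_crp_request(self, camera_id: str, count: int):
        """Randomly pick `count` candidate pairs, generate the camera's random
        value, and return the pairs with the response already hashed, so the
        switch never holds a raw PUF response."""
        chosen = secrets.SystemRandom().sample(list(self.crps[camera_id].items()), count)
        random_value = secrets.token_bytes(16)
        self.random_values[camera_id] = random_value
        targets = [(c, salted_response(r, random_value)) for c, r in chosen]
        return random_value, targets


@dataclass
class Mapping:
    """Switch-side record: random value, target pairs and device port for one camera ID."""
    random_value: bytes
    pairs: list[tuple[bytes, bytes]]
    port: int


@dataclass
class Switch:
    server: Server
    mappings: dict[str, Mapping] = field(default_factory=dict)
    server_requests: int = 0  # counts online lookups, to make the offline path visible

    def authenticate(self, camera: Camera, port: int, rounds: int = 2) -> bool:
        mapping = self.mappings.get(camera.camera_id)
        if mapping is None:
            # No local mapping: request `rounds` target pairs from the server.
            self.server_requests += 1
            random_value, pairs = self.server.handle_crp_request(camera.camera_id, rounds)
            mapping = Mapping(random_value, pairs, port)
            self.mappings[camera.camera_id] = mapping
        # Otherwise the cached mapping is used: offline authentication.
        for challenge, target in mapping.pairs[:rounds]:
            answer = camera.answer(challenge, mapping.random_value)
            if not hmac.compare_digest(answer, target):
                return False  # first inconsistent round fails the camera outright
        return True


def demo() -> tuple[bool, bool, bool, int]:
    genuine = Camera("CAM-001", secrets.token_bytes(32))
    counterfeit = Camera("CAM-001", secrets.token_bytes(32))  # same ID, other silicon
    server = Server({"CAM-001": enroll(genuine, 16)})
    switch = Switch(server)
    first = switch.authenticate(genuine, port=3)      # online: pairs fetched
    second = switch.authenticate(genuine, port=3)     # offline: cached mapping
    fake = switch.authenticate(counterfeit, port=3)   # fails on the first round
    return first, second, fake, switch.server_requests
```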
In this embodiment, optionally, after the mapping relation is stored locally, the method further includes: determining the generation duration of the target random value, and determining whether the generation duration is greater than a preset life threshold; if so, deleting the locally stored mapping relation corresponding to the target random value, and determining whether the number of mapping relations corresponding to the target identity information is smaller than a preset number threshold; and if it is smaller, generating challenge value-response value pair add request information according to the target identity information, and sending the challenge value-response value pair add request information to the server.
The target random value may refer to a random value generated by the server for an accessing camera. The generation duration characterizes the life cycle (i.e., the validity period) of the target random value. The preset life threshold may be a preset reference value for the generation duration and may be set according to actual requirements, which is not limited here; for example, the preset life threshold may be set to 48 hours. The target identity information may refer to the identity information of the accessing camera. The preset number threshold may be a preset reference value for the number of mapping relations and may likewise be set according to actual requirements, which is not limited here. The challenge value-response value pair add request information may refer to instruction information requesting that challenge value-response value pairs be added.
In this embodiment, to ensure security, when the server generates the random value for each accessing camera it may also set a preset life threshold for that random value, and the random value is replaced once its generation duration exceeds the preset life threshold. If the generation duration of the target random value is less than or equal to the preset life threshold, the target random value is still valid; if the generation duration is greater than the preset life threshold, the target random value is invalid, and the mapping relation corresponding to the target random value stored locally in the switch must be deleted to avoid wasting resources, after which it is further determined whether the number of mapping relations corresponding to the target identity information is smaller than the preset number threshold. If it is smaller, challenge value-response value pair add request information is generated according to the target identity information and sent to the server, the server determines a new target challenge value-target response value pair, and the switch then generates a new mapping relation corresponding to the target random value from the new target challenge value-target response value pair.
According to this scheme, when the generation duration is determined to be greater than the preset life threshold, the locally stored mapping relation corresponding to the target random value is deleted, which ensures security and effectively avoids resource waste; and when the number of mapping relations corresponding to the target identity information is determined to be smaller than the preset number threshold, challenge value-response value pair add request information is generated according to the target identity information to request a new target challenge value-target response value pair from the server, so that camera authentication is not affected by too few mapping relations.
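The lifetime check and replenishment rule just described, as an added example that is not part of the patent: mappings whose random value is older than the 48-hour threshold are deleted, and only for cameras that lost a mapping is the remaining count compared with the number threshold. The threshold value of 2, the `count` field of the add request and the sample mapping table are assumptions.

```python
from dataclasses import dataclass

PRESET_LIFE_THRESHOLD_S = 48 * 3600   # the page's example value: 48 hours
PRESET_NUMBER_THRESHOLD = 2           # assumption: minimum mappings kept per camera


@dataclass
class MappingEntry:
    """One switch-side mapping relation: camera ID, random value, target pair, port."""
    camera_id: str
    random_value: bytes
    target_challenge: bytes
    target_response: bytes
    port: int
    generated_at: int  # seconds since epoch when the server generated the random value


def expire_and_replenish(entries, now):
    """Delete every mapping whose random value has outlived the preset life
    threshold (a duration exactly equal to the threshold is still valid), then,
    for each camera that lost a mapping, build a challenge value-response value
    pair add request if fewer than PRESET_NUMBER_THRESHOLD mappings remain.
    Returns (surviving entries, add requests for the server)."""
    kept, touched = [], set()
    for e in entries:
        if now - e.generated_at > PRESET_LIFE_THRESHOLD_S:
            touched.add(e.camera_id)  # random value invalid: this mapping is dropped
        else:
            kept.append(e)
    requests = []
    for camera_id in sorted(touched):
        remaining = sum(1 for e in kept if e.camera_id == camera_id)
        if remaining < PRESET_NUMBER_THRESHOLD:
            requests.append({"type": "crp_add_request", "camera_id": camera_id,
                             # how many to request is not fixed by the page: assumption
                             "count": PRESET_NUMBER_THRESHOLD - remaining})
    return kept, requests


def demo():
    now, hour = 1_000_000_000, 3600

    def entry(camera_id, age_hours, n):  # constructed sample rows
        return MappingEntry(camera_id, b"rv" + bytes([n]), b"c" + bytes([n]),
                            b"r" + bytes([n]), 3, now - age_hours * hour)

    table = [
        entry("CAM-001", 50, 1), entry("CAM-001", 49, 2), entry("CAM-001", 1, 3),  # two expired
        entry("CAM-002", 48, 4), entry("CAM-002", 3, 5),                            # 48h is still valid
        entry("CAM-003", 60, 6), entry("CAM-003", 5, 7), entry("CAM-003", 6, 8),    # one expired, 2 remain
    ]
    kept, requests = expire_and_replenish(table, now)
    return [e.camera_id for e in kept], requests
```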
It should be noted that if multiple cameras are connected to the same device port of the switch through a small layer-2 switch (as shown in fig. 3), it may happen that authentication succeeds for some of the cameras but fails for the rest. It is therefore necessary to identify the received messages, distinguish the different cameras under the same device port, and process the messages sent by each camera separately, so as to avoid confusion in message management. One possible implementation is that when the switch generates the "camera ID: random value-target challenge value-target response value-device port number" mapping relation, the MAC address of the camera is added to it. Specifically, when the switch receives the identity information response message replied by the camera, it obtains the camera ID and the MAC address at the same time and generates a "camera ID: random value-target challenge value-target response value-device port number-MAC address" mapping relation. When the camera is successfully authenticated, all messages from the MAC address corresponding to the camera are allowed to enter the device port; when camera authentication fails, messages from the MAC address corresponding to the camera (except for the authentication response message) are not allowed to enter the device port.
However, the MAC address of the camera can easily be changed, so a certain security risk remains. To further improve the security of camera authentication, the scheme may be optimized further. In this embodiment, optionally, after determining that the authentication result of the camera is successful, the method further includes: selecting an additional verification mapping relation from the mapping relations; generating an authentication pass confirmation message according to the additional verification target challenge value in the additional verification mapping relation and sending the authentication pass confirmation message to the camera, so that the camera determines the corresponding additional verification authentication response value according to the physical unclonable chip and the additional verification target challenge value and adds the additional verification authentication response value to the subsequent messages sent to the switch; and determining the management mode of each subsequent message according to the comparison result between the additional verification authentication response value in the subsequent message sent by the camera and the additional verification target response value in the additional verification mapping relation.
The additional verification mapping relation may refer to any one group of the mapping relations corresponding to the camera and is used to perform additional verification on the camera. The additional verification target challenge value may refer to the target challenge value in the additional verification mapping relation. The authentication pass confirmation message indicates that camera authentication succeeded. The additional verification authentication response value may refer to the authentication response value determined by the camera according to the physical unclonable chip and the additional verification target challenge value.
In this embodiment, the switch first randomly selects one group of additional verification mapping relations from the mapping relations corresponding to the camera, such as "camera ID: random value-target challenge value-target response value-device port number", generates an authentication pass confirmation message according to the additional verification target challenge value and the random value in that additional verification mapping relation, and sends the authentication pass confirmation message to the camera. After receiving the authentication pass confirmation message, the camera determines the response value corresponding to the additional verification target challenge value from the physical unclonable chip, encrypts that response value according to the preset encryption algorithm and the random value to obtain the additional verification authentication response value corresponding to the additional verification target challenge value, and then adds the additional verification authentication response value to each subsequent message sent to the switch. After the switch receives a subsequent message from the camera, it compares the additional verification authentication response value in the subsequent message with the additional verification target response value in the additional verification mapping relation and determines the management mode of the subsequent message according to the comparison result. If the additional verification authentication response value is consistent with the additional verification target response value in the additional verification mapping relation, the subsequent message is allowed to pass; otherwise, messages other than the authentication response message are not allowed to pass.
It should be noted that, to further improve the security of camera authentication, the switch may at irregular intervals re-select a group of additional verification mapping relations from the mapping relations corresponding to the camera to replace the current one, regenerate the authentication pass confirmation message according to the additional verification target challenge value in the replacement additional verification mapping relation, and send the newly generated authentication pass confirmation message to the camera.
According to this scheme, the management mode of each subsequent message is determined by comparing the additional verification authentication response value in the subsequent message sent by the camera with the additional verification target response value in the additional verification mapping relation, which further improves the security of camera authentication and thereby the security of camera access management.
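Added example, not the patent's own code, showing the per-message additional verification from the switch's and the camera's side, including the re-selection of the additional verification mapping at a later time and a device that has copied the MAC address but not the chip. The HMAC-based PUF stand-in, SHA-256 as the preset encryption algorithm, the message field names and the sample devices are assumptions.

```python
import hashlib
import hmac
import secrets


def toy_puf(device_secret: bytes, challenge: bytes) -> bytes:
    """Software stand-in for the physical unclonable chip (assumption)."""
    return hmac.new(device_secret, challenge, hashlib.sha256).digest()


def salted_response(response: bytes, random_value: bytes) -> bytes:
    """The preset encryption algorithm: a one-way hash with the random value (SHA-256 assumed)."""
    return hashlib.sha256(response + random_value).digest()


class Camera:
    def __init__(self, device_secret: bytes):
        self.device_secret = device_secret
        self.extra_tag = None  # the additional verification authentication response value

    def on_auth_pass_confirm(self, msg: dict) -> None:
        # Response from the PUF for the additional verification challenge, encrypted
        # with the random value; this tag is attached to every later message.
        raw = toy_puf(self.device_secret, msg["challenge"])
        self.extra_tag = salted_response(raw, msg["random_value"])

    def send(self, kind: str, payload: bytes) -> dict:
        return {"kind": kind, "payload": payload, "tag": self.extra_tag}


class Switch:
    def __init__(self, random_value: bytes, pairs: list):
        self.random_value = random_value
        self.pairs = pairs      # (target challenge, target response) mappings for one camera
        self.current = None     # the additional verification mapping currently in use

    def select_additional_check(self) -> dict:
        """Pick an additional verification mapping (a different one on re-selection)
        and build the authentication pass confirmation message for the camera."""
        candidates = [p for p in self.pairs if p is not self.current] or self.pairs
        self.current = secrets.choice(candidates)
        return {"kind": "auth_pass_confirm", "challenge": self.current[0],
                "random_value": self.random_value}

    def admit(self, msg: dict) -> bool:
        """Management mode for a subsequent message: pass only if its tag equals the
        additional verification target response; authentication responses always pass."""
        if msg["kind"] == "auth_response":
            return True
        tag = msg.get("tag")
        return tag is not None and hmac.compare_digest(tag, self.current[1])


def demo() -> tuple:
    genuine = Camera(secrets.token_bytes(32))
    spoofer = Camera(secrets.token_bytes(32))  # same MAC address, different silicon
    random_value = secrets.token_bytes(16)
    # Constructed enrollment: the target pairs the switch holds once the camera
    # has passed authentication (responses hashed with the random value).
    challenges = [secrets.token_bytes(8) for _ in range(4)]
    pairs = [(c, salted_response(toy_puf(genuine.device_secret, c), random_value))
             for c in challenges]
    switch = Switch(random_value, pairs)

    confirm = switch.select_additional_check()
    genuine.on_auth_pass_confirm(confirm)
    spoofer.on_auth_pass_confirm(confirm)  # can read the challenge, cannot answer it
    genuine_ok = switch.admit(genuine.send("video", b"frame-1"))
    spoof_blocked = not switch.admit(spoofer.send("video", b"frame-1"))
    auth_always_passes = switch.admit(spoofer.send("auth_response", b"..."))

    # Irregular re-selection: the old tag stops working until the camera
    # processes the new authentication pass confirmation message.
    new_confirm = switch.select_additional_check()
    stale_blocked = not switch.admit(genuine.send("video", b"frame-2"))
    genuine.on_auth_pass_confirm(new_confirm)
    refreshed_ok = switch.admit(genuine.send("video", b"frame-3"))
    return genuine_ok, spoof_blocked, auth_always_passes, stale_blocked, refreshed_ok
```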
Example two
Fig. 4 is a flowchart of a camera access management method for avoiding counterfeiting according to a second embodiment of the present invention. This embodiment is applicable to secure access management of a camera, and the method may be executed by the camera, on which a physical unclonable chip is configured. The camera may be configured in a counterfeit-prevention camera access management system, which may be implemented in hardware and/or software and configured in an electronic device with data processing capability. As shown in fig. 4, the method includes:
S210, sending the identity information to the accessed switch, and receiving a target challenge value determined by the switch according to the identity information.
In this embodiment, after the camera is powered on, it sends an ARP resolution request message for the gateway to the switch. The ARP resolution request message includes address information (e.g., the MAC address) of the camera. After the switch receives the ARP resolution request message, it obtains the address information of the camera and the device port number on which the message was received, and then sends an identity information request message to the camera through that device port number in order to obtain the identity information of the camera. When the camera receives the identity information request message, it immediately replies with an identity information response message, which includes the identity information (such as the camera ID) and the number of authentication times. After the switch receives the identity information response message, it obtains the identity information of the camera, determines the target challenge value-target response value pair corresponding to the camera according to the identity information, and sends the target challenge value in that pair to the camera. The number of target challenge value-target response value pairs may be determined according to the number of authentication times of the camera. For the implementation of determining the target challenge value-target response value pair corresponding to the camera according to the identity information, reference may be made to the first embodiment, which is not repeated here.
S220, determining an authentication response value corresponding to the target challenge value according to the physical unclonable chip, generating an authentication response message according to the authentication response value, and sending the authentication response message to the switch.
In this embodiment, after receiving the target challenge value from the switch, the camera determines the authentication response value corresponding to the target challenge value according to the physical unclonable chip, generates an authentication response message from the authentication response value and sends it to the switch, so that the switch authenticates the camera according to the authentication response value in the authentication response message.
S230, receiving the authentication result returned by the switch according to the authentication response message, and sending messages according to the authentication result.
In this embodiment, after the switch receives the authentication response message returned by the camera, it compares the authentication response value in the authentication response message with the target response value corresponding to the target challenge value stored in the local mapping relation of the switch, determines the authentication result of the camera according to the comparison result, and sends the authentication result to the camera, so that the camera sends messages according to the authentication result. The comparison result is either consistent or inconsistent, and the authentication result is either authentication success or authentication failure. Specifically, if the authentication response value is consistent with the target response value in the target challenge value-target response value pair, camera authentication is determined to be successful, and the camera is allowed to send any message through the device port, so that network data interaction between the camera and the server is possible; if the authentication response value is inconsistent with the target response value in the target challenge value-target response value pair, camera authentication is determined to have failed, and no messages other than the authentication response message are allowed through the device port, so that network data interaction between the camera and the server is prohibited.
According to the technical solution of this embodiment of the invention, the method is executed by the camera, on which a physical unclonable chip is configured: first, the identity information is sent to the accessed switch, and the target challenge value determined by the switch according to the identity information is received; then the authentication response value corresponding to the target challenge value is determined according to the physical unclonable chip, an authentication response message is generated from the authentication response value and sent to the switch; and then the authentication result returned by the switch according to the authentication response message is received, so that messages are sent according to the authentication result. According to this technical solution, security authentication of the camera is realized based on the physical unclonable chip on the camera, and the security of camera access management is effectively improved.
In this embodiment, optionally, after receiving the authentication result returned by the switch according to the authentication response message, the method further includes: if the authentication result is authentication success, generating a server authentication message according to a predetermined reference challenge value and the identity information, and sending the server authentication message to the switch, which forwards it to the server; receiving a server authentication response message returned by the server according to the server authentication message, and determining the server authentication result according to the comparison result between the reference authentication response value in the server authentication response message and the reference response value determined locally by the camera; where the reference authentication response value is predetermined based on the physical unclonable chip on the camera and stored in the server.
The reference challenge value may refer to the challenge value used in server authentication. The server authentication message may refer to instruction information requesting security authentication of the server. The server authentication response message may refer to the response message returned by the server for the server authentication message. The reference authentication response value may refer to the reference authentication response value carried in the server authentication response message; it is predetermined based on the physical unclonable chip on the camera and stored in the server. The reference response value may refer to the response value corresponding to the reference challenge value, as determined locally by the camera. The server authentication result may refer to the security authentication result of the server, which is either server authentication success or server authentication failure.
In this embodiment, in order to ensure the security of the server and prevent the server from being intruded into and tampered with, security authentication may further be performed on the server after camera authentication succeeds. If the number of requests is 1, that is, the camera is authenticated only once, the server is authenticated after camera authentication succeeds; if the number of requests is at least two, that is, the camera is authenticated multiple times, the server is authenticated after the first camera authentication succeeds and before the camera sends the subsequent authentication response message to the switch. Specifically, the camera generates a server authentication message according to the predetermined reference challenge value and the identity information and sends it to the switch, which forwards it to the server. After the server receives the forwarded server authentication message, it looks up the corresponding reference authentication response value according to the identity information and the reference challenge value in the server authentication message, generates a server authentication response message according to the reference authentication response value, and returns the server authentication response message to the camera through the switch. The reference authentication response value is predetermined based on the physical unclonable chip on the camera and stored in the server. After the camera receives the server authentication response message, it compares the reference authentication response value in the message with the reference response value determined locally by the camera and determines the server authentication result from the comparison: if consistent, server authentication succeeds; if inconsistent, server authentication fails.
If the request number is at least two, after the server authentication succeeds, the camera can continue with the subsequent rounds of authentication.
It should be noted that information may leak while the switch forwards messages, which creates a security risk. To avoid this, when the camera generates the server authentication message, it can encrypt the reference challenge value according to the random value using a preset encryption algorithm, package the identity information and the encrypted reference challenge value into the server authentication message, and then send the server authentication message to the switch. After receiving the server authentication message forwarded by the switch, the server first looks up, in its local store, the reference challenge value and the random value corresponding to the identity information in the server authentication message, encrypts that reference challenge value according to the random value using the preset encryption algorithm, and compares its locally encrypted reference challenge value with the encrypted reference challenge value carried in the server authentication message. If they are inconsistent, the server authentication fails, and the server authentication message can be discarded directly; if they are consistent, the server encrypts the locally stored reference response value corresponding to the identity information according to the random value using the preset encryption algorithm to obtain the reference authentication response value, generates a server authentication response message according to the reference authentication response value, and sends it to the switch, which forwards it to the camera.
After receiving the server authentication response message sent by the server, the switch may generate a new mapping relation, for example camera ID: random value-target challenge value-target response value-device port number-reference authentication response value, and store the mapping relation locally in the switch. During the subsequent authentication of the camera, if the camera goes offline and then comes online again, when the switch receives a server authentication message from the camera and the mapping relation corresponding to the camera still exists, that is, the random value has not expired, the reference authentication response value can be determined directly from the mapping relation without forwarding the server authentication message to the server, so that server authentication is still achieved. After the camera receives the server authentication response message forwarded by the switch, it first encrypts its locally determined reference response value corresponding to the reference challenge value using the preset encryption algorithm according to the random value in the server authentication response message, then compares the locally encrypted reference response value with the reference authentication response value in the server authentication response message, and determines the server authentication result according to the comparison result. If they are consistent, the server authentication succeeds; if they are inconsistent, the server authentication fails.
According to this solution, after the camera is successfully authenticated, the server is additionally authenticated, so that the security of the server can be effectively ensured, the server is prevented from being compromised and tampered with, and the security of camera access management is further improved.
Example three
Fig. 5 is a schematic diagram of a camera access management method for avoiding counterfeiting according to a third embodiment of the present invention, which is refined on the basis of the foregoing embodiments. As shown in fig. 5, the method of this embodiment specifically includes the following steps:
A1, the camera is powered on and sends an ARP resolution request message to the switch. The ARP resolution request message includes address information (e.g., the MAC address) of the camera.
A2, the switch receives the ARP resolution request message sent by the camera, acquires the address information of the camera and the device port number on which the ARP resolution request message was received, and sends an identity information request message to the camera through that device port.
A3, the camera receives the identity information request message sent by the switch and replies to the switch with an identity information response message. The identity information response message comprises the identity information (e.g., the camera ID) and the request number.
A4, the switch receives the identity information response message sent by the camera, acquires the identity information of the camera, generates challenge value-response value pair request information according to the identity information, and sends the request information to the server.
The challenge value-response value pair request information comprises the identity information and the request number of challenge value-response value pairs, and the request number is at least two.
A5, the server receives the challenge value-response value pair request information sent by the switch, randomly selects the request number of candidate challenge value-candidate response value pairs from the candidate challenge value-candidate response value pair set stored locally on the server for this camera as the target challenge value-target response value pairs, and sends the target challenge value-target response value pairs to the switch.
A6, the switch receives the target challenge value-target response value pairs sent by the server, sends the first target challenge value in the first target challenge value-target response value pair to the camera, establishes mapping relations between the target challenge value-target response value pairs and the identity information, and stores the mapping relations locally in the switch.
A7, the camera receives the first target challenge value sent by the switch, determines, based on the physical unclonable chip in the camera, a first authentication response message corresponding to the first target challenge value, and sends the first authentication response message to the switch.
A8, the switch receives the first authentication response message returned by the camera, determines a first comparison result between the first authentication response value in the first authentication response message and the first target response value corresponding to the first target challenge value stored in the switch's local mapping relation, determines the camera authentication result according to the first comparison result, and sends the camera authentication result to the camera.
Specifically, if the first authentication response value is consistent with the first target response value in the first target challenge value-target response value pair, the camera authentication may be determined to succeed; the switch then opens the device port connected to the camera and allows the camera to send any message through the device port, so that network data interaction between the camera and the server is possible. If the first authentication response value is inconsistent with the first target response value in the first target challenge value-target response value pair, the camera authentication may be determined to fail; the switch then does not open the device port connected to the camera and allows no message other than an authentication response message through the device port, so that network data interaction between the camera and the server is prohibited.
A9, if the camera authentication result received by the camera from the switch is success (the first authentication succeeded), the camera generates a server authentication message according to the predetermined reference challenge value and the identity information and sends it to the switch, and the switch forwards the server authentication message to the server.
A10, the server receives the server authentication message forwarded by the switch, generates a server authentication response message corresponding to the server authentication message, and sends the server authentication response message to the switch, which forwards it to the camera.
A11, the camera receives the server authentication response message forwarded by the switch, compares the reference authentication response value in the server authentication response message with the reference response value determined locally by the camera, determines the server authentication result according to the comparison result, and sends the server authentication result to the switch.
Specifically, if the reference authentication response value is consistent with the reference response value, the server authentication succeeds; if the reference authentication response value is inconsistent with the reference response value, the server authentication fails.
A12, if the server authentication succeeds, the switch sequentially sends the subsequent target challenge values in the subsequent target challenge value-target response value pairs to the camera.
A13, the camera receives a subsequent target challenge value sent by the switch, determines the subsequent authentication response message corresponding to the subsequent target challenge value, and sends the subsequent authentication response message to the switch.
A14, the switch receives the subsequent authentication response message sent by the camera, determines a subsequent comparison result between the subsequent authentication response value in the subsequent authentication response message and the subsequent target response value corresponding to the subsequent target challenge value stored in the switch's local mapping relation, and determines the final authentication result of the camera according to the subsequent comparison result.
A15, if the final authentication result of the camera is success, the switch selects an additional verification mapping relation from its local mapping relations, generates an authentication passing confirmation message according to the additional verification target challenge value in the additional verification mapping relation, and sends the authentication passing confirmation message to the camera.
A16, the camera receives the authentication passing confirmation message sent by the switch, determines, based on the physical unclonable chip, the additional verification authentication response value corresponding to the additional verification target challenge value, and appends the additional verification authentication response value to each subsequent message sent to the switch.
A17, the switch receives a subsequent message sent by the camera, compares the additional verification authentication response value in the subsequent message with the additional verification target response value in the additional verification mapping relation, and determines how to handle the subsequent message according to the comparison result.
Specifically, if the additional verification authentication response value is consistent with the additional verification target response value in the additional verification mapping relation, the subsequent message is allowed to pass; otherwise, messages other than authentication response messages are not allowed to pass.
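The exchange in steps A1 to A17 as an added simulation (not code from the patent or from Zhejiang Uniview). The PUF chip and the unspecified preset encryption algorithm are modelled with keyed hashes as assumptions, the cached reference authentication response value follows the mapping relation of the second embodiment, and reserving one extra pair for additional verification is also an assumption:

```python
import hashlib, hmac, random, secrets

def enc(value, random_value):
    """Stand-in (assumption) for the page's unspecified 'preset encryption algorithm': keyed hash under the random value."""
    return hmac.new(random_value, value, hashlib.sha256).digest()

class PufChip:
    """Software stand-in (assumption) for the physical unclonable chip: a keyed hash under a per-device secret."""
    def __init__(self, device_secret):
        self._secret = device_secret

    def response(self, challenge):
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

class Server:
    def __init__(self):
        self.candidates = {}  # camera_id -> [(challenge, original_response), ...]
        self.reference = {}   # camera_id -> [reference_challenge, reference_response, random_value]

    def enroll(self, camera_id, puf, pool_size=8):
        """Enrollment: measure challenge-response pairs from the genuine chip and store them."""
        pool = [secrets.token_bytes(16) for _ in range(pool_size)]
        self.candidates[camera_id] = [(c, puf.response(c)) for c in pool]
        ref_c = secrets.token_bytes(16)
        self.reference[camera_id] = [ref_c, puf.response(ref_c), None]
        return ref_c

    def crp_request(self, camera_id, count):
        """A5: pick `count` candidate pairs; responses are encrypted under a fresh random value."""
        random_value = secrets.token_bytes(16)
        self.reference[camera_id][2] = random_value
        chosen = random.sample(self.candidates[camera_id], count)
        return random_value, [(c, enc(r, random_value)) for c, r in chosen]

    def server_auth(self, camera_id, enc_ref_challenge):
        """A10: answer only if the encrypted reference challenge matches; otherwise discard."""
        ref_c, ref_r, random_value = self.reference[camera_id]
        if random_value is None or not hmac.compare_digest(enc(ref_c, random_value), enc_ref_challenge):
            return None
        return random_value, enc(ref_r, random_value)

class Camera:
    def __init__(self, camera_id, puf, reference_challenge):
        self.id, self.puf, self.ref_c, self.random_value = camera_id, puf, reference_challenge, None

    def answer(self, challenge, random_value):
        """A7/A13/A16: PUF response to the challenge, encrypted under the random value."""
        self.random_value = random_value
        return enc(self.puf.response(challenge), random_value)

    def server_auth_message(self):
        """A9: identity information plus the encrypted reference challenge."""
        return self.id, enc(self.ref_c, self.random_value)

    def verify_server(self, reply):
        """A11: compare the server's value with the locally computed reference response."""
        if reply is None:
            return False
        random_value, ref_auth = reply
        return hmac.compare_digest(enc(self.puf.response(self.ref_c), random_value), ref_auth)

class Switch:
    def __init__(self, server):
        self.server, self.table = server, {}

    def admit(self, camera, port, count=3):
        """A2-A15 for one camera on one port; returns (camera_ok, server_ok, port_open).
        Assumption: one extra pair is requested and reserved for additional verification."""
        random_value, pairs = self.server.crp_request(camera.id, count + 1)
        entry = {"random": random_value, "pairs": pairs, "port": port, "open": False}
        self.table[camera.id] = entry
        if not hmac.compare_digest(camera.answer(pairs[0][0], random_value), pairs[0][1]):
            return False, False, False     # A8: first round failed, port stays closed
        reply = self.server.server_auth(*camera.server_auth_message())
        if not camera.verify_server(reply):
            return True, False, False      # A11: server failed its authentication
        entry["ref_auth"] = reply[1]       # cached so a re-online camera needs no server round trip
        for c, r in pairs[1:count]:
            if not hmac.compare_digest(camera.answer(c, random_value), r):
                return False, True, False  # A14: a later round failed
        entry["extra"], entry["open"] = pairs[count], True  # A15: reserved pair, port opened
        return True, True, True

    def forward(self, camera_id, tag):
        """A17: pass a subsequent message only if its appended tag matches the reserved pair."""
        entry = self.table.get(camera_id)
        return entry is not None and entry["open"] and hmac.compare_digest(tag, entry["extra"][1])

def demo():
    # Constructed scenario: genuine camera, a forged message tag, then a counterfeit with the same ID.
    server = Server()
    genuine_puf = PufChip(secrets.token_bytes(32))
    ref_c = server.enroll("cam-01", genuine_puf)
    switch, genuine = Switch(server), Camera("cam-01", genuine_puf, ref_c)
    genuine_result = switch.admit(genuine, port=7)
    tag = genuine.answer(switch.table["cam-01"]["extra"][0], genuine.random_value)   # A16
    tag_results = (switch.forward("cam-01", tag), switch.forward("cam-01", secrets.token_bytes(32)))
    fake_result = switch.admit(Camera("cam-01", PufChip(secrets.token_bytes(32)), ref_c), port=8)
    return genuine_result, tag_results, fake_result
```

Calling `demo()` returns `((True, True, True), (True, False), (False, False, False))`: the genuine camera passes every round and its tagged messages are forwarded, the forged tag is dropped, and a device with the same ID but a different chip never gets its port opened.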
The technical solution of this embodiment of the invention can realize security authentication of both the camera and the server based on the physical unclonable chip on the camera, and effectively improves the security of camera access management.
Example four
Fig. 6 is a schematic structural diagram of a camera access management system for avoiding counterfeiting according to a fourth embodiment of the present invention. The system can execute the camera access management method for avoiding counterfeiting according to any embodiment of the present invention, and has the functional modules and beneficial effects corresponding to the executed method. As shown in fig. 6, the system includes:
the camera 410 is connected with the switch 420, and a physical unclonable chip is configured on the camera and used for sending the identity information to the switch and receiving a target challenge value determined by the switch according to the identity information; determining an authentication response value corresponding to the target challenge value according to the physical unclonable chip, generating an authentication response message according to the authentication response value, and sending the authentication response message to the switch; receiving an authentication result returned by the switch according to the authentication response message, and sending a message according to the authentication result;
the switch 420 is respectively connected with the camera 410 and the server 430, and is used for acquiring identity information of an accessed camera and acquiring a target challenge value-target response value pair corresponding to the camera from the server according to the identity information; sending the target challenge value in the target challenge value-target response value pair to the camera, and receiving an authentication response message returned by the camera; determining an authentication result of the camera according to the authentication response value and a comparison result of a target response value in the target challenge value-target response value pair, so as to manage a message sent by the camera according to the authentication result;
the server 430 is connected to the switch 420, and configured to determine a target challenge value-target response value pair corresponding to the camera according to the identity information sent by the switch, and send the target challenge value-target response value pair to the switch;
wherein the target challenge value-target response value pair is predetermined based on the physical unclonable chip on the camera; the authentication response message comprises an authentication response value determined by the camera according to the physical unclonable chip and the target challenge value.
Optionally, the camera 410 is further configured to:
after receiving an authentication result returned by the switch according to the authentication response message, if the authentication result is successful, generating a server authentication message according to a predetermined reference challenge value and identity information, sending the server authentication message to the switch, and forwarding the server authentication message to the server by the switch;
receiving a server authentication response message returned by the server according to the server authentication message, and determining a server authentication result according to a comparison result of a reference authentication response value in the server authentication response message and a reference response value locally determined by the camera; wherein the reference authentication response value is predetermined based on a physical unclonable chip on the camera and stored in the server.
Optionally, the switch 420 is further configured to:
generating challenge value-response value pair request information according to the identity information, and sending the challenge value-response value pair request information to a server; the challenge value-response value pair request information comprises identity information and the request number of the challenge value-response value pairs;
receiving the request number of target challenge value-target response value pairs that the server determines from a candidate challenge value-candidate response value pair set and returns according to the identity information; the candidate challenge value-candidate response value pair set is determined in advance based on the physical unclonable chip on the camera and the candidate challenge values, and is stored locally in the server;
and respectively establishing the mapping relation between the target challenge value-target response value pair and the identity information, and storing the mapping relation locally.
Optionally, a target response value in the target challenge value-target response value pair is obtained by encrypting, by the server, an original response value corresponding to the target challenge value based on a preset encryption algorithm and a random value, and the random value is carried in the target challenge value-target response value pair and is sent to the switch;
correspondingly, the switch 420 is further configured to:
sending the target challenge value and the random value of the target challenge value-target response value pair to the camera;
and receiving an authentication response value determined by the camera according to the physical unclonable chip, the target challenge value, a preset encryption algorithm and the random value.
Optionally, the switch 420 is further configured to:
after the mapping relation is stored locally, determining the generation duration of a target random value, and determining whether the generation duration is greater than a preset life threshold value;
if so, deleting the mapping relation which is stored locally and corresponds to the target random value, and determining whether the number of the mapping relations corresponding to the target identity information is smaller than a preset number threshold value;
and if the number is smaller than the preset number threshold, generating challenge value-response value pair adding request information according to the target identity information, and sending the challenge value-response value pair adding request information to the server.
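The switch-side housekeeping just described, as an added example that is not code from the patent or from Zhejiang Uniview: the life threshold, the number threshold and the constructed sample table are assumptions, and the page does not state how many pairs an add request asks for, so the function only reports which cameras need one.

```python
from dataclasses import dataclass

LIFE_THRESHOLD_S = 600   # assumed preset life threshold of a random value, in seconds
NUMBER_THRESHOLD = 3     # assumed preset number threshold of mappings kept per camera

@dataclass
class Mapping:
    """One locally stored mapping relation of the switch (fields as named on the page)."""
    camera_id: str
    random_value: bytes
    generated_at: float      # when the server generated the random value
    target_challenge: bytes
    target_response: bytes

def maintain_mappings(mappings, now, life_threshold=LIFE_THRESHOLD_S, number_threshold=NUMBER_THRESHOLD):
    """Delete every mapping whose random value has outlived the life threshold, then report
    the camera IDs left with fewer mappings than the number threshold (each needs an add request)."""
    kept = [m for m in mappings if now - m.generated_at <= life_threshold]
    remaining = {}
    for m in kept:
        remaining[m.camera_id] = remaining.get(m.camera_id, 0) + 1
    cameras = {m.camera_id for m in mappings}
    add_requests = sorted(c for c in cameras if remaining.get(c, 0) < number_threshold)
    return kept, add_requests

# Constructed sample table: cam-01 holds two pairs under an old random value and one under a
# fresh one; cam-02 holds three pairs under a fresh random value.
SAMPLE = [
    Mapping("cam-01", b"r1", 0.0, b"c1", b"p1"),
    Mapping("cam-01", b"r1", 0.0, b"c2", b"p2"),
    Mapping("cam-01", b"r2", 500.0, b"c3", b"p3"),
    Mapping("cam-02", b"r3", 500.0, b"c4", b"p4"),
    Mapping("cam-02", b"r3", 500.0, b"c5", b"p5"),
    Mapping("cam-02", b"r3", 500.0, b"c6", b"p6"),
]
```

At `now=700.0` the two mappings generated at 0.0 are older than the threshold and are dropped, leaving cam-01 with a single pair, so only cam-01 is reported for an add request.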
Optionally, the number of the requests is at least two;
correspondingly, the switch 420 is further configured to:
sending a first target challenge value in a first target challenge value-target response value pair to the camera, and receiving a first authentication response message returned by the camera;
determining a first comparison of the first authentication response value and a first target response value in the first target challenge-target response value pair;
and if the first comparison result is that the comparison is consistent, sequentially sending the subsequent target challenge values in the subsequent target challenge value-target response value pair to the camera, receiving a subsequent authentication response message returned by the camera, and determining the authentication result of the camera according to the subsequent authentication response message.
Optionally, the switch 420 is further configured to:
after the camera is determined to be successfully authenticated, selecting an additional verification mapping relation from the mapping relations;
generating an authentication passing confirmation message according to an additional verification target challenge value in the additional verification mapping relation, and sending the authentication passing confirmation message to the camera, so that the camera determines a corresponding additional verification authentication response value according to the physical unclonable chip and the additional verification target challenge value, and adds the additional verification authentication response value in a subsequent message sent to the switch;
and determining a management mode of the subsequent message according to a comparison result of an additional verification authentication response value in the subsequent message sent by the camera and an additional verification target response value in the additional verification mapping relation.
The anti-counterfeiting camera access management system provided by the embodiment of the invention can execute the anti-counterfeiting camera access management method provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method.
Example five
FIG. 7 illustrates a schematic diagram of an electronic device 10 that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital assistants, cellular phones, smart phones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 7, the electronic device 10 includes at least one processor 11, and a memory communicatively connected to the at least one processor 11, such as a Read Only Memory (ROM) 12, a Random Access Memory (RAM) 13, and the like, wherein the memory stores a computer program executable by the at least one processor, and the processor 11 can perform various suitable actions and processes according to the computer program stored in the Read Only Memory (ROM) 12 or the computer program loaded from a storage unit 18 into the Random Access Memory (RAM) 13. In the RAM 13, various programs and data necessary for the operation of the electronic apparatus 10 can also be stored. The processor 11, the ROM 12, and the RAM 13 are connected to each other via a bus 14. An input/output (I/O) interface 15 is also connected to bus 14.
A number of components in the electronic device 10 are connected to the I/O interface 15, including: an input unit 16 such as a keyboard, a mouse, or the like; an output unit 17 such as various types of displays, speakers, and the like; a storage unit 18 such as a magnetic disk, an optical disk, or the like; and a communication unit 19 such as a network card, modem, wireless communication transceiver, etc. The communication unit 19 allows the electronic device 10 to exchange information/data with other devices via a computer network such as the internet and/or various telecommunication networks.
Processor 11 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 11 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, or the like. The processor 11 performs the various methods and processes described above, such as a camera access management method that avoids counterfeiting.
In some embodiments, the camera access management method to avoid counterfeiting may be implemented as a computer program tangibly embodied in a computer-readable storage medium, such as the storage unit 18. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 10 via the ROM 12 and/or the communication unit 19. When the computer program is loaded into the RAM 13 and executed by the processor 11, one or more steps of the above-described anti-counterfeiting camera access management method may be performed. Alternatively, in other embodiments, the processor 11 may be configured by any other suitable means (e.g., by means of firmware) to perform a camera access management method that avoids counterfeiting.
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems On Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for implementing the methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be performed. A computer program can execute entirely on a machine, partly on a machine, as a stand-alone software package partly on a machine and partly on a remote machine or entirely on a remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. A computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user may provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), blockchain networks, and the internet.
The computing system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, which is a host product in a cloud computing service system and overcomes the drawbacks of high management difficulty and weak service scalability of traditional physical hosts and VPS services.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present invention may be executed in parallel, sequentially, or in different orders, and are not limited herein as long as the desired result of the technical solution of the present invention can be achieved.
The above-described embodiments should not be construed as limiting the scope of the invention. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (9)

1. A camera access management method for avoiding counterfeiting is characterized in that the method is executed by a switch connected with a camera, a physical unclonable chip is configured on the camera, and the method comprises the following steps:
acquiring identity information of an access camera, and determining a target challenge value-target response value pair corresponding to the camera according to the identity information; the target challenge value-target response value pair is predetermined based on a physical unclonable chip on the camera, and a target response value in the target challenge value-target response value pair is obtained by encrypting an original response value corresponding to the target challenge value by a server based on a preset encryption algorithm and a random value;
sending the target challenge value in the target challenge value-target response value pair to the camera, and receiving an authentication response message returned by the camera; wherein the authentication response message includes an authentication response value determined by the camera according to the physical unclonable chip and the target challenge value;
and determining the authentication result of the camera according to the authentication response value and the comparison result of the target response value in the target challenge value-target response value pair, so as to manage the message sent by the camera according to the authentication result.
2. The method of claim 1, wherein determining a target challenge value-target response value pair corresponding to the camera from the identity information comprises:
generating challenge value-response value pair request information according to the identity information, and sending the challenge value-response value pair request information to a server; the challenge value-response value pair request information comprises identity information and the request number of the challenge value-response value pairs;
receiving the request number of target challenge value-target response value pairs that the server determines from a candidate challenge value-candidate response value pair set and returns according to the identity information; the candidate challenge value-candidate response value pair set is determined in advance based on the physical unclonable chip on the camera and the candidate challenge values, and is stored locally in the server;
and respectively establishing the mapping relation between the target challenge value-target response value pair and the identity information, and storing the mapping relation locally.
3. The method of claim 2, wherein the random value is sent to the switch together with the target challenge value-target response value pair;
correspondingly, sending the target challenge value in the target challenge value-target response value pair to the camera, and receiving an authentication response message returned by the camera, includes:
sending the random value and the target challenge value of the target challenge value-target response value pair to the camera;
and receiving an authentication response value determined by the camera according to the physical unclonable chip, the target challenge value, a preset encryption algorithm and the random value.
4. The method of claim 2, wherein the number of requests is at least two;
correspondingly, sending the target challenge value in the target challenge value-target response value pair to the camera, and receiving an authentication response message returned by the camera, includes:
sending a first target challenge value in a first target challenge value-target response value pair to the camera, and receiving a first authentication response message returned by the camera;
correspondingly, determining the authentication result of the camera according to a comparison result between the authentication response value and the target response value in the target challenge value-target response value pair includes:
determining a first comparison result of a first authentication response value in the first authentication response message and a first target response value in the first target challenge value-target response value pair;
and if the first comparison result indicates a match, sequentially sending the subsequent target challenge values in the subsequent target challenge value-target response value pairs to the camera, receiving the subsequent authentication response messages returned by the camera, and determining the authentication result of the camera according to the subsequent authentication response messages.
5. The method according to claim 2, wherein after determining that the camera's authentication result is authentication success, the method further comprises:
selecting an additional check mapping relation from the mapping relations;
generating an authentication passing confirmation message according to an additional verification target challenge value in the additional verification mapping relation, and sending the authentication passing confirmation message to the camera, so that the camera determines a corresponding additional verification authentication response value according to the physical unclonable chip and the additional verification target challenge value, and adds the additional verification authentication response value in a subsequent message sent to the switch;
and determining a management mode for the subsequent message according to a comparison result between the additional verification authentication response value in the subsequent message sent by the camera and the additional verification target response value in the additional verification mapping relation.
6. A camera access management method for avoiding counterfeiting, wherein the method is executed by a camera on which a physical unclonable chip is configured, and the method comprises the following steps:
sending identity information to an accessed switch, and receiving a target challenge value determined by the switch according to the identity information;
determining an authentication response value corresponding to the target challenge value according to the physical unclonable chip, generating an authentication response message according to the authentication response value, and sending the authentication response message to the switch;
receiving an authentication result returned by the switch according to the authentication response message, and sending messages according to the authentication result;
after receiving the authentication result returned by the switch according to the authentication response message, the method further comprises:
if the authentication result is successful, generating a server authentication message according to a predetermined reference challenge value and identity information, sending the server authentication message to the switch, and forwarding the server authentication message to the server by the switch;
receiving a server authentication response message returned by the server according to the server authentication message, and determining a server authentication result according to a comparison result between a reference authentication response value in the server authentication response message and a reference response value determined locally by the camera; wherein the reference authentication response value is predetermined based on the physical unclonable chip on the camera and stored in the server.
7. A counterfeit avoidance camera access management system, comprising:
the camera is connected with the switch, and a physical unclonable chip is configured on the camera and used for sending the identity information to the switch and receiving a target challenge value determined by the switch according to the identity information; determining an authentication response value corresponding to the target challenge value according to the physical unclonable chip, generating an authentication response message according to the authentication response value, and sending the authentication response message to the switch; receiving an authentication result returned by the switch according to the authentication response message, and sending a message according to the authentication result;
the switch is connected to the camera and to the server and is used for acquiring identity information of the accessed camera and acquiring a target challenge value-target response value pair corresponding to the camera from the server according to the identity information; sending the target challenge value in the target challenge value-target response value pair to the camera, and receiving an authentication response message returned by the camera; and determining an authentication result of the camera according to a comparison result between the authentication response value and the target response value in the target challenge value-target response value pair, so as to manage messages sent by the camera according to the authentication result;
the server is connected with the switch and used for determining a target challenge value-target response value pair corresponding to the camera according to the identity information sent by the switch and sending the target challenge value-target response value pair to the switch;
wherein the target challenge value-target response value pair is predetermined based on the physical unclonable chip on the camera; and the authentication response message comprises an authentication response value determined by the camera according to the physical unclonable chip and the target challenge value.
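The three-party exchange of claims 1 to 7 (server enrolment of challenge-response pairs, encrypted target responses issued to the switch, sequential challenge rounds at the switch, the additional-check response carried in later camera messages, and the camera's reverse check of the server) as an added simulation; this is example code, not code from the patent or from Zhejiang Uniview. The physical unclonable chip is modelled as a keyed hash over a per-device secret and the "preset encryption algorithm" as a keyed hash under the random value; both are assumptions chosen so the flow runs offline, and the class and method names are the example's own.

```python
import hashlib
import hmac
import secrets


def simulated_puf(device_secret: bytes, challenge: bytes) -> bytes:
    # Stand-in for the physical unclonable chip (assumption: keyed hash over a
    # per-device secret; a real PUF derives the response from silicon variation).
    return hmac.new(device_secret, challenge, hashlib.sha256).digest()


def transform(original_response: bytes, random_value: bytes) -> bytes:
    # Stand-in for the "preset encryption algorithm" keyed by the random value.
    return hmac.new(random_value, original_response, hashlib.sha256).digest()


class Camera:
    def __init__(self, identity: str, device_secret: bytes):
        self.identity = identity
        self._secret = device_secret        # models the PUF silicon
        self.reference_challenge = None     # claim 6, fixed at enrolment
        self.extra_challenge = None         # claim 5, set after auth success

    def raw_response(self, challenge: bytes) -> bytes:
        return simulated_puf(self._secret, challenge)

    def respond(self, challenge: bytes, random_value: bytes) -> bytes:
        # claim 3: authentication response = Enc_random(PUF(challenge))
        return transform(self.raw_response(challenge), random_value)

    def tagged_message(self, payload: bytes):
        # claim 5: attach the additional-check response to later messages
        c, rv = self.extra_challenge
        return payload, self.respond(c, rv)

    def verify_server(self, reference_auth_response: bytes) -> bool:
        # claim 6: compare with the response computed locally from the chip
        return hmac.compare_digest(reference_auth_response,
                                   self.raw_response(self.reference_challenge))


class Server:
    def __init__(self):
        self.pool = {}       # identity -> [(challenge, original_response), ...]
        self.reference = {}  # identity -> (challenge, original_response)

    def enroll(self, camera: Camera, n: int) -> None:
        # Factory-time enrolment: candidate CRPs recorded from the genuine chip.
        crps = [(c, camera.raw_response(c))
                for c in (secrets.token_bytes(16) for _ in range(n))]
        self.reference[camera.identity] = crps.pop()
        self.pool[camera.identity] = crps
        camera.reference_challenge = self.reference[camera.identity][0]

    def issue_pairs(self, identity: str, count: int):
        # claims 1-3: each original response is encrypted under a fresh random
        # value, so the raw PUF response itself never leaves the server.
        out = []
        for _ in range(count):
            if not self.pool.get(identity):
                raise LookupError(f"no unused CRPs for {identity}")
            c, r = self.pool[identity].pop()   # single use: never re-issue a CRP
            rv = secrets.token_bytes(16)
            out.append((c, transform(r, rv), rv))
        return out

    def answer_camera(self, identity: str, reference_challenge: bytes) -> bytes:
        # claim 6: the server proves itself with the stored reference response
        c, r = self.reference[identity]
        if not hmac.compare_digest(c, reference_challenge):
            raise ValueError("unknown reference challenge")
        return r


class Switch:
    def __init__(self, server: Server):
        self.server = server
        self.mapping = {}   # identity -> additional-check (challenge, target, random)

    def authenticate(self, camera: Camera, rounds: int = 2) -> bool:
        pairs = self.server.issue_pairs(camera.identity, rounds + 1)
        for c, target, rv in pairs[:rounds]:          # claim 4: sequential rounds
            if not hmac.compare_digest(camera.respond(c, rv), target):
                return False                           # abort at first mismatch
        c, target, rv = pairs[rounds]                  # claim 5: additional check
        self.mapping[camera.identity] = (c, target, rv)
        camera.extra_challenge = (c, rv)
        return True

    def accept(self, identity: str, tag: bytes) -> bool:
        entry = self.mapping.get(identity)
        return entry is not None and hmac.compare_digest(tag, entry[1])


def run_demo():
    server = Server()
    genuine = Camera("cam-01", secrets.token_bytes(32))
    server.enroll(genuine, n=8)
    switch = Switch(server)
    camera_ok = switch.authenticate(genuine)
    _, tag = genuine.tagged_message(b"stream-frame")
    message_ok = switch.accept(genuine.identity, tag)
    # The switch only forwards the camera's server-authentication message.
    server_ok = genuine.verify_server(
        server.answer_camera(genuine.identity, genuine.reference_challenge))
    # Counterfeit: same identity string, different silicon, so responses differ.
    fake_ok = switch.authenticate(Camera("cam-01", secrets.token_bytes(32)))
    return camera_ok, message_ok, server_ok, fake_ok
```

Two caveats a deployer would want to weigh. Claim 5 as drafted attaches the same additional verification response to every later message, so the tag authenticates the sender but not the message content and is replayable on an unprotected link; binding it to a counter or to a hash of the payload closes that gap. Claim 6 returns the stored reference response to the camera in the clear, so that reference pair should be treated as single use, just as the pool pairs are here (each issued pair is popped and never reused).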
8. An anti-counterfeiting camera access management electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the method of counterfeit avoidance camera access management of any one of claims 1-5 or 6.
9. A computer-readable storage medium storing computer instructions for causing a processor to implement the method of camera access management to avoid counterfeiting of any one of claims 1-5 or 6 when executed.
CN202211700790.5A 2022-12-29 2022-12-29 Camera access management method, system, device and medium for avoiding counterfeiting Active CN115694843B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211700790.5A CN115694843B (en) 2022-12-29 2022-12-29 Camera access management method, system, device and medium for avoiding counterfeiting

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211700790.5A CN115694843B (en) 2022-12-29 2022-12-29 Camera access management method, system, device and medium for avoiding counterfeiting

Publications (2)

Publication Number Publication Date
CN115694843A CN115694843A (en) 2023-02-03
CN115694843B true CN115694843B (en) 2023-04-07

Family

ID=85056436

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211700790.5A Active CN115694843B (en) 2022-12-29 2022-12-29 Camera access management method, system, device and medium for avoiding counterfeiting

Country Status (1)

Country Link
CN (1) CN115694843B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108092776A (en) * 2017-12-04 2018-05-29 南京南瑞信息通信科技有限公司 A kind of authentication server and authentication token
CN108768660A (en) * 2018-05-28 2018-11-06 北京航空航天大学 Internet of things equipment identity identifying method based on physics unclonable function
CN110401615A (en) * 2018-04-24 2019-11-01 广东工业大学 A kind of identity identifying method, device, equipment, system and readable storage medium storing program for executing
CN113708935A (en) * 2021-08-23 2021-11-26 北京航空航天大学 Internet of things equipment unified authentication method and system based on block chain and PUF

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102012219112A1 (en) * 2012-10-19 2014-04-24 Siemens Aktiengesellschaft Use of a PUF for checking an authentication, in particular for protection against unauthorized access to a function of an IC or control unit
CN103345690B (en) * 2013-07-19 2019-12-24 中山大学 Anti-counterfeiting method based on RFID and physical unclonable function
US11477039B2 (en) * 2018-10-11 2022-10-18 Arizona Board Of Regents On Behalf Of Northern Arizona University Response-based cryptography using physical unclonable functions
KR102384664B1 (en) * 2019-06-28 2022-04-11 한국전자통신연구원 User device, physical unclonable function based authentication server and operating method thereof
CN113282898B (en) * 2021-07-08 2021-11-02 之江实验室 Lightweight identity authentication method based on physical unclonable function
CN115150180A (en) * 2022-07-14 2022-10-04 江苏芯盛智能科技有限公司 Storage device management method, storage device, management device, and storage medium
CN115459918A (en) * 2022-08-04 2022-12-09 视联动力信息技术股份有限公司 Identity authentication method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
寇红召; 张紫楠; 马骏. 基于物理不可克隆函数的RFID双向认证 (RFID mutual authentication based on physical unclonable functions). 计算机工程 (Computer Engineering), 2013, (06), full text. *

Also Published As

Publication number Publication date
CN115694843A (en) 2023-02-03

Similar Documents

Publication Publication Date Title
US11178134B2 (en) Method and apparatus for allocating device identifiers
US10237254B2 (en) Conditional login promotion
CN101465735B (en) Network user identification verification method, server and client terminal
CN106779716B (en) Authentication method, device and system based on block chain account address
WO2015062461A1 (en) Method and system for verifying user identity of an online application
US10419431B2 (en) Preventing cross-site request forgery using environment fingerprints of a client device
CN112637166A (en) Data transmission method, device, terminal and storage medium
CN112651011B (en) Login verification method, device and equipment for operation and maintenance system and computer storage medium
CN112528262A (en) Application program access method, device, medium and electronic equipment based on token
WO2019140790A1 (en) Service tracking method and apparatus, terminal device, and storage medium
WO2018148103A1 (en) Password security
CN113674455B (en) Remote control method, device, system, equipment and storage medium for intelligent door lock
WO2014153959A1 (en) Method, related apparatus and system for preventing cross-site request forgery
US9203616B1 (en) Multi-server fault tolerant data store update
US11153093B2 (en) Protection of online applications and webpages using a blockchain
CN114513350A (en) Identity verification method, system and storage medium
CN113872990A (en) VPN network certificate authentication method and device based on SSL protocol and computer equipment
CN117336092A (en) Client login method and device, electronic equipment and storage medium
CN111988262B (en) Authentication method, authentication device, server and storage medium
CN115694843B (en) Camera access management method, system, device and medium for avoiding counterfeiting
EP4220518A1 (en) Blockchain network-based device management method, related device, and storage medium
CN113992387B (en) Resource management method, device, system, electronic equipment and readable storage medium
CN113225348B (en) Request anti-replay verification method and device
CN111817860B (en) Communication authentication method, device, equipment and storage medium
WO2021026937A1 (en) Method and apparatus for checking login behavior, and system, storage medium and electronic apparatus

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant