CN116032486B - Authentication method and system for asymmetric key and readable storage medium - Google Patents

Authentication method and system for asymmetric key and readable storage medium


Publication number
CN116032486B
Authority
CN
China
Prior art keywords
terminal
certificate
server
message
key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202211639805.1A
Other languages
Chinese (zh)
Other versions
CN116032486A (en)
Inventor
陈嘉毅
刘伟华
王志强
丁战阳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Eastcompeace Technology Co Ltd
Original Assignee
Eastcompeace Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Eastcompeace Technology Co Ltd filed Critical Eastcompeace Technology Co Ltd
Priority to CN202211639805.1A priority Critical patent/CN116032486B/en
Publication of CN116032486A publication Critical patent/CN116032486A/en
Publication of CN116032486B publication Critical patent/CN116032486B/en

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses an authentication method, a system and a readable storage medium of an asymmetric key, wherein the method comprises the following steps: the authentication platform sends a first terminal certificate and a first service end certificate to the terminal; the terminal acquires a first message after receiving the first message and sends the first message to the server; the server forwards the first message to the authentication platform; the authentication platform receives the first message, acquires a second terminal certificate and a second server certificate according to a serial number in the first message, carries out key negotiation to obtain a first session key, encrypts a first random number and a second random number according to the first session key to obtain a first random ciphertext, and sends the second message to the server; the server forwards the second message to the terminal; the terminal receives the second message and carries out key negotiation to obtain a second session key, and encrypts the first random number and the second random number based on the second session key to obtain a second random ciphertext; the terminal compares the first random ciphertext with the second random ciphertext. The method can improve the authentication speed and can be applied to the field of authentication of asymmetric keys.

Description

Authentication method and system for asymmetric key and readable storage medium
Technical Field
The present invention relates to the field of asymmetric key authentication, and in particular, to a method, a system, and a readable storage medium for authenticating an asymmetric key.
Background
In traditional bidirectional authentication between a terminal and a service platform, the two ends must exchange certificates before certificate verification and key negotiation can be computed. Each certificate transfer carries a large amount of data, which makes authentication slow.
Disclosure of Invention
In view of this, the embodiments of the present invention provide a method, a system and a readable storage medium for authenticating an asymmetric key, so as to increase the authentication speed.
A first aspect of the present invention provides an authentication method of an asymmetric key, including: the authentication platform sends a first terminal certificate and a first server certificate to a terminal, wherein the first terminal certificate is a digital certificate of the terminal, and the first server certificate is a digital certificate of a server; the terminal receives the first terminal certificate and the first server certificate, acquires a first message and sends the first message to the server, wherein the first message comprises: a first temporary public key, a first random number, a terminal certificate serial number, and a server certificate serial number; the server receives the first message and sends the first message to an authentication platform; the authentication platform receives the first message sent by the server, obtains a second terminal certificate and a second server certificate according to the terminal certificate serial number and the server certificate serial number in the first message, and carries out key negotiation based on the first temporary public key, the second terminal certificate and the second server certificate to obtain a first session key, wherein the second temporary public key is generated by the authentication platform; the authentication platform encrypts the first random number and the second random number according to the first session key to obtain a first random ciphertext, wherein the second random number is generated by the authentication platform; the authentication platform sends a second message to the server, wherein the second message comprises the second temporary public key and the second random number; the server receives the second message and sends the second message to the terminal; the terminal receives the second message, carries out key negotiation based on the first temporary public key, the second temporary public key, the first terminal certificate and the first server certificate to obtain a second session key, and encrypts the first random number and the second random number based on the second session key to obtain a second random ciphertext; and the terminal compares whether the first random ciphertext is the same as the second random ciphertext, and if so, the terminal and the server are determined to finish authentication.
According to some embodiments of the present invention, after the authentication platform receives the first message sent by the server, the method further includes: verifying a first signature value in the first message using the second terminal certificate, wherein the first signature value is obtained by performing an SM2 signature on first data using a first terminal private key, and the first message comprises the first signature value and the first data.
According to some embodiments of the invention, after the terminal receives the second message, the method further includes: verifying a second signature value in the second message using the first server certificate, wherein the second signature value is obtained by performing an SM2 signature on second data using a second server private key, and the second message comprises the second signature value and the second data.
According to some embodiments of the invention, the generating of the first random ciphertext or the second random ciphertext comprises: performing SM4-CBC-NOPAD encryption on the first random number and the second random number with the first session key to obtain the first random ciphertext; and performing SM4-CBC-NOPAD encryption on the first random number and the second random number with the second session key to obtain the second random ciphertext.
According to some embodiments of the invention, the method further comprises: performing SM4-MAC calculation on the second random ciphertext with the second session key to obtain a server MAC, wherein the second message comprises the server MAC.
According to some embodiments of the invention, after the terminal compares whether the first random ciphertext and the second random ciphertext are the same, the method further comprises: performing SM4-MAC calculation on the second random ciphertext with a session key to obtain a terminal MAC; and comparing whether the terminal MAC is the same as the server MAC, and if so, determining that authentication is completed between the terminal and the server.
Another aspect of the present invention provides an authentication system of an asymmetric key, comprising: the authentication platform is used for sending a first terminal certificate and a first server certificate to the terminal, wherein the first terminal certificate is a digital certificate of the terminal, and the first server certificate is a digital certificate of the server; receiving a first message sent by the server, acquiring a second terminal certificate and a second server certificate according to a terminal certificate serial number and a server certificate serial number in the first message, and performing key negotiation based on a first temporary public key, a second temporary public key, the second terminal certificate and the second server certificate to acquire a first session key, wherein the second temporary public key is generated by the authentication platform; encrypting a first random number and a second random number according to the first session key to obtain a first random ciphertext, wherein the second random number is generated by the authentication platform; sending a second message to the server, wherein the second message comprises the second temporary public key and the second random number; the terminal is configured to receive the first terminal certificate and the first server certificate, obtain a first message, and send the first message to a server, where the first message includes: a first temporary public key, a first random number, a terminal certificate serial number, and a server certificate serial number; receiving the second message, performing key negotiation based on the first temporary public key, the second temporary public key, the first terminal certificate and the second server certificate to obtain a second session key, and encrypting the first random number and the second random number based on the second session key to obtain a second random ciphertext; comparing whether the first random ciphertext is identical to the second random ciphertext, and if so, determining that authentication is completed between the terminal and the server; the server is used for receiving the first message and sending the first message to the authentication platform; and receiving the second message and sending the second message to the terminal.
Another aspect of the invention provides an electronic device comprising a processor and a memory; the memory is used for storing programs; the processor executes the program to implement the authentication method of an asymmetric key as described in any one of the above.
The electronic equipment provided by the embodiment of the invention has at least the same beneficial effects as the authentication method of the asymmetric key.
Another aspect of the present invention provides a computer-readable storage medium storing a program that is executed by a processor to implement the authentication method of an asymmetric key as set forth in any one of the above.
The computer-readable storage medium according to an embodiment of the present invention has at least the same advantageous effects as the above-described authentication method of asymmetric keys.
Embodiments of the present invention also disclose a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The computer instructions may be read from a computer-readable storage medium by a processor of a computer device, and executed by the processor, to cause the computer device to perform the foregoing method.
In the embodiment of the invention, the terminal certificate and the server certificate are managed by an authentication platform. During authentication, the terminal calculates a first message through a preset terminal certificate and server certificate. The authentication platform looks up the corresponding certificate contents by the terminal certificate serial number and the server certificate serial number in the first message, then performs key negotiation using a temporary key and the certificate contents of both parties to obtain a first session key. The first random number sent in the first message and a second random number on the authentication platform are encrypted with the first session key and sent to the terminal through the server. After receiving the second message, the terminal calculates a second session key based on a random public key, the terminal certificate and the server message of the terminal, encrypts the first random number and the second random number with the second session key, and compares whether the encrypted ciphertexts are identical, thereby completing verification. By transmitting the serial number to the authentication platform instead of transmitting the authentication certificate directly to the server, the terminal reduces the certificate content that must be transmitted during authentication and lets the authentication platform look up the corresponding certificate content by serial number. After the authentication platform completes the key agreement, the transmitted message is sent to the terminal, so that the terminal does not carry complete certificate-related data while verifying and determining that authentication is completed. Therefore, data transmission in the bidirectional authentication process is reduced, and the authentication speed is further improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of steps of an authentication method for asymmetric keys according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of an asymmetric key authentication system according to an embodiment of the present invention;
FIG. 3 is a schematic block diagram of an apparatus of an embodiment of the present invention.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
At present, in the process of mutual authentication between the terminal 210 and the server 220, the certificates of both sides need to be exchanged to negotiate a session key accepted by both sides, but in the present internet environment, the data transmission size is required to be increased, so that the transmission rate is improved.
Referring to fig. 1, fig. 1 is a step flowchart of an asymmetric key authentication method according to an embodiment of the present invention, including the steps of:
In step S110, the authentication platform 230 sends the first terminal 210 certificate and the first server 220 certificate to the terminal 210, where the first terminal 210 certificate is a digital certificate of the terminal 210, and the first server 220 certificate is a digital certificate of the server 220.
Specifically, the authentication platform 230 manages the lifecycle of the terminal 210 certificate and the server 220 certificate, and provides certificate services such as issuing, retrieval, suspension and archiving. When the terminal 210 initiates bidirectional authentication, the authentication platform 230 issues to the terminal 210 the certificate of the terminal 210 and the certificate of the server 220 with which the terminal 210 is to authenticate, and writes the two certificates into the card of the terminal 210. This means that the terminal 210 may send a certain instruction to the authentication platform 230 to initiate the bidirectional authentication.
In step S120, the terminal 210 receives the first terminal 210 certificate and the first server 220 certificate, and obtains a first message and sends the first message to the server 220, where the first message includes: the first temporary public key, the first random number, the terminal 210 certificate serial number, the server certificate serial number.
After the terminal 210 receives the first terminal 210 certificate and the first server 220 certificate, because each certificate includes a corresponding serial number, the terminal 210 obtains the terminal 210 certificate serial number from the first terminal 210 certificate and the server 220 certificate serial number from the first server 220 certificate. It generates a temporary public key and a random number, assembles the temporary public key and the random number into a first message, and sends the first message to the server 220. Further, the terminal 210 adopts an SE device, and the message data in the first message is composed of first data and a first signature value, laid out in order as:
  • device ID (i.e., IMEI, 10 bytes)
  • device type (1 byte)
  • SE basic information length (2 bytes)
  • SE basic information
  • authentication counter (2 bytes)
  • timestamp (6 bytes)
  • first random number (8 bytes)
  • first temporary public key (64 bytes)
  • first signature value (64 bytes)
The SE basic information consists of, in order:
  • RFU (11 bytes)
  • standard version number (1 byte)
  • COS version number (1 byte)
  • year of production (4 bytes)
  • SEID (16 bytes)
  • RFU (5)
  • first terminal 210 certificate (LV format, L is 2 bytes)
Note that the first signature value is obtained by performing an SM2 signature operation, using the first terminal 210 private key, on the first data from the above device ID to the first temporary public key.
The first byte of the RFU (11 bytes) in the SE basic information represents the mutual authentication protocol. In mutual authentication with a certificate, FF in 0-1 bytes indicates mutual authentication with a certificate, 2-6 bytes are filled with FF as placeholders, and 7-11 bytes are filled with FF as placeholders. In mutual authentication without a certificate, FE in 0-1 byte indicates mutual authentication without a certificate, 2-6 bytes hold the server 220 certificate serial number, and 7-11 bytes hold the terminal 210 certificate serial number. Note that the first terminal 210 certificate (LV format, L is 2 bytes) in the first data is 0000 in mutual authentication without a certificate. It can be seen that the first message does not include the data of the certificate itself, which greatly reduces the size of the delivered content. The first random number is randomly generated by the terminal 210, the first signature value is also generated by the terminal 210, and the terminal 210 also generates a temporary public-private key pair.
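An added example, not part of the patent text: a Python parser for the first message layout described above, together with the platform-side lookup of both certificates by serial number. The big-endian length fields, the 1 + 5 + 5 split of the 11-byte RFU, the rule that certificate mode carries a non-empty certificate, and all sample values are assumptions of this example; SM2 signature verification is left out.

```python
import struct
from dataclasses import dataclass
from typing import Optional

WITH_CERT, CERTLESS = 0xFF, 0xFE  # protocol marker in the first RFU byte


@dataclass
class FirstMessage:
    device_id: bytes
    device_type: int
    mode: int
    server_serial: Optional[bytes]    # set only in certificate-less mode
    terminal_serial: Optional[bytes]
    terminal_cert: bytes              # empty when the LV length is 0000
    auth_counter: int
    timestamp: bytes
    rand1: bytes
    eph_pub1: bytes
    signed_data: bytes                # device ID .. first temporary public key
    signature: bytes                  # SM2 signature, not verified here


class _Reader:
    """Bounds-checked cursor so a short or padded message fails closed."""

    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def take(self, n: int, what: str) -> bytes:
        if self.pos + n > len(self.buf):
            raise ValueError(f"truncated while reading {what}")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u16(self, what: str) -> int:
        return struct.unpack(">H", self.take(2, what))[0]  # big-endian assumed

    def finish(self, what: str) -> None:
        if self.pos != len(self.buf):
            raise ValueError(f"trailing bytes after {what}")


def _parse_se_info(se: bytes):
    r = _Reader(se)
    rfu = r.take(11, "RFU")
    mode, server_sn, terminal_sn = rfu[0], None, None
    if mode == CERTLESS:
        server_sn, terminal_sn = rfu[1:6], rfu[6:11]  # assumed 1 + 5 + 5 split
    elif mode == WITH_CERT:
        if rfu[1:] != b"\xff" * 10:
            raise ValueError("certificate mode expects FF placeholders in RFU")
    else:
        raise ValueError(f"unknown protocol marker 0x{mode:02X}")
    r.take(1 + 1 + 4 + 16 + 5, "versions, year, SEID, RFU")
    cert = r.take(r.u16("certificate length"), "terminal certificate")
    r.finish("SE basic information")
    # L must be 0000 without a certificate; a non-empty certificate in the
    # other mode is this example's own consistency rule.
    if (mode == CERTLESS) != (len(cert) == 0):
        raise ValueError("certificate field contradicts protocol marker")
    return mode, server_sn, terminal_sn, cert


def parse_first_message(msg: bytes) -> FirstMessage:
    r = _Reader(msg)
    device_id = r.take(10, "device ID")
    device_type = r.take(1, "device type")[0]
    se = r.take(r.u16("SE basic information length"), "SE basic information")
    mode, server_sn, terminal_sn, cert = _parse_se_info(se)
    counter = r.u16("authentication counter")
    timestamp = r.take(6, "timestamp")
    rand1 = r.take(8, "first random number")
    eph_pub1 = r.take(64, "first temporary public key")
    signed_end = r.pos                 # the signature covers everything so far
    signature = r.take(64, "first signature value")
    r.finish("first message")
    return FirstMessage(device_id, device_type, mode, server_sn, terminal_sn,
                        cert, counter, timestamp, rand1, eph_pub1,
                        msg[:signed_end], signature)


def resolve_certificates(m: FirstMessage, store: dict):
    """Platform side: fetch both stored certificates, or refuse the message."""
    if m.mode != CERTLESS:
        raise ValueError("message does not reference certificates by serial")
    try:
        return store[m.terminal_serial], store[m.server_serial]
    except KeyError:
        raise ValueError("unknown certificate serial number") from None


def build_sample(mode: int, cert: bytes = b"", server_sn: bytes = b"\xff" * 5,
                 terminal_sn: bytes = b"\xff" * 5) -> bytes:
    """Constructed test vector: every field value here is made up."""
    se = (bytes([mode]) + server_sn + terminal_sn + b"\x01\x01" + b"2022"
          + bytes(16) + bytes(5) + struct.pack(">H", len(cert)) + cert)
    return (b"IMEI567890" + b"\x01" + struct.pack(">H", len(se)) + se
            + struct.pack(">H", 7) + bytes(6) + bytes(range(8))
            + bytes(64) + bytes(64))
```

With this layout the certificate-less first message has a fixed size, while the certificate-carrying form grows by the full length of the embedded certificate.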
In step S130, the server 220 receives the first message and sends the first message to the authentication platform 230.
In step S140, the authentication platform 230 receives the first message sent by the server 220, obtains the second terminal 210 certificate and the second server 220 certificate according to the terminal 210 certificate serial number and the server 220 certificate serial number in the first message, and performs key negotiation based on the first temporary public key, the second terminal 210 certificate and the second server 220 certificate to obtain the first session key, where the second temporary public key is generated by the authentication platform 230.
Specifically, after receiving the first message, the server 220 forwards it to the authentication platform 230. After receiving the first message, the authentication platform 230 queries the second terminal 210 certificate and the second server 220 certificate according to the terminal 210 certificate serial number and the server 220 certificate serial number in the first message, checks whether the second terminal 210 certificate and the second server 220 certificate exist, and if so, acquires the corresponding certificates. The second terminal 210 certificate is then used to verify the first signature value in the first message, which verifies identity. Because the terminal 210 certificate serial number is obtained from the first terminal 210 certificate, the second terminal 210 certificate queried according to that serial number should be the same certificate as the first terminal 210 certificate; and because the first signature value is obtained by performing an SM2 signature operation on the first data using the first terminal 210 private key, verifying the first signature with the second terminal 210 certificate checks whether the first terminal 210 certificate and the second terminal 210 certificate are the digital certificate of the same terminal 210, or whether the first message has been tampered with, thereby improving security. After the verification succeeds, the authentication platform 230 negotiates the first session key; the first temporary public key, the second terminal 210 certificate and the second server 220 certificate are used in the negotiation. It can be seen that the amount of data transmitted for certificate exchange is reduced: the certificate is obtained in the authentication platform 230 from the transmitted serial number, and the defined message format reduces the size of the messages transmitted during mutual authentication.
In step S150, the authentication platform 230 encrypts the first random number and the second random number according to the first session key to obtain a first random ciphertext, where the second random number is generated by the authentication platform 230.
In step S160, the authentication platform 230 sends a second message to the server 220, where the second message includes a second temporary public key and a second random number.
Specifically, the authentication platform 230 uses SM4_CBC_NOPAD with the first session key to encrypt the first random number and the second random number held by the authentication platform 230, obtaining the first random ciphertext. The second temporary public key and the second random number in the authentication platform 230 are assembled into a second message. Note that the second temporary public key and the second random number are both generated for the server 220. The message data includes second data and a second signature value, laid out in order as:
  • session key ID (1 byte)
  • session key validity period (6 bytes)
  • second random number (8 bytes)
  • second server 220 certificate (LV format, L is 2 bytes)
  • second temporary public key (64 bytes)
  • first random ciphertext (16 bytes)
  • MAC check value (4 bytes)
  • second signature value (64 bytes)
The second random ciphertext is obtained by performing an SM4_CBC_NOPAD encryption operation on the SE random number and the platform random number using the session key calculated through negotiation. The server 220 MAC is obtained by performing an SM4-MAC operation on the second random ciphertext using the session key calculated through negotiation. The second signature value is obtained by performing an SM2 signature operation, using the private key of the second server 220, on the first data from the session key ID to the MAC check value. Note that the second server 220 certificate (LV format, L is 2 bytes) is 0000 in mutual authentication without a certificate. The second message is then sent to the server 220.
In step S170, the server 220 receives the second message and sends the second message to the terminal 210.
In step S180, the terminal 210 receives the second message, performs key negotiation based on the first temporary public key, the second temporary public key, the first terminal 210 certificate and the first server 220 certificate to obtain a second session key, and encrypts the first random number and the second random number based on the second session key to obtain a second random ciphertext.
In step S190, the terminal 210 compares whether the first random ciphertext and the second random ciphertext are the same, and if so, determines that authentication is completed between the terminal 210 and the server 220.
Specifically, the server 220 receives the second message and forwards it to the terminal 210. After receiving the second message, the terminal 210 verifies the second signature value in the second message using the first server 220 certificate, performs key negotiation using the first temporary public key, the second temporary public key, the first terminal 210 certificate and the first server 220 certificate to obtain a second session key, and encrypts the first random number and the second random number with the second session key to obtain a second random ciphertext. The first random ciphertext is then compared with the second random ciphertext. If they are the same, the second session key and the first session key are successfully verified, that is, the first session key is the key finally obtained by the mutual authentication negotiation, and the authentication is completed at this point. The second session key is calculated using the related data in the first terminal 210 certificate and the second server 220 certificate, that is, the first terminal 210 certificate and the second terminal 210 certificate are verified to be the same terminal 210 certificate, and the first server 220 certificate and the second server 220 certificate are the same server 220 certificate, so that the security is improved, and the terminal 210 certificate and the server 220 certificate which are subjected to key negotiation in the authentication platform 230 are not the terminal 210 and the server 220 to be authenticated in practice.
By exchanging the temporary key and the random number, key negotiation is performed directly on the authentication platform 230 and directly on the terminal 210, which reduces the cases in which certificates must be exchanged as in the traditional method, and the defined message format reduces the size of the messages transmitted during bidirectional authentication between the terminal 210 and the service platform. Further, after the random ciphertexts are compared, SM4-MAC calculation may be performed on the second random ciphertext using the second session key to obtain the terminal 210 MAC, and the terminal 210 MAC is compared with the server 220 MAC; if they are the same, it is determined that authentication is completed between the terminal 210 and the server 220. The certificates of the two parties are no longer exchanged at any point in the process.
Referring to fig. 2, fig. 2 is a schematic diagram of an asymmetric key authentication system according to an embodiment of the present invention, where the asymmetric key authentication system includes: authentication platform 230, terminal 210, server 220:
An authentication platform 230, configured to send a first terminal 210 certificate and a first server 220 certificate to the terminal 210, where the first terminal 210 certificate is a digital certificate of the terminal 210, and the first server 220 certificate is a digital certificate of the server 220; receiving a first message sent by a server 220, obtaining a second terminal 210 certificate and a second server 220 certificate according to a terminal 210 certificate serial number and a server 220 certificate serial number in the first message, and performing key negotiation based on a first temporary public key, a second temporary public key, the second terminal 210 certificate and the second server 220 certificate to obtain a first session key, wherein the second temporary public key is generated by an authentication platform 230; encrypting the first random number and the second random number according to the first session key to obtain a first random ciphertext, wherein the second random number is generated by the authentication platform 230; sending a second message to the server 220, wherein the second message includes a second temporary public key and a second random number;
The terminal 210 is configured to receive the first terminal 210 certificate and the first server 220 certificate, obtain a first message, and send the first message to the server 220, where the first message includes: a first temporary public key, a first random number, a terminal 210 certificate serial number, and a server certificate serial number; receiving a second message, performing key negotiation based on the first temporary public key, the second temporary public key, the first terminal 210 certificate and the second server 220 certificate to obtain a second session key, and encrypting the first random number and the second random number based on the second session key to obtain a second random ciphertext; comparing whether the first random ciphertext is the same as the second random ciphertext, and if so, determining that authentication is completed between the terminal 210 and the server 220;
the server 220 is configured to receive the first message and send the first message to the authentication platform 230; the second message is received and sent to the terminal 210.
Referring to FIG. 3, the embodiment provides an electronic device, which includes a processor and a memory coupled to the processor, wherein the memory stores program instructions executable by the processor, and the processor implements the target risk website detection method when executing the program instructions stored by the memory. The processor may also be referred to as a CPU (Central Processing Unit). The processor may be an integrated circuit chip having signal processing capabilities. The processor may also be a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components. The general purpose processor may be a microprocessor, or the general purpose processor may be any conventional processor or the like. The memory may include various components (e.g., machine readable media) including, but not limited to, random access memory components, read-only components, and any combination thereof. The memory 520 may also include: instructions (e.g., software) stored on one or more machine-readable media; the instructions implement the target risk website detection method in the above embodiment. The electronic device has the function of carrying and running a software system for target risk website detection provided by the embodiment of the invention, such as a personal computer (PC), a mobile phone, a smart phone, a personal digital assistant (PDA), a wearable device, a palm computer PPC (Pocket PC), a tablet computer and the like.
Embodiments of the present invention also disclose a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The computer instructions may be read from a computer-readable storage medium by a processor of a computer device, and executed by the processor, to cause the computer device to perform the method shown in fig. 1.
In some alternative embodiments, the functions/acts noted in the block diagrams may occur out of the order noted in the operational illustrations. For example, two blocks shown in succession may in fact be executed substantially concurrently or the blocks may sometimes be executed in the reverse order, depending upon the functionality/acts involved. Furthermore, the embodiments presented and described in the flowcharts of the present invention are provided by way of example in order to provide a more thorough understanding of the technology. The disclosed methods are not limited to the operations and logic flows presented herein. Alternative embodiments are contemplated in which the order of various operations is changed, and in which sub-operations described as part of a larger operation are performed independently.
Furthermore, while the invention is described in the context of functional modules, it should be appreciated that, unless otherwise indicated, one or more of the described functions and/or features may be integrated in a single physical device and/or software module or one or more functions and/or features may be implemented in separate physical devices or software modules. It will also be appreciated that a detailed discussion of the actual implementation of each module is not necessary to an understanding of the present invention. Rather, the actual implementation of the various functional modules in the apparatus disclosed herein will be apparent to those skilled in the art from consideration of their attributes, functions and internal relationships. Accordingly, one of ordinary skill in the art can implement the invention as set forth in the claims without undue experimentation. It is also to be understood that the specific concepts disclosed are merely illustrative and are not intended to be limiting upon the scope of the invention, which is to be defined in the appended claims and their full scope of equivalents.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program code.
Logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable instructions for implementing logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). In addition, the computer readable medium may even be paper or other suitable medium on which the program is printed, as the program may be electronically captured, via, for instance, optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner, if necessary, and then stored in a computer memory.
It is to be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above-described embodiments, the various steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, they may be implemented using any one or combination of the following techniques, as is well known in the art: discrete logic circuits having logic gates for implementing logic functions on data signals, application specific integrated circuits having suitable combinational logic gates, Programmable Gate Arrays (PGAs), Field Programmable Gate Arrays (FPGAs), and the like.
In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
While embodiments of the present invention have been shown and described, it will be understood by those of ordinary skill in the art that: many changes, modifications, substitutions and variations may be made to the embodiments without departing from the spirit and principles of the invention, the scope of which is defined by the claims and their equivalents.
While the preferred embodiment of the present application has been described in detail, the present application is not limited to the embodiments described above, and those skilled in the art can make various equivalent modifications or substitutions without departing from the spirit of the present application, and these equivalent modifications or substitutions are included in the scope of the present application as defined in the appended claims.

Claims (10)

1. A method of authenticating an asymmetric key, comprising:
the authentication platform sends a first terminal certificate and a first server certificate to a terminal, wherein the first terminal certificate is a digital certificate of the terminal, and the first server certificate is a digital certificate of a server;
The terminal receives the first terminal certificate and the first server certificate, acquires a first message and sends the first message to the server, wherein the first message comprises: a first temporary public key, a first random number, a terminal certificate serial number, and a server certificate serial number;
the server receives the first message and sends the first message to an authentication platform;
The authentication platform receives the first message sent by the server, obtains a second terminal certificate and a second server certificate according to the terminal certificate serial number and the server certificate serial number in the first message, and carries out key negotiation based on the first temporary public key, the second terminal certificate and the second server certificate to obtain a first session key, wherein the second temporary public key is generated by the authentication platform;
The authentication platform encrypts the first random number and the second random number according to the first session key to obtain a first random ciphertext, wherein the second random number is generated by the authentication platform;
the authentication platform sends a second message to the server, wherein the second message comprises the second temporary public key and the second random number;
The server receives the second message and sends the second message to the terminal;
the terminal receives the second message, carries out key negotiation based on the first temporary public key, the second temporary public key, the first terminal certificate and the first server certificate to obtain a second session key, and encrypts the first random number and the second random number based on the second session key to obtain a second random ciphertext;
And the terminal compares whether the first random ciphertext is the same as the second random ciphertext, and if so, the terminal and the server are determined to finish authentication.
2. The method for authenticating an asymmetric key according to claim 1, wherein after the authentication platform receives the first message sent by the server, the method further comprises:
and checking a first signature value in the first message through a second terminal certificate, wherein the first signature value is obtained by carrying out SM2 signature on first data through a first terminal private key, and the first message comprises the first signature value and the first data.
3. The method for authenticating an asymmetric key according to claim 1, wherein after the terminal receives the second message, the method further comprises:
and checking a second signature value in the second message through the first server certificate, wherein the second signature value is obtained by carrying out SM2 signature on second data through a second server private key, and the second message comprises the second signature value and the second data.
4. The method for authenticating an asymmetric key according to claim 1, wherein the generating step of the first random ciphertext or the second random ciphertext comprises:
carrying out SM4-CBC-NOPAD encryption on the first random number and the second random number through the first session key to obtain a first random ciphertext;
and carrying out SM4-CBC-NOPAD encryption on the first random number and the second random number through the second session key to obtain a second random ciphertext.
5. The method for authenticating an asymmetric key as recited in claim 1, further comprising:
And carrying out SM4-MAC calculation on the second random ciphertext through the second session key to obtain a server MAC, wherein the second message comprises the server MAC.
6. The authentication method of an asymmetric key as claimed in claim 5, wherein after comparing whether the first random ciphertext and the second random ciphertext are identical, the terminal further comprises:
performing SM4-MAC calculation on the second random ciphertext through a session key to obtain a terminal MAC;
comparing whether the terminal MAC is the same as the server MAC, and if so, determining that authentication is completed between the terminal and the server.
7. An asymmetric key authentication system, comprising:
the authentication platform is used for sending a first terminal certificate and a first server certificate to the terminal, wherein the first terminal certificate is a digital certificate of the terminal, and the first server certificate is a digital certificate of the server; receiving a first message sent by the server, acquiring a second terminal certificate and a second server certificate according to a terminal certificate serial number and a server certificate serial number in the first message, and performing key negotiation based on a first temporary public key, a second temporary public key, the second terminal certificate and the second server certificate to acquire a first session key, wherein the second temporary public key is generated by the authentication platform; encrypting a first random number and a second random number according to the first session key to obtain a first random ciphertext, wherein the second random number is generated by the authentication platform; sending a second message to the server, wherein the second message comprises the second temporary public key and the second random number;
the terminal is configured to receive the first terminal certificate and the first server certificate, obtain a first message, and send the first message to a server, where the first message includes: a first temporary public key, a first random number, a terminal certificate serial number, and a server certificate serial number; receiving the second message, performing key negotiation based on the first temporary public key, the second temporary public key, the first terminal certificate and the second server certificate to obtain a second session key, and encrypting the first random number and the second random number based on the second session key to obtain a second random ciphertext; comparing whether the first random ciphertext is identical to the second random ciphertext, and if so, determining that authentication is completed between the terminal and the server;
the server is used for receiving the first message and sending the first message to the authentication platform; and receiving the second message and sending the second message to the terminal.
8. An electronic device comprising a processor and a memory;
the memory is used for storing programs;
the processor executing the program implements the method of any one of claims 1 to 6.
9. A computer-readable storage medium, characterized in that the storage medium stores a program that is executed by a processor to implement the method of any one of claims 1 to 6.
10. A computer program product comprising a computer program which, when executed by a processor, implements the method of any of claims 1 to 6.
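The flow of claims 1 to 6, as an added sketch that is not code from the patent: it runs on the Python standard library only, so a toy Diffie-Hellman group stands in for SM2 key agreement and HMAC-SHA256 stands in for the SM4-CBC-NOPAD random ciphertext. It assumes the platform holds the server's static private key and that the first random ciphertext travels in the second message; the serials `T-0001` and `S-0001` and all class and function names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, a stand-in for SM2 key agreement (assumption;
# chosen so the example needs no third-party library, not for strength).
P = 2**255 - 19
G = 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(my_static, my_eph, peer_static_pub, peer_eph_pub):
    # Both the certified (static) and the temporary keys feed the session key.
    s = pow(peer_static_pub, my_static, P)
    e = pow(peer_eph_pub, my_eph, P)
    return hashlib.sha256(s.to_bytes(32, "big") + e.to_bytes(32, "big")).digest()

def random_ciphertext(key, r1, r2):
    # Stand-in for SM4-CBC-NOPAD over r1 || r2: a deterministic keyed function.
    return hmac.new(key, r1 + r2, hashlib.sha256).digest()

class Platform:
    """Authentication platform: looks certificates up by serial number."""
    def __init__(self, certs, server_privs):
        self.certs, self.server_privs = certs, server_privs

    def handle_first(self, msg1):
        term_pub = self.certs[msg1["term_serial"]]  # KeyError on unknown serial
        srv_priv = self.server_privs[msg1["srv_serial"]]
        eph_priv, eph_pub = keypair()               # second temporary key pair
        r2 = secrets.token_bytes(16)                # second random number
        key1 = session_key(srv_priv, eph_priv, term_pub, msg1["eph_pub"])
        return {"eph_pub": eph_pub, "r2": r2,
                "ct": random_ciphertext(key1, msg1["r1"], r2)}

class Terminal:
    def __init__(self, serial, static_priv, srv_serial, srv_pub):
        self.serial, self.static_priv = serial, static_priv
        self.srv_serial, self.srv_pub = srv_serial, srv_pub

    def first_message(self):
        self.eph_priv, eph_pub = keypair()          # first temporary key pair
        self.r1 = secrets.token_bytes(16)           # first random number
        return {"eph_pub": eph_pub, "r1": self.r1,
                "term_serial": self.serial, "srv_serial": self.srv_serial}

    def finish(self, msg2):
        key2 = session_key(self.static_priv, self.eph_priv,
                           self.srv_pub, msg2["eph_pub"])
        ct2 = random_ciphertext(key2, self.r1, msg2["r2"])
        return hmac.compare_digest(ct2, msg2["ct"])  # constant-time compare

def run(tamper=None):
    """One authentication; `tamper` lets the relaying server edit a message."""
    (t_priv, t_pub), (s_priv, s_pub) = keypair(), keypair()
    platform = Platform({"T-0001": t_pub, "S-0001": s_pub}, {"S-0001": s_priv})
    terminal = Terminal("T-0001", t_priv, "S-0001", s_pub)
    msg1 = terminal.first_message()
    if tamper == "msg1":                 # relay swaps the first temporary key
        msg1["eph_pub"] = keypair()[1]
    msg2 = platform.handle_first(msg1)   # an honest server only forwards
    if tamper == "msg2":                 # relay swaps the second random number
        msg2["r2"] = secrets.token_bytes(16)
    return terminal.finish(msg2)
```

`run()` returns `True` for an untouched exchange, while either tampering mode makes the terminal's comparison fail, which is the property the final comparison step relies on.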
CN202211639805.1A 2022-12-20 2022-12-20 Authentication method and system for asymmetric key and readable storage medium Active CN116032486B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211639805.1A CN116032486B (en) 2022-12-20 2022-12-20 Authentication method and system for asymmetric key and readable storage medium

Publications (2)

Publication Number Publication Date
CN116032486A CN116032486A (en) 2023-04-28
CN116032486B CN116032486B (en) 2024-07-09

Family

ID=86069830

Country Status (1)

Country Link
CN (1) CN116032486B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant