CN116545751A - Intelligent equipment safety authentication method and device based on zero trust - Google Patents


Info

Publication number: CN116545751A
Authority: CN (China)
Application number: CN202310662713.3A
Other languages: Chinese (zh)
Prior art keywords: random code, server, key information, information, key
Inventors: 赵奕捷, 成国强, 宫敏, 杨立扬
Current assignee: Tianyi Digital Life Technology Co Ltd
Original assignee: Tianyi Digital Life Technology Co Ltd
Legal status: Pending

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
              • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
            • H04L63/12 Applying verification of the received information
            • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
              • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
          • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
              • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
                • H04L9/0866 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
            • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
              • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
                • H04L9/3273 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
      • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
        • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
          • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
            • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

In the scheme provided by the application, when an intelligent device initiates a connection authentication request to a server, the device encrypts a locally generated first random code with first key information and sends the encryption information to the server. The server decrypts it with the corresponding first key information, encrypts the recovered first random code together with a locally generated second random code, and feeds the result back to the intelligent device, which then decrypts it with the corresponding second key information.

Description

Intelligent equipment safety authentication method and device based on zero trust
Technical Field
The application relates to the technical field of information security, in particular to an intelligent device security authentication method and device based on zero trust.
Background
With the development of network technology, more and more Internet of Things intelligent devices are entering ordinary households, and the security of these devices is very important to operators.
The existing security policy for intelligent devices performs authentication through key data written into the device by the manufacturer: when the device is used or connected to a platform, the symmetric key held in the device is checked against the symmetric key stored on the platform to authenticate the device's identity. This policy cannot address counterfeit attacks and similar threats, and therefore has the technical problem of insufficient security.
Disclosure of Invention
The application provides a zero-trust-based security authentication method and device for intelligent devices, which solve the technical problem of low security in the existing security policy for Internet of Things intelligent devices.
To solve the above technical problem, a first aspect of the present application provides a zero-trust-based security authentication method for an intelligent device, applied to a server, which includes:
responding to a connection authentication request message sent by an intelligent device and extracting the first encryption information contained in it, where the first encryption information is obtained by the intelligent device by encrypting its device identifier and a first random code, the first random code being a digital code randomly generated by the intelligent device;
decrypting the first encryption information with the first key information stored locally on the server to obtain the first random code;
encrypting the first random code and a second random code with the second key information corresponding to the device identifier to obtain second encryption information, where the second random code is a digital code randomly generated by the server;
sending the second encryption information to the intelligent device, so that the intelligent device decrypts it with the second key information stored locally on the device, checks the first random code obtained by decryption against the first random code it stored locally and, if the check passes, feeds the second random code obtained by decryption back to the server;
and checking the received second random code against the locally stored second random code and, if the check passes, determining that the intelligent device has passed security authentication.
Preferably, the method further comprises:
responding to a reset connection authentication request message sent by an intelligent device and extracting the third encryption information contained in it, where the reset connection authentication request message is the request message the intelligent device sends when it connects to the server for the first time or after initialization, and the third encryption information is obtained by the intelligent device by encrypting third key information, its device identifier and a third random code generated by the intelligent device with the first key information stored locally on the device;
decrypting the third encryption information with the first key information stored locally on the server to obtain the third key information, the device identifier and the third random code;
generating the second key information of the intelligent device according to the device identifier;
and encrypting the second key information and the first random code with the third key information to obtain fourth encryption information, and sending the fourth encryption information to the intelligent device, so that the intelligent device decrypts it with the third key information, checks the third random code obtained by decryption against the locally stored third random code and, after the check passes, stores the second key information obtained by decryption.
Preferably, before checking the received second random code against the locally stored second random code, the method further comprises:
when the received second random code is a ciphertext message encrypted with a first start key, generating a second start key from the first random code and the second random code with a preset key generation algorithm, and decrypting the ciphertext message with the second start key to obtain the second random code, where the first start key is key information generated by the intelligent device from its locally stored first random code and second random code with the same key generation algorithm.
Preferably, the first key information and the second key information are asymmetric key information;
the first key information stored on the intelligent device is specifically the public key part of the first key information, and the first key information stored on the server is specifically the private key part of the first key information;
the second key information stored on the intelligent device is specifically the private key part of the second key information, and the second key information stored on the server is specifically the public key part of the second key information.
Preferably, the third key information is specifically symmetric key information.
A second aspect of the application provides a zero-trust-based security authentication method for an intelligent device, applied to the intelligent device, which comprises the following steps:
encrypting the device identifier and first random code of the device with the first key information stored locally on the device to obtain first encryption information;
generating a connection authentication request message from the first encryption information and sending it to a server, so that the server decrypts the first encryption information with the first key information stored locally on the server to obtain the first random code, encrypts the first random code and a second random code with the second key information corresponding to the device identifier to obtain second encryption information, and sends the second encryption information to the intelligent device;
and, when the second encryption information is received, decrypting it with the second key information stored locally on the device, checking the first random code obtained by decryption against the locally stored first random code and, if the check passes, feeding the second random code obtained by decryption back to the server, so that the server checks the received second random code against its locally stored second random code and, if that check passes, determines that the intelligent device has passed security authentication.
Preferably, the method further comprises:
when the intelligent device connects to the server for the first time after being reset, encrypting third key information, the device identifier and a third random code generated by the intelligent device with the first key information stored locally on the device to obtain third encryption information;
generating a reset connection authentication request message from the third encryption information and sending it to the server, so that the server decrypts the third encryption information with the first key information stored locally on the server to obtain the third key information, the device identifier and the third random code, generates the second key information of the intelligent device according to the device identifier, encrypts the second key information and the first random code with the third key information, and sends the resulting fourth encryption information to the intelligent device;
and, when the fourth encryption information is received, decrypting it with the third key information, checking the third random code obtained by decryption against the locally stored third random code and, after the check passes, storing the second key information obtained by decryption.
Preferably, before feeding the second random code obtained by decryption back to the server, the method further includes:
generating a first start key from the locally stored first random code and second random code with a preset key generation algorithm, and encrypting the second random code with the first start key, so that a ciphertext message containing the second random code is fed back to the server.
A third aspect of the present application provides a zero-trust-based security authentication device for an intelligent device, disposed on a server, which includes:
a connection request response unit, configured to respond to a connection authentication request message sent by an intelligent device and extract the first encryption information contained in it, where the first encryption information is obtained by the intelligent device by encrypting its device identifier and a first random code with the first key information stored locally on the device, the first random code being a digital code randomly generated by the intelligent device;
a server decryption unit, configured to decrypt the first encryption information with the first key information stored locally on the server to obtain the first random code;
a server encryption unit, configured to encrypt the first random code and a second random code with the second key information corresponding to the device identifier to obtain second encryption information, where the second random code is a digital code randomly generated by the server;
an encryption information sending unit, configured to send the second encryption information to the intelligent device, so that the intelligent device decrypts it with the second key information stored locally on the device, checks the first random code obtained by decryption against the locally stored first random code and, if the check passes, feeds the second random code obtained by decryption back to the server;
and a server authentication unit, configured to check the received second random code against the locally stored second random code and, if the check passes, determine that the intelligent device has passed security authentication.
A fourth aspect of the present application provides a zero-trust-based security authentication apparatus for an intelligent device, disposed on the intelligent device, which includes:
a device encryption unit, configured to encrypt the device identifier and first random code of the device with the first key information stored locally on the device to obtain first encryption information;
a request message sending unit, configured to generate a connection authentication request message from the first encryption information and send it to a server, so that the server decrypts the first encryption information with the first key information stored locally on the server to obtain the first random code, encrypts the first random code and a second random code with the second key information corresponding to the device identifier to obtain second encryption information, and sends the second encryption information to the intelligent device;
and a device authentication unit, configured to decrypt the second encryption information with the second key information stored on the device when it is received, check the first random code obtained by decryption against the locally stored first random code and, if the check passes, feed the second random code obtained by decryption back to the server, so that the server checks the received second random code against its locally stored second random code and, if that check passes, determines that the intelligent device has passed security authentication.
The above technical scheme gives the application the following advantages:
when the intelligent device initiates a connection authentication request to the server, the device encrypts a locally generated first random code with first key information and sends the encryption information to the server; the server decrypts it with the corresponding first key information, encrypts the recovered first random code together with a locally generated second random code with the second key information, and feeds the result back to the intelligent device, which then decrypts it with the corresponding second key information.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings required by the embodiments or by the description of the prior art are briefly described below. Obviously, the drawings described below show only some embodiments of the present application, and a person skilled in the art could obtain other drawings from them without inventive effort.
Fig. 1 is a schematic flow chart of an embodiment of a security authentication method for an intelligent device based on zero trust.
Fig. 2 is a schematic flow chart of an embodiment of connection authentication after the first connection or after initialization in the zero-trust-based security authentication method for intelligent devices.
Fig. 3 is a schematic structural diagram of an embodiment of a zero-trust-based security authentication device for an intelligent device provided in the present application.
Fig. 4 is a schematic structural diagram of another embodiment of a zero-trust-based security authentication device for an intelligent device provided in the present application.
Detailed Description
The existing security policy for intelligent devices performs authentication through key data written into the device at manufacture: when the device is used or connected to a platform, the symmetric key held in the device is checked against the symmetric key stored on the platform to authenticate the device's identity.
Counterfeit attacks are currently one of the common means of attacking intelligent devices. An attacker who cracks the key data fixed in the device by the manufacturer can tamper with the information of a legitimate device and connect a counterfeit device using that cracked key data, or can build a counterfeit server platform and have legitimate devices connect to it, so that users' private information is stolen. The existing authentication policy cannot effectively prevent such counterfeit attacks and therefore has the technical problem of insufficient security.
In view of this, the embodiments of the application provide a zero-trust-based security authentication method and device for intelligent devices, which solve the technical problem of low security in the existing security policy for Internet of Things intelligent devices.
In order to make the objects, features and advantages of the present invention clearer and easier to understand, the technical solutions of the embodiments of the present application are described clearly and completely below with reference to the drawings of those embodiments. Obviously, the embodiments described below are only some embodiments of the present application, not all of them. All other embodiments that a person of ordinary skill in the art can derive from the present disclosure without undue burden fall within the scope of the present disclosure.
It should be noted that the zero-trust-based security authentication method for intelligent devices provided by the present application runs on a hardware system architecture consisting of a server and a number of Internet of Things intelligent devices; the intelligent devices include, but are not limited to, intelligent cameras, intelligent door locks and home safety sensors, and the server manages the intelligent devices and stores the data they send. The server adopts a zero-trust mechanism: each time an intelligent terminal such as a video networking camera initiates a connection, the platform it is trying to connect to is treated as untrusted, and the zero-trust authentication platform likewise treats the intelligent terminal requesting the connection as untrusted, so a trusted communication link is established only after the two parties have carried out bidirectional identity authentication. This increases the security of video communication on the video networking platform. An embodiment of the zero-trust-based security authentication method for intelligent devices of the application is described in detail below, as follows:
Referring to Fig. 1, the zero-trust-based security authentication method for an intelligent device provided by the present application includes:
Step 101, the intelligent device encrypts its device identifier and first random code with the first key information stored locally on the device to obtain first encryption information.
Step 102, the intelligent device generates a connection authentication request message from the first encryption information and sends it to the server.
It should be noted that, according to the method provided by the present application, when the intelligent device is about to access the server it first generates a random code, the first random code, then encrypts its device identifier and the first random code with the first key information stored locally on the device to obtain the first encryption information, and sends that to the server.
Step 103, the server responds to the connection authentication request message sent by the intelligent device and extracts the first encryption information contained in it.
Step 104, the server decrypts the first encryption information with the first key information stored locally on the server to obtain the first random code.
Step 105, the server encrypts the first random code and a second random code with the second key information corresponding to the device identifier to obtain second encryption information.
The second random code is a digital code randomly generated by the server.
Step 106, the server sends the second encryption information to the intelligent device.
After receiving the request sent by the intelligent device, the server extracts the first encryption information contained in the connection authentication request message and decrypts it with the first key information stored locally on the server, obtaining the first random code and the device identifier of the requesting device. The decrypted device identifier is used to look up the second key information corresponding to that identifier; the decrypted first random code and the second random code generated by the server are then encrypted with that second key information, giving the second encryption information that is sent to the intelligent device.
Step 107, the intelligent device decrypts the second encryption information with the second key information stored locally on the device, then checks the first random code obtained by decryption against the locally stored first random code and, if the check passes, feeds the second random code obtained by decryption back to the server.
Step 108, the server checks the received second random code against the locally stored second random code and, if the check passes, determines that the intelligent device has passed security authentication.
It should be noted that after the intelligent device receives the second encryption information returned by the server, it performs the corresponding verification step. First, the intelligent device decrypts the second encryption information with the second key information stored locally on the device. When the decryption is complete, the device holds two first random codes: the one it generated and the one the server returned after decryption. If the two are identical, the server the intelligent device requested to access is genuine, because only the correct server platform can decrypt the first random code correctly; otherwise, the server the intelligent device requested to access may be counterfeit.
Similarly, once the intelligent device has determined that it is connected to the correct server, it feeds the second random code obtained by decrypting the second encryption information back to the server, and the server compares its two copies of the second random code. If they are identical, the intelligent device requesting the connection is a legitimate device. If the checks at both ends pass, the intelligent device is determined to have passed security authentication; if either check fails, the authentication fails and the authentication flow is terminated.
According to the scheme provided by this embodiment, when the intelligent device initiates a connection authentication request to the server, the device encrypts a locally generated first random code with first key information and sends the encryption information to the server; the server decrypts it with the corresponding first key information, encrypts the recovered first random code together with a locally generated second random code with the second key information, and feeds the result back to the intelligent device, which then decrypts it with the corresponding second key information.
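The exchange of steps 101 to 108, together with the optional start-key feedback of the second random code described under the first and second aspects, as an added Python example that is not code from the patent or its assignee. It assumes a textbook RSA stand-in for the SM9 asymmetric keys (the keygen, pk_encrypt and pk_decrypt helpers here; they only demonstrate which party can decrypt which message and are not a usable cipher), 16-byte random codes, 8-byte device identifiers, HMAC-SHA256 over the two codes as the "preset key generation algorithm", and a toy HMAC-keystream XOR as the encryption under the start key; the Server and Device classes and run_authentication are likewise the example's own names.

```python
"""Mutual challenge-response authentication in the shape of steps 101-108,
with the optional start-key feedback of the second random code.
Added illustration, not the patent's or assignee's code.  Assumptions: a
textbook RSA stand-in plays the SM9 key role (it shows who can decrypt what
and is not a usable cipher); codes are 16 bytes, device ids 8 bytes; the
"preset key generation algorithm" is HMAC-SHA256 over first || second code."""
import hashlib
import hmac
import secrets

ID_LEN, CODE_LEN = 8, 16


def _is_probable_prime(n, rounds=16):  # Miller-Rabin, enough for a toy key
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def keygen(bits=384):  # toy RSA pair ((e, n), (d, n)), stand-in for an SM9 key pair
    e, half = 65537, bits // 2
    while True:
        p, q = (secrets.randbits(half) | (1 << (half - 1)) | 1 for _ in range(2))
        if p != q and _is_probable_prime(p) and _is_probable_prime(q) and (p - 1) * (q - 1) % e:
            return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)


def pk_encrypt(pub, data):
    return pow(int.from_bytes(data, "big"), pub[0], pub[1])


def pk_decrypt(priv, cipher, length):  # a wrong key simply yields garbage bytes
    d, n = priv
    return pow(cipher, d, n).to_bytes((n.bit_length() + 7) // 8, "big")[-length:]


def start_key(first_code, second_code):  # assumed "preset key generation algorithm"
    return hmac.new(b"start-key", first_code + second_code, hashlib.sha256).digest()


def xor_encrypt(key, data):  # toy one-block stream cipher; decryption is the same call
    stream = hmac.new(key, b"keystream", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


class Server:
    def __init__(self):
        self.first_pub, self._first_priv = keygen()  # first key info: devices hold the public part
        self._second_pubs = {}  # device id -> public part of that device's second key info
        self._pending = {}      # device id -> (first code, second code) of the open handshake

    def provision(self, device_id):  # generate second key info for an id, keep the public part
        pub, priv = keygen()
        self._second_pubs[device_id] = pub
        return priv

    def handle_request(self, first_cipher):  # steps 103-106
        plain = pk_decrypt(self._first_priv, first_cipher, ID_LEN + CODE_LEN)
        device_id, first_code = plain[:ID_LEN], plain[ID_LEN:]
        second_pub = self._second_pubs.get(device_id)
        if second_pub is None:  # unknown identifier (or an undecryptable request): refuse
            return None
        second_code = secrets.token_bytes(CODE_LEN)
        self._pending[device_id] = (first_code, second_code)
        return pk_encrypt(second_pub, first_code + second_code)

    def verify(self, device_id, reply):  # step 108; pop() makes a replayed reply fail
        first_code, second_code = self._pending.pop(device_id, (None, None))
        if first_code is None:
            return False
        received = xor_encrypt(start_key(first_code, second_code), reply)
        return hmac.compare_digest(received, second_code)


class Device:
    def __init__(self, device_id, first_pub, second_priv):
        self.device_id, self._first_pub, self._second_priv = device_id, first_pub, second_priv
        self._first_code = b""  # no handshake open yet

    def request(self):  # steps 101-102: fresh first code, sealed with the id for the server
        self._first_code = secrets.token_bytes(CODE_LEN)
        return pk_encrypt(self._first_pub, self.device_id + self._first_code)

    def answer(self, second_cipher):  # step 107: a server that cannot echo our code is counterfeit
        plain = pk_decrypt(self._second_priv, second_cipher, 2 * CODE_LEN)
        first_code, second_code = plain[:CODE_LEN], plain[CODE_LEN:]
        if not hmac.compare_digest(first_code, self._first_code):
            return None
        return xor_encrypt(start_key(first_code, second_code), second_code)


def run_authentication(server, device):  # True only when both directions of the check pass
    second_cipher = server.handle_request(device.request())
    reply = device.answer(second_cipher) if second_cipher is not None else None
    return reply is not None and server.verify(device.device_id, reply)
```

run_authentication returns True only when the device's check of the first random code and the server's check of the second random code both pass. A device holding the wrong private part of the second key information cannot read the server's answer; a server unable to decrypt the first random code is rejected by the device before any second code is returned; and because verify() discards the pending codes, a replayed reply fails.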
The foregoing is a detailed description of a basic embodiment of a security authentication method for an intelligent device based on zero trust provided in the present application, and the following is a detailed description of further implementation of the security authentication method for an intelligent device based on zero trust provided on the basis of the foregoing embodiment, where the detailed description is specifically as follows:
Further, the first key information and the second key information are asymmetric key information, preferably SM9-based asymmetric keys;
the first key information stored in the intelligent device is specifically the public key part of the first key information, and the first key information stored in the server is specifically the private key part of the first key information;
the second key information stored in the intelligent device is specifically the private key part of the second key information, and the second key information stored in the server is specifically the public key part of the second key information.
Further, the method provided by the present application may also include the following steps:
Step 1001: when the intelligent device connects to the server for the first time after being reset, it encrypts the third key information, the device identifier and a third random code generated by the intelligent device with the first key information stored locally on the device to obtain third encrypted information;
Step 1002: generating a reset connection authentication request message from the third encrypted information and sending it to the server.
Step 1003: the server responds to the reset connection authentication request message sent by the intelligent device and extracts the third encrypted information it contains.
The reset connection authentication request message is the request message sent by the intelligent device when it connects to the server for the first time or after initialization, and the third encrypted information is the information obtained by the intelligent device by encrypting the third key information, the device identifier and the third random code it generated with the first key information stored locally on the device.
Step 1004: the server decrypts the third encrypted information with the first key information stored locally on the server to obtain the third key information, the device identifier and the third random code;
Step 1005: the server generates the second key information of the intelligent device from the device identifier;
Step 1006: the server encrypts the second key information and the first random number with the third key information to obtain fourth encrypted information, and sends the fourth encrypted information to the intelligent device.
Step 1007: when the intelligent device receives the fourth encrypted information, it decrypts it with the third key information, checks the decrypted third random code against the locally stored third random code, and stores the decrypted second key information once the check passes.
It should be noted that steps 1001 to 1007 of this embodiment provide the authentication steps for the case where the intelligent device is installed for the first time or has been initialized and lost its data, for example after the device reset switch is triggered or power is lost. Specifically: when the intelligent device terminal is initialized, it randomly generates a random number S (the third random number) and combines it with the third key information; the platform's SM9 identity public key is used to encrypt the SM4 symmetric key and the random number S, which are transmitted to the platform server together with the device's factory identifier. The platform generates the SM9 identity private key of the intelligent terminal device according to a fixed rule, encrypts that SM9 private key and the random number S decrypted in the previous step with the SM4 symmetric key also decrypted in the previous step, and sends the result to the device; the device decrypts the SM9 private key and the random number S with the SM4 symmetric key it generated in the first step. The device verifies the legitimacy of the platform by comparing the random number generated in the first step with the decrypted one; at this point the device holds its own SM9 encryption private key and stores it in the local hardware storage chip.
After receiving the encrypted information, the platform decrypts the SM4 symmetric key and the random number S with the platform's SM9 private key. The platform verifies the newly initialized device by its intelligent device identifier.
More specifically, the third key information is symmetric key information, preferably an SM4-based symmetric key, and may be key data randomly generated by the intelligent device.
Optionally, before checking the received second random code against the locally stored second random code, step 108 may further include:
when the received second random code is a ciphertext message encrypted with the first starting key, generating a second starting key from the first random number and the second random number by a preset key generation algorithm, and decrypting the ciphertext message with the second starting key to obtain the second random number.
The first starting key is key information generated by the intelligent device from the locally stored first random number and second random number using the key generation algorithm.
And before feeding the decrypted second random code back to the server in step 107, the method may further include:
generating a first starting key from the locally stored first random number and second random number by a preset key generation algorithm, and encrypting the second random number with the first starting key, so that ciphertext information containing the second random number is fed back to the server.
By using the exchanged first and second random numbers to generate the key information that encrypts the second random code fed back to the server, this embodiment further protects the security of the check data.
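The two flows described above, the connection authentication of steps 101 to 108 with the starting key of claims 3 and 8, and the reset provisioning of steps 1001 to 1007, simulated end to end with both sides' messages as an added example (not the applicant's code). SM9 and SM4 are replaced by an HMAC-SHA256 stand-in cipher so the example runs with the standard library alone; the "public" and "private" halves are therefore only nominal, and the JSON field names, the master secret from which the device's second key is derived, and the HMAC-based starting-key derivation are assumptions. The fourth message carries the third random code that step 1007 checks.

```python
import hashlib, hmac, json, os, secrets

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for the SM4/SM9 ciphers."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, fields: dict) -> bytes:
    """Encrypt-then-MAC a JSON object: nonce(16) || ciphertext || tag(32)."""
    plaintext = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag before touching the payload; raise on any mismatch."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext rejected")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)

def start_key(r1: str, r2: str) -> bytes:
    """The 'preset key generation algorithm' of claims 3 and 8 (assumed: HMAC over r1 || r2)."""
    return hmac.new(b"start-key", (r1 + r2).encode(), hashlib.sha256).digest()

class Server:
    def __init__(self, first_key: bytes, master: bytes):
        self.first_key = first_key   # plays the private half of the first key information
        self.master = master         # stands in for the platform's SM9 master secret (assumed)
        self.device_keys = {}        # device identifier -> second key information
        self.pending = {}            # device identifier -> (r1, r2) awaiting the device's reply

    def handle_reset(self, third_info: bytes) -> bytes:
        req = unseal(self.first_key, third_info)                       # step 1004
        # Step 1005: identity-based second key derived from the device identifier.
        second = hmac.new(self.master, req["device_id"].encode(), hashlib.sha256).digest()
        self.device_keys[req["device_id"]] = second
        k3 = bytes.fromhex(req["third_key"])                           # the device's SM4 stand-in
        return seal(k3, {"second_key": second.hex(), "r3": req["r3"]})  # step 1006

    def handle_connect(self, first_info: bytes) -> bytes:
        req = unseal(self.first_key, first_info)                       # step 103
        r2 = secrets.token_hex(16)                                     # second random code
        self.pending[req["device_id"]] = (req["r1"], r2)
        return seal(self.device_keys[req["device_id"]], {"r1": req["r1"], "r2": r2})  # step 104

    def handle_response(self, device_id: str, reply: bytes) -> bool:
        r1, r2 = self.pending.pop(device_id)                           # one-shot: a replay finds nothing
        got = unseal(start_key(r1, r2), reply)                         # claim 3: second starting key
        return hmac.compare_digest(got["r2"], r2)                      # step 108

class Device:
    def __init__(self, device_id: str, first_key: bytes):
        self.device_id, self.first_key = device_id, first_key          # public half of the first key
        self.second_key = None                                         # set by the reset flow

    def reset_request(self) -> bytes:
        self.k3, self.r3 = os.urandom(16), secrets.token_hex(16)       # SM4 key + random S (step 1001)
        return seal(self.first_key, {"third_key": self.k3.hex(), "device_id": self.device_id, "r3": self.r3})

    def finish_reset(self, fourth_info: bytes) -> None:
        resp = unseal(self.k3, fourth_info)                            # step 1007
        if not hmac.compare_digest(resp["r3"], self.r3):
            raise ValueError("server failed the r3 check")
        self.second_key = bytes.fromhex(resp["second_key"])            # would go to the hardware store

    def connect_request(self) -> bytes:
        self.r1 = secrets.token_hex(16)                                # first random code (step 101)
        return seal(self.first_key, {"device_id": self.device_id, "r1": self.r1})

    def handle_challenge(self, second_info: bytes) -> bytes:
        resp = unseal(self.second_key, second_info)                    # step 106
        if not hmac.compare_digest(resp["r1"], self.r1):
            raise ValueError("server failed the r1 check")             # wrong or impostor server
        return seal(start_key(self.r1, resp["r2"]), {"r2": resp["r2"]})  # claim 8: first starting key

def provision(device: Device, server: Server) -> bool:
    """Reset flow (steps 1001-1007); False if either side rejects a message."""
    try:
        device.finish_reset(server.handle_reset(device.reset_request()))
        return True
    except (ValueError, KeyError):
        return False

def authenticate(device: Device, server: Server) -> bool:
    """Connection flow (steps 101-108); False if any check at either end fails."""
    try:
        challenge = server.handle_connect(device.connect_request())
        return server.handle_response(device.device_id, device.handle_challenge(challenge))
    except (ValueError, KeyError, TypeError):
        return False
```

A device that has not completed the reset flow has no second key at the server and is rejected, and a server that does not hold the platform private key cannot read either request, so both flows fail closed.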
The foregoing is a detailed description of an embodiment of the zero-trust-based security authentication method for intelligent devices provided by the present application; the following describes in detail an embodiment of the zero-trust-based security authentication apparatus for intelligent devices provided by the present application.
Referring to fig. 3, this embodiment provides a zero-trust-based intelligent device security authentication apparatus, disposed at the server and including:
a connection request response unit 201, configured to respond to a connection authentication request message sent by an intelligent device and extract the first encrypted information contained in it, where the first encrypted information is obtained by the intelligent device by encrypting its device identifier and a first random code with the first key information stored locally on the device, and the first random code is a digital code randomly generated by the intelligent device;
a server decryption unit 202, configured to decrypt the first encrypted information with the first key information stored locally on the server to obtain the first random code;
a server encryption unit 203, configured to encrypt the first random code and a second random code with the second key information corresponding to the device identifier to obtain second encrypted information, where the second random code is a digital code randomly generated by the server;
an encrypted information sending unit 204, configured to send the second encrypted information to the intelligent device, so that the intelligent device decrypts it with the second key information stored locally on the device, checks the decrypted first random code against the locally stored first random code and, if the check passes, feeds the decrypted second random code back to the server;
and a server authentication unit 205, configured to check the received second random code against the locally stored second random code and, if the check passes, determine that the intelligent device has passed the security authentication.
Referring to fig. 4, this embodiment provides a zero-trust-based intelligent device security authentication apparatus, disposed in the intelligent device and including:
a device-side encryption unit 301, configured to encrypt the device identifier and a first random code with the first key information stored locally on the device to obtain first encrypted information;
a request message sending unit 302, configured to generate a connection authentication request message from the first encrypted information and send it to the server, so that the server decrypts the first encrypted information with the first key information stored locally on the server to obtain the first random code, encrypts the first random code and a second random code with the second key information corresponding to the device identifier to obtain second encrypted information, and sends the second encrypted information to the intelligent device;
and a device-side authentication unit 303, configured to decrypt the second encrypted information with the second key information stored locally on the device when it is received, check the decrypted first random code against the locally stored first random code and, if the check passes, feed the decrypted second random code back to the server, so that the server checks the received second random code against its locally stored second random code and, if that check passes, determines that the intelligent device has passed the security authentication.
It will be clearly understood by those skilled in the art that, for convenience and brevity of description, specific working procedures of the terminal, apparatus and unit described above may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein.
In the several embodiments provided in the present application, it should be understood that the disclosed terminal, apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The terms "first," "second," "third," "fourth," and the like in the description of the present application and in the above-described figures, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that embodiments of the present application described herein may be implemented, for example, in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
If the integrated units are implemented as software functional units and sold or used as stand-alone products, they may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention may be embodied, in essence or in whole or in part, in the form of a software product stored in a storage medium, including instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
The above embodiments are merely for illustrating the technical solution of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the corresponding technical solutions.

Claims (10)

1. A zero-trust-based intelligent device security authentication method, applied to a server, characterized in that it comprises:
responding to a connection authentication request message sent by an intelligent device and extracting first encrypted information contained in the connection authentication request message, wherein the first encrypted information is obtained by the intelligent device by encrypting its device identifier and a first random code, and the first random code is a digital code randomly generated by the intelligent device;
decrypting the first encrypted information with first key information stored locally at the server to obtain the first random code;
encrypting the first random code and a second random code with second key information corresponding to the device identifier to obtain second encrypted information, wherein the second random code is a digital code randomly generated by the server;
sending the second encrypted information to the intelligent device, so that the intelligent device decrypts it with second key information stored on the device, checks the decrypted first random code against the locally stored first random code and, if the check passes, feeds the decrypted second random code back to the server;
and checking the received second random code against the locally stored second random code and, if the check passes, determining that the intelligent device has passed the security authentication.
2. The zero-trust-based intelligent device security authentication method according to claim 1, further comprising:
responding to a reset connection authentication request message sent by the intelligent device and extracting third encrypted information contained in it, wherein the reset connection authentication request message is the request message sent by the intelligent device when it connects to the server for the first time or after initialization, and the third encrypted information is obtained by the intelligent device by encrypting third key information, the device identifier and a third random code generated by the intelligent device with the first key information stored locally on the device;
decrypting the third encrypted information with the first key information stored locally at the server to obtain the third key information, the device identifier and the third random code;
generating second key information of the intelligent device from the device identifier;
and encrypting the second key information and the first random number with the third key information to obtain fourth encrypted information, and sending the fourth encrypted information to the intelligent device, so that the intelligent device decrypts it with the third key information, checks the decrypted third random code against the locally stored third random code and stores the decrypted second key information once the check passes.
3. The zero-trust-based intelligent device security authentication method according to claim 1, further comprising, before checking the received second random code against the locally stored second random code:
when the received second random code is a ciphertext message encrypted with a first starting key, generating a second starting key from the first random number and the second random number by a preset key generation algorithm, and decrypting the ciphertext message with the second starting key to obtain the second random number, wherein the first starting key is key information generated by the intelligent device from the locally stored first random number and second random number using the key generation algorithm.
4. The zero-trust-based intelligent device security authentication method according to claim 1, wherein the first key information and the second key information are asymmetric key information;
the first key information stored in the intelligent device is specifically the public key part of the first key information, and the first key information stored at the server is specifically the private key part of the first key information;
the second key information stored in the intelligent device is specifically the private key part of the second key information, and the second key information stored at the server is specifically the public key part of the second key information.
5. The zero-trust-based intelligent device security authentication method according to claim 2, wherein the third key information is specifically symmetric key information.
6. A zero-trust-based intelligent device security authentication method, applied to an intelligent device, characterized in that it comprises:
encrypting the device identifier of the device and a first random code with first key information stored locally on the device to obtain first encrypted information;
generating a connection authentication request message from the first encrypted information and sending it to a server, so that the server decrypts the first encrypted information with first key information stored locally at the server to obtain the first random code, encrypts the first random code and a second random code with second key information corresponding to the device identifier to obtain second encrypted information, and sends the second encrypted information to the intelligent device;
and, when the second encrypted information is received, decrypting it with second key information stored locally on the device, checking the decrypted first random code against the locally stored first random code and, if the check passes, feeding the decrypted second random code back to the server, so that the server checks the received second random code against its locally stored second random code and, if that check passes, determines that the intelligent device has passed the security authentication.
7. The zero-trust-based intelligent device security authentication method according to claim 6, further comprising:
when the intelligent device connects to the server for the first time after being reset, encrypting third key information, the device identifier and a third random code generated by the intelligent device with the first key information stored locally on the device to obtain third encrypted information;
generating a reset connection authentication request message from the third encrypted information and sending it to the server, so that the server decrypts the third encrypted information with the first key information stored locally at the server to obtain the third key information, the device identifier and the third random code, generates second key information of the intelligent device from the device identifier, encrypts the second key information and the first random number with the third key information, and sends the resulting fourth encrypted information to the intelligent device;
and, when the fourth encrypted information is received, decrypting it with the third key information, checking the decrypted third random code against the locally stored third random code, and storing the decrypted second key information once the check passes.
8. The zero-trust-based intelligent device security authentication method according to claim 6, wherein before feeding the decrypted second random code back to the server, the method further comprises:
generating a first starting key from the locally stored first random number and second random number by a preset key generation algorithm, and encrypting the second random number with the first starting key, so that ciphertext information containing the second random number is fed back to the server.
9. A zero-trust-based intelligent device security authentication apparatus, disposed at a server, characterized in that it comprises:
a connection request response unit, configured to respond to a connection authentication request message sent by an intelligent device and extract first encrypted information contained in it, wherein the first encrypted information is obtained by the intelligent device by encrypting its device identifier and a first random code with first key information stored locally on the device, and the first random code is a digital code randomly generated by the intelligent device;
a server decryption unit, configured to decrypt the first encrypted information with the first key information stored locally at the server to obtain the first random code;
a server encryption unit, configured to encrypt the first random code and a second random code with second key information corresponding to the device identifier to obtain second encrypted information, wherein the second random code is a digital code randomly generated by the server;
an encrypted information sending unit, configured to send the second encrypted information to the intelligent device, so that the intelligent device decrypts it with second key information stored locally on the device, checks the decrypted first random code against the locally stored first random code and, if the check passes, feeds the decrypted second random code back to the server;
and a server authentication unit, configured to check the received second random code against the locally stored second random code and, if the check passes, determine that the intelligent device has passed the security authentication.
10. A zero-trust-based intelligent device security authentication apparatus, disposed in an intelligent device, characterized in that it comprises:
a device-side encryption unit, configured to encrypt the device identifier of the device and a first random code with first key information stored locally on the device to obtain first encrypted information;
a request message sending unit, configured to generate a connection authentication request message from the first encrypted information and send it to a server, so that the server decrypts the first encrypted information with first key information stored locally at the server to obtain the first random code, encrypts the first random code and a second random code with second key information corresponding to the device identifier to obtain second encrypted information, and sends the second encrypted information to the intelligent device;
and a device-side authentication unit, configured to decrypt the second encrypted information with the second key information stored on the device when it is received, check the decrypted first random code against the locally stored first random code and, if the check passes, feed the decrypted second random code back to the server, so that the server checks the received second random code against its locally stored second random code and, if that check passes, determines that the intelligent device has passed the security authentication.
CN202310662713.3A 2023-06-06 2023-06-06 Intelligent equipment safety authentication method and device based on zero trust Pending CN116545751A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310662713.3A CN116545751A (en) 2023-06-06 2023-06-06 Intelligent equipment safety authentication method and device based on zero trust

Publications (1)

Publication Number Publication Date
CN116545751A true CN116545751A (en) 2023-08-04

Family ID=87452495; Country Status: CN (1) CN116545751A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination