CN116992497A - Printer consumable identification method and system based on security chip and security authentication technology - Google Patents
Printer consumable identification method and system based on security chip and security authentication technology Download PDFInfo
- Publication number
- CN116992497A CN116992497A CN202311068031.6A CN202311068031A CN116992497A CN 116992497 A CN116992497 A CN 116992497A CN 202311068031 A CN202311068031 A CN 202311068031A CN 116992497 A CN116992497 A CN 116992497A
- Authority
- CN
- China
- Prior art keywords
- consumable
- authentication
- printer
- module
- information
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 27
- 238000005516 engineering process Methods 0.000 title claims abstract description 8
- 238000012795 verification Methods 0.000 claims abstract description 67
- 238000007639 printing Methods 0.000 claims abstract description 47
- 230000006854 communication Effects 0.000 claims abstract description 33
- 238000004891 communication Methods 0.000 claims abstract description 29
- 230000008569 process Effects 0.000 claims abstract description 12
- 239000000463 material Substances 0.000 claims abstract description 9
- 230000002457 bidirectional effect Effects 0.000 claims abstract description 7
- 230000006855 networking Effects 0.000 claims abstract description 6
- 238000004364 calculation method Methods 0.000 claims abstract description 4
- 230000005540 biological transmission Effects 0.000 claims description 36
- 230000004044 response Effects 0.000 claims description 20
- 238000012800 visualization Methods 0.000 claims description 15
- 230000006870 function Effects 0.000 claims description 13
- 230000003993 interaction Effects 0.000 claims description 13
- 230000010365 information processing Effects 0.000 claims description 10
- 238000004519 manufacturing process Methods 0.000 claims description 6
- 238000012545 processing Methods 0.000 claims description 6
- 238000006243 chemical reaction Methods 0.000 claims description 4
- 230000006835 compression Effects 0.000 claims description 4
- 238000007906 compression Methods 0.000 claims description 4
- 238000007726 management method Methods 0.000 claims description 4
- 238000013475 authorization Methods 0.000 claims description 3
- 238000012217 deletion Methods 0.000 claims description 3
- 230000037430 deletion Effects 0.000 claims description 3
- 230000000977 initiatory effect Effects 0.000 claims description 3
- 230000002427 irreversible effect Effects 0.000 claims description 2
- 230000001960 triggered effect Effects 0.000 claims description 2
- 230000000007 visual effect Effects 0.000 claims 1
- 238000010586 diagram Methods 0.000 description 4
- 230000006399 behavior Effects 0.000 description 3
- 238000013461 design Methods 0.000 description 3
- OKTJSMMVPCPJKN-UHFFFAOYSA-N Carbon Chemical compound [C] OKTJSMMVPCPJKN-UHFFFAOYSA-N 0.000 description 1
- 238000005336 cracking Methods 0.000 description 1
- 230000006378 damage Effects 0.000 description 1
- 238000001514 detection method Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000002452 interceptive effect Effects 0.000 description 1
- 230000037452 priming Effects 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/606—Protecting data by securing the transmission between two devices or processes
- G06F21/608—Secure printing
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F3/00—Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
- G06F3/12—Digital output to print unit, e.g. line printer, chain printer
- G06F3/1201—Dedicated interfaces to print systems
- G06F3/1202—Dedicated interfaces to print systems specifically adapted to achieve a particular effect
- G06F3/1222—Increasing security of the print job
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Physics & Mathematics (AREA)
- Software Systems (AREA)
- Mathematical Physics (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Human Computer Interaction (AREA)
- Accessory Devices And Overall Control Thereof (AREA)
Abstract
A printer consumable identification method and system based on a security chip and a security authentication technology is realized by the following technical scheme that a security chip is used for storing key data and operation key programs at a printer end and a consumable end, and a chip communication unit is respectively connected with a chip control circuit. The storage unit stores the required authentication key and certificate, and runs the methods of bidirectional authentication, integrity verification, certificate verification and residual ink calculation to realize controllable printing of the printer. The scheme adopts a multi-flow bidirectional authentication mode to judge whether the printing equipment is authorized, and aims to realize mutual authentication, safety communication and certificate verification between the printer and consumable materials in a non-networking environment, prevent the ink filling behavior of the consumable materials and ensure the use of the consumable materials of the original factory. In addition, the authentication process is high in efficiency, high in safety and controllable in cost.
Description
Technical Field
The application relates to the field of printer consumables in information security technology, in particular to a method and a system for ensuring that sources of the printer consumables meet requirements by using an authentication technology and a security chip technology.
Background
With the popularity of office automation, printers and printing consumables have become indispensable devices in office activities. For printer manufacturers, printer consumables, which are disposable consumables, take up a significant profit margin. In 2021, the global printing consumables market sales volume is over 750 billion dollars. Printing consumables refer to consumable products used by printers, such as the usual consumables: ink box, carbon powder. Printers are intended to be usable by consumers with specified consumables and are not compatible with consumables of other specifications in the design of the printer device. However, in actual usage scenarios, there are still situations of counterfeit low-end consumables, physical destruction of consumables, and refilling. Such behavior hurts the original factory interests and infringes consumer rights.
It is currently common practice for printers to authenticate whether or not the printing consumables are legal by configuring security chips on the printer and the printing consumables, respectively. However, the following problems still exist in the current scheme: 1. in the authentication process, how to resist attack means such as man-in-the-middle attack, charge-discharge attack, violent cracking and the like, and discover and prevent malicious persons from counterfeiting; 2. how to defend after discovering physical attacks on the device itself; 3. private self priming behavior.
Disclosure of Invention
Aiming at the problems in the prior art, in the communication process of the printer and the printing consumables, bidirectional authentication, integrity detection and certificate verification are required, and if all the authentication flows pass, normal printing tasks are continued; otherwise, the printer will reject the printing and write the lock information back to the consumable chip. The application aims to provide a set of authentication method and system based on a security chip, which realize mutual authentication, security communication, integrity verification and certificate verification between a printer and consumable materials in a non-networking environment by embedding the chip into the printer end and the consumable materials, and ensure that the consumable materials of a factory are used. On the basis, measures are further taken to defend physical attack on equipment, prevent consumable ink filling behavior and guarantee the safety of using original factory consumables.
The main idea of the application is to embed a security chip on a printer, a consumable, store the required authentication keys, certificates, and run specific protocols and concepts. Referring to fig. 1, a printer mounting chip provides functions such as integrity verification, certificate verification, etc.; the consumable safety chip stores the certificate of identity authentication, the number of printed pages, the latest date of use and other information, and provides the consumable residual ink calculating function.
A. The printing system includes:
the whole system specifically relates to a client side, a cloud server side, a printer side and an ink box side. The client mainly works in an initial stage, acquires verification information through interaction with the cloud server and burns the chip; the cloud server side comprises an identity authentication module 2, an interface module 2, a key generation module and a certificate generation module, and is mainly responsible for generating related verification data; referring to fig. 2, the printer end is composed of a visualization module 2, a chip control module, a mutual authentication module 1, a communication module 1, an integrity check module, a certificate check module, an information processing module 1 and a printer driving module, wherein the consumable end comprises the mutual authentication module 2, the communication module 2, the information processing module 2, the printer end and the consumable end realize end-to-end mutual authentication by using authentication keys stored in a security chip, and controllable printing of the printer is realized by integrity verification, certificate verification and residual ink calculation methods.
The modules and functions involved by the specific parties are as follows:
a) Client side:
1) The visualization module 1 provides an operation interface such as user authentication, application key, certificate and the like. Referring to fig. 3, a client interacts with a cloud server through the module to obtain an authentication key and a certificate of the security chip. Every time the production of a batch of printer/consumable is completed, the customer enters a customer interface, which contains two options: key application and certificate application, two input windows, three buttons and a display window. The user selects to generate certificates or keys, inputs the generated quantity, fills in corresponding authentication codes, triggers a determination button, the client starts authentication with the cloud server, after the authentication is passed, the cloud server generates the certificates or keys with the required quantity according to the request information of the client, the client displays the result of the application of the user in a display window after receiving the feedback result, and at the moment, the user can export data through an export button. Finally, the user can trigger a clearing button to clear the information of the application.
2) The identity authentication module 1 realizes end-to-end user registration, authentication and other functions. The module is responsible for authentication between the client and the cloud server. The client can register the authentication code representing the identity of the client through the module, and when a key or certificate application is initiated to the server, the client needs to input the authentication code representing the identity to finish the end-to-end authentication.
3) The interface module 1 provides functions such as data transmission between a client and a server. The module is responsible for ensuring the safe transmission of data between the client and the cloud server. When a client sends a request to a cloud server, the request information and the authentication code information are encrypted and then transmitted through the interface module 1, so that the security of data transmission is ensured.
4) The chip burning module is responsible for burning information such as a secret key, a certificate and the like, which are obtained by the client from the cloud server, into the security chip. After the module is processed, the initial stage is completed, and the safety chip can be delivered to be used.
b) Cloud server side:
1) The identity authentication module 2 realizes end-to-end user registration, authentication and other functions. The module is responsible for authentication between the client and the cloud server. When a client initiates a key or certificate application to a server, the cloud end determines the identity of a user of the client through an authentication code, and selects whether to execute the generation work of the key and the certificate according to the authority of the user.
2) The interface module 2 provides functions such as data transmission between the client and the server. The module is responsible for ensuring the safe transmission of data between the client and the cloud server. After receiving the request of the client and verifying the client authority, the cloud server encrypts the generated information and transmits the encrypted information back to the client through the interface module 2 so as to ensure the safety of data transmission.
3) The key generation module generates an authentication key embedded in the printer and the consumable chip, wherein the key is used for realizing mutual authentication between the consumable and the printer. After receiving a key application of a client and verifying the authority of a user, the key generation module generates a key with a specified length meeting the requirements of an encryption algorithm according to the number marked in the application. The key information is embedded in the chip on the printer and consumable for mutual authentication after the printer side detects the presence of the chip.
4) The certificate generation module is responsible for generating certificates written into consumable chips. The certificate is stored on a chip at the consumable end, and the main body consists of two parts: related information of the consumable after the hash compression processing comprises factory information, production date, validity period and the like; and secondly, encrypting the compressed data by using a private key to obtain a digital signature. The public key of the certificate is stored in a chip of the printer end and is used for decrypting the digital signature, acquiring related information and realizing certificate verification.
c) And (3) at a printer end:
1) The visualization module 2 displays relevant information of the use condition of the consumable. Referring to fig. 4, the user can check through the interface whether the consumable is identified, and the number of printable sheets remaining in the consumable. The interface also comprises a print start button, and when the button is triggered, the printer performs operations such as mutual authentication, integrity check and the like. After authentication is completed, the printer calls the driving module to complete the plan, and updates the information such as the number of the remaining printable paper sheets of the consumable, the record of the printing date and the like. The user can view the updated consumable information through the refresh interface. When the print job is successfully completed, the visualization module 2 returns the successful printing and displays the information such as the number of pages and the date of use which can be printed; when the print job is in error, the visualization module 2 returns corresponding error reporting conditions, such as ink consumption, authentication failure, and the like.
2) The chip control module is responsible for controlling the operation of the printer end chip and distinguishing the consumable end chip. The module is used for controlling the operation of the chip, including the calling of the related data information in the memory, and the triggering response processing of the processes of authentication, verification and the like. In addition, the control module is also responsible for checking the accessed consumable and identifying whether the consumable contains a chip or not. Since the device is applied in a non-networking environment, the module is integrated in a chip by means of hardware.
3) The mutual authentication module 1 realizes mutual authentication with the consumable terminal based on a related authentication protocol. The module is used for realizing mutual authentication between the printer and the consumable and generating session keys for secure communication, including challenge-response protocol, key management and other operations. In the authentication process, the module can realize operations such as encryption and decryption by calling the chip control module. The specific negotiation flow adopts a bidirectional authentication protocol.
4) The communication module 1 is responsible for end-to-end secure channel establishment and transmission protocol conversion, and realizes encrypted transmission. And constructing an encryption channel for interaction between the printer and the consumable by using the session key provided by the mutual authentication module, wherein all information interaction is performed on the encryption channel, so that safe transmission of data is ensured.
5) The integrity check module provides integrity checking of the program code. The module is responsible for checking the file integrity of the printer end and the consumable end, namely checking whether the program is tampered maliciously. Specifically, before the printer and consumable are embedded into the chip, the customer uses a verification algorithm to calculate the characteristic values of the on-chip program and the stored data, and stores the obtained characteristic values into the chip. After the mutual authentication is finished, the printer and the consumable respectively call a verification algorithm to calculate the current characteristic value, the characteristic value is compared with the locally stored characteristic value, if the characteristic value is the same, the verification is considered to be passed, otherwise, the program is judged to be tampered. Through the integrality check, whether the logic codes of the printer and the consumable chip are manually modified after leaving the factory to be used is verified, the use of imitated consumables and repeated ink filling are prevented, and the normal use of equipment is ensured. In the integrity verification stage, only if the verification of the printer end and the consumable end is passed, the integrity verification is considered to be passed; otherwise, if the check at any one end fails, the integrity check is considered to fail, an error code is returned, and communication is ended.
6) The certificate verification module is responsible for verifying certificate information stored in the consumable. The module is responsible for verifying certificates of consumable ends. When leaving the factory, the customer carries out irreversible hash compression processing on the related information of the consumable, simultaneously generates a public key and a private key for verifying the certificate, and uses the information encrypted by the private key as a digital signature. Generating a certificate by combining the compressed data and the digital signature, wherein the certificate is written into a chip of the consumable end; the public key is stored in the chip at the printer end. Specifically, after the mutual authentication and the integrity check pass, the consumable end sends the certificate to the printer end chip, the printer end chip decrypts the digital signature by using the prestored public key, the obtained information is compared with the compressed information, and if the obtained information is the same as the compressed information, the matching is considered to be successful, namely the check passes. Otherwise, an error code is returned to end the communication.
7) The information processing module 1 is responsible for recording consumable usage information. The module is responsible for managing data such as authentication information, key information, consumable information and the like, mainly relates to record updating, deletion and consumable production information identification of session keys and the like, and consumable use conditions comprise the number of remaining printable pages, printing date and record of single consumable information. The module can work cooperatively with the mutual authentication module and the secret key generation module, so that the safety and the stability of the system are improved.
8) The printer driver module is responsible for initiating print jobs to the printer. After mutual authentication, a security channel is established, integrity check and certificate check are passed, the received file and related file parameters are sent to the module. And after receiving the information, the driving module initiates a printing task to the printer and executes printing operation.
d) Consumable end:
1) The mutual authentication module 2 realizes mutual authentication with the printer side based on the related authentication protocol. The module is used for realizing mutual authentication between the printer and the consumable and generating session keys for secure communication, including challenge-response protocol, key management and other operations. In the authentication process, the module can realize operations such as encryption and decryption by calling the chip control module, specifically negotiates a flow and adopts a bidirectional authentication protocol.
2) The communication module 2 is responsible for end-to-end secure channel establishment and transmission protocol conversion, and realizes encrypted transmission. And constructing an encryption channel for interaction between the printer and the consumable by using the session key provided by the mutual authentication module, wherein all information interaction is performed on the encryption channel, so that safe transmission of data is ensured.
3) The information processing module 2 is responsible for updating consumable information. The module is responsible for managing data such as authentication information, key information, consumable information and the like, mainly relates to record updating of confidential information such as session keys, deletion, identification of consumable production information and updating of consumable use conditions including the number of remaining printable pages, printing date and single consumable information. The module can work cooperatively with the mutual authentication module and the secret key generation module, so that the safety and the stability of the system are improved.
B. The printing method comprises the following steps:
the whole method is realized based on a security chip and can be divided into an initial stage and an application stage. In the initial stage, a client applies to a cloud server end, generates a security key and a certificate required by authentication between a printer and consumable materials in a non-networking environment, and burns the security key and the certificate in a security chip.
In the application stage, the printer end and the consumable end realize mutual authentication between the ends by using the security key generated in the initial stage based on the authentication key challenge-response authentication protocol, and generate a disposable session key used in the current session. After the mutual authentication is finished, the printer end and the consumable end can carry out secure communication through an encryption channel, and when the printer issues a print job, the consumable end respectively carries out integrity check and certificate check to verify whether the program code is complete and whether the consumable is produced by a former factory. After the verification is passed, the printer executes the print job, the consumable terminal updates the residual number of printing pages, the printer terminal and the consumable terminal discard the session key of the session, multiplexing is avoided, and the session is ended. In the initial stage, the security key and certificate application flow is as follows:
a1: the client logs in through the client interface. The client enters its user name and password through the client to log into the client interface.
A2: the client verifies the user name and the password provided by the client. And after verification is successful, returning information of successful login to the client. If the authentication fails, the client will return information to the client that the authentication failed.
A3: after successful login, the client applies for the certificate and the authentication key of the consumable chip to the cloud server. And the client initiates a certificate and authentication key application request of the consumable chip to the cloud server through the client. And after receiving the request, the cloud server side applies for verification, generates a certificate and an authentication key after the verification is passed, and returns the certificate and the authentication key to the client side.
A4: and establishing a secure channel, encrypting data for transmission and the like to ensure the secure transmission of information. And the client establishes a secure channel with the cloud server. The applied data such as certificates and keys are encrypted by adopting an encryption algorithm in the transmission process, so that the security of data transmission is ensured.
A5: and writing the generated chip certificate and the generated authentication key into the consumable chip. And the client writes the certificate and the authentication key received from the cloud server into the consumable chip to realize authentication and authorization. After the writing is completed, the client returns the writing result to the client, and records and verifies the result.
In the application stage, the interactive flow design of the printer and the consumable is as shown in fig. 5:
s1: the physical interface checks whether a chip is present. When the consumable is inserted into the printer, firstly, whether a safety chip exists on the consumable is checked, if the safety chip does not exist or the consumable information is wrong, the consumable is refused, and corresponding prompt information is given.
S2: based on an authentication key challenge-response authentication protocol. Exchange random numbers R1 and R2: when the printer security chip communicates with the consumable security chip, a built-in authentication key is used to initiate a challenge-response authentication protocol. The printer security chip sends a random number R1, and after the consumable receives the random number R1, the key inside the consumable security chip is used for calculating the response, and a random number R2 and the calculated response value are returned.
S3: an encryption channel is established based on R1, R2. The printer security chip uses R1 and R2 to calculate an encryption key and establishes an encryption channel with the consumable security chip for use in subsequent communication processes.
S4: and (5) checking file integrity. Before printing the file, the printer security chip and the consumable security chip can carry out integrity check on the file so as to ensure that the file is not tampered.
S5: and (5) checking the certificate. Before a file is printed, the consumable security chip sends a certificate to the printer security chip, and the printer security chip performs certificate verification on the certificate to confirm that the certificate is legal.
S6: the number of printed pages and the last date of use are updated according to the print job. In the printing process, the printer driver records the data such as the ID of the consumable, the number of printed pages, the latest use date, the factory information and the like, and updates the data into a memory inside the consumable security chip after the printing is completed.
S7: the channel key is discarded. After the printing task is finished, the printer security chip and the consumable security chip discard the secret key of the encryption channel, so that the secret key is prevented from being maliciously utilized, and one-time encryption is ensured.
The printing system and the method solve the problems of consumable counterfeiting and consumable ink filling, and realize mutual authentication, secure communication and certificate verification between the printer and the consumable in a non-networking environment.
Drawings
FIG. 1 is a block diagram of the present application;
FIG. 2 is a diagram of the initial function architecture and the application function architecture of the present application;
FIG. 3 is an interface schematic of a visualization module of the present application;
FIG. 4 is a schematic diagram of a printer-side visualization module interface of the present application;
FIG. 5 is a schematic flow diagram of a certificate verification module of the present application;
FIG. 6 is a flow chart of the key and certificate application of the present application;
FIG. 7 is a flow chart of the interaction of the printer with the consumable of the present application.
Detailed Description
The application will now be described in further detail with reference to the drawings and to specific examples, without limiting the scope of the application in any way.
The application relates to a printer consumable authentication system based on a security chip and a security authentication technology, which comprises:
the client, the cloud server, the printer and the ink box are square. The client mainly works in an initial stage, acquires verification information through interaction with the cloud server and burns the chip; the cloud server side comprises an identity authentication module 2, an interface module 2, a key generation module and a certificate generation module, and is mainly responsible for generating related verification data; the printer end comprises a visualization module 2, a chip control module, a mutual authentication module 1, a communication module 1, an integrity verification module, a certificate verification module, an information processing module 1 and a printer driving module, wherein the consumable end comprises the mutual authentication module 2, the communication module 2 and the information processing module 2, the printer end and the consumable end use authentication keys stored in a security chip to realize end-to-end mutual authentication, and controllable printing of the printer is realized through integrity verification, certificate verification and residual ink calculation methods.
The specific workflow of the system is as follows:
fig. 6 shows five flows of a client applying for certificate and authentication key writing consumable chips to a cloud server side:
a1 The client logs in through the client interface: the client registers the account at the client, the user name of the account is expressed by letters, the length is not less than 8 bits, the password is required to be composed of case letters and numbers, and the length is not less than 12 bits. After registration is completed, the client enters its username and password through the client to log into the client interface.
A2 The client performs user identity authentication: the client side verifies the user name and the password provided by the client side, judges whether the user is a registered user or not, and returns login success information to the client side after the user is successfully verified. If the authentication fails, the client will return information to the client that the authentication failed.
A3 After successful login, the client applies for certificates and authentication keys of consumable chips to the cloud server: and the client initiates a certificate and authentication key application request of the consumable chip to the cloud server through the client. And after receiving the request, the cloud server side performs application verification, namely, whether the authentication code of the verification user is consistent with the authentication code of the cloud server side or not, and whether the authority of the verification user meets the requirements of being capable of applying certificates and keys or not. After the verification is passed, a certificate and an authentication key are generated, wherein the generated certificate C consists of consumable chip ID, chip factory related information, a shared key K and the like, and the method comprises the following steps of: c= { ID, hash (X), hash (ID, hash (X), K) }, wherein the factory-related information includes information of a chip model, a chip manufacturer, etc., and the shared key is a string of 16-system random number strings (16 bytes), and a shared key is shared in the same batch of secure chips. The authentication key used in the subsequent communication is a fixed 16-ary random number string (16 bytes), and the authentication key of each batch of security chips is the same, so that the end-to-end mutual authentication is realized.
A4 The measures such as establishing a secure channel, encrypting data transmission and the like ensure the secure transmission of information: after the cloud server side completes the generation work, the client side establishes a secure channel with the cloud server side, for example, encryption protocols such as SSL/TLS are used. The authentication key and the certificate are transmitted back to the client over the secure channel. The data is encrypted by adopting an encryption algorithm in the transmission process, so that the safety of data transmission is ensured.
A5 Writing the generated chip certificate and the generated authentication key into the consumable chip: and the client writes the certificate and the authentication key received from the cloud server into the consumable chip to realize authentication and authorization. In the writing process, identity verification is needed, so that only authenticated personnel can write. After the writing is completed, the client returns the writing result to the client, and records and verifies the result.
The printer and consumable interaction flow design:
the communication interaction between the printer and the consumable is roughly divided into the following seven flows shown in fig. 7:
s1, checking whether a chip exists by a physical interface: when the consumable is inserted into the printer, firstly, whether a safety chip exists on the consumable is checked, if the safety chip does not exist or the consumable information is wrong, the consumable is refused, and corresponding prompt information is given.
S2 exchanges random numbers R1 and R2 based on an authentication key challenge-response authentication protocol: when the printer security chip communicates with the consumable security chip, a built-in authentication key is used to initiate a challenge-response authentication protocol. The printer security chip sends a random number R1, and after the consumable receives the random number R1, the key inside the consumable security chip is used for calculating the response, and a random number R2 and the calculated response value are returned. The specific flow can be divided into 2 steps:
a) The printer sends N1 information to the consumable. The printer generates a 16-byte random number R1, encrypts the random number by the authentication key p and sends the encrypted random number to the consumable, and the encryption algorithm is 3DES.
b) The consumable sends N2 information to the printer. N2= { { R2} R1} p, after receiving the information N1 sent by the printer, the consumable obtains the random number R1 by decrypting with the authentication key; the consumable generates a 16-byte random number R2 which is used as a key for mutual authentication communication, and the random number R1 and p are sequentially used for encryption and then sent to the printer, and the encryption algorithm is 3DES.
S3, establishing an encryption channel based on R1 and R2: the printer security chip and the consumable chip use R2 to transmit random numbers R3 and R4 to finish end-to-end mutual authentication, and establish an encryption channel with the consumable security chip, wherein the encryption channel is used for the subsequent communication process. The specific flow is divided into the following 4 steps:
a) The printer sends N3 information to the consumable. After the printer receives the information N2 sent by the consumable, the printer sequentially decrypts the information by using the authentication key p and the random number R1 to obtain the communication key R2, the printer generates a 16-byte random number R3, the 16-byte random number R3 is encrypted by using the R2 and then transmitted back to the consumable, and the encryption algorithm is 3DES.
b) The consumable sends N4 information to the printer. Specific n4= { R3, R4} R2. After receiving the information N3 sent by the printer, the consumable obtains a random number R3 by using R2 decryption, the consumable generates a 16-byte random number R4, and the 16-byte random number R3 is spliced, and is sent to the printer after being encrypted by the R2, and the encryption algorithm is 3DES.
c) The printer sends N5 information to the consumable. Specific n5= { R4} R2. After the printer receives the information N4 sent by the consumable, the random numbers R3 and R4 are obtained through decryption by using the R2, and the printer verifies the random number R3 to finish the authentication of the printer on the consumable. After passing the authentication, the printer uses R2 to encrypt the random number R4 and transmits the random number R4 back to the consumable, and the encryption algorithm is 3DES.
d) After the consumable receives the information N5 returned by the printer, the consumable decrypts by using the R2 to obtain the random number R4, and the consumable verifies the random number R4 to finish the authentication of the consumable to the printer. So far, mutual authentication is completed, and the printer and the consumable use the random number R1 as a session key of the current session to carry out subsequent communication.
S4, checking file integrity: before printing the file, the printer security chip and the consumable security chip can carry out integrity check on the file so as to ensure that the file is not tampered. Specific:
a) Before starting a print job, the printer security chip and the consumable chip respectively perform hash operation on core program codes in the chips: a=hash (code).
b) Comparing the result A of the hash operation with the result B written in the read-only area when the chip leaves the factory, and if A=B, regarding the result A as passing the integrity check, and performing the subsequent flow; otherwise, returning an error to end the session.
S5, checking a certificate: before a file is printed, the consumable security chip sends a certificate to the printer security chip, and the printer security chip performs certificate verification on the certificate to confirm that the certificate is legal. Specific:
a) The consumable sends the ID, the hash (X), the hash (ID, X, K) R1 to the printer, and the consumable chip sends the certificate to the printer security chip for verification before the print job begins. The certificate contains three parts of content, respectively: the method comprises the steps of (1) a consumable chip ID (12 bytes), a Hash value Hash (X) (20 bytes) of consumable factory information, and a Hash value (20 bytes) obtained by carrying out Hash operation on the ID, the X and a shared key K together. The certificate is encrypted by R1, the encryption algorithm is 3DES, and the encrypted data is sent to the printer through an encrypted channel.
b) After receiving the information sent by the consumable, the printer decrypts to obtain the consumable chip ID and the factory information Hash value Hash (X). The printer performs Hash operation on the ID, the Hash (X) and the shared key K stored in the chip, compares the ID with a Hash value obtained by decryption, and if the ID, the Hash (X) and the shared key K are equal to each other, the printer considers that the certificate passes verification, and can perform a printing task; otherwise, returning an error to end the session.
S6 ID, printed page number, latest use date, factory information record and update: in the printing process, the printer driver records the data such as the ID of the consumable, the number of printed pages, the latest use date, the factory information and the like, and updates the data into a memory inside the consumable security chip after the printing is completed. Specific:
a) The printer calls the number of printed pages stored by the consumable chip, calculates whether the number of the remaining printed pages is enough to complete the printing task, if the number of the remaining printed pages meets the condition, performs printing, updates the number of the printed pages after the printing is completed, and returns the number of the remaining printable pages to the visualization module; if the ink quantity is insufficient, corresponding error information is returned.
b) And the printer invokes the latest use date stored by the consumable chip, and after the printing task is finished, the current time information is written into the consumable chip to finish the updating of the use time.
S7, discarding the channel key: after the printing task is finished, the printer security chip and the consumable security chip discard the secret key of the encryption channel, so that the secret key of each session is only used for the session, and the secret key is ensured not to be maliciously utilized.
The above embodiments are only for illustrating the technical solution of the present application and not for limiting it, and those skilled in the art may modify or substitute the technical solution of the present application without departing from the spirit and scope of the present application, and the protection scope of the present application shall be defined by the claims.
Claims (14)
1. A security authentication method for identifying consumable of printer comprises the following steps:
the method is divided into an initial stage and an application stage, and is characterized in that:
the initial stage:
the client applies to the cloud server side and generates a security key and a certificate required by authentication between the printer and the consumable in a non-networking environment;
in the application stage:
the printer end and the consumable end realize the mutual authentication between the ends by using the security key generated in the initial stage based on the authentication key challenge-response authentication protocol, and generate a disposable session key used in the session;
after the mutual authentication is finished, the printer end and the consumable end can carry out secure communication through an encryption channel, and when the printer issues a printing task, the consumable end respectively carries out integrity check and certificate check to verify whether a program code is complete and whether the consumable is produced by a factory;
after the verification is passed, the printer executes the print job, the consumable terminal updates the residual number of printing pages, the printer terminal and the consumable terminal discard the session key of the session, multiplexing is avoided, and the session is ended.
2. The security authentication method according to claim 1, wherein the applying step of the security key and the certificate is as follows:
a1: the client logs in through the client interface, and inputs the user name and the password of the client through the client to log in the client interface;
a2: the client verifies the user name and the password provided by the client, and returns login success information to the client after the user name and the password are verified successfully, and if the user name and the password fail to be verified, the client returns verification failure information to the client;
a3: after successful login, the client applies for certificates and authentication keys of consumable chips to the cloud server: the client initiates a request for applying a certificate and an authentication key of the consumable chip to the cloud server through the client, the cloud server performs application verification after receiving the request, generates the certificate and the authentication key after the verification passes, and returns the certificate and the authentication key to the client;
a4: establishing a secure channel and data encryption transmission measures to ensure the secure transmission of information: the client establishes a secure channel with the cloud server, and the applied certificate and key data are encrypted by adopting an encryption algorithm in the transmission process, so that the security of data transmission is ensured;
a5: writing the generated chip certificate and the generated authentication key into the consumable chip: the client writes the certificate and the authentication key received from the cloud server into the consumable chip to realize authentication and authorization, and after the writing is completed, the client returns a writing result to the client and records and verifies the result.
3. The security authentication method according to claim 1, wherein the steps of the printer interacting with the consumable material in the application stage are:
s1: the physical interface checks whether a chip is present: when the consumable is inserted into the printer, firstly checking whether a safety chip exists on the consumable, and rejecting the consumable and giving corresponding prompt information if the safety chip does not exist or consumable information is wrong;
s2: based on authentication key challenge-response authentication protocol: exchange random numbers R1 and R2: when the printer security chip and the consumable security chip communicate, firstly, a built-in authentication key is used for initiating a challenge-response authentication protocol, the printer security chip sends a random number R1, after the consumable receives the random number R1, the key inside the consumable security chip is used for calculating a response, and a random number R2 and a calculated response value are returned;
s3: establishing an encrypted channel based on R1 and R2: the printer security chip calculates an encryption key by using R1 and R2, and establishes an encryption channel with the consumable security chip, wherein the encryption channel is used for the subsequent communication process;
s4: and (3) checking file integrity: before printing the file, the printer security chip and the consumable security chip can carry out integrity check on the file so as to ensure that the file is not tampered;
s5: certificate verification: before a file is printed, the consumable security chip sends a certificate to the printer security chip, and the printer security chip performs certificate verification on the certificate to confirm that the certificate is legal;
s6: updating the number of printed pages and the latest date of use according to the print job: in the printing process, the printer driver records the ID of the consumable, the number of printed pages, the latest use date and the related data of factory information, and updates the data into a memory inside the consumable safety chip after printing is finished;
s7: discarding the channel key: after the printing task is finished, the printer security chip and the consumable security chip discard the secret key of the encryption channel, so that the secret key is prevented from being maliciously utilized, and one-time encryption is ensured.
4. A printer consumable authentication system based on a security chip and a security authentication technology is characterized in that:
the system comprises a client, a cloud server, a printer and an ink box;
the client comprises a visualization module 1, an identity authentication module 1, an interface module 1 and a chip burning module, and the client acquires verification information and burns the chip by interacting with the cloud server in an initial stage; the cloud server side comprises an identity authentication module 2, an interface module 2, a key generation module and a certificate generation module and is mainly responsible for generating related verification data; the printer end comprises a visualization module 2, a chip control module, a mutual authentication module 1, a communication module 1, an integrity verification module, a certificate verification module, an information processing module 1 and a printer driving module, the consumable end comprises the mutual authentication module 2, the communication module 2 and the information processing module 2, the printer end and the consumable end use authentication keys stored in a security chip to realize the mutual authentication of the end and the end, and the controllable printing of the printer is realized through the integrity verification, the certificate verification and residual ink calculation methods.
5. The printer consumable authentication system of claim 4, wherein the client is:
1) The visualization module 1 provides user authentication, application key and certificate operation interface: the client interacts with the cloud server through the module to acquire an authentication key and a certificate of the security chip; after the authentication is passed, the cloud server generates a corresponding number of certificates or keys according to the request information of the client, the client displays the result of the application of the user on a display window after receiving a feedback result, and finally the user can trigger a clearing button to clear the information of the application;
2) The identity authentication module 1 realizes end-to-end user registration and authentication functions: the module is responsible for authentication between the client and the cloud server, the client can register an authentication code representing the identity of the client through the module, and when a key or certificate application is initiated to the server, the client needs to input the authentication code representing the identity to finish end-to-end authentication;
3) The interface module 1 provides data transmission functions of a client and a server: the module is responsible for ensuring the safe transmission of data between the client and the cloud server, and when a client sends a request to the cloud server, the request information and the authentication code information are encrypted and then transmitted through the interface module 1 so as to ensure the safety of data transmission;
4) The chip burning module is responsible for burning information such as a secret key, a certificate and the like, which are obtained by the client from the cloud server, into the security chip.
6. The printer consumable authentication system of claim 4, wherein the cloud server is to:
1) The identity authentication module 2 realizes end-to-end user registration and authentication functions: the module is responsible for authentication between the client and the cloud server, when a client initiates a key or certificate application to the server, the cloud determines the identity of a user of the client through an authentication code, and selects whether to execute the generation work of the key and the certificate according to the authority of the user;
2) The interface module 2 provides data transmission functions of the client and the server: the module is responsible for ensuring the safe transmission of data between the client and the cloud server, and the cloud server receives the request of the client and verifies the client authority, encrypts the generated information and transmits the encrypted information back to the client through the interface module 2 so as to ensure the safety of data transmission;
3) The key generation module generates an authentication key of the embedded printer and the consumable chip: the key is used for realizing mutual authentication between the consumable and the printer, after receiving a key application of the client and verifying the authority of a user, the key generation module generates a key with a specified length meeting the encryption algorithm requirement according to the quantity marked in the application, key information is embedded into chips on the printer and the consumable, and after detecting the existence of the chips at the printer, the key information is used for realizing the mutual authentication;
4) The certificate generation module is responsible for generating a certificate written into the consumable chip: the certificate is stored on a chip at the consumable end, and the main body consists of two parts: related information of the consumable after hash compression processing comprises factory information, production date, validity period and other information; and secondly, encrypting the digital signature obtained by compressing the data by using a private key, wherein the public key of the certificate is stored in a chip of a printer end and is used for decrypting the digital signature to obtain related information, so that the certificate verification is realized.
7. The printer consumable authentication system of claim 4, wherein the printer side is:
1) The visual module 2 displays the related information of the consumable use condition, the interface also comprises a start printing button, when the button is triggered, the printer performs operations such as mutual authentication, integrity check and the like, and after authentication is finished, the printer calls the driving module to finish planning and updates the related information of the use condition;
2) The chip control module is responsible for controlling the operation of the printer end chip and distinguishing the consumable end chip: the module is used for controlling the operation of the chip, including the retrieval of the related data information in the memory and the trigger response processing of the authentication and verification processes, and the control module is also responsible for checking the accessed consumable and identifying whether the consumable contains the chip or not;
3) The mutual authentication module 1 realizes mutual authentication with the consumable terminal based on a related authentication protocol: the module is used for realizing mutual authentication between the printer and the consumable and generating a session key for secure communication, and comprises a challenge-response protocol and a key management operation;
4) The communication module 1 is responsible for end-to-end secure channel establishment and transmission protocol conversion, and realizes encrypted transmission: constructing an encryption channel for interaction between the printer and the consumable by using the session key provided by the mutual authentication module, wherein all information interaction is performed on the encryption channel, so that safe transmission of data is ensured;
5) The integrity check module provides integrity checking of the program code: the module is responsible for checking the file integrity of the printer end and the consumable end, namely checking whether the program is tampered maliciously;
6) The certificate verification module is responsible for verifying certificate information stored in the consumable materials: the module is responsible for verifying certificates of consumable ends, and when the consumable ends leave a factory, a customer performs irreversible hash compression processing on related information of the consumable, a public key and a private key of a pair of certificate verification labels are generated at the same time, and the information encrypted by the private key is used as a digital signature; generating a certificate by combining the compressed data and the digital signature, wherein the certificate is written into a chip of the consumable end; the public key is stored in a chip of the printer end;
7) The information processing module 1 is responsible for recording consumable usage information: the module is responsible for managing data such as authentication information, key information, consumable information and the like, mainly relates to record updating of confidential information such as session keys and the like, deletion, identification of consumable production information and consumable use conditions including the number of remaining printable pages, printing date and record of single consumable information, and can work cooperatively with the mutual authentication module and the key generation module to improve the safety and stability of the system;
8) The printer driver module is responsible for initiating a print job to the printer: after the mutual authentication, the establishment of a secure channel, the integrity verification and the certificate verification are all passed, the received file and relevant file parameters are sent to the module, and after the driving module receives the information, a printing task is initiated to the printer to execute the printing operation.
8. The printer consumable authentication system of claim 4, wherein the consumable terminal is:
1) The mutual authentication module 2 realizes mutual authentication with the printer end based on a related authentication protocol: the module is used for realizing the mutual authentication between the printer and the consumable and generating a session key for secure communication, and comprises a challenge-response protocol and key management operation, wherein in the authentication process, a negotiation flow and a bidirectional authentication protocol are adopted;
2) The communication module 2 is responsible for end-to-end secure channel establishment and transmission protocol conversion, and realizes encrypted transmission: constructing an encryption channel for interaction between the printer and the consumable by using the session key provided by the mutual authentication module, wherein all information interaction is performed on the encryption channel, so that safe transmission of data is ensured;
3) The information processing module 2 is responsible for updating consumable information: the module is responsible for managing authentication information, key information and consumable information data.
9. The printer consumable authentication system of claim 7, wherein the printer-side visualization module 2 is further configured to enable a user to view updated consumable information via the refresh interface. When the print job is successfully completed, the visualization module 2 returns the successful printing and displays the information such as the number of pages and the date of use which can be printed; when the print job is in error, the visualization module 2 returns corresponding error reporting conditions, such as ink consumption, authentication failure, and the like.
10. The printer consumable authentication system of claim 7, the module being integrated in hardware in a chip as the device is applied in a non-networked environment.
11. The consumable authentication system of claim 7, wherein the mutual authentication module 1 can implement encryption and decryption operations by calling the chip control module during authentication, and the negotiation flow adopts a bidirectional authentication protocol.
12. The printer consumable authentication system of claim 8, wherein the process is negotiated and a mutual authentication protocol is used during the authentication.
13. The printer consumable identification system of claim 7, wherein when the integrity check module provides integrity check of the program code, before the printer and the consumable are embedded into the chip, a client calculates the characteristic values of the program and the stored data in the chip by using a check algorithm, and stores the obtained characteristic values into the chip, after mutual authentication is completed, the printer and the consumable respectively call the check algorithm to calculate the current characteristic value, and compare the characteristic value with the locally stored characteristic value, and if the characteristic values are the same, the verification is considered to be passed, otherwise, the program is judged to be tampered; through the integrality check, whether the logic codes of the printer and the consumable chip are manually modified after leaving the factory to be used is verified, the use of imitated consumables and repeated ink filling are prevented, and the normal use of equipment is ensured. In the integrity verification stage, only if the verification of the printer end and the consumable end is passed, the integrity verification is considered to be passed; otherwise, if the check at any one end fails, the integrity check is considered to fail, an error code is returned, and communication is ended.
14. The printer consumable authentication system according to claim 7, wherein when the certificate verification module is responsible for verifying the certificate information stored in the consumable, the consumable sends the certificate to the printer-side chip after the mutual authentication and the integrity verification pass, the printer-side chip decrypts the digital signature by using a pre-stored public key, compares the obtained information with the compressed information, and if the obtained information is the same, the matching is considered to be successful, namely the verification passes; otherwise, an error code is returned to end the communication.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311068031.6A CN116992497A (en) | 2023-08-23 | 2023-08-23 | Printer consumable identification method and system based on security chip and security authentication technology |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311068031.6A CN116992497A (en) | 2023-08-23 | 2023-08-23 | Printer consumable identification method and system based on security chip and security authentication technology |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116992497A true CN116992497A (en) | 2023-11-03 |
Family
ID=88526703
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311068031.6A Pending CN116992497A (en) | 2023-08-23 | 2023-08-23 | Printer consumable identification method and system based on security chip and security authentication technology |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116992497A (en) |
-
2023
- 2023-08-23 CN CN202311068031.6A patent/CN116992497A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108064440B (en) | FIDO authentication method, device and system based on block chain | |
| US11218323B2 (en) | Method and system for producing a secure communication channel for terminals | |
| US7571489B2 (en) | One time passcode system | |
| TWI454111B (en) | Techniques for ensuring authentication and integrity of communications | |
| US9858401B2 (en) | Securing transactions against cyberattacks | |
| CN108377190B (en) | Authentication equipment and working method thereof | |
| US8181223B2 (en) | Electronic apparatus conducting two-port authentication, method of authenticating and receiving job data, an recording medium containing job data authentication-reception program | |
| US20050055552A1 (en) | Assurance system and assurance method | |
| CN108494551A (en) | Processing method, system, computer equipment and storage medium based on collaboration key | |
| US20080022085A1 (en) | Server-client computer network system for carrying out cryptographic operations, and method of carrying out cryptographic operations in such a computer network system | |
| US20150350164A1 (en) | Intelligent card secure communication method | |
| US8806206B2 (en) | Cooperation method and system of hardware secure units, and application device | |
| US9998288B2 (en) | Management of secret data items used for server authentication | |
| CN107920052B (en) | Encryption method and intelligent device | |
| US20130097427A1 (en) | Soft-Token Authentication System | |
| US11743053B2 (en) | Electronic signature system and tamper-resistant device | |
| US7213267B2 (en) | Method of protecting a microcomputer system against manipulation of data stored in a storage assembly of the microcomputer system | |
| JP4823704B2 (en) | Authentication system, authentication information delegation method and security device in the same system | |
| WO2019196285A1 (en) | Consumable chip, consumable, and consumable communication method | |
| JP4226582B2 (en) | Data update system | |
| WO2020024852A1 (en) | Authentication method and authentication device | |
| CN111161454A (en) | Intelligent lock safety networking and control method | |
| CN117021770A (en) | Printer consumable identification method and system based on double security chips | |
| US20090319778A1 (en) | User authentication system and method without password | |
| KR101996317B1 (en) | Block chain based user authentication system using authentication variable and method thereof |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |