CN117176332A - Identity authentication method, system, terminal equipment and storage medium - Google Patents

Identity authentication method, system, terminal equipment and storage medium Download PDF

Info

Publication number
CN117176332A
CN117176332A CN202210582155.5A CN202210582155A CN117176332A CN 117176332 A CN117176332 A CN 117176332A CN 202210582155 A CN202210582155 A CN 202210582155A CN 117176332 A CN117176332 A CN 117176332A
Authority
CN
China
Prior art keywords
public
private key
key pair
combined
rand
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210582155.5A
Other languages
Chinese (zh)
Inventor
邱勤
张峰
王国宇
徐思嘉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd filed Critical China Mobile Communications Group Co Ltd
Priority to CN202210582155.5A priority Critical patent/CN117176332A/en
Publication of CN117176332A publication Critical patent/CN117176332A/en
Pending legal-status Critical Current

Links

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses an identity authentication method, an identity authentication system, terminal equipment and a storage medium. The method comprises the following steps: setting public and private key pairs for preset service participants to obtain a public and private key pair set, wherein the public and private key pair set comprises card public and private key pairs and terminal public and private key pairs; generating a combined public-private key pair based on the card public-private key pair and the terminal public-private key pair; when a first preset request is received, based on the public and private key pair set and the combined public and private key pair, verifying identity information corresponding to the first preset request. The invention aims to solve the problem of end card separation, improve the safety of the business process and reduce the complexity of the business process.

Description

Identity authentication method, system, terminal equipment and storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to an identity authentication method, system, terminal device, and storage medium.
Background
The mobile network-based internet of vehicles has a security risk of "end card separation", which may cause misuse of SIM (Subscriber Identity Module, subscriber identity card)/USIM (Universal Subscriber Identity Module, global subscriber identity card) cards for the internet of vehicles, and the mobile end also has a case of "end card separation"; the separation of the end card means that the SIM/USIM card in the vehicle-mounted communication terminal can be pulled out to take other functions. Thus, an end card binding mechanism needs to be established to prevent this from happening. At the mobile network level, the end card binding relationship can be detected and confirmed by an IMSI (International Mobile Subscriber Identity )/SUPI (Subscription Permanent Identifier, user hidden identifier) and IMEI (International Mobile Subscriber Identity ) binding setting or signaling analysis method; at the internet of vehicles level, no corresponding binding relation detection and binding relation confirmation mechanism exists at present, and the capability of the mobile network level cannot be directly utilized. If the capability of the mobile network layer is indirectly utilized, a service interface needs to be called, and the complexity of the service flow is increased to a certain extent.
Disclosure of Invention
The embodiment of the invention mainly aims to provide an identity authentication method, an identity authentication system, terminal equipment and a storage medium, and aims to solve the problem of end card separation, improve the safety of a business process and reduce the complexity of the business process.
To achieve the above object, an embodiment of the present invention provides an identity authentication method, including:
setting public and private key pairs for preset service participants to obtain a public and private key pair set, wherein the public and private key pair set comprises card public and private key pairs and terminal public and private key pairs;
generating a combined public-private key pair based on the card public-private key pair and the terminal public-private key pair;
when a first preset request is received, based on the public and private key pair set and the combined public and private key pair, verifying identity information corresponding to the first preset request.
Optionally, the preset service participant includes an initiator and a receiver, and the step of verifying the identity information corresponding to the first preset request based on the public-private key pair set and the combined public-private key pair includes:
based on the public and private key pair set and the combined public and private key pair, encrypting the first preset request by the initiator to obtain decision information;
And verifying the identity information corresponding to the decision information through the receiver based on the public and private key pair set and the combined public and private key pair.
Optionally, the step of generating the combined public-private key pair based on the card public-private key pair and the terminal public-private key pair includes:
when the receiver receives a second preset request, the receiver sends the second preset request to the initiator;
receiving a first preset request generated by the initiator based on the second preset request, and executing the steps: and verifying the identity information corresponding to the first preset request based on the public and private key pair set and the combined public and private key pair.
Optionally, the receiving party includes a first party and a second party, and the step of verifying, by the receiving party, identity information corresponding to the decision information based on the public-private key pair set and the combined public-private key pair includes:
verifying signature information generated based on a public-private key pair of the first participant in the decision information through the first participant;
if the verification is passed, the decision information is sent to the second party through the first party;
And verifying signature information generated based on the combined public and private key pair of the second party in the decision information through the second party.
Optionally, the step of obtaining decision information by encrypting the first preset request by the initiator based on the public-private key pair set and the combined public-private key pair includes:
generating a first random number and a second random number based on the first preset request;
generating combined information based on the first preset request and the second random number;
and obtaining the decision information based on the first random number, the second random number, the combined information, the first preset request, the public and private key pair set and the combined public and private key pair.
Optionally, before the step of sending the decision information to the second party by the first party, the step of sending comprises:
generating a third random number based on the decision information;
encrypting the third random number based on the combined public-private key pair of the second party to obtain a first signature;
based on the first signature, the decision information is updated.
Optionally, the step of generating the combined public-private key pair based on the card public-private key pair and the terminal public-private key pair includes:
Sending the public key of the public-private key pair set to the preset service participant;
and sending the public key of the combined public and private key pair to the preset participant.
In addition, to achieve the above object, the present invention also provides an identity authentication system, the system comprising:
the key set generation module is used for setting public and private key pairs for preset service participants to obtain a public and private key pair set, wherein the public and private key pair set comprises a card public and private key pair and a terminal public and private key pair;
the combined key generation module is used for generating a combined public and private key pair based on the card public and private key pair and the terminal public and private key pair;
and the identity verification module is used for verifying the identity information corresponding to the first preset request based on the public and private key pair set and the combined public and private key pair when the first preset request is received.
In addition, to achieve the above object, the present invention also provides a terminal device including: the system comprises a memory, a processor and an identity authentication method stored in the memory and capable of running on the processor, wherein the identity authentication program is executed by the processor to realize the steps of the identity authentication method.
In addition, in order to achieve the above object, the present invention also provides a computer-readable storage medium having stored thereon an authentication program which, when executed by a processor, implements the steps of the authentication method as described above.
The identity authentication method, the system, the terminal equipment and the storage medium provided by the embodiment of the invention obtain a public-private key pair set by setting a public-private key pair for a preset service participant so as to encrypt information according to the public-private key pair set and improve the safety of information transmission, wherein the public-private key pair set comprises a card public-private key pair and a terminal public-private key pair; generating a combined public-private key pair based on the card public-private key pair and the terminal public-private key pair to confirm the terminal card binding relationship and reduce the abuse frequency of the card of the terminal equipment; when a first preset request is received, based on the public and private key pair set and the combined public and private key pair, verifying the identity information corresponding to the first preset request to confirm the identity information of the first preset request, and providing a judgment basis for responding to the first preset request. The invention aims to solve the problem of end card separation, improve the safety of the business process and reduce the complexity of the business process.
Drawings
FIG. 1 is a schematic diagram of functional modules of a terminal device to which an identity authentication device of the present invention belongs;
FIG. 2 is a flowchart of a first embodiment of an authentication method according to the present invention;
FIG. 3 is a schematic diagram of a first application scenario of the identity authentication method of the present invention;
FIG. 4 is a flowchart of a fourth embodiment of an authentication method according to the present invention;
FIG. 5 is a schematic diagram of a second application scenario of the identity authentication method of the present invention;
FIG. 6 is a schematic diagram of a third application scenario of the identity authentication method of the present invention;
FIG. 7 is an interactive schematic diagram of a remote control service scenario of the Internet of vehicles in the identity authentication method of the present invention;
FIG. 8 is an interactive schematic diagram of a service scenario for ordering Internet of vehicles service by the identity authentication method of the present invention;
FIG. 9 is a schematic diagram of functional modules of an authentication system according to the present invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
The main solutions of the embodiments of the present invention are: setting public and private key pairs for preset service participants to obtain a public and private key pair set, wherein the public and private key pair set comprises card public and private key pairs and terminal public and private key pairs; generating a combined public-private key pair based on the card public-private key pair and the terminal public-private key pair; when a first preset request is received, based on the public and private key pair set and the combined public and private key pair, verifying identity information corresponding to the first preset request.
Technical terms related to the embodiment of the invention:
SIM: (Subscriber Identity Module, subscriber identity card) is an IC card held by a mobile subscriber of the GSM system. The GSM system identifies the GSM user through the SIM card. The same SIM card can be used on different handsets. The GSM mobile phone can access to the network only after the SIM card is inserted.
USIM: (Universal Subscriber Identity Module, universal subscriber identity card), universal Subscriber Identity Module (USIM), also called upgrade SIM, is a component of the 3G network in UMTS (universal wireless communication system, collectively Universal Mobile Telecommunication System). Besides supporting multiple applications, the USIM card upgrades the algorithm in terms of security, and increases the authentication function of the card to the network, and the bidirectional authentication can effectively prevent hackers from attacking the card.
OBU: the On board Unit (On board Unit) is a microwave device which communicates with the RSU by adopting DSRC (Dedicated Short Range Communication) technology. In the ETC system, OBUs are placed on vehicles, and roadside set-up Road Side units (RSUs-Road Side units) communicate with each other through microwaves.
T-BOX: the Travel box is a complete movable Travel box developed through accumulation of outdoor life experience and technical innovation.
IMSI: (International Mobile Subscriber Identity ), an identity that is not repeated in all cellular networks for distinguishing between different users in the cellular network. The handset sends the IMSI to the network in a 64-bit field. The IMSI can be used to query the home location register (HLR, home Location Register) or visitor location register (VLR, visitor Location Register) for subscriber information.
SUPI: (Subscription Permanent Identifier) the subscriber hidden identifier) SUPI consists of 15 decimal digits, wherein the first three digits are country code MCC, the middle 2-3 digits are operator code MNC, and the remaining 9-10 digits are mobile subscriber identification code MSIN together to represent the subscriber and operator; SUPI is equivalent to the IMSI uniquely identifying ME and is also a 15-digit string.
IMEI: (International Mobile Subscriber Identity ), an identity that is not repeated in all cellular networks for distinguishing between different users in the cellular network. The handset sends the IMSI to the network in a 64-bit field. The IMSI can be used to query the home location register (HLR, home Location Register) or visitor location register (VLR, visitor Location Register) for subscriber information.
And (3) ECU: (Electronic Control Unit ), also called "car running computer", "car carrying computer", etc. It is composed of Micro Controller (MCU), memory (ROM, RAM), input/output interface (I/O), A/D converter (A/D) and shaping and driving large scale integrated circuits.
IVI: the In-Vehicle Infotainment vehicle-mounted information entertainment system is a vehicle-mounted integrated information processing system which is formed by adopting a vehicle-mounted special central processing unit and based on a vehicle body bus system and Internet services. The IVI can realize a series of applications including three-dimensional navigation, real-time road conditions, IPTV, assisted driving, fault detection, vehicle information, vehicle body control, mobile office, wireless communication, online-based entertainment functions, TSP services, and the like.
APP: application, mobile phone software, mainly referring to software installed on a smart phone, perfecting the shortages and individualization of the original system. The mobile phone is enabled to perfect the functions, and a main means for richer use experience is provided for users. The mobile phone software needs to be operated by a corresponding mobile phone system, and the main mobile phone system is as long as 2017, 6 and 1: apple iOS, google Android (Android) system, saint platform, and microsoft platform.
The internet of vehicles: the internet of vehicles mainly refers to that vehicle-mounted equipment on vehicles effectively utilizes all vehicle dynamic information in an information network platform through a wireless communication technology, and provides different functional services in the running process of the vehicles.
Device fingerprint: a device fingerprint refers to a device characteristic or unique device identification that may be used to uniquely identify the device.
Asymmetric encryption: the symmetric encryption algorithm uses the same key in encryption and decryption; the asymmetric encryption algorithm requires two keys for encryption and decryption, which are a Public Key (Public Key) and a Private Key (Private Key).
Elliptic curve encryption algorithm: (Elliptic Curve Cryptography, ECC), an algorithm for establishing public key encryption, i.e., asymmetric encryption. Also similar are RSA, elGamal, etc. algorithms. ECC is recognized as the most secure asymmetric encryption algorithm given a key length.
National standard public key cryptography algorithm SM2: the SM2 algorithm and the RSA algorithm are both public key cryptography algorithms, and the SM2 algorithm is a more advanced and safe algorithm which is used for replacing the RSA algorithm in our national commercial cryptography.
Along with the development of cryptographic technology and computer technology, the currently commonly used 1024-bit RSA algorithm faces serious security threat, and the national cryptographic management department decides to replace the RSA algorithm by adopting the SM2 elliptic curve algorithm through research.
Identity identification cryptography: identity-based cryptography (Identity-Based Cryptograph, IBC for short) is an asymmetric public key cryptography. The most important point of identification passwords is that certificates are not needed in the system, and the identification of users such as names, IP addresses, email addresses, mobile phone numbers and the like are used as public keys. The private key of the user is calculated by a key generation center (Key Generate Center, KGC for short) according to the system master key and the user identification. The public key of the user is uniquely determined by the user identification so that the user does not need a third party to ensure the authenticity of the public key.
Combined Public Key (CPK): in the field of information security, CPK is an abbreviation of "Combined Public Key", i.e. a combined public key, which is an encryption algorithm that generates large-scale keys with very small resources. The combined public key CPK is an identification-based digital signature protocol and a key exchange protocol.
Message digest algorithm: the message digest algorithm is a very important branch of the cryptographic algorithm, and is used for encrypting sensitive information due to its irreversibility by extracting fingerprint information from all data to realize functions such as data signature and data integrity check. Message digest algorithms are also known as Hash (Hash) algorithms, hash algorithms, or Hash algorithms.
The message digest algorithm has no key management and distribution problems, and is mainly applied to the field of digital signature as a digest algorithm for plaintext.
National cipher standard cryptographic hash algorithm SM3: the SM3 password hash algorithm is a Chinese commercial password hash algorithm standard published by the Chinese national password administration 2010. The algorithm was issued as a cryptographic industry standard (GM/T0004-2012) in 2012 and as a national cryptographic hash algorithm standard (GB/T32905-2016) in 2016.
SM3 is suitable for digital signature and verification in commercial cryptography applications, is an algorithm which is improved to be realized on the basis of SHA-256, and has the security equivalent to SHA-256. The iterative process of SM3 and MD5 is similar, and the Merkle-Damgard structure is also adopted. The message packet length is 512 bits and the digest value length is 256 bits.
The mobile network-based internet of vehicles has the security risk of 'end card separation', which may cause the misuse of SIM/USIM cards for the internet of vehicles, and the mobile end also has the condition of 'end card separation'; the end card separation means that the SIM/USIM card in the on-board communication terminal (OBU/T-BOX) can be pulled out to take other functions. Thus, an end card binding mechanism needs to be established to prevent this from happening. In the mobile network layer, the binding relation of the end card can be detected and confirmed through IMSI/SUPI and IMEI binding setting or signaling analysis methods; at the internet of vehicles level, no corresponding binding relation detection and binding relation confirmation mechanism exists at present, and the capability of the mobile network level cannot be directly utilized. If the capability of the mobile network layer is indirectly utilized, a service interface needs to be called, and the complexity of the service flow is increased to a certain extent.
The invention provides a solution, which aims to solve the problem of end card separation, improve the safety of a business process and reduce the complexity of the business process.
Specifically, referring to fig. 1, fig. 1 is a schematic diagram of functional modules of a terminal device to which the identity authentication device of the present invention belongs. The identity authentication device can be a device which is independent of the terminal equipment and can carry out picture processing and network model training, and can be carried on the terminal equipment in a form of hardware or software. The terminal equipment can be an intelligent mobile terminal with a data processing function such as a mobile phone and a tablet personal computer, and can also be a fixed terminal equipment or a server with a data processing function.
In this embodiment, the terminal device to which the identity authentication device belongs at least includes an output module 110, a processor 120, a memory 130, and a communication module 140.
The memory 130 stores therein an operation method and an authentication program; the output module 110 may be a display screen or the like. The communication module 140 may include a WIFI module, a mobile communication module, a bluetooth module, and the like, and communicates with an external device or a server through the communication module 140.
Wherein the identity authentication procedure in the memory 130 when executed by the processor implements the steps of: setting public and private key pairs for preset service participants to obtain a public and private key pair set, wherein the public and private key pair set comprises card public and private key pairs and terminal public and private key pairs;
Generating a combined public-private key pair based on the card public-private key pair and the terminal public-private key pair;
when a first preset request is received, based on the public and private key pair set and the combined public and private key pair, verifying identity information corresponding to the first preset request.
Further, the identity authentication procedure in the memory 130 when executed by the processor also implements the following steps:
based on the public and private key pair set and the combined public and private key pair, encrypting the first preset request by the initiator to obtain decision information;
and verifying the identity information corresponding to the decision information through the receiver based on the public and private key pair set and the combined public and private key pair.
Further, the identity authentication procedure in the memory 130 when executed by the processor also implements the following steps:
when the receiver receives a second preset request, the receiver sends the second preset request to the initiator;
receiving a first preset request generated by the initiator based on the second preset request, and executing the steps: and verifying the identity information corresponding to the first preset request based on the public and private key pair set and the combined public and private key pair.
Further, the identity authentication procedure in the memory 130 when executed by the processor also implements the following steps:
verifying signature information generated based on a public-private key pair of the first participant in the decision information through the first participant;
if the verification is passed, the decision information is sent to the second party through the first party;
and verifying signature information generated based on the combined public and private key pair of the second party in the decision information through the second party.
Further, the identity authentication procedure in the memory 130 when executed by the processor also implements the following steps:
generating a first random number and a second random number based on the first preset request;
generating combined information based on the first preset request and the second random number;
and obtaining the decision information based on the first random number, the second random number, the combined information, the first preset request, the public and private key pair set and the combined public and private key pair.
Further, the identity authentication procedure in the memory 130 when executed by the processor also implements the following steps:
generating a third random number based on the decision information;
Encrypting the third random number based on the combined public-private key pair of the second party to obtain a first signature;
based on the first signature, the decision information is updated.
Further, the identity authentication procedure in the memory 130 when executed by the processor also implements the following steps:
sending the public key of the public-private key pair set to the preset service participant;
and sending the public key of the combined public and private key pair to the preset participant.
According to the scheme, the public and private key pairs are set for the preset service participants to obtain a public and private key pair set, wherein the public and private key pair set comprises a card public and private key pair and a terminal public and private key pair; generating a combined public-private key pair based on the card public-private key pair and the terminal public-private key pair; when a first preset request is received, based on the public and private key pair set and the combined public and private key pair, verifying identity information corresponding to the first preset request. The invention aims to solve the problem of end card separation, improve the safety of the business process and reduce the complexity of the business process.
The method embodiment of the invention is proposed based on the above-mentioned terminal equipment architecture but not limited to the above-mentioned architecture.
Referring to fig. 2, fig. 2 is a flowchart illustrating a first embodiment of an identity authentication method according to the present invention. The identity authentication method comprises the following steps:
step S101, setting public and private key pairs for preset service participants to obtain a public and private key pair set, wherein the public and private key pair set comprises a card public and private key pair and a terminal public and private key pair.
The implementation main body of the method of the embodiment may be an identity authentication system, or may be an identity authentication terminal device or a server, and the embodiment uses the identity authentication system as an example. The identity authentication system comprises a preset service participant, wherein the preset service participant comprises an initiator and a receiver; the receiver comprises a first participant and a second participant.
In order to solve the problem of end card separation, improve the security of the business process, reduce the complexity of the business process, set public and private key pairs to preset business participants to obtain a public and private key pair set. In this embodiment, the internet of vehicles service is used as the preset service.
Specifically, firstly, generating a public-private key pair based on identification for all vehicle networking service participants based on elliptic curve algorithm, generating a card public-private key pair and a terminal public-private key pair based on identification for terminal equipment with mobile communication capability, forming a public-private key pair set by the public-private key pair, the card public-private key pair and the terminal public-private key pair, sending public keys of all the participants to related participants, and issuing the keys to corresponding participants.
For example, the internet of vehicles service participants include internet of vehicles service platforms, enterprise service platforms, and internet of vehicles end devices (including vehicle end and mobile end). And taking the mobile terminal as the initiator, and taking the Internet of vehicles service platform, the train enterprise service platform and the train terminal as the receiver.
Based on elliptic curve algorithm, public and private key pairs are generated for the Internet of vehicles service platform, the enterprise service platform and the Internet of vehicles terminal equipment (comprising a vehicle terminal and a mobile terminal), and public keys are distributed. Each party has a public key of the party associated with it. For mobile communication capable end devices, it is necessary to generate an identity based card (SIM/USIM card) public-private key pair and an end (car end/mobile end) public-private key pair, respectively.
Therefore, based on an elliptic curve algorithm, a public and private key pair is generated for a preset service participant, so that the safety of data transmission is improved. And, for the terminal equipment with mobile communication ability, a terminal public and private key pair and a card public and private key pair are generated, so that the binding relation of the terminal card is confirmed, and the phenomenon that the SIM/USIM card in the vehicle-mounted communication terminal (OBU/T-BOX) is possibly pulled out to move to other functions is prevented.
Step S102, based on the card public-private key pair and the terminal public-private key pair, a combined public-private key pair is generated.
Step S103, when a first preset request is received, based on the public and private key pair set and the combined public and private key pair, verifying the identity information corresponding to the first preset request.
Based on the card public-private key pair and the terminal public-private key pair, generating a combined public-private key pair through an elliptic curve algorithm.
Specifically, the key combination characteristic of elliptic curve algorithm is utilized to combine the card public-private key pair and the terminal public-private key pair, generate a new combined public-private key pair for terminal equipment, confirm the binding relation of the terminal card (the vehicle terminal and the corresponding SIM/USIM card and the mobile terminal and the corresponding SIM/USIM card) through the combined key, and distribute the public key to the equipment associated with the terminal equipment.
Therefore, based on the card public-private key pair and the terminal public-private key pair, a combined public-private key pair is generated through an elliptic curve algorithm, and the binding relation between the terminal card (a vehicle terminal and a SIM/USIM card and between a mobile terminal and the SIM/USIM card) is directly determined by utilizing the combined key pair, so that the phenomenon that the SIM/USIM card in the vehicle-mounted communication terminal (OBU/T-BOX) can be pulled out to be moved to other uses is prevented.
Further, when the first preset request is received, based on the public and private key pair set and the combined public and private key pair, identity information corresponding to the first preset request is verified. The first preset request comprises requests for starting an engine/air conditioner, remotely unlocking/locking a vehicle door, remotely searching the vehicle and the like.
Specifically, in the internet of vehicles service interaction process, when a first preset request is received, an identification key, a digital signature and a corresponding encryption technology are adopted, and based on a public-private key pair set and a combined public-private key pair, identity authentication meeting the mutual trust relationship of multiple participants (assumed to be N parties) and verification modes of security requirements such as data confidentiality, integrity, replay resistance, behavior resistance and repudiation and the like related to service processing are established, so that identity information corresponding to the first preset request is verified; the number of identity authentication processes is kept at an N level, and the N level is N× (N-1)/2.
Further, when the receiver receives the second preset request, the receiver sends the second preset request to the initiator; receiving a first preset request generated by the initiator based on the second preset request, and executing step S103: and verifying the identity information corresponding to the first preset request based on the public and private key pair set and the combined public and private key pair. The second preset request comprises subscription information services such as subscription of road condition information, video-on-demand of audio service and the like.
Specifically, when the receiver receives the second preset request, the receiver sends the second preset request to the initiator; the initiator displays the second preset request to the user, the user responds, the response information of the user is used as the first preset request, and step S103 is executed: and verifying the identity information corresponding to the first preset request based on the public and private key pair set and the combined public and private key pair.
Therefore, the identification key, the digital signature and the corresponding encryption technology are adopted to meet the security requirements of confidentiality, integrity, replay resistance, behavioral resistance and the like of related data of the mutual trust relationship of multiple participants (assumed to be N parties).
According to the scheme, the public and private key pairs are set for the preset service participants to obtain a public and private key pair set, wherein the public and private key pair set comprises a card public and private key pair and a terminal public and private key pair; generating a combined public-private key pair based on the card public-private key pair and the terminal public-private key pair; when a first preset request is received, based on the public and private key pair set and the combined public and private key pair, verifying identity information corresponding to the first preset request. The invention generates the terminal public and private key pair and the card public and private key pair for the terminal equipment with mobile communication capability, so as to confirm the binding relation of the terminal card, prevent the phenomenon that the SIM/USIM card in the vehicle-mounted communication terminal (OBU/T-BOX) is possibly pulled out to move other functions, improve the safety of the business process and reduce the complexity of the business process.
Based on the embodiment shown in fig. 2, a second embodiment of the identity authentication method of the present invention is proposed. In this embodiment, as shown in fig. 3, the internet of vehicles service participants include a decision maker, a forwarder and an executor, and it is required to generate public-private key pairs for all the participants, distribute the public-private key pairs to the corresponding participants, and distribute the public keys of the respective participants to other participants (public or key exchange with the related participants). The decision maker decides whether to execute certain operation in certain business interaction and stores the execution result; the role of the forwarder is to forward the decision information (through the next forwarder) to the executor, forward the execution result returned by the executor (through the next forwarder) to the decision maker, and store the forwarding process; the executor: and finishing the operation designated by the decision information, returning an execution result, and storing the decision information.
In different application scenarios, the objects of the decision maker, the forwarder and the executor are not identical. For example, in an application example of remote control of the internet of vehicles, the decision maker is a mobile terminal (vehicle owner), the forwarder is an internet of vehicles service platform and an enterprise service platform, the executor is an end of vehicle (ECU), the vehicle owner sends an operation instruction to the end of vehicle through the mobile terminal, the internet of vehicles service platform and the enterprise service platform forward the operation instruction to the end of vehicle, and the ECU of the end of vehicle executes the operation instruction. In an application example of the internet of vehicle service subscription, the decision maker is a mobile terminal (vehicle owner), the forwarder is a vehicle terminal (IVI) and an enterprise service platform, the executor is an internet of vehicle service platform, the vehicle owner sends decision information for the service subscription to the vehicle terminal through the mobile terminal, the IVI and the enterprise service platform of the vehicle terminal forward the decision information to the internet of vehicle service platform (a specific service flow may allow a driver to intervene, for example, directly terminate the service subscription), and the internet of vehicle service platform processes the service subscription (for example, confirms the subscription or cancels the subscription) according to the decision information.
In this embodiment, an elliptic curve algorithm is adopted, and according to a specific parameter definition (for example, refer to parameter definition of SM 2), a public-private key pair is generated based on the identity of each participant, and key distribution is completed through an existing key management system, so that each participant obtains its own public key and private key, and obtains (knows) the public keys of other participants. The private key must be kept secret and may be securely stored using either a hardware cryptographic module (e.g., a cryptographic chip) or a software cryptographic module (e.g., a soft shield). Assuming K as the private key and K as the public key, the decision maker obtains a public-private key pair of (K d ,K d ) The public-private key pair obtained by the forwarder is (k) f ,K f ) The public-private key pair obtained by the performer is (k e ,K e )。
Specifically, in this embodiment, four internet of vehicles service participants will be involved, namely, an internet of vehicles service platform (Ping Taiyun), an enterprise service platform (enterprise cloud), a vehicle end (driver) and a mobile end (owner).
The internet of vehicles service platform may be in the role of a forwarder or an executor. The public-private key pair may be generated based on a platform identification (e.g., operator code) of the internet of vehicle service platform, such as: the public and private key pair obtained by the Internet of vehicles service platform is (k) 01 ,k 01 )。
The vehicle enterprise service platform is a forwarder role. Public and private key pairs may be generated based on a platform identification (e.g., enterprise code) of a vehicle enterprise service platform, such as: the public and private key pair obtained by the Internet of vehicles service platform is (k) 02 ,K 02 )。
The vehicle end can be in a role of a forwarder or an executor. The vehicle end is end equipment with mobile communication capability, a detachable SIM/USIM card is arranged in the communication module, public and private key pairs can be respectively generated based on card identification and end (vehicle) identification, the card identification can be unique identifications such as ICCID and the like, and the end identification can be OBU/T-BOX system characteristic informationThe vehicle end equipment fingerprint generated based on vehicle end multidimensional information. For example: the public and private key pair based on the card identifier obtained by the vehicle end is (k) 11 ,K 11 ) Public-private key pair (k) based on end identification 12 ,K 12 )。
The mobile terminal is in the role of a decision maker. The mobile terminal is terminal equipment with mobile communication capability, a SIM/USIM card of the mobile terminal is detachable, public and private key pairs can be respectively generated based on card identifications and terminal (mobile equipment/mobile phone) identifications, the card identifications can be unique identifications such as ICCID and the like, and the terminal identifications can be Device IDs, MAC or mobile terminal equipment fingerprints generated based on mobile terminal multidimensional information. For example: the public and private key pair obtained by the mobile terminal based on the card identifier is (k) 21 ,K 21 ) Public-private key pair (k) based on end identification 22 ,K 22 )。
Thus, by adopting elliptic curve algorithm, according to specific parameter definition (for example, refer to parameter definition of SM 2), public-private key pairs are generated based on the identification of each participant, and key distribution is completed through the existing key management system, so that each participant obtains own public key and private key, and obtains (knows) the public keys of other participants. The security of the information transmission process is improved, and authentication of identity information is completed through the key pair.
In the internet of vehicles service, end devices typically have end card binding requirements. Based on the embodiment shown in fig. 2, a third embodiment of the identity authentication method of the present invention is proposed. In this embodiment, an elliptic curve algorithm is adopted to generate two pairs of public and private key pairs for the terminal device (vehicle terminal and mobile terminal), wherein the two pairs of public and private key pairs are respectively a public and private key pair based on card identification and a public and private key pair based on terminal identification.
Since the public and private key pairs generated by the elliptic curve algorithm have combined characteristics, namely m pairs of public and private key pairs (k 1 ,K 1 ),…,(k i ,K i ),…,(k m ,K m ) May be combined to generate a new public-private key pair (k c ,K c ) The calculation method for generating the combined public and private key pair is as follows:
k c =(k 1 +…+k i +…+k m )mod(n)
wherein: n is the order of the base point G, n and G are well-defined elliptic curve algorithm parameters, and the calculation modes of Kc and Kc are not identical.
According to the combination characteristic of the elliptic curve algorithm, the card identification public-private key pair and the end identification public-private key pair of the end equipment can be combined to generate the combined public-private key pair of the end equipment so as to utilize the combined key pair to prove the end card binding relationship of the end equipment, and when the combined public-private key pair is generated, the end card binding relationship of the end equipment is proved.
For the vehicle end, assume that the combined public-private key pair is (k 13 ,K 13 ) Then:
k 13 =(k 11 +k 12 )mod(n)
for the mobile end, assume that the combined public-private key pair is (k 23 ,K 23 ) Then:
k 23 =(k 21 +k 22 )mod(n)
through the existing key management system, the vehicle end combines the public key K 13 Distributing the public key K to a vehicle networking service platform, a vehicle enterprise service platform and a mobile terminal, wherein the mobile terminal combines the public key K 23 And the service platform is distributed to a car networking service platform, a car enterprise service platform and a car end.
Therefore, by setting the combined public and private key pair for the terminal equipment, the binding relation between the terminal card (the vehicle terminal and the SIM/USIM card and between the mobile terminal and the SIM/USIM card) is directly determined by using the combined key pair, and the phenomenon that the SIM/USIM card in the vehicle-mounted communication terminal (OBU/T-BOX) can be pulled out to move to other uses is prevented.
Referring to fig. 4, fig. 4 is a flowchart illustrating a fourth embodiment of an identity authentication method according to the present invention. Based on the embodiment shown in fig. 2, in this embodiment, the preset service participant includes an initiator and a receiver, step S103: based on the public and private key pair set and the combined public and private key pair, verifying the identity information corresponding to the first preset request includes:
step S1031, based on the public-private key pair set and the combined public-private key pair, encrypts the first preset request by the initiator to obtain decision information.
As an implementation manner, in this embodiment, based on the public-private key pair set and the combined public-private key pair, the decision information is obtained by initiating Fang Jiami a first preset request.
Specifically, based on a first preset request, generating a first random number and a second random number; generating combined information based on the first preset request and the second random number; and obtaining decision information based on the first random number, the second random number, the combination information, the first preset request, the public and private key pair set and the combination public and private key pair.
For example, the receiving party includes a first party, a second party. Encrypting the first random number by a public key of a public-private key pair of the first participant to obtain a first signature; encrypting the first random number by a private key of a combined public-private key pair of the initiator to obtain a second signature; encrypting the first preset request and the second random number through the public key of the combined public-private key pair of the second participant to obtain a third signature and a fourth signature; based on the first preset request and the second random number, obtaining combined information; encrypting the information abstract of the combined information by the private key of the combined public and private key pair of the initiator to obtain a fifth signature; the first signature, the second signature, the third signature, the fourth signature, and the fifth signature are used as the decision information.
Therefore, based on the public and private key pair set and the combined public and private key pair, the first preset request is encrypted, the public key of each participant is adopted to encrypt the first preset request, and corresponding signature information is generated, so that the signature information is verified through the private key of the participant, and the safety of data is improved. And judging the validity of the decision information by the random number.
Step S1032, based on the public and private key pair set and the combined public and private key pair, the identity information corresponding to the decision information is verified by the receiver.
In this embodiment, based on the public and private key pair set and the combined public and private key pair, the identity information corresponding to the decision information is verified by the receiver.
Specifically, in the decision information verified by the first participant, signature information generated based on a public-private key pair of the first participant; if the verification is not passed, rejecting the request corresponding to the decision information; if the verification is passed, the decision information is sent to a second party through a first party; verifying signature information generated based on a combined public and private key pair of the second party in the decision information through the second party; if the verification is passed, executing a request corresponding to the decision information; if the verification is not passed, rejecting the request corresponding to the decision information.
For example, decrypting the decision information by the private key of the public-private key pair of the first party to obtain a first random number; signing the decision information through the public key of the combined public and private key pair of the initiator; if the verification is not passed, rejecting the request corresponding to the decision information; and if the check mark passes, sending the decision information to the second party through the first party. Decrypting the decision information by the private key of the combined public-private key pair of the second party, and verifying the decision information by the public key of the public-private key pair of the first party so as to verify the decision information; if the verification is passed, executing a request corresponding to the decision information; if the verification is not passed, rejecting the request corresponding to the decision information.
The method comprises the following steps: generating a third random number based on decision information before sending the decision information to the second party by the first party; encrypting the third random number based on the combined public-private key pair of the second party to obtain a first signature; based on the first signature, the decision information is updated.
For example, based on the decision information, generating a third random number; encrypting the third random number by the public key of the combined public-private key pair of the second participant to obtain a fifth signature; and encrypting the information abstract of the third random number by the private key of the public-private key pair of the first participant to obtain a sixth signature. Based on the fifth signature and the sixth signature, the decision information is updated.
Therefore, the parties decrypt, judge and update the decision information through the public key and the private key of the parties, so that the efficiency of encryption and decryption processes is improved, and the safety of the information transmission process is improved.
According to the scheme, the public and private key pairs are set for the preset service participants to obtain a public and private key pair set, wherein the public and private key pair set comprises a card public and private key pair and a terminal public and private key pair; generating a combined public-private key pair based on the card public-private key pair and the terminal public-private key pair; when a first preset request is received, based on the public and private key pair set and the combined public and private key pair, verifying identity information corresponding to the first preset request. The invention aims to solve the problem of end card separation, adopts the public key of each participant to encrypt the end card, and generates corresponding signature information so as to verify the signature information through the private key of the participant later, thereby improving the security of data and reducing the complexity of a business process.
Based on the embodiment shown in fig. 4, a fifth embodiment of the identity authentication method of the present invention is proposed. In this embodiment, an elliptic curve algorithm-based collaborative identity authentication method for the internet of vehicles is provided, in the process of service interaction of the internet of vehicles, an identification key, a digital signature and a corresponding encryption technology are adopted, so that identity authentication of establishing a mutual trust relationship by multiple participants (assumed to be N parties) and security requirements of data confidentiality, integrity, replay resistance, repudiation resistance and the like related to service processing are met, the number of times of the identity authentication process is kept at N orders, and meanwhile, an end card binding relationship of end equipment is proved by using a combined key.
As shown in fig. 5, the business participants that may be involved in an actual internet of vehicles business scenario include a decision maker, an executor, and zero, one, or multiple (e.g., m) forwarders.
According to the Internet of vehicles collaborative identity authentication method, an elliptic curve algorithm is adopted to encrypt and decrypt related information (decision information: REQ; execution result: RES; random number: RAND) transmitted among all service participants, so that safety requirements of identity authentication (signature/signature verification), data confidentiality, replay resistance, behavior repudiation resistance and the like are met, E is preset to be encryption processing, and D is decryption processing; adopting a message digest algorithm to meet the data integrity requirement, presetting H as the message digest algorithm, wherein the specific message digest algorithm can select SHA, SM3 and the like as required; and the combination key of the terminal equipment is utilized to meet the binding requirement of the terminal card.
As shown in fig. 6, the following consideration relates to the case where the service participants include one decision maker (remote manipulation and service subscription: mobile terminal/vehicle owner), one executor (remote manipulation: vehicle terminal; service subscription: internet of vehicles service platform) and two forwarders (remote manipulation: internet of vehicles service platform and vehicle enterprise service platform; service subscription: vehicle terminal and vehicle enterprise service platform).
After being processed by the Internet of vehicles collaborative identity authentication method, decision information sent to a forwarder #1 by a decision maker is converted into:
{E(K f1 ,RAND f1 ),E(k d ,H(RAND f1 )),E(K e ,RAND e ),E(K e ,REQ),E(k d ,H(REQ,RAND e ))}
wherein K is f1 Is the public key of forwarder #1, RAND f1 Is a random number generated by the decision maker for forwarder #1, RAND e Is a random number generated by the decision maker for the executor. Because the decision maker is the mobile terminal, k d Is a combined key (private key); if forwarder #1 is the vehicle end, then K f1 Is a combined key (public key); if the executor is the vehicle end, K e Is a combined key (public key).
After receiving the decision message, forwarder #1 uses its own private key k f1 Decryption to obtain RAND f1 Using the public key K of the decision maker d Performing label verification processing if
H(D(k f1 ,E(K f1 ,RAND f1 )))=D(K d ,E(k d ,H(RAND f1 ))
The forwarder #1 may complete the identity authentication of the decision maker confirming that the decision information is from the decision maker. The forwarder #1 does not need to know the specific content of the decision information, but may record the encrypted decision information as a certificate.
After the forwarder #1 processes the decision information by adopting the internet of vehicles collaborative identity authentication method, forwarding the decision information to the forwarder #2, wherein the decision information is converted into:
{E(K f2 ,RAND f2 ),E(k f1 ,H(RAND f2 )),E(K e ,RAND e ),E(K e ,REQ),E(k d ,H(REQ,RAND e ))}
wherein is K f2 Public key, RAND, of forwarder #2 f2 Is a random number generated by forwarder #1 for forwarder # 2. If forwarder #1 is the vehicle end, k f1 Is a combined key (private key).
After receiving the decision message, forwarder #2 uses its own private key k f2 Decryption to obtain
RAND f2 Public key K of forwarder #1 is used f1 Performing label verification processing if
H(D(k f2 ,E(K f2 ,RAND f2 )))=D(K f1 ,E(k f1 ,H(RAND f2 ))
The forwarder #2 may complete the authentication of the forwarder #1 confirming that the decision information is from the forwarder #1. The forwarder #2 does not need to know the specific content of the decision information, but may record the encrypted decision information as a certificate.
The forwarder #2 processes the decision information by adopting the cooperative identity authentication method of the internet of vehicles, and forwards the decision information to the executor, and the decision information is converted into:
{E(K e ,RAND fe ),E(k f2 ,H(RAND fe )),E(K e ,RAND e ),E(K e ,REQ),E(k d ,H(REQ,RAND e ))}
wherein, RAND fe Is the random number generated by forwarder #2 for the executor. If the executor is the vehicle end, K e Is a combined key (public key).
After receiving the decision message, the executor uses its own private key K e Decryption to obtain RAND fe Public key K of forwarder #2 is used f2 Performing label verification processing if
H(D(k e ,E(K e ,RAND fe )))=D(K f2 ,E(k f2 ,H(RAND fe ))
The actor may complete the authentication of forwarder #2 confirming that the decision information is from forwarder #2.
The executor uses its own private key k e Decryption to obtain RAND e And REQ, use of the public key K of the decision maker d Performing label verification processing if
H(D(k e ,E(K e ,REQ)),D(k e ,E(K e ,RAND e )))=D(K d ,E(k d ,H(REQ,RAND e )))
The executor can complete the authentication of the decision maker and confirm that the original decision information REQ is from the decision maker and has not been tampered with or replayed.
After the executor completes the related operation according to the requirement of the decision information REQ, the original execution result RES can be notified to the decision maker through the response processing flow. The execution result is transmitted from the executor to the decision maker along the reverse path of the decision information transmission, and the processing method is the same as the decision information transmission except for the corresponding parameter replacement, and is not repeated here.
In the process of reversely transferring the execution result, the identity authentication of the forwarder #2 to the executor, the forwarder #1 to the forwarder #2, the decision maker to the forwarder #1 and the decision maker to the executor are sequentially completed, so that all the bidirectional identity authentication processes required in the service interaction process are completed, the square mutual trust relationship is ensured, the certification of the execution result of the forwarder #1 and the forwarder #2 is completed, and the confidentiality, the integrity and the replay resistance of the original execution result information RES are ensured.
In summary, the internet of vehicles collaborative identity authentication method based on elliptic curve algorithm meets the security requirements of confidentiality, integrity, replay resistance, behavior resistance, repudiation resistance and the like of the identity authentication of the mutual trust relationship established by multiple participants, and keeps the number of the identity authentication process at the N level; and meanwhile, the end card binding relation of the end device is also verified by using the combined secret key.
Referring to fig. 7, fig. 7 is an interaction schematic diagram of a remote control service scenario of the internet of vehicles according to the identity authentication method of the present invention. In the embodiment, the terminal equipment has a combined public and private key pair, and the vehicle networking remote control application allows a vehicle owner to remotely control the vehicle by utilizing a remote control APP, so that functions of remotely starting an engine/air conditioner, remotely unlocking/locking a vehicle door, remotely searching the vehicle and the like are realized.
Assuming that the vehicle owner registers remote control service on the internet of vehicles service platform and downloads and installs remote control APP on a mobile phone (mobile terminal), the internet of vehicles service platform provides unified service management, but may not provide specific remote control service, but is in butt joint with a corresponding vehicle enterprise service platform to realize service delivery. In the application example of the car networking remote control service scene, a mobile terminal (car owner) is a decision maker, a car networking service platform (Ping Taiyun) and a car enterprise service platform (car enterprise cloud) are forwarders, a car terminal (ECU) is an executor, and the application flow is as follows:
first, the vehicle owner starts a remote control APP on a mobile phone (mobile terminal), selects an operation desired to be performed, such as opening an air conditioner, starting an engine, remotely unlocking/locking a door, etc., as an operation instruction, and confirms transmission of the operation instruction.
Further, the mobile phone adopts a collaborative identity authentication method to process the operation instruction. Generating two
Random number RAND 1 And RAND (RAND) 2 Public key K using a vehicle networking service platform (Ping Taiyun) 01 For RAND 1 Encryption is performed to obtain E (K) 01 ,RAND 1 ) Mobile terminal (Mobile phone)
Private key k 23 (Combined Key) pair RAND 1 Encryption is carried out on the information abstract of the mobile phone to obtain the mobile phone to the platform
Cloud ofSignature E (k) 23 ,H(RAND 1 ) A) is provided; using the public key K at the vehicle end 13 (Combined Key) for RAND respectively 2 And decision information REQ (operation instruction) to obtain E (K) 13 ,RAND 2 ) And E (K) 13 REQ), using a handset private key k 23 For REQ and RAND 2 Encrypting the information abstract of the combined information to obtain a signature E (k) of a mobile phone vehicle-feeding End (ECU) 23 ,H(REQ,RAND 2 ))。
Therefore, the mobile phone is used for converting the operation instruction to obtain conversion information of the operation instruction, and the conversion information of the operation instruction is sent to the platform cloud; the transformation information of the operation instruction is as follows:
{E(K 01 ,RAND 1 ),E(k 23 ,H(RAND 1 )),E(K 13 ,RAND 2 ),E(K 13 ,REQ),E(k 23 ,H(REQ,RAND 2 ) Second, the platform cloud processes the transformation information of the received operation instruction.
Specifically, private key k using platform cloud 01 Decrypting transformed information of an operation instruction to obtain RAND 1 Using a mobile phone public key K 23 (Combined key) Siegesbeckiae checking the transformation information of operation instruction, if
H(D(k 01 ,E(K 01 ,RAND 1 )))=D(K 23 ,E(k 23, H(RAND 1 ))
The platform cloud completes the identity authentication of the mobile phone and confirms that the operation instruction is from the mobile phone. If the identity verification is not passed, rejecting the operation instruction. Thus, the platform cloud does not need to know the specific content of the operation instruction, but can record the operation instruction including E (K 13 REQ) is used as a certificate.
Further, based on the transformation information of the operation instruction, a random number RAND is generated 3 Using a vehicle rabbet
Public key K of service platform (vehicle enterprise cloud) 02 For RAND 3 Encryption is performed to obtain E (K) 02 ,RAND 3 ) Using platform cloud private key k 01 For RAND 3 Encryption is carried out on the information abstract of the platform cloudSignature E (k) of cloud of vehicle enterprise 01 ,H(RAND 3 ))。
Therefore, the initiator of the operation instruction can be verified through the random number, the analysis of internal information is not needed, and the efficiency is improved.
Further, the platform cloud updates the conversion information of the operation instruction, and sends the conversion information of the operation instruction to the vehicle enterprise cloud, wherein the conversion information of the operation instruction is updated as follows:
{E(K 02 ,RAND 3 ),E(k 01 ,H(RAND 3 )),E(K 13 ,RAND 2 ),E(K 13 ,REQ),E(k 23 ,H(REQ,RAND 2 ))}
and thirdly, the vehicle enterprise cloud processes the received operation instruction. Using cloud private key k of vehicle enterprise 02 Decryption to obtain RAND 3 Using platform Yun Gong key K 01 Performing label verification processing if
H(D(k 02 ,E(K 02 ,RAND 3 )))=D(K 01 ,E(k 01, H(RAND 3 ))
The vehicle enterprise cloud completes identity authentication of the platform cloud, and confirms that the operation instruction is from the platform cloud. If the identity verification is not passed, rejecting the operation instruction. Thus, the cloud does not need to know the specific content of the operation instruction, but can record E (K 13 REQ) is used as a certificate. Generating random number RAND based on transformation information of operation instruction 4 Using the public key K at the vehicle end 13 For RAND 4 Encryption is performed to obtain E (K) 13 ,RAND 4 ) Using cloud private key k of vehicle enterprise 02 For RAND 4 Encryption is carried out on the information abstract of the vehicle enterprise cloud to obtain a signature E (k) of a vehicle end of the vehicle enterprise cloud 02 ,H(RAND 4 ))。
The vehicle enterprise cloud updates the conversion information of the operation instruction and sends the conversion information to the vehicle end, wherein the conversion information of the operation instruction is updated as follows:
{E(K 13 ,RAND 4 ),E(k 02 ,H(RAND 4 )),E(K 13 ,RAND 2 ),E(K 13 ,REQ).E(k 23 ,H(REQ,RAND 2 ))}
and finally, the vehicle end processes the received operation instruction. Using vehicle-end private key k 13 (Combined secret key)
Decryption to obtain RAND 4 Using a vehicle rabbet Yun Gong key K 02 Performing label verification processing if
H(D(k 13 ,E(K 13 ,RAND 4 )))=D(K 02 ,E(k 02, H(RAND 4 ))
The vehicle end completes the identity authentication of the vehicle enterprise cloud, and confirms that the decision information comes from the vehicle enterprise cloud. If the identity verification is not passed, rejecting the operation instruction. Using vehicle-end private key k 13 Decryption to obtain RAND 2 And REQ, using the public key K of the mobile phone 23 Performing label verification processing if
H(D(k 13 ,E(K 13 ,REQ)),D(k 13 ,E(K 13 ,RAND 2 )))=D(K 23 ,E(k 23 ,H(REQ,RAND 2 ) If the vehicle end completes the identity authentication of the mobile phone, the original operation instruction REQ is confirmed to come from the mobile phone, and the original operation instruction REQ is not tampered or replayed. If the identity verification is not passed, rejecting the operation instruction. The vehicle end gives an operation instruction to the ECU to execute, for example, turning on an air conditioner, starting an engine, remotely unlocking/locking a door, and the like.
After the vehicle end completes related operation according to the requirement of the operation instruction REQ, the execution result RES can be notified to the mobile end (mobile phone/vehicle owner) through a response processing flow. Generating two random numbers RAND 5 And RAND (RAND) 6 Using a vehicle rabbet Yun Gong key K 02 For RAND 5 Encryption is performed to obtain E (K) 02 ,RAND 5 ) Using a vehicle-end private key k 13 For RAND 5 The information abstract of (a) is encrypted to obtain a signature E (k) of a cloud of a vehicle-end vehicle-to-vehicle enterprise 13 ,H(RAND 5 ) A) is provided; using a mobile phone public key K 23 Respectively to RAND 6 And the execution result RES to obtain E (K) 23 ,RAND 6 ) And E (K) 23 RES) using a vehicle end private key k 13 For RES and RAND 6 The information abstract of the combined information is encrypted to obtain a signature E (k) of a vehicle end to a mobile phone 13 ,H(REQ,RAND 6 ))。
Further, the vehicle end sends the conversion information of the execution result processed by the collaborative identity authentication method to the vehicle enterprise cloud, and the conversion information of the execution result is as follows:
{E(K 02 ,RAND 5 ),E(k 13 ,H(FAND 5 )),E(K 23 ,RAND 6 ),E(K 23 ,RES),E(k 13 ,H(RES,RAND 6 ))}
and the vehicle enterprise cloud processes the received execution result. Using cloud private key k of vehicle enterprise 02 Decryption to obtain
RAND 5 Using the public key K at the vehicle end 13 Performing label verification processing if
H(D(k 02 ,E(K 02 ,RAND 5 )))=D(K 13 ,E(k 13 ,H(RAND 5 ))
The cloud of the vehicle enterprise completes the identity authentication of the vehicle end, and confirms that the execution result is from the vehicle end. If the identity verification is not passed, rejecting the operation instruction. The cloud of the vehicle enterprise does not need to know the specific content of the execution result, but can record E (K 23 RES) is used as a certificate. Generating random number RAND 7 Using platform Yun Gong key K 01 For RAND 7 Encryption is performed to obtain E (K) 01 ,RAND 7 ) Using cloud private key k of vehicle enterprise 02 For RAND 7 Encryption is carried out on the information abstract of the vehicle enterprise cloud to obtain a signature E (k) of the vehicle enterprise cloud to the platform cloud 02 ,H(RAND 7 ))。
The vehicle enterprise cloud sends the conversion information of the execution result processed by the collaborative identity authentication method to the platform cloud, and the conversion information of the execution result is updated as follows:
{E(K 01 ,RAND 7 ),E(k 02 ,H(RAND 7 )),E(K 23 ,RAND 6 ),E(K 23 ,RES),E(k 13 ,H(RES,RAND 6 ) Further, the platform cloud processes the received execution result. Using platform cloud private key k 01 Decryption to obtain RAND 7 Using a vehicle rabbet Yun Gong key K 02 Performing label verification processing if
H(D(k 01 ,E(K 01 ,RAND 7 )))=D(K 02 ,E(k 02 ,H(RAND 7 ))
The platform cloud completes identity authentication of the vehicle enterprise cloud, and confirms that the execution result comes from the vehicle enterprise cloud. The platform cloud does not need to know the specific content of the execution result, but can record the execution result including E (K 23 RES) is used as a certificate. If the identity verification is not passed, rejecting the operation instruction. Generating random number RAND based on execution result 8 Using a mobile phone public key K 23 For RAND B Encryption is performed to obtain E (K) 23 ,RAND 8 ) Using platform cloud private key k 01 For RAND 8 Is encrypted to obtain a signature E (k) of the platform cloud to the mobile phone 01 ,H(RAND 8 ))。
Further, the platform cloud sends the conversion information of the execution result processed by the collaborative identity authentication method to the mobile phone, and the conversion information of the execution result is updated as follows:
{E(K 23 ,RAND 8 ),E(k 01 ,H(RAND 8 )),E(K 23 ,RAND 6 ),E(K 23 ,RES),E(k 13 ,H(RES,RAND 6 ) And) the mobile phone processes the received execution result. Using handset private key k 23 Decryption to obtain RAND 8 Using platform Yun Gong key K 01 Performing label verification processing if
H(D(k 23 ,E(K 23 ,RAND 8 )))=D(K 01 ,E(k 01 ,H(RAND 8 ))
The mobile phone completes identity authentication of the platform cloud, and confirms that the execution result is from the platform cloud. If the identity verification is not passed, rejecting the operation instruction. Using handset private key k 23 Decryption to obtain RAND 6 And RES, using vehicle-end public key K 13 Performing label verification processing if
H(D(k 23 ,E(K 23 ,RES)),D(k 23 ,E(K 23 ,RAND 6 )))=D(K 13 ,E(k 13 ,H(RES,RAND 6 )))
The mobile phone completes the identity authentication of the vehicle end, confirms that the original execution result RES comes from the vehicle end and is not tampered or replayed. The mobile phone can record the execution result and/or display the execution result to the vehicle owner.
Therefore, through the transmission of the operation instruction and the execution result, four bidirectional identity authentication processes required in the remote control business interaction process are completed, the four-way mutual trust relationship is ensured, the verification of the platform cloud and the vehicle enterprise cloud on the remote control behavior is completed, and the confidentiality, the integrity and the replay resistance of the original operation instruction and the execution result information are ensured. For a mobile terminal (mobile phone) and a vehicle terminal, a combined secret key is adopted to prove the binding relation of the terminal card.
Because the internet of vehicles remote control application must ensure the security trust between related service participants, in the embodiment, the internet of vehicles collaborative identity authentication method based on elliptic curve algorithm is adopted, so that the security requirements of identity authentication of the related service participants for establishing mutual trust relationship, confidentiality, integrity, replay resistance, behavior repudiation resistance and the like of related data can be met, and the number of the identity authentication processes is kept at N level; and meanwhile, the end card binding relation of the end device is also verified by using the combined secret key.
Referring to fig. 8, fig. 8 is an interaction schematic diagram of a service scenario of ordering a service of internet of vehicles by using the identity authentication method of the present invention. In this embodiment, through an in-vehicle infotainment system (IVI), a driver may subscribe to an information service on a vehicle-enterprise service platform, or may subscribe to an information service on a vehicle-networking service platform through a vehicle-enterprise service platform, such as a traffic information subscription, an audio/video service on-demand, and the like. The driver who actually performs the service order operation may not be the owner of the vehicle (e.g., a child riding a car or a friend who uses a car by borrowing the car, etc.), and thus the service order (particularly the paid service order) should be confirmed by the owner of the vehicle.
The driver uses the IVI to browse and select the information entertainment business of the vehicle enterprise service platform (vehicle enterprise cloud), if the business of the driver browsing or selecting order is not provided by the vehicle enterprise cloud, but provided by the vehicle networking service platform (Ping Taiyun), the vehicle enterprise cloud guides the driver to the platform cloud for corresponding operation. Because the occupant may not be the owner of the vehicle, certain operations (e.g., payment service subscriptions) must be confirmed by the owner of the vehicle.
In the service order confirmation process of the service order service scene application example of the internet of vehicles, the mobile terminal (vehicle owner) is a decision maker, the vehicle terminal (IVI) and the vehicle enterprise service platform (vehicle enterprise cloud) are forwarders, and the internet of vehicles service platform (Ping Taiyun) is an executor. The operator is not considered in the flowchart, although the operator is the initiator of the service subscription, but cannot intervene in the normal service subscription confirmation process flow (of course, the actual service subscription flow may allow the operator to terminate the service subscription at any time). The application flow is briefly described as follows:
First, a driver interacts with a vehicle enterprise cloud and a platform cloud through a vehicle end IVI to browse and purchase information entertainment services. Assuming that the rider selects to subscribe to the audio/video on demand service provided by the platform cloud, when the platform cloud asks the rider to confirm the service subscription, the rider confirms the service subscription (although the service subscription may be terminated by rejecting it).
After the driver selects to confirm the service subscription, the vehicle end (IVI) sends a request for confirming the service subscription to the mobile phone (mobile end) of the vehicle owner because the service subscription needs to be confirmed by the vehicle owner. The mobile phone displays the confirmed service subscription request to the vehicle owner; the owner makes a decision (e.g., agrees or refuses) to confirm the service subscription request as a subscription decision.
And secondly, the mobile phone adopts a collaborative identity authentication method to process the subscription decision of the vehicle owner. Generating two random numbers RAND 1 And RAND (RAND) 2 Using the public key K at the vehicle end 13 (Combined Key) pair RAND 1 Encryption is performed to obtain E (K) 13 ,RAND 1 ) Using mobile terminal (handset) private key k 23 (Combined Key) pair RAND 1 Is encrypted to obtain the signature E (k) of the mobile phone vehicle-feeding end 23 ,H(RAND 1 ) A) is provided; using platform public key K 01 Respectively to RAND 2 Encryption is carried out with decision information REQ (order decision) to obtain E (K) 01 ,RAND 2 ) And E (K) 01 REQ), using a handset private key k 23 For REQ and RAND 2 Information summary addition of combined informationSecret, obtain signature E (k) of mobile phone to platform cloud 23 ,H(REQ,RAND 2 ))。
Further, the mobile phone sends the order decision transformation information processed by the collaborative identity authentication method to the vehicle end, and the order decision transformation information is updated as follows:
{E(K 13 ,RAND 1 ),E(k 23 ,H(RAND 1 )),E(K 01 ,RAND 2 ),E(K 01 ,REQ),E(k 23 ,H(REQ,RAND 2 ))}
the vehicle end processes the received ordering decision. Using vehicle-end private key k 13 (Combined Key) decryption to obtain RAND 1 Using a mobile phone public key K 23 (Combined key) signature verification process, if
H(D(k 13 ,E(K 13 ,RAND 1 )))=D(K 23 ,E(k 23 ,H(RAND 1 ))
The vehicle end completes the identity authentication of the mobile phone and confirms that the order decision comes from the mobile phone. If the authentication is not passed, rejecting the subscription decision. The vehicle side does not need to know the specific content of the subscription decision, but can record E (K 01 REQ) is used as a certificate. Generating random number RAND 3 Public key K using vehicle enterprise service platform (vehicle enterprise cloud) 02 For RAND 3 Encryption is performed to obtain E (K) 02 ,RAND 3 ) Using a vehicle-end private key k 13 For RAND 3 The information abstract of (a) is encrypted to obtain a signature E (k) of a cloud of a vehicle-end vehicle-to-vehicle enterprise 13 ,H(RAND 3 ))。
Further, the vehicle end sends the order decision transformation information processed by the collaborative identity authentication method to the vehicle enterprise cloud, and the order decision transformation information is updated as follows:
{E(K 02 ,RAND 3 ),E(k 13 ,H(RAND 3 )),E(K 01, RAND 2 ),E(K 01 ,REQ),E(k 23 ,H(REQ,RAND 2 ))}
The vehicle enterprise cloud processes the received ordering decisions. Using cloud private key k of vehicle enterprise 02 Decryption to obtain RAND 3 Using the public key K at the vehicle end 13 Performing label verification processing if
H(D(k 02 ,E(K 02 ,RAND 3 )))=D(K 13 ,E(k 13 ,H(RAND 3 ))
The cloud of the vehicle enterprise completes the identity authentication of the vehicle end, and confirms that the ordering decision comes from the vehicle end. If the authentication is not passed, rejecting the subscription decision. Thus, the cloud does not need to know the specific content of the order decision, but can record information including E (K 01 REQ) is used as a certificate. Generating random number RAND 4 Using platform Yun Gong key K 01 For RAND 4 Encryption is performed to obtain E (K) 01 ,RAND 4 ) Using cloud private key k of vehicle enterprise 02 For RAND 4 Encryption is carried out on the information abstract of the vehicle enterprise cloud to obtain a signature E (k) of the vehicle enterprise cloud to the platform cloud 02 ,H(RAND 4 ))。
Further, the vehicle enterprise cloud sends the order decision transformation information processed by the collaborative identity authentication method to the platform cloud, and the order decision transformation information is updated as follows:
{E(K 01 ,RAND 4 ),E(k 02 ,H(RAND 4 )),E(K 01 ,RAND 2 ),E(K 01 ,REQ),E(k 23 ,H(REQ,RAND 2 ) The platform cloud processes the received subscription decisions. Using platform cloud private key k 01 Decryption to obtain RAND 4 Using a vehicle rabbet Yun Gong key K 02 Performing label verification processing if
H(D(k 01 ,E(K 01 ,RAND 4 )))=D(K 02 ,E(k 02 ,H(RAND 4 ))
The platform cloud completes identity authentication of the vehicle enterprise cloud, and confirms that the ordering decision comes from the vehicle enterprise cloud. If the authentication is not passed, rejecting the subscription decision. Using platform cloud private key k 01 Decryption to obtain RAND 2 And REQ, using the public key K of the mobile phone 23 Performing label verification processing if
H(D(k 01 ,E(K 01 ,REQ)),D(k 01 ,E(K 01 ,RAND 2 )))=D(K 23 ,E(k 23 ,H(REQ,RAND 2 )))
The platform cloud completes the identity authentication of the handset, confirms that the original subscription decision REQ comes from the handset and is not tampered or replayed. If the authentication is not passed, rejecting the subscription decision. The platform cloud will process the service subscription according to the subscription decision, e.g. confirm the subscription and open.
After the platform cloud finishes related operations according to the request of the subscription decision REQ, the subscription result RES can be notified to the mobile terminal (mobile phone/vehicle owner) through a response processing flow. Generating two random numbers RAND 5 And RAND (RAND) 6 Using a vehicle rabbet Yun Gong key K 02 For RAND 5 Encryption is performed to obtain E (K) 02 ,RAND 5 ) Using platform cloud private key k 01 For RAND 5 Encryption is carried out on the information abstract of the platform cloud to obtain a signature E (k) of the platform cloud vehicle-giving enterprise cloud 01 ,H(RAND 5 ) A) is provided; using a mobile phone public key K 23 Respectively to RAND 6 And the order result RES to obtain E (K) 23 ,RAND 6 ) And E (K) 23 RES), using platform cloud private key K 01 For RES and RAND 6 Encrypting the information abstract of the combined information to obtain a signature E (k) of the platform cloud to the mobile phone 01 ,H(REQ,RAND 6 ))。
Further, the platform cloud sends the ordering result conversion information processed by the collaborative identity authentication method to the vehicle enterprise cloud, and the conversion information of the execution result is updated as follows:
{E(K 02 ,RAND 5 ),E(k 01 ,H(RAND 5 )),E(K 23 ,RAND 6 ),E(K 23 ,RES),E(k 01 ,H(RES,RAND 6 ) And (3) the vehicle enterprise cloud processes the received ordering result. Using cloud private key k of vehicle enterprise 02 Decryption to obtain RAND 5 Using platform Yun Gong key K 01 Performing label verification processing if
H(D(k 02 ,E(K 02 ,RAND 5 )))=D(K 01 ,E(k 01 ,H(RAND 5 ))
Vehicle enterprise cloudAnd (3) completing identity authentication of the platform cloud, and confirming that the ordering result comes from the platform cloud. If the authentication is not passed, rejecting the subscription decision. The cloud of the vehicle enterprise does not need to know the specific content of the ordering result, but can record E (K) 23 RES) is used as a certificate. Generating random number RAND 7 Using the public key K at the vehicle end 13 For RAND 7 Encryption is performed to obtain E (K) 13 ,RAND 7 ) Using cloud private key k of vehicle enterprise 02 For RAND 7 Encryption is carried out on the information abstract of the vehicle enterprise cloud to obtain a signature E (k) of a vehicle end of the vehicle enterprise cloud 02 ,H(RAND 7 ))。
Further, the vehicle enterprise cloud sends the ordering result conversion information processed by the collaborative identity authentication method to the vehicle end, and the conversion information of the execution result is updated as follows:
{E(K 13 ,RAND 7 ),E(k 02 ,H(RAND 7 )),E(K 23 ,RAND 6 ),E(K 23 ,RES),E(k 01 ,H(RES,RAND 6 ))}
and the vehicle end processes the received ordering result. Using vehicle-end private key k 13 Decryption to obtain RAND 7 Using a vehicle rabbet Yun Gong key K 02 Performing label verification processing if
H(D(k 13 ,E(K 13 ,RAND 7 )))=D(K 02 ,E(k 02 ,H(RAND 7 ))
The vehicle end completes the identity authentication of the vehicle enterprise cloud, and confirms that the ordering result comes from the vehicle enterprise cloud. If the authentication is not passed, rejecting the subscription decision. The vehicle end does not need to know the specific content of the ordering result, but can record E (K 23 RES) is used as a certificate. Generating random number RAND 8 Using a mobile phone public key K 23 For RAND 8 Encryption is performed to obtain E (K) 23 ,RAND 8 ) Using a vehicle-end private key k 13 For RAND 8 Is encrypted to obtain the signature E (k) 13 ,H(RAND 8 ))
The vehicle end sends the ordering result conversion information processed by the collaborative identity authentication method to the mobile phone, wherein the ordering result conversion information is as follows:
{E(K 23 ,RAND 8 ),E(k 13 ,H(RAND 8 )),E(K 23 ,RAND 6 ),E(K 23 ,RES),E(k 01 ,H(RES,RAND 6 ))}
further, the mobile phone processes the received ordering result. Using handset private key k 23 Decryption to obtain RAND 8 Using the public key K at the vehicle end 13 Performing label verification processing if
H(D(k 23 ,E(K 23 ,RAND 8 )))=D(K 13 ,E(k 13 ,H(RAND 8 ))
The mobile phone completes the identity authentication of the vehicle end and confirms that the ordering result is from the vehicle end. If the authentication is not passed, rejecting the subscription decision. Using handset private key k 23 Decryption to obtain RAND 6 And RES, using platform Yun Gong key K 01 Performing label verification processing if
H(D(k 23 ,E(K 23 ,RES)),D(k 23 ,E(K 23 ,RAND 6 )))=D(K 01 ,E(k 01 ,H(RES,RAND 6 )))
The mobile phone completes identity authentication on the platform cloud, confirms that the original subscription result RES comes from the platform cloud and is not tampered or replayed. The mobile phone can record the ordering result and the like.
And finally, the mobile phone displays the ordering result to the vehicle owner. If the owner's subscription decision is to agree to subscribe to the service, and the platform cloud also successfully completes the service subscription process and service activation, the rider may begin using the service, such as beginning to play the on-demand audio-video program.
Through the delivery of the ordering decision and the ordering result, the confirmation flow of the business ordering vehicle owner required in the business ordering business interaction process is completed, the four-way mutual trust relationship is ensured through four-way identity authentication processes, meanwhile, the verification of the business ordering confirmation action of the vehicle enterprise cloud and the vehicle end is completed, and the confidentiality, the integrity and the replay resistance of the original ordering decision and the ordering result information are ensured. For a mobile terminal (mobile phone) and a vehicle terminal, a combined secret key is adopted to prove the binding relation of the terminal card.
Because the internet of vehicles remote control application must ensure the security trust between related service participants, in the embodiment, the internet of vehicles collaborative identity authentication method based on elliptic curve algorithm is adopted, so that the security requirements of identity authentication of the related service participants for establishing mutual trust relationship, confidentiality, integrity, replay resistance, behavior repudiation resistance and the like of related data can be met, and the number of the identity authentication processes is kept at N level; and meanwhile, the end card binding relation of the end device is also verified by using the combined secret key.
Referring to fig. 9, fig. 9 is a schematic diagram of functional modules of the identity authentication system of the present invention. The identity authentication system comprises:
the key set generating module 10 is configured to set a public-private key pair for a preset service participant to obtain a public-private key pair set, where the public-private key pair set includes a card public-private key pair and a terminal public-private key pair;
A combined key generating module 20, configured to generate a combined public-private key pair based on the card public-private key pair and the end public-private key pair;
the identity verification module 30 is configured to, when receiving a first preset request, verify identity information corresponding to the first preset request based on the public-private key pair set and the combined public-private key pair.
The principle and implementation process of identity authentication are realized in this embodiment, please refer to the above embodiments, and are not repeated here.
In addition, the embodiment of the invention also provides a terminal device, which comprises a memory, a processor and an identity authentication program stored in the memory and capable of running on the processor, wherein the identity authentication program realizes the steps of the identity authentication method when being executed by the processor.
Because the identity authentication program is executed by the processor and adopts all the technical schemes of all the embodiments, the identity authentication program at least has all the beneficial effects brought by all the technical schemes of all the embodiments and is not described in detail herein.
In addition, the embodiment of the invention also provides a computer readable storage medium, wherein the computer readable storage medium stores an identity authentication program, and the identity authentication program realizes the steps of the identity authentication method when being executed by a processor.
Because the identity authentication program is executed by the processor and adopts all the technical schemes of all the embodiments, the identity authentication program at least has all the beneficial effects brought by all the technical schemes of all the embodiments and is not described in detail herein.
Compared with the prior art, the identity authentication method, the system, the terminal equipment and the storage medium provided by the invention have the advantages that the public and private key pair is set for the preset service participants to obtain the public and private key pair set, wherein the public and private key pair set comprises a card public and private key pair and a terminal public and private key pair; generating a combined public-private key pair based on the card public-private key pair and the terminal public-private key pair; when a first preset request is received, based on the public and private key pair set and the combined public and private key pair, verifying identity information corresponding to the first preset request. The invention aims to solve the problem of end card separation, improve the safety of the business process and reduce the complexity of the business process.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or method that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or method. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or method that comprises the element.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) as above, comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, a controlled terminal, or a network device, etc.) to perform the method of each embodiment of the present invention.
The foregoing description is only of the preferred embodiments of the present invention, and is not intended to limit the scope of the invention, but rather is intended to cover any equivalents of the structures or equivalent processes disclosed herein or in the alternative, which may be employed directly or indirectly in other related arts.

Claims (10)

1. An identity authentication method, characterized in that the method comprises the following steps:
setting public and private key pairs for preset service participants to obtain a public and private key pair set, wherein the public and private key pair set comprises card public and private key pairs and terminal public and private key pairs;
generating a combined public-private key pair based on the card public-private key pair and the terminal public-private key pair;
when a first preset request is received, based on the public and private key pair set and the combined public and private key pair, verifying identity information corresponding to the first preset request.
2. The identity authentication method according to claim 1, wherein the preset service participant includes an initiator and a receiver, and the step of verifying the identity information corresponding to the first preset request based on the public-private key pair set and the combined public-private key pair includes:
based on the public and private key pair set and the combined public and private key pair, encrypting the first preset request by the initiator to obtain decision information;
and verifying the identity information corresponding to the decision information through the receiver based on the public and private key pair set and the combined public and private key pair.
3. The identity authentication method of claim 2, wherein the step of generating a combined public-private key pair based on the card public-private key pair and the terminal public-private key pair comprises:
When the receiver receives a second preset request, the receiver sends the second preset request to the initiator;
receiving a first preset request generated by the initiator based on the second preset request, and executing the steps: and verifying the identity information corresponding to the first preset request based on the public and private key pair set and the combined public and private key pair.
4. The identity authentication method according to claim 2, wherein the receiving party includes a first party and a second party, and the step of verifying, by the receiving party, the identity information corresponding to the decision information based on the public-private key pair set and the combined public-private key pair includes:
verifying signature information generated based on a public-private key pair of the first participant in the decision information through the first participant;
if the verification is passed, the decision information is sent to the second party through the first party;
and verifying signature information generated based on the combined public and private key pair of the second party in the decision information through the second party.
5. The identity authentication method according to claim 2, wherein the step of obtaining decision information by encrypting the first preset request by the initiator based on the public-private key pair set and the combined public-private key pair includes:
Generating a first random number and a second random number based on the first preset request;
generating combined information based on the first preset request and the second random number;
and obtaining the decision information based on the first random number, the second random number, the combined information, the first preset request, the public and private key pair set and the combined public and private key pair.
6. The authentication method of claim 4, wherein the step of transmitting the decision information by the first party to the second party is preceded by:
generating a third random number based on the decision information;
encrypting the third random number based on the combined public-private key pair of the second party to obtain a first signature;
based on the first signature, the decision information is updated.
7. The identity authentication method of claim 1, wherein the step of generating a combined public-private key pair based on the card public-private key pair and the terminal public-private key pair comprises:
sending the public key of the public-private key pair set to the preset service participant;
and sending the public key of the combined public and private key pair to the preset participant.
8. An identity authentication system, comprising:
the key set generation module is used for setting public and private key pairs for preset service participants to obtain a public and private key pair set, wherein the public and private key pair set comprises a card public and private key pair and a terminal public and private key pair;
the combined key generation module is used for generating a combined public and private key pair based on the card public and private key pair and the terminal public and private key pair;
and the identity verification module is used for verifying the identity information corresponding to the first preset request based on the public and private key pair set and the combined public and private key pair when the first preset request is received.
9. A terminal device, characterized in that it comprises a memory, a processor and an identity authentication method stored on the memory and executable on the processor, the identity authentication program, when executed by the processor, implementing the steps of the identity authentication method according to any one of claims 1-7.
10. A computer-readable storage medium, wherein an authentication program is stored on the computer-readable storage medium, which when executed by a processor, implements the steps of the authentication method according to any one of claims 1-7.
CN202210582155.5A 2022-05-26 2022-05-26 Identity authentication method, system, terminal equipment and storage medium Pending CN117176332A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210582155.5A CN117176332A (en) 2022-05-26 2022-05-26 Identity authentication method, system, terminal equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210582155.5A CN117176332A (en) 2022-05-26 2022-05-26 Identity authentication method, system, terminal equipment and storage medium

Publications (1)

Publication Number Publication Date
CN117176332A true CN117176332A (en) 2023-12-05

Family

ID=88934092

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210582155.5A Pending CN117176332A (en) 2022-05-26 2022-05-26 Identity authentication method, system, terminal equipment and storage medium

Country Status (1)

Country Link
CN (1) CN117176332A (en)

Similar Documents

Publication Publication Date Title
CN110311883B (en) Identity management method, device, communication network and storage medium
CN108564353B (en) Payment system and method based on block chain
CN111970129B (en) Data processing method and device based on block chain and readable storage medium
CN109391631B (en) Internet of vehicles anonymous authentication system and method with controllable links
CN110290525A (en) A kind of sharing method and system, mobile terminal of vehicle number key
CN104683112B (en) A kind of car car safety communicating method that certification is assisted based on RSU
EP1610202B1 (en) Using a portable security token to facilitate public key certification for devices in a network
CN110177354A (en) A kind of wireless control method and system of vehicle
WO2018040758A1 (en) Authentication method, authentication apparatus and authentication system
CN110235424A (en) For providing the device and method with managing security information in a communications system
CN110958209B (en) Bidirectional authentication method, system and terminal based on shared secret key
CN111212400B (en) Anti-quantum computing internet-of-vehicle system based on secret sharing and mobile terminal and authentication method thereof
CN105450623B (en) A kind of access authentication method of electric car
WO2021120924A1 (en) Method and device for certificate application
WO2019056971A1 (en) Authentication method and device
WO2023221591A1 (en) Data transmission method, and related apparatus, device and storage medium
CN113541970A (en) Method and system for using distributed identifier
CN108076016B (en) Authentication method and device between vehicle-mounted devices
CN111182497A (en) V2X anonymous authentication method, device and storage medium
CN108632037B (en) Public key processing method and device of public key infrastructure
WO2004071123A1 (en) Radio ad hoc communication system, terminal, attribute certificate issuing proposal method and attribute certificate issuing request method at the terminal, and a program for executing the methods
CN113676478B (en) Data processing method and related equipment
CN117439740A (en) In-vehicle network identity authentication and key negotiation method, system and terminal
CN116614811A (en) Distributed information authentication method and system for Internet of vehicles
CN116828451A (en) Block chain-based network connection motorcade identity authentication method, device and medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination