CN117528194A - Video front-end equipment authentication method and system based on SM9 cryptographic algorithm - Google Patents


Info

Publication number: CN117528194A
Application number: CN202311516761.8A
Authority: CN (China)
Prior art keywords: video, key, equipment, encryption, service platform
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 林兵, 颜燕, 迟明辉, 黄晓微, 蔡爱群
Current assignee: China Unicom Guangdong Industrial Internet Co Ltd
Original assignee: China Unicom Guangdong Industrial Internet Co Ltd
Application filed by China Unicom Guangdong Industrial Internet Co Ltd
Priority to CN202311516761.8A
Publication of CN117528194A


Abstract

The invention provides a video front-end device authentication method and system based on the SM9 national cryptographic algorithm. The method comprises the following steps: the front-end video device downloads an SM9 identity key; the front-end video device and the video encryption subsystem perform mutual authentication based on an identity-based cryptographic algorithm; the front-end video device encrypts the surveillance video data with the SM4 algorithm and transmits the encrypted surveillance video data to the video encryption subsystem; and the video encryption subsystem decrypts the encrypted surveillance video data and transmits the decrypted surveillance video data to the video user terminal. Adopting the national cryptographic standards raises the degree of standardization and reduces technical weaknesses; mutual authentication between the front-end video device and the video encryption subsystem based on the SM9 algorithm ensures the authenticity of the accessing device and effectively prevents access by malicious devices and illegal control of the front-end device; and encrypting the surveillance video data for transmission with the national cryptographic algorithms avoids the risk of data leakage, which solves the problem of poor security in conventional video surveillance systems.

Description

Video front-end equipment authentication method and system based on SM9 cryptographic algorithm
Technical Field
The invention relates to the technical field of video authentication, and in particular to a method and system for authenticating video front-end devices based on the SM9 national cryptographic algorithm.
Background
With the development of information technology, video surveillance is moving toward networked and intelligent surveillance, and related applications are spread across every scene of city and daily life. Because video surveillance is IP (Internet Protocol) based, networked and standardized, it is more exposed to network attack: once a hacker controls the video surveillance devices and the management service platform, video data can be intercepted, and by forging an identity to take over device control the hacker can even launch a sustained network attack against a specific target, causing serious consequences such as network paralysis, service outage and privacy leakage.
However, most current video surveillance deployments do not adopt a system of video security authentication, video signaling and data encryption, which gives rise to the following problems:
1. Illegal access by unauthorized users: because the current video surveillance system cannot guarantee the authenticity of a user's identity or control the user's access, illegal access by an unauthorized user can leak sensitive video content;
2. Illegal access to front-end video devices: because the current video surveillance system cannot guarantee the authenticity of the identity of the front-end video devices connected to it, counterfeit devices can be connected illegally and false video implanted; the video a user retrieves cannot be guaranteed to come from the requested device rather than from some other counterfeit device, so the credibility of the source cannot be guaranteed;
3. Illegal access to the management platform server devices: because the current video surveillance system cannot guarantee the authenticity of the identity of the platform server devices, illegal access to the server devices can divert sensitive video content;
4. Illegal control of front-end video devices: because the existing video surveillance system cannot guarantee the integrity of the signaling content, that is, cannot ensure that tampering with the signaling is detected, illegal control of a device can cause the front-end video device to point at the wrong surveillance angle, stop working, or send the captured video to an unauthorized destination;
5. Illegal tampering with the video content generated by front-end video devices: because the existing video surveillance system cannot guarantee the integrity of the video content or prevent it from being tampered with, the video content of a front-end video device can be illegally tampered with and altered;
6. Illegal acquisition of the video content generated by front-end video devices: because the current video surveillance system cannot guarantee the confidentiality of the video content or ensure that the video and audio content is not stolen or leaked, illegal acquisition of video content can leak sensitive video content.
In view of the above security risks, there is a strong need to construct a secure video surveillance system that protects the security of video data over its full life cycle.
Disclosure of Invention
The object of the invention is to provide a video front-end device authentication method and system based on the SM9 national cryptographic algorithm, so as to solve the problem of poor security in conventional video surveillance systems.
To solve the above technical problem, the invention provides a video front-end device authentication method based on the SM9 national cryptographic algorithm, comprising the following steps:
the front-end video device downloads an SM9 identity key, using security encryption measures to complete the request, download, transmission and storage of the front-end video device's SM9 private key;
the front-end video device and the video encryption subsystem perform mutual authentication based on identity-based cryptography;
the front-end video device encrypts the surveillance video data with the SM4 algorithm and transmits the encrypted surveillance video data to the video encryption subsystem;
the video encryption subsystem decrypts the encrypted surveillance video data and transmits the decrypted surveillance video data to the video user terminal.
Optionally, in the video front-end device authentication method based on the SM9 national cryptographic algorithm, the front-end video device downloads the SM9 identity key as follows:
the front-end video device initiates an SM9 key request to the unified cryptographic service platform, using security encryption measures to complete the request, download, transmission and storage of the front-end video device's SM9 private key;
the unified cryptographic service platform checks the MAC value, requests the KGC (key generation center) to generate the SM9 key ciphertext data, and transmits the front-end video device's SM9 key ciphertext data using security encryption measures;
the front-end video device receives the SM9 key ciphertext data and decrypts it to obtain the front-end video device's SM9 private key;
the front-end video device stores the front-end video device's SM9 private key using security encryption measures.
Optionally, in the video front-end device authentication method based on the SM9 national cryptographic algorithm, the front-end video device initiates the SM9 key request to the unified cryptographic service platform as follows:
the front-end video device integrates an SDK in which a device root key is stored;
the front-end video device calls the SDK's SM2 ephemeral key-pair generation interface to obtain an SM2 ephemeral public key;
the front-end video device establishes an access token with the unified cryptographic service platform and initiates the SM9 key request to the platform.
Optionally, in the video front-end device authentication method based on the SM9 national cryptographic algorithm, the unified cryptographic service platform checks the MAC value and requests the KGC to generate the SM9 key ciphertext data as follows:
the front-end video device calls the SDK's HMAC algorithm to compute a MAC value;
the front-end video device requests an SM9 key from the unified cryptographic service platform, carrying the SM2 ephemeral public key, the device Mac+ID and the MAC value;
the unified cryptographic service platform verifies the MAC value and generates the SM9 private key according to the device Mac+ID;
the unified cryptographic service platform encrypts the SM9 private key with the SM2 ephemeral public key to obtain the SM9 key ciphertext data.
Optionally, in the video front-end device authentication method based on the SM9 national cryptographic algorithm, the front-end video device and the video encryption subsystem perform mutual authentication based on identity-based cryptography as follows:
the front-end video device initiates a registration request to the video encryption subsystem;
the video encryption subsystem generates a first random number and sends it to the front-end video device;
the front-end video device derives a first signature value from the first random number and initiates the registration request to the video encryption subsystem again;
the video encryption subsystem verifies the first signature value and obtains a second signature value;
the front-end video device receives the second signature value and verifies it.
Optionally, in the video front-end device authentication method based on the SM9 national cryptographic algorithm, the front-end video device derives the first signature value from the first random number and re-initiates the registration request to the video encryption subsystem as follows:
the front-end video device generates a second random number;
the front-end video device digitally signs the first random number, the second random number and the server ID with its SM9 private key to obtain the first signature value;
the front-end video device initiates the registration request to the video encryption subsystem again, carrying the first random number, the second random number, the first signature value and the server ID.
Optionally, in the video front-end device authentication method based on the SM9 national cryptographic algorithm, the video encryption subsystem verifies the first signature value and obtains the second signature value as follows:
the video encryption subsystem verifies the validity of the first random number, the server ID and the first signature value;
the video encryption subsystem calls the unified cryptographic service platform to verify the first signature value;
the unified cryptographic service platform digitally signs the first random number, the second random number and the identity of the front-end video device with an SM9 private key to obtain the second signature value;
and the unified cryptographic service platform returns the signature verification result and the second signature value to the video encryption subsystem.
Optionally, in the video front-end device authentication method based on the SM9 national cryptographic algorithm, the front-end video device encrypts the surveillance video data with the SM4 algorithm and transmits the encrypted surveillance video data to the video encryption subsystem as follows:
the front-end video device randomly generates a 128-bit video encryption key;
the front-end video device encrypts the surveillance video data with this encryption key to obtain the encrypted surveillance video data;
the front-end video device calls the unified cryptographic service platform and encrypts the video encryption key with an SM9 public key provided by the platform;
the front-end video device symmetrically encrypts the video stream data with the stream key and transmits the encrypted surveillance video data to the video encryption subsystem.
Optionally, in the video front-end device authentication method based on the SM9 national cryptographic algorithm, the video encryption subsystem decrypts the encrypted surveillance video data and transmits the decrypted surveillance video data to the video user terminal as follows:
the video encryption subsystem calls the unified cryptographic service platform and downloads the SM9 private key corresponding to that SM9 public key;
the video encryption subsystem decrypts the encrypted encryption key with the SM9 private key to recover the encryption key;
the video encryption subsystem decrypts the surveillance video data with the encryption key to obtain the surveillance video data;
and the video encryption subsystem transmits the decrypted surveillance video data to the video user terminal.
To solve the above technical problem, the invention also provides a video front-end device authentication system based on the SM9 national cryptographic algorithm, which implements the above authentication method. The system comprises a front-end video device, a video encryption subsystem, a video user terminal and a unified cryptographic service platform. The video user terminal communicates with the front-end video device through the video encryption subsystem to obtain the front-end video device's surveillance video; the video encryption subsystem decrypts, stores, accesses and manages the front-end video device's surveillance video through the unified cryptographic service platform; and the unified cryptographic service platform comprises a cryptographic resource pool, which creates keys and manages and monitors the data generated by the platform.
The invention thus provides a video front-end device authentication method and system based on the SM9 national cryptographic algorithm, comprising the following steps: the front-end video device downloads an SM9 identity key, using security encryption measures to complete the request, download, transmission and storage of the front-end video device's SM9 private key; the front-end video device and the video encryption subsystem perform mutual authentication based on identity-based cryptography; the front-end video device encrypts the surveillance video data with the SM4 algorithm and transmits the encrypted surveillance video data to the video encryption subsystem; and the video encryption subsystem decrypts the encrypted surveillance video data and transmits the decrypted surveillance video data to the video user terminal. By selecting the national standard cryptographic technology, the degree of standardization is high and technical weaknesses are few; by performing mutual authentication between the front-end video device and the video encryption subsystem based on the SM9 algorithm, the authenticity of the accessing front-end video device is ensured, and video leakage and the malicious implantation of unrelated video caused by malicious device access, illegal control of the front-end device and similar problems are effectively prevented; and by encrypting the surveillance video data for transmission with the national cryptographic algorithms, malicious theft of video is effectively prevented, the risk of data leakage is avoided, and the problem of poor security in conventional video surveillance systems is solved.
Drawings
Fig. 1 is a flowchart of the video front-end device authentication method based on the SM9 national cryptographic algorithm provided in this embodiment;
Fig. 2 is a logic diagram of the method by which the front-end video device downloads the cryptographic key according to this embodiment;
Fig. 3 is a logic diagram of the detailed method by which the front-end video device downloads the cryptographic key according to this embodiment;
Fig. 4 is a logic diagram of the method by which the front-end video device and the video encryption subsystem perform mutual authentication according to this embodiment;
Fig. 5 is a logic diagram of the detailed method by which the front-end video device and the video encryption subsystem perform mutual authentication according to this embodiment;
Fig. 6 is a logic diagram of the method for encrypting and decrypting the surveillance video data according to this embodiment;
Fig. 7 is a logic diagram of the detailed method for encrypting and decrypting the surveillance video data according to this embodiment;
Fig. 8 is a schematic structural diagram of the video front-end device authentication system based on the SM9 algorithm of this embodiment.
Detailed Description
The video front-end device authentication method and system based on the SM9 national cryptographic algorithm provided by the invention are described in further detail below with reference to the accompanying drawings and specific embodiments. Note that the drawings are in a very simplified form and not to precise scale; they serve only to aid a convenient and clear description of the embodiments of the invention. Furthermore, the structures shown in the drawings are often only part of the actual structures; in particular, the drawings place their emphasis on illustrating the various embodiments.
It should be noted that the terms "first", "second", etc. in the description, claims and drawings of the present invention are used to distinguish similar objects in describing the embodiments, not to describe a specific order or sequence; the structures so designated may be interchanged under appropriate circumstances. Furthermore, the terms "comprises", "comprising" and "having", and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article or apparatus.
SM9 is an identity-based cryptographic algorithm built on an asymmetric cryptosystem, similar to SM2. As with other identity-based cryptographic algorithms, the security of SM9 rests on the properties of bilinear pairings on elliptic curves. Unlike the SM2 algorithm in the traditional sense, SM9 does not require applying for a digital certificate, so it has many advantages over a traditional public-key cryptosystem, such as dispensing with certificate management. Under the same security environment it not only saves a large amount of expense but also greatly improves authentication efficiency, which makes it more practical for authenticating massive numbers of terminals.
On this basis, the present embodiment provides a video front-end device authentication method based on the SM9 national cryptographic algorithm which, as shown in Fig. 1, includes:
S1, the front-end video device downloads an SM9 identity key, using security encryption measures to complete the request, download, transmission and storage of the front-end video device's SM9 private key;
S2, the front-end video device and the video encryption subsystem perform mutual authentication based on identity-based cryptography;
S3, the front-end video device encrypts the surveillance video data with the SM4 algorithm and transmits the encrypted surveillance video data to the video encryption subsystem;
S4, the video encryption subsystem decrypts the encrypted surveillance video data and transmits the decrypted surveillance video data to the video user terminal.
The video front-end device authentication method based on the SM9 national cryptographic algorithm provided by this embodiment selects the national standard cryptographic technology, so the degree of standardization is high and technical weaknesses are few; by performing mutual authentication between the front-end video device and the video encryption subsystem based on the SM9 algorithm, the authenticity of the accessing front-end video device is ensured, and video leakage and the malicious implantation of unrelated video caused by malicious device access, illegal control of the front-end device and similar problems are effectively prevented; and by encrypting the surveillance video data with the SM4 algorithm and transmitting it encrypted, malicious theft of video is effectively prevented, the risk of data leakage is avoided, and the problem of poor security in conventional video surveillance systems is solved.
Further, in this embodiment, as shown in Fig. 2, in step S1 the front-end video device downloads the SM9 identity key as follows:
S11, the front-end video device initiates an SM9 key request to the unified cryptographic service platform, using security encryption measures to complete the request, download, transmission and storage of the front-end video device's SM9 private key.
Specifically, in this embodiment, the front-end video device initiates the SM9 key request to the unified cryptographic service platform as follows: first, the front-end video device integrates an SDK in which a device root key is stored; then, the front-end video device calls the SDK's SM2 ephemeral key-pair generation interface to obtain an SM2 ephemeral public key; finally, the front-end video device establishes an access token with the unified cryptographic service platform and initiates the SM9 key request to the platform.
S12, the unified cryptographic service platform checks the MAC value, requests the KGC to generate the SM9 key ciphertext data, and transmits the front-end video device's SM9 key ciphertext data using security encryption measures.
Specifically, in this embodiment, the unified cryptographic service platform checks the MAC value, requests the KGC to generate the SM9 key ciphertext data, and transmits the front-end video device's SM9 key ciphertext data using security encryption measures as follows. First, the front-end video device calls the SDK's HMAC algorithm to compute a MAC value; in this embodiment this step uses the SM3 national cryptographic hash algorithm, so the HMAC algorithm is SM3-HMAC. Then, the front-end video device requests an SM9 key from the unified cryptographic service platform, carrying the SM2 ephemeral public key, the device Mac+ID and the MAC value, where the device Mac+ID comprises the device MAC value and the device ID, and the requested key is an SM9 private key obtained under the SM9 algorithm. Then, the unified cryptographic service platform verifies the MAC value and generates the SM9 private key according to the device Mac+ID. Finally, the unified cryptographic service platform encrypts the SM9 private key with the SM2 ephemeral public key to obtain the SM9 key ciphertext data.
S13, the front-end video device receives the SM9 key ciphertext data and decrypts it to obtain the front-end video device's SM9 private key.
Specifically, the front-end video device decrypts the SM9 key ciphertext data with its SM2 ephemeral private key, namely the private key of the SM2 ephemeral key pair whose public key was obtained when the front-end video device called the SDK's SM2 ephemeral key-pair generation interface.
S14, the front-end video device stores the front-end video device's SM9 private key using security encryption measures.
In this method for downloading the SM9 key, the key to be downloaded is transmitted encrypted under an SM2 ephemeral key of the national cryptographic algorithms, which secures the key transmission and provides a higher and more reliable security environment.
In a specific embodiment, to implement step S1 (the front-end video device downloads the SM9 identity key), the front-end video device (such as a camera) is first registered in the video encryption subsystem with information such as its location, device name and industry code; the video encryption subsystem then generates a national-standard ID (device ID) from the registration information according to the corresponding rule; the registration information of the front-end video device, comprising the device name, national-standard ID, salt value, server ID (such as the SIP server ID) and so on, is then imported into the unified cryptographic service platform; and the national-standard ID, salt value, SIP ID and other information are passed into the SDK integrated in the front-end video device, which calls the cryptographic SDK's key-download interface to store the key in the security chip of the front-end video device, so that the device can send an access request to the video encryption subsystem.
As shown in Fig. 3, in a specific embodiment, step S1, in which the front-end video device downloads the SM9 identity key, proceeds specifically as follows:
First, the embedded SDK generates an SM2 ephemeral key pair (Pk, Sk), where Pk is the SM2 public key and Sk the SM2 private key; it encapsulates the SM2 public key Pk in the JSON structure of the request body; it performs an HMAC operation with the preset root key over part of the important information in the request body (such as the device identifier, namely the national-standard ID) to obtain a message authentication code, and packs that code into the JSON structure of the request body; it performs an HMAC operation with the default key of the unified cryptographic service platform over part of the important information in the request header to obtain a message authentication code, and packs that code into the request header data; and it sends the SM9 key download request to the unified cryptographic service platform as an HTTP POST.
Then, after receiving the SM9 key request from the embedded SDK, the unified cryptographic service platform verifies the message authentication code in the request header and returns an error if verification fails; it verifies the message authentication code in the request body with the preset root key corresponding to the embedded SDK and returns an error if verification fails; after both checks pass, the unified cryptographic service platform extracts the SM2 public key Pk from the request body and, combining it with the platform identifier of the embedded SDK (including the national-standard ID of the front-end video device and other device identifiers), requests the corresponding SM9 private key data from the KGC.
Then, the KGC uses the corresponding SM9 master private key to generate the user's SM9 private key from the front-end video device's SM9 identifier (including the national-standard ID); the KGC encrypts the user's SM9 private key data with the SM2 public key Pk and sends the encrypted SM9 private key data back to the unified cryptographic service platform.
Finally, the unified cryptographic service platform sends the encrypted SM9 private key data back to the SDK; the embedded SDK decrypts the returned SM9 private key data with the generated SM2 private key Sk; using a user password supplied by the user, it protects the decrypted SM9 private key data with an SM4-based password protection algorithm; and it stores the encrypted SM9 private key data, which completes the distribution and download of the SM9 private key.
Further, in this embodiment, as shown in fig. 4, in step S2, the method for performing bidirectional authentication between the front-end video device and the video encryption subsystem based on the identification cryptography includes:
s21, the front-end video device initiates a registration request (register) to the video encryption subsystem.
S22, the video encryption subsystem generates a first random number R1 and sends the first random number R1 to the front-end video device.
S23, the front-end video device obtains a first signature value sign1 according to the first random number R1, and initiates a registration request (register) to the video encryption subsystem again.
Specifically, in this embodiment, the method for the front-end video device to obtain the first signature value according to the first random number and to reinitiate the registration request to the video encryption subsystem includes: first, the front-end video device generates a second random number R2; then, the front-end video device digitally signs the first random number R1, the second random number R2 and the server ID (such as the SIP server ID) by using an SM9 private key to obtain a first signature value sign1; finally, the front-end video device carries the first random number R1, the second random number R2, the first signature value sign1 and the server ID, and initiates a registration request again to the video encryption subsystem.
S24, the video encryption subsystem performs signature verification on the first signature value sign1 to obtain a second signature value sign2.
Specifically, in this embodiment, the method for the video encryption subsystem to check the first signature value to obtain the second signature value includes: firstly, a video encryption subsystem verifies the validity of a first random number R1, a server ID and the validity of a first signature value sign1; then, the video encryption subsystem calls a unified password service platform to check the first signature value sign1; the unified password service platform performs digital signature on the first random number R1, the second random number R2 and front-end video equipment (national standard ID) by using an SM9 private key to obtain a second signature value sign2; and finally, the unified password service platform returns the signature verification result and the second signature value sign2 to the video encryption subsystem.
S25, the front-end video device obtains the second signature value sign2 and verifies it.
Specifically, in this embodiment, the front-end video device obtains and verifies the second signature value as follows: first, the video encryption subsystem sends a response to the front-end video device carrying the second random number R2, the device ID and the second signature value sign2; in this embodiment the response is a 200 OK with an SDP body; then the front-end video device checks the validity of the second random number R2 and of the device ID, and the validity of the second signature value sign2; finally, the front-end video device verifies the second signature value sign2.
The bidirectional authentication between the front-end video device and the video encryption subsystem based on the SM9 identity-based cryptographic algorithm provided by this embodiment differs from the conventional RSA- and SM2-based methods, which provide unidirectional or bidirectional identity authentication through digital certificates. It is better suited as a lightweight authentication method for massive numbers of video front-end devices and, while ensuring the authenticity of access devices, greatly reduces the investment cost for enterprises or individuals.
In a specific embodiment, to implement step S2 (bidirectional authentication between the front-end video device and the video encryption subsystem based on identity-based cryptography), the front-end video device identifier (including the national standard ID and the SIP server ID) and the unified cryptographic service platform identifier (including the SIP server ID) need to be synchronized before the key is downloaded. In practice this synchronization is generally completed before step S1 is carried out.
As shown in fig. 5, in a specific embodiment, step S2, bidirectional authentication between the front-end video device and the video encryption subsystem based on identity-based cryptography, proceeds as follows:
First, the front-end video device initiates a REGISTER request to the video encryption subsystem; after receiving the REGISTER request, the video encryption subsystem calls the intelligent cryptographic middleware (terminal Java SDK) to generate a random number R1, and the middleware returns R1 to the front-end video device.
Then, after the front-end video device receives the returned random number R1, the intelligent cryptographic middleware (embedded SDK) generates a random number R2, decrypts the stored SM9 private key with the SM4 key, and digitally signs R1 + R2 + signaling server ID with the SM9 private key; the result is recorded as the first signature value Sign1. The front-end video device initiates a REGISTER request to the video encryption subsystem again, carrying R1, R2, the signaling server ID, Sign1 and so on.
Next, the video encryption subsystem calls the terminal SDK to verify the values sent by the front-end video device: the validity of R1, the validity of the signaling server ID and the signature value Sign1. The video encryption subsystem then calls the cryptographic capability of the unified cryptographic service platform, which verifies the signature value Sign1 with the front-end video device identifier (the public key of the front-end video device) and digitally signs R1 + R2 + device identifier (comprising the national standard ID of the front-end video device and the SIP server ID) with the SM9 private key of the unified cryptographic service platform to obtain the signature value Sign2; the unified cryptographic service platform returns the verification result for Sign1 and the digital signature value Sign2 to the video encryption subsystem. The video encryption subsystem replies 200 OK to the front-end video device with an SDP message body carrying R1 and R2, the front-end video device identifier (national standard ID of the front-end video device + SIP server ID) and Sign2.
Finally, the front-end video device uses the capability of the intelligent cryptographic middleware (embedded SDK) to verify the message returned by the video encryption subsystem: it checks the validity of Sign2, the validity of R2 and of the national standard ID of the front-end video device plus the SIP server ID, and verifies Sign2 with the unified cryptographic service platform identifier (SIP server ID and public key).
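As an added illustration of the registration handshake of steps S21 to S25 and fig. 5 (this is not the patent's code), the following Python runs both sides' messages and the checks each side must make: the subsystem binds R1 to the device that asked for it and consumes it once, rejects a REGISTER signed for a different server ID, and only then obtains sign2 over R1 + R2 + device ID; the device accepts only a reply carrying its own R2 and ID. SM9 identity-based signatures are replaced by a labelled HMAC stand-in, and the identifiers, master secret and the 30 s challenge window are constructed assumptions.

```python
import hashlib
import hmac
import os
import time

CHALLENGE_TTL_S = 30.0   # constructed validity window for R1; the page gives no value


class StandInSM9:
    """Stand-in for SM9 identity-based signatures, NOT the real algorithm.
    Per-identity keys derive from a master secret (as a KGC would), but the
    verifier re-derives the signer's key, so it is symmetric; real SM9
    verification needs only the master public key and the signer's ID."""

    def __init__(self, master: bytes):
        self.master = master

    def private_key(self, ident: bytes) -> bytes:
        return hmac.new(self.master, ident, hashlib.sha256).digest()

    @staticmethod
    def sign(priv: bytes, msg: bytes) -> bytes:
        return hmac.new(priv, msg, hashlib.sha256).digest()

    def verify(self, ident: bytes, msg: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(self.private_key(ident), msg), sig)


def transcript(*parts: bytes) -> bytes:
    # Length-prefixed R1 + R2 + ID so the signed fields cannot be re-split.
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


class FrontEndDevice:
    def __init__(self, kgc, device_id, server_id):
        self.kgc, self.device_id, self.server_id = kgc, device_id, server_id
        self.priv = kgc.private_key(device_id)   # the SM9 private key downloaded in S1
        self.r2 = None

    def register(self):                            # S21: first REGISTER
        return {"type": "REGISTER", "device_id": self.device_id}

    def answer(self, r1):                          # S23: REGISTER again with sign1
        self.r2 = os.urandom(16)
        sign1 = StandInSM9.sign(self.priv, transcript(r1, self.r2, self.server_id))
        return {"type": "REGISTER", "device_id": self.device_id, "R1": r1,
                "R2": self.r2, "server_id": self.server_id, "sign1": sign1}

    def check_response(self, resp, platform_id):   # S25: verify sign2
        if resp["R2"] != self.r2 or resp["device_id"] != self.device_id:
            return False                           # stale or misdirected reply
        m2 = transcript(resp["R1"], resp["R2"], resp["device_id"])
        return self.kgc.verify(platform_id, m2, resp["sign2"])


class VideoEncryptionSubsystem:
    def __init__(self, kgc, server_id, platform_id, now=time.time):
        self.kgc, self.server_id, self.platform_id, self.now = kgc, server_id, platform_id, now
        self.platform_priv = kgc.private_key(platform_id)  # held on the platform side
        self.pending = {}                          # device_id -> (R1, issued_at)

    def challenge(self, msg):                      # S22: issue R1
        r1 = os.urandom(16)
        self.pending[msg["device_id"]] = (r1, self.now())
        return r1

    def verify_and_respond(self, msg):             # S24: check sign1, obtain sign2
        issued = self.pending.pop(msg["device_id"], None)  # one-shot R1: no replay
        if issued is None or issued[0] != msg["R1"] or self.now() - issued[1] > CHALLENGE_TTL_S:
            return None                            # unknown, mismatched or expired R1
        if msg["server_id"] != self.server_id:
            return None                            # signed for a different server
        m1 = transcript(msg["R1"], msg["R2"], msg["server_id"])
        if not self.kgc.verify(msg["device_id"], m1, msg["sign1"]):
            return None
        m2 = transcript(msg["R1"], msg["R2"], msg["device_id"])
        sign2 = StandInSM9.sign(self.platform_priv, m2)    # platform signs
        return {"type": "200 OK", "R1": msg["R1"], "R2": msg["R2"],
                "device_id": msg["device_id"], "sign2": sign2}


def run_handshake(tamper=None):
    """Runs S21-S25 end to end; returns (subsystem_accepted, device_accepted)."""
    kgc = StandInSM9(b"constructed-master-secret")
    dev_id, srv_id, plat_id = b"DEVICE-ID-SAMPLE", b"SIP-SERVER-ID-SAMPLE", b"PLATFORM-ID-SAMPLE"
    dev = FrontEndDevice(kgc, dev_id, srv_id)
    sub = VideoEncryptionSubsystem(kgc, srv_id, plat_id)
    msg = dev.answer(sub.challenge(dev.register()))
    if tamper == "other_server":                   # REGISTER addressed to another server
        msg["server_id"] = b"OTHER-SERVER-ID"
    elif tamper == "replay":                       # first use consumes R1
        sub.verify_and_respond(dict(msg))
    resp = sub.verify_and_respond(msg)
    if resp is None:
        return False, False
    return True, dev.check_response(resp, plat_id)
```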
Further, in this embodiment, as shown in fig. 6, step S3, in which the front-end video device encrypts the surveillance video data with the SM4 algorithm and transmits the encrypted surveillance video data to the video encryption subsystem, comprises:
S31, the front-end video device randomly generates a 128-bit video encryption key.
Specifically, in this embodiment the block cipher SM4 is adopted, and its 128-bit encryption key is a random key, denoted DK.
S32, the front-end video device encrypts the surveillance video data with the encryption key to obtain encrypted surveillance video data.
S33, the front-end video device calls the unified cryptographic service platform and encrypts the video encryption key with the SM9 public key provided by the platform.
Specifically, in this embodiment, the video encryption key DK is encrypted with the SM9 public key corresponding to the SM9 private key provided by the unified cryptographic service platform.
S34, the front-end video device symmetrically encrypts the video stream data with the stream key, and transmits the encrypted surveillance video data to the video encryption subsystem.
Step S4, in which the video encryption subsystem decrypts the encrypted surveillance video data and transmits the decrypted surveillance video data to the video user terminal, comprises the following steps:
S41, the video encryption subsystem calls the unified cryptographic service platform and downloads the SM9 private key corresponding to the SM9 public key;
S42, the video encryption subsystem decrypts the encrypted encryption key with the SM9 private key to obtain the encryption key;
S43, the video encryption subsystem decrypts the surveillance video data with the encryption key to obtain the surveillance video data;
S44, the video encryption subsystem transmits the decrypted surveillance video data to the video user terminal.
The manner of encrypting and decrypting the video stream data with the encryption key is prior art; those skilled in the art can obtain it from the prior art, and it is not described in detail in this application.
The encryption and decryption method for the surveillance video data provided by this embodiment additionally encrypts and decrypts the video encryption key itself, so that the video data is protected by double encryption; this improves reliability and prevents leakage and theft of the video data.
In a specific embodiment, to implement step S3 (the front-end video device encrypts the surveillance video data with the SM4 algorithm and transmits the encrypted surveillance video data to the video encryption subsystem), the maximum effective duration of the video encryption key DK is 1 h. Because the same DK is used throughout a GOP, the device must judge at encryption time whether the current DK is still valid and whether a new DK has been generated: if the GOP period has ended and a new DK exists, the new DK replaces the current one; otherwise the current DK continues to be used.
As shown in fig. 7, in a specific embodiment, step S3, in which the front-end video device encrypts the surveillance video data with the SM4 algorithm and transmits the encrypted surveillance video data to the video encryption subsystem, proceeds as follows:
First, the video encryption subsystem initiates an INVITE access request to the signaling server carrying an SDP message body, which carries user identity information such as the national standard ID of the front-end video device, the serial number of the sender media stream, the ID and serial number of the receiving media stream, and so on. After receiving the request, the signaling server sends an INVITE request to the media server; after receiving the INVITE request from the signaling server, the media server replies a 200 OK response carrying an SDP message body that describes the IP, port, media format, etc. at which the media server receives the media stream. After receiving the reply, the signaling server initiates an INVITE request to the front-end video device carrying the SDP message body returned by the media server; after receiving the request, the front-end video device replies a 200 OK response to the signaling server carrying an SDP message body with the IP, port, media format, etc. of the video stream. After receiving the 200 OK response from the front-end video device, the signaling server initiates an ACK request to the media server carrying the message body from the front-end video device's 200 OK reply, which completes the INVITE session establishment between the signaling server and the media server.
Then, after receiving the ACK request, the front-end video device invokes the intelligent cryptographic middleware (embedded C SDK) capability to encrypt the video data: the embedded SDK randomly generates a 128-bit random key for video encryption, recorded as DK; encrypts the video data with DK; encrypts DK with the SM9 public key, recorded as E(DK), and encapsulates the encrypted DK in the protocol header of the video stream transport. The front-end video device then transmits the encrypted video stream to the media server.
As shown in fig. 7, step S4, in which the video encryption subsystem decrypts the encrypted surveillance video data and transmits the decrypted surveillance video data to the video user terminal, proceeds as follows:
First, the signaling server initiates an INVITE request to the media server carrying an SDP message body that describes the IP, port, media format, etc. for receiving the media stream; after receiving the request, the media server replies a 200 OK response carrying an SDP message body in which the ID, port, media stream format and other details of the media stream sender are described. The signaling server replies a 200 OK response to the video encryption subsystem carrying the SDP message body of the media server; after receiving the reply, the video encryption subsystem initiates an ACK request to the signaling server, which forwards the ACK request to the media server. After receiving the ACK request, the media server establishes a video transmission channel and transmits the video to the video encryption subsystem.
Then, after receiving the video stream, the video encryption subsystem decrypts E(DK) carried in the stream with its own SM9 private key to obtain the video encryption key DK, and decrypts the video data with DK to obtain the video data.
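The following Python is an added illustration (not the patent's code) of the DK handling described for steps S3 and S4 and fig. 7: the front end keeps one DK per GOP, generates a replacement once the 1 h lifetime has elapsed but swaps it in only at the next GOP start, and carries E(DK) in the packet header; the subsystem side unwraps DK from the header only when E(DK) changes. SM4 and the SM9 key wrap are replaced by a labelled SHA-256 keystream stand-in, and the header layout, platform key and clock schedule are constructed assumptions.

```python
import hashlib
import os
import struct

MAX_DK_LIFETIME_S = 3600.0   # the page's 1 h maximum effective duration of DK
MAGIC = b"EDK1"              # constructed header tag for this example


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (SHA-256 counter keystream): NOT SM4 and NOT SM9.
    A deployment uses SM4 for the video and SM9 public-key encryption for DK."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + struct.pack(">I", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def wrap_dk(platform_key: bytes, dk: bytes) -> bytes:
    """E(DK): SM9 encryption under the platform public key in the patent;
    here a symmetric stand-in keyed by `platform_key`."""
    nonce = os.urandom(12)
    return nonce + _keystream_xor(platform_key, nonce, dk)


def unwrap_dk(platform_key: bytes, e_dk: bytes) -> bytes:
    return _keystream_xor(platform_key, e_dk[:12], e_dk[12:])


class FrontEndKeyManager:
    """Front-end side. Rotation rule: a DK lives at most `lifetime` seconds,
    one DK covers a whole GOP, a new DK is swapped in only at a GOP start."""
    def __init__(self, platform_key, now, lifetime=MAX_DK_LIFETIME_S):
        self.platform_key, self.lifetime = platform_key, lifetime
        self._install(os.urandom(16), now)          # 128-bit random DK

    def _install(self, dk, now):
        self.dk, self.dk_born, self.pending_dk = dk, now, None
        self.e_dk = wrap_dk(self.platform_key, dk)  # wrapped once per DK

    def select_dk(self, now, gop_start):
        # Judge validity: once the DK is past its lifetime, generate the
        # replacement, but keep the old one until the current GOP ends.
        if now - self.dk_born >= self.lifetime and self.pending_dk is None:
            self.pending_dk = os.urandom(16)
        if gop_start and self.pending_dk is not None:
            self._install(self.pending_dk, now)
        return self.dk

    def encrypt_frame(self, frame, now, gop_start):
        """Packet = MAGIC | len(E(DK)) | E(DK) | nonce | ciphertext, i.e.
        E(DK) rides in the transport header as step S3 describes."""
        dk = self.select_dk(now, gop_start)
        nonce = os.urandom(12)
        body = _keystream_xor(dk, nonce, frame)
        return MAGIC + struct.pack(">H", len(self.e_dk)) + self.e_dk + nonce + body


class SubsystemDecryptor:
    """Video encryption subsystem side: recovers DK from the header with the
    platform private key (stand-in) and caches it until E(DK) changes."""
    def __init__(self, platform_key):
        self.platform_key = platform_key
        self.cached_e_dk, self.cached_dk = None, None
        self.unwraps = 0                            # how many DK unwraps ran

    def decrypt_frame(self, packet):
        if packet[:4] != MAGIC:
            raise ValueError("not an encrypted video packet")
        n = struct.unpack(">H", packet[4:6])[0]
        e_dk, nonce = packet[6:6 + n], packet[6 + n:18 + n]
        if e_dk != self.cached_e_dk:                # new DK announced in header
            self.cached_e_dk = e_dk
            self.cached_dk = unwrap_dk(self.platform_key, e_dk)
            self.unwraps += 1
        return _keystream_xor(self.cached_dk, nonce, packet[18 + n:])


def rotation_trace(lifetime=MAX_DK_LIFETIME_S):
    """Drives both sides with a constructed clock in which DK expires mid-GOP.
    Returns (DK index used per frame, all frames decrypted, unwrap count)."""
    pk = b"platform-key-stand-in"                    # constructed, not an SM9 key
    mgr, dec = FrontEndKeyManager(pk, now=0.0, lifetime=lifetime), SubsystemDecryptor(pk)
    schedule = [(0.0, True), (1.0, False), (lifetime, False),        # expiry mid-GOP
                (lifetime + 0.5, False), (lifetime + 1.0, True), (lifetime + 2.0, False)]
    frames = [b"frame-%d-" % i + bytes(40) for i in range(len(schedule))]
    pkts = [mgr.encrypt_frame(f, t, g) for f, (t, g) in zip(frames, schedule)]
    seen, used = [], []
    for p in pkts:
        e_dk = p[6:6 + struct.unpack(">H", p[4:6])[0]]
        if e_dk not in seen:
            seen.append(e_dk)
        used.append(seen.index(e_dk))
    ok = all(dec.decrypt_frame(p) == f for p, f in zip(pkts, frames))
    return used, ok, dec.unwraps
```

Running `rotation_trace()` shows the two frames after the expiry point still using DK 0 until the next GOP start, after which DK 1 is used and the subsystem performs exactly one extra unwrap.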
This embodiment also provides a video front-end equipment authentication system based on the national cryptographic SM9 algorithm, which implements the above video front-end equipment authentication method. As shown in fig. 8, it comprises front-end video equipment, a video encryption subsystem, a video user terminal and a unified cryptographic service platform. The video user terminal is communicatively connected to the front-end video equipment through the video encryption subsystem so as to obtain the surveillance video of the front-end video equipment; the video encryption subsystem decrypts, stores, accesses and manages the surveillance video of the front-end video equipment through the unified cryptographic service platform; the unified cryptographic service platform comprises a cryptographic resource pool, which is used to create keys and to manage and monitor the data generated by the unified cryptographic service platform.
Specifically, in this embodiment, the front-end (terminal) video device has a built-in security chip, integrates the SDK, and provides functions such as identity authentication and video stream encryption. The video encryption subsystem consists of a web server, a video signaling gateway, a media server and their security components, and supports basic streaming media services such as video decryption, video monitoring, video device access, video platform access, video device and channel management, video storage, video playing and playback. The end user can log in through the video user terminal by scanning a code; the code-scanning login can authenticate the end user's identity based on the national cryptographic algorithms, which enables operations such as playing and downloading video. The unified cryptographic service platform manages and monitors the cryptographic machine pool through the cryptographic resource pool, including creating persistent key pairs in the cryptographic machine and monitoring the state of the cryptographic devices.
The video front-end equipment authentication system based on the SM9 cryptographic algorithm addresses video data leakage, tampering and theft caused by malicious replacement and illegal control of the front-end video access in current systems. Legal access of the front-end video equipment based on SM9 effectively guarantees the identity authenticity of the front-end video equipment and prevents the risks of video data leakage and replacement that arise from access by unauthorized equipment, malicious replacement of equipment and similar problems. Encrypting the video data with the national cryptographic technology effectively secures video data transmission and prevents theft, leakage and similar risks during transmission. Together this forms a service system security scheme with the front-end video equipment and the video encryption subsystem at its core, and meets the application requirement of securely exchanging important service data such as signaling information and video data over the transmission link.
In this specification, the embodiments are described progressively; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may be referred to one another.
The video front-end equipment authentication method and system based on the SM9 cryptographic algorithm provided by this embodiment comprise the following steps: the front-end video equipment downloads the SM9 identification key, using security encryption measures to complete the key request, download, transmission and storage of the front-end video SM9 private key; the front-end video equipment and the video encryption subsystem perform bidirectional authentication based on identity-based cryptography; the front-end video device encrypts the surveillance video data with the SM4 algorithm and transmits the encrypted surveillance video data to the video encryption subsystem; the video encryption subsystem decrypts the encrypted surveillance video data and transmits the decrypted surveillance video data to the video user terminal. Selecting the national standard cryptographic technology gives a high degree of standardization and few technical weaknesses; bidirectional authentication of the front-end video equipment and the video encryption subsystem based on the SM9 algorithm guarantees the authenticity of the accessing front-end video equipment and effectively prevents video leakage and the malicious injection of unrelated video caused by problems such as access by malicious equipment and illegal control of the front-end equipment; encrypting the surveillance video data with the national cryptographic algorithms for transmission effectively prevents malicious theft of video, avoids the risk of data leakage, and solves the problem of poor security in conventional video surveillance systems.
The above description is only illustrative of the preferred embodiments of the present invention and is not intended to limit the scope of the present invention, and any alterations and modifications made by those skilled in the art based on the above disclosure shall fall within the scope of the appended claims.

Claims (10)

1. The method for authenticating the video front-end equipment based on the SM9 cryptographic algorithm is characterized by comprising the following steps of:
the front-end video equipment downloads the SM9 identification key, and adopts a security encryption measure to finish key request, downloading, transmission and storage of a front-end video SM9 private key;
the front-end video equipment and the video encryption subsystem perform bidirectional authentication based on the identification password technology;
the front-end video device encrypts the monitoring video data by adopting an SM4 algorithm and transmits the encrypted monitoring video data to a video encryption subsystem;
the video encryption subsystem decrypts the encrypted monitoring video data and transmits the decrypted monitoring video data to the video user terminal.
2. The method for authenticating a video front-end device based on the national cryptographic SM9 algorithm according to claim 1, wherein the front-end video device downloads the SM9 identification key by the following steps:
the front-end video equipment initiates an SM9 key request to the unified cryptographic service platform, and adopts a security encryption measure to complete the key request, download, transmission and storage of the front-end video SM9 private key;
the unified cryptographic service platform checks the MAC value, requests the KGC to generate SM9 key ciphertext data, and transmits the video front-end SM9 key ciphertext data using a security encryption measure;
the front-end video equipment acquires the SM9 key ciphertext data and decrypts it to obtain the video front-end SM9 private key;
the front-end video equipment stores the video front-end SM9 private key using a security encryption measure.
3. The method for authenticating a video front-end device based on the national cryptographic SM9 algorithm according to claim 2, wherein the front-end video device initiates the SM9 key request to the unified cryptographic service platform by the following steps:
the front-end video device integrates an SDK in which a device root key is stored;
the front-end video equipment calls the SM2 temporary public-private key generation interface of the SDK to obtain an SM2 temporary public key;
the front-end video device establishes an access token with the unified cryptographic service platform and initiates the SM9 key request to the unified cryptographic service platform.
4. The method for authenticating a video front-end device based on the national cryptographic SM9 algorithm according to claim 3, wherein the unified cryptographic service platform verifies the MAC value and requests the KGC to generate the SM9 key ciphertext data by the following steps:
the front-end video device invokes the HMAC algorithm of the SDK to calculate a MAC value;
the front-end video device requests the SM9 key from the unified cryptographic service platform, carrying the SM2 temporary public key, the device Mac+ID and the MAC value;
the unified cryptographic service platform verifies the MAC value and generates an SM9 private key according to the Mac+ID of the device;
the unified cryptographic service platform encrypts the SM9 private key with the SM2 temporary public key to obtain the SM9 key ciphertext data.
5. The method for authenticating a video front-end device based on the national cryptographic SM9 algorithm according to claim 2, wherein the front-end video device and the video encryption subsystem perform bidirectional authentication based on identity-based cryptography by the following steps:
the front-end video device initiates a registration request to the video encryption subsystem;
the video encryption subsystem generates a first random number and sends the first random number to the front-end video equipment;
the front-end video device obtains a first signature value according to the first random number and initiates a registration request to the video encryption subsystem again;
the video encryption subsystem performs signature verification on the first signature value to obtain a second signature value;
the front-end video device acquires a second signature value and performs signature verification on the second signature value.
6. The method for authenticating a video front-end device based on the national cryptographic SM9 algorithm according to claim 5, wherein the front-end video device obtains the first signature value according to the first random number and re-initiates the registration request to the video encryption subsystem by the following steps:
the front-end video device generates a second random number;
the front-end video device digitally signs the first random number, the second random number and the server ID by using an SM9 private key to obtain a first signature value;
the front-end video device carries the first random number, the second random number, the first signature value and the server ID, and initiates a registration request to the video encryption subsystem again.
7. The method for authenticating a video front-end device based on the national cryptographic SM9 algorithm according to claim 6, wherein the video encryption subsystem verifies the first signature value to obtain the second signature value by the following steps:
the video encryption subsystem verifies the validity of the first random number and of the server ID, and the validity of the first signature value;
the video encryption subsystem calls the unified cryptographic service platform to verify the first signature value;
the unified cryptographic service platform digitally signs the first random number, the second random number and the front-end video device identifier with its SM9 private key to obtain the second signature value;
and the unified cryptographic service platform returns the signature verification result and the second signature value to the video encryption subsystem.
8. The method for authenticating a video front-end device based on the national cryptographic SM9 algorithm according to claim 1, wherein the front-end video device encrypts the surveillance video data with the SM4 algorithm and transmits the encrypted surveillance video data to the video encryption subsystem by the following steps:
the front-end video equipment randomly generates a 128-bit video encryption key;
the front-end video device encrypts the surveillance video data with the encryption key to obtain encrypted surveillance video data;
the front-end video equipment calls the unified cryptographic service platform and encrypts the video encryption key with the SM9 public key provided by the unified cryptographic service platform;
the front-end video device symmetrically encrypts the video stream data with the stream key and transmits the encrypted surveillance video data to the video encryption subsystem.
9. The method for authenticating a video front-end device based on the national cryptographic SM9 algorithm according to claim 8, wherein the video encryption subsystem decrypts the encrypted surveillance video data and transmits the decrypted surveillance video data to the video user terminal by the following steps:
the video encryption subsystem calls the unified cryptographic service platform and downloads the SM9 private key corresponding to the SM9 public key;
the video encryption subsystem decrypts the encrypted encryption key with the SM9 private key to obtain the encryption key;
the video encryption subsystem decrypts the surveillance video data with the encryption key to obtain the surveillance video data;
and the video encryption subsystem transmits the decrypted surveillance video data to the video user terminal.
10. A video front-end equipment authentication system based on the national cryptographic SM9 algorithm, for implementing the video front-end equipment authentication method based on the national cryptographic SM9 algorithm according to any one of claims 1 to 9, characterized in that the system comprises a front-end video device, a video encryption subsystem, a video user terminal and a unified cryptographic service platform; the video user terminal is communicatively connected to the front-end video equipment through the video encryption subsystem so as to obtain the surveillance video of the front-end video equipment; the video encryption subsystem decrypts, stores, accesses and manages the surveillance video of the front-end video equipment through the unified cryptographic service platform; the unified cryptographic service platform comprises a cryptographic resource pool, which is used to create keys and to manage and monitor the data generated by the unified cryptographic service platform.
Application CN202311516761.8A, priority date 2023-11-14, filing date 2023-11-14: Video front-end equipment authentication method and system based on SM9 cryptographic algorithm. Status: Pending. Publication CN117528194A (en).

Publications (1)

Publication Number Publication Date
CN117528194A true CN117528194A (en) 2024-02-06

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination