CN117729007A - Safety detection system and method - Google Patents

Safety detection system and method

Publication number
CN117729007A
Authority
CN
China
Prior art keywords
security
detection module
safety
identification module
unit
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202311707757.XA
Other languages
Chinese (zh)
Other versions
CN117729007B (en)
Inventor
李峰
代飞
张磊
方笑笑
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Systems Engineering of PLA Academy of Military Sciences
Original Assignee
Institute of Systems Engineering of PLA Academy of Military Sciences
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Institute of Systems Engineering of PLA Academy of Military Sciences filed Critical Institute of Systems Engineering of PLA Academy of Military Sciences
Priority to CN202311707757.XA priority Critical patent/CN117729007B/en
Publication of CN117729007A publication Critical patent/CN117729007A/en
Application granted granted Critical
Publication of CN117729007B publication Critical patent/CN117729007B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Abstract

The invention discloses a safety detection system and method. The system comprises a safety detection module, a safety identification module and an upper computer; the safety detection module performs information interaction with the safety identification module and the upper computer. The safety detection module comprises a safety detection module password processing unit, a power supply unit, a bus isolation unit, a channel selection unit, a protocol conversion unit, a communication interface unit and an antenna unit. The safety identification module is an active RFID safety identification module and comprises an MCU central control unit, a microwave transceiver, a battery, a safety identification module password processing unit and an antenna. The invention can be used for the security protection of Internet of Things terminals in typical application scenarios: it provides a bidirectional security access authentication function for the terminal module and the access point, a transmission data encryption protection function, and a terminal authority access control function.

Description

Safety detection system and method
Technical Field
The invention relates to the technical field of cryptography, in particular to a safety detection system and a safety detection method.
Background
Traditional radio frequency identification (RFID) technology uses radio frequency signals to identify specific objects and to read and write related data; the system needs no mechanical or optical contact with the object during reading and writing. RFID is extremely low in cost and is widely applied in industrial scenarios. However, because data is transmitted over the air, its confidentiality and integrity are difficult to ensure, and classical non-lightweight encryption requires an additional power supply system, so the use of such systems is limited in fields such as logistics management, industrial manufacturing, aviation parcel management, file tracking, library management, biometric identification, sports timing, access control management and traffic control.
Disclosure of Invention
The invention aims to solve the technical problem of providing a safety detection system and a safety detection method, which can overcome the defects of the prior art and ensure the confidentiality and the integrity of stored information and the confidentiality of information transmitted with an electronic safety identification module in a mixed password mode.
To solve the above technical problem, a first aspect of an embodiment of the present invention discloses a security detection system, which includes: the system comprises a safety detection module, a safety identification module and an upper computer;
the safety detection module performs information interaction with the safety identification module and the upper computer;
the safety detection module comprises: the device comprises a safety detection module password processing unit, a power supply unit, a bus isolation unit, a channel selection unit, a protocol conversion unit, a communication interface unit and an antenna unit;
the safety detection module password processing unit is in information interaction with the power supply unit, the antenna unit and the bus isolation unit; the bus isolation unit is in information interaction with the channel selection unit; the protocol conversion unit is in information interaction with the channel selection unit and the communication interface unit;
the safety detection module password processing unit is used for carrying out data management on the safety identification module;
the power supply unit is used for supplying power to the safety detection module password processing unit;
the bus isolation unit is used for protecting the safety detection module password processing unit and the channel selection unit;
the channel selection unit is used for selecting channels;
the protocol conversion unit is used for carrying out protocol conversion;
the communication interface unit comprises a CAN interface, an RJ45 Ethernet interface, an RS232 interface and a TTL interface and is used for signal conversion;
the safety identification module is an active RFID safety identification module and comprises an MCU central control unit, a microwave transceiver, a battery, a safety identification module password processing unit and an antenna.
As an optional implementation method, in the first aspect of the embodiment of the present invention, the security detection module cryptographic processing unit is configured to perform data management on the security identification module to obtain encrypted data information;
the safety detection module password processing unit is used for sending the encrypted data information to an antenna unit;
and the antenna unit is used for transmitting the encrypted data information.
As an optional implementation manner, in a first aspect of the embodiment of the present invention, the antenna unit includes a radio frequency interface chip;
the safety detection module password processing unit comprises a safety chip;
the safety detection module is used for carrying out safety communication with an upper computer by utilizing the radio frequency interface chip and the safety chip;
and the safety detection module password processing unit is used for carrying out SPI communication with the radio frequency interface chip.
The second aspect of the embodiment of the invention discloses a safety detection method, which comprises the following steps:
S1, performing bidirectional authentication between a security detection module and an upper computer by using a first authentication model;
S2, performing bidirectional authentication between the safety detection module and the safety identification module by using a second authentication model;
S3, after the bidirectional authentication is passed, the safety detection module and the safety identification module conduct data interaction;
the data interaction comprises checking, reading data and writing data;
S4, encrypting and managing the data read by the security detection module by using a symmetric key management model to obtain encrypted data information;
S5, the encrypted data information is sent to an antenna unit;
S6, the antenna unit is utilized to send out the encrypted data information.
As an optional implementation method, in a second aspect of the embodiment of the present invention, the performing, with a second authentication model, bidirectional authentication between the security detection module and the security identification module includes:
S21, carrying out entity authentication on the security identification module by utilizing the security detection module to obtain first entity authentication information;
S22, sending the first entity authentication information to the security detection module by utilizing the security identification module;
S23, processing the first entity authentication information by utilizing the security detection module to obtain second entity authentication information;
S24, the second entity authentication information is sent to the security identification module by utilizing the security detection module;
S25, processing the second entity authentication information by utilizing the security identification module to obtain an entity authentication result, and realizing bidirectional authentication between the security detection module and the security identification module.
As an optional implementation method, in a second aspect of the embodiment of the present invention, the performing entity authentication on the security identifier module by using the security detection module to obtain first entity authentication information includes:
S211, the security detection module requests a first random number from the security detection module password processing unit;
S212, the security detection module password processing unit returns the first random number;
S213, the security detection module sends an authentication request and the first random number to the security identification module;
S214, the security identification module sends the first random number to the security identification module password processing unit;
S215, the security identification module password processing unit generates a second random number and an authentication request response;
the second random number and the authentication request response constitute the first entity authentication information.
As an optional implementation method, in a second aspect of the embodiment of the present invention, the processing, by using the security detection module, the first entity authentication information to obtain second entity authentication information includes:
S231, the security detection module sends the first entity authentication information to the security detection module password processing unit;
S232, the security detection module password processing unit authenticates the first entity authentication information to obtain a first authentication result and a 32-bit message check code;
the first authentication result and the 32-bit message check code form the second entity authentication information.
As an optional implementation method, in a second aspect of the embodiment of the present invention, the processing, by using the security identification module, the second entity authentication information to obtain an entity authentication result, to implement bidirectional authentication between the security detection module and the security identification module includes:
S251, the second entity authentication information is sent to the password processing unit of the security identification module by utilizing the security identification module;
S252, the security identification module password processing unit processes the second entity authentication information to obtain an entity authentication result;
S253, the security identification module sends the entity authentication result to the security detection module to realize bidirectional authentication between the security detection module and the security identification module.
As an optional implementation method, in a second aspect of the embodiment of the present invention, the encrypting management on the data read by the security detection module by using the symmetric key management model, to obtain encrypted data information, includes:
S41, acquiring the security parameters of the security identification module by utilizing the security detection module;
the security parameters of the security identification module comprise the security capability of the security identification module and a base key index;
S42, the security detection module derives a shared key PSK corresponding to the security identification module according to the acquired base key index and the base key stored by the security detection module;
S43, the security detection module and the security identification module derive an integrity check key and an encryption key according to the shared key PSK, and carry out integrity check and data encryption on the authentication code in the authentication process;
S44, after authentication is completed, the security detection module and the security identification module derive a session key according to the shared key PSK together with RID, TID, RNr and RNt, and encrypt and manage the data read by the security detection module to obtain encrypted data information.
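The key hierarchy of S41 to S44, together with the 32-bit message check code of S232, as an added example that is not code from the patent. The patent does not specify the derivation function, so HMAC-SHA256 stands in for it; the 128-bit key length, the labels, mixing TID into the PSK derivation, and the reading of RID/TID as reader/tag identifiers and RNr/RNt as their random numbers are all assumptions.

```python
import hashlib
import hmac
import struct

KEY_LEN = 16  # assumption: 128-bit keys


def kdf(key: bytes, label: bytes, *fields: bytes) -> bytes:
    """Stand-in KDF (HMAC-SHA256, truncated). Every field is length-prefixed
    so (b"ab", b"c") and (b"a", b"bc") can never yield the same key."""
    msg = label + b"\x00" + b"".join(
        struct.pack(">H", len(f)) + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()[:KEY_LEN]


class LinkKeys:
    """Keys both ends hold once the shared key PSK is known (S43, S44)."""

    def __init__(self, psk: bytes):
        self.psk = psk
        # S43: separate keys for integrity checking and for encryption,
        # so a weakness in one use does not expose the other.
        self.k_int = kdf(psk, b"integrity")
        self.k_enc = kdf(psk, b"encryption")

    def check_code32(self, message: bytes) -> bytes:
        """32-bit message check code over an authentication message."""
        return hmac.new(self.k_int, message, hashlib.sha256).digest()[:4]

    def verify32(self, message: bytes, code: bytes) -> bool:
        """Constant-time comparison of the received check code."""
        return hmac.compare_digest(self.check_code32(message), code)

    def session_key(self, rid: bytes, tid: bytes,
                    rn_r: bytes, rn_t: bytes) -> bytes:
        """S44: bind the session key to both identities and both nonces,
        so every authenticated session gets a fresh key."""
        return kdf(self.psk, b"session", rid, tid, rn_r, rn_t)


def reader_derive(base_keys: dict, index: int, tid: bytes) -> LinkKeys:
    """S41-S42: the detection module looks up the base key named by the
    index the identification module reported, then derives that tag's PSK."""
    if index not in base_keys:
        raise ValueError("unknown base key index: %r" % (index,))
    return LinkKeys(kdf(base_keys[index], b"psk", tid))


def demo() -> dict:
    # Constructed sample values, not taken from the patent.
    base_keys = {1: b"\x11" * KEY_LEN, 2: b"\x22" * KEY_LEN}
    rid, tid = b"RDR-01", b"TAG-0007"
    rn_r, rn_t = b"\x01" * 8, b"\x02" * 8

    reader = reader_derive(base_keys, 2, tid)
    # The tag is assumed to be provisioned with its PSK at personalization.
    tag = LinkKeys(kdf(base_keys[2], b"psk", tid))

    code = tag.check_code32(b"auth-response")
    return {
        "same_session_key": reader.session_key(rid, tid, rn_r, rn_t)
        == tag.session_key(rid, tid, rn_r, rn_t),
        "check_code_ok": reader.verify32(b"auth-response", code),
        "tampered_rejected": not reader.verify32(b"auth-respons3", code),
    }


if __name__ == "__main__":
    print(demo())
```

A 32-bit check code leaves a forger a 2^-32 chance per attempt, so a deployment would also bound the number of failed authentications it accepts from one peer.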
Compared with the prior art, the embodiment of the invention has the following beneficial effects:
the invention designs a safety detection system and a method, comprising a safety detection module, a safety identification module and an upper computer; the safety detection module performs information interaction with the safety identification module and the upper computer; the safety detection module comprises: the device comprises a safety detection module password processing unit, a power supply unit, a bus isolation unit, a channel selection unit, a protocol conversion unit, a communication interface unit and an antenna unit; the safety identification module is an active RFID safety identification module and comprises an MCU central control unit, a microwave transceiver, a battery, a safety identification module password processing unit and an antenna. The technical scheme of the invention can be used for the security protection of the terminal of the Internet of things in a typical application scene, provides a bidirectional security access authentication function for the terminal module and the access point, provides a transmission data encryption protection function, and provides a terminal authority access control function. The invention ensures the confidentiality and the integrity of the stored information and the confidentiality of the information transmitted with the safety identification module in a mixed password mode.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a block diagram of a security detection system according to an embodiment of the present invention;
FIG. 2 is a schematic block diagram of the circuit principle of a security detection module disclosed in an embodiment of the present invention;
FIG. 3 is a flow chart of a security detection method according to an embodiment of the present invention;
FIG. 4 is a block diagram illustrating a general schematic of a process of checking a security identification module according to an embodiment of the present invention;
FIG. 5 is a schematic block diagram of a security detection module read data flow disclosed in an embodiment of the present invention;
FIG. 6 is a schematic block diagram of a security detection module write data flow disclosed in an embodiment of the present invention;
FIG. 7 is a schematic diagram of a security identification module disclosed in an embodiment of the invention;
FIG. 8 is a schematic block diagram of symmetric key management for a security detection module disclosed in an embodiment of the present invention;
FIG. 9 is a schematic block diagram of a key usage and destruction flow disclosed in an embodiment of the present invention;
FIG. 10 is a schematic block diagram of a two-way authentication flow specification disclosed in an embodiment of the present invention.
Detailed Description
In order to make the present invention better understood by those skilled in the art, the following description will clearly and completely describe the technical solutions in the embodiments of the present invention with reference to the accompanying drawings, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The terms first, second and the like in the description and in the claims and in the above-described figures are used for distinguishing between different objects and not necessarily for describing a sequential or chronological order. Furthermore, the terms "comprise" and "have," as well as any variations thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, apparatus, article, or device that comprises a list of steps or elements is not limited to the list of steps or elements but may, in the alternative, include other steps or elements not expressly listed or inherent to such process, method, article, or device.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the invention. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments.
The invention discloses a safety detection system and a method, comprising the following steps: the system comprises a safety detection module, a safety identification module and an upper computer; the safety detection module performs information interaction with the safety identification module and the upper computer; the safety detection module comprises: the device comprises a safety detection module password processing unit, a power supply unit, a bus isolation unit, a channel selection unit, a protocol conversion unit, a communication interface unit and an antenna unit; the safety identification module is an active RFID safety identification module and comprises an MCU central control unit, a microwave transceiver, a battery, a safety identification module password processing unit and an antenna. The method can be used for the security protection of the terminal of the Internet of things in a typical application scene, provides a bidirectional security access authentication function for the terminal module and the access point, provides a transmission data encryption protection function, and provides a terminal authority access control function. The following will describe in detail.
Example 1
Referring to fig. 1, fig. 1 is a block diagram illustrating a security detection system according to an embodiment of the present invention. The security detection system described in fig. 1 ensures confidentiality and integrity of stored information and confidentiality of information transmitted with the electronic security identification module by means of a hybrid password, which is not limited in the embodiment of the present invention. As shown in fig. 1, the security detection system comprises a security detection module, a security identification module and an upper computer;
the safety detection module performs information interaction with the safety identification module and the upper computer;
as shown in fig. 2, the safety detection module includes: the device comprises a safety detection module password processing unit, a power supply unit, a bus isolation unit, a channel selection unit, a protocol conversion unit, a communication interface unit and an antenna unit;
the safety detection module password processing unit is in information interaction with the power supply unit, the antenna unit and the bus isolation unit; the bus isolation unit is in information interaction with the channel selection unit; the protocol conversion unit is in information interaction with the channel selection unit and the communication interface unit;
the safety detection module password processing unit is used for carrying out data management on the safety identification module;
the power supply unit is used for supplying power to the safety detection module password processing unit;
the bus isolation unit is used for protecting the safety detection module password processing unit and the channel selection unit;
the channel selection unit is used for selecting channels;
the protocol conversion unit is used for carrying out protocol conversion;
the communication interface unit comprises a CAN interface, an RJ45 Ethernet interface, an RS232 interface and a TTL interface and is used for signal conversion;
the safety identification module is an active RFID safety identification module and comprises an MCU central control unit, a microwave transceiver, a battery, a safety identification module password processing unit and an antenna.
Optionally, the security detection module password processing unit is used for performing data management on the security identification module to obtain encrypted data information;
the safety detection module password processing unit is used for sending the encrypted data information to the antenna unit through the radio frequency interface chip;
and the antenna unit is used for transmitting the encrypted data information.
Optionally, the security detection module cryptographic processing unit invokes the cryptographic algorithms and handles the communication interface unit, providing reliable communication for authentication between the security detection module and the security identification module.
Optionally, the antenna unit includes a radio frequency interface chip;
the safety detection module password processing unit comprises a safety chip;
the safety detection module is used for carrying out safety communication with an upper computer by utilizing the radio frequency interface chip and the safety chip;
optionally, the security chip of the security detection module cryptographic processing unit is an STMicroelectronics STM32F207ZG with an ARM Cortex-M3 core;
and the safety detection module password processing unit is used for carrying out SPI communication with the radio frequency interface chip.
The security detection module supports the following security elements:
a) Confidentiality of stored information
b) Integrity of stored information
c) Confidentiality of information transmitted with a security identification module
d) Resistance to repudiation of origin by the security identification module
e) Security detection module and security identification module bidirectional challenge response identity authentication
f) Access control
g) In addition, the security detection module should support confidentiality and integrity of transmission information with the upper computer (third party middleware), identity authentication, access control, anti-repudiation and other security elements.
Therefore, the technical scheme of the invention can be used for the security protection of the terminal of the Internet of things in a typical application scene, provides a bidirectional security access authentication function for the terminal module and the access point, provides a transmission data encryption protection function, and provides a terminal authority access control function. The invention ensures the confidentiality and the integrity of the stored information and the confidentiality of the information transmitted with the safety identification module in a mixed password mode.
Example two
Referring to fig. 3, fig. 3 is a schematic diagram of a security detection method according to an embodiment of the invention. The security detection method described in fig. 3 ensures confidentiality and integrity of stored information and confidentiality of information transmitted with the electronic security identification module by means of a hybrid password, which is not limited in the embodiment of the present invention. As shown in fig. 3, the security detection method includes:
S1, performing bidirectional authentication between a security detection module and an upper computer by using a first authentication model;
The specific steps of S1 are as follows. The SM1 symmetric cryptographic algorithm is used to realize bidirectional identity authentication between the security detection module and the upper computer. Before bidirectional authentication, the security detection module reads the UID of the upper computer and diversifies (disperses) the root key by using the UID (or other unique parameters) to obtain a diversified key K1 consistent with the personalized key stored by the upper computer.
(1) The security detection module sends an authentication instruction to the upper computer.
(2) After receiving the authentication instruction, the upper computer generates a random number RT (the random number length is half of the cipher algorithm block length) and sends the random number RT to the security detection module.
(3) The security detection module generates a random number RR (the random number length is half of the cipher algorithm block length), and RR and RT are encrypted with the personalized key K1 of the upper computer to obtain Token1 = Enc(RR||RT, K1); the security detection module sends Token1 to the electronic security identification module.
(4) The upper computer decrypts Token1 by using the personalized key K1 to obtain RR' and RT'. It compares RT' with RT; if RT' = RT, the upper computer sends RR' to the security detection module.
(5) The security detection module compares RR' and RR; if RR' = RR, the bidirectional authentication passes.
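The five S1 steps above, run end to end, as an added example that is not code from the patent. SM1 is not publicly specified, so a 4-round Feistel permutation built from HMAC-SHA256 stands in for Enc; the 16-byte block size, the `diversify` function and all class names are assumptions, and Token1 is delivered to the upper computer, the party that decrypts it in step (4).

```python
import hashlib
import hmac
import os
from typing import Optional

BLOCK = 16         # assumption: 128-bit block, so RR and RT are 8 bytes each
HALF = BLOCK // 2


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def prf(key: bytes, rnd: int, half: bytes) -> bytes:
    """Keyed round function for the stand-in cipher."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]


def enc_block(block: bytes, key: bytes) -> bytes:
    """Stand-in for Enc(., K1): a 4-round Feistel permutation (NOT SM1)."""
    if len(block) != BLOCK:
        raise ValueError("exactly one block expected")
    left, right = block[:HALF], block[HALF:]
    for rnd in range(4):
        left, right = right, xor(left, prf(key, rnd, right))
    return left + right


def dec_block(block: bytes, key: bytes) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        left, right = xor(right, prf(key, rnd, left)), left
    return left + right


def diversify(root_key: bytes, uid: bytes) -> bytes:
    """Assumed diversification: K1 depends on the root key and the UID."""
    return hmac.new(root_key, b"K1" + uid, hashlib.sha256).digest()[:BLOCK]


class UpperComputer:
    """Stores only its personalized key K1, never the root key."""

    def __init__(self, uid: bytes, k1: bytes):
        self.uid, self._k1, self._rt = uid, k1, None

    def challenge(self) -> bytes:                      # step (2)
        self._rt = os.urandom(HALF)
        return self._rt

    def respond(self, token1: bytes) -> Optional[bytes]:   # step (4)
        rt, self._rt = self._rt, None    # each RT is valid for one token only
        if rt is None or len(token1) != BLOCK:
            return None
        plain = dec_block(token1, self._k1)
        rr_p, rt_p = plain[:HALF], plain[HALF:]
        return rr_p if hmac.compare_digest(rt_p, rt) else None


class DetectionModule:
    """Holds the root key and re-derives K1 from the UID it reads."""

    def __init__(self, root_key: bytes):
        self._root, self._rr = root_key, None

    def make_token(self, uid: bytes, rt: bytes) -> bytes:   # step (3)
        if len(rt) != HALF:
            raise ValueError("RT must be half a block")
        self._rr = os.urandom(HALF)
        return enc_block(self._rr + rt, diversify(self._root, uid))

    def verify(self, rr_prime: Optional[bytes]) -> bool:    # step (5)
        rr, self._rr = self._rr, None
        return (rr is not None and rr_prime is not None
                and hmac.compare_digest(rr, rr_prime))


def run_s1(module: DetectionModule, host: UpperComputer) -> bool:
    rt = host.challenge()                      # steps (1)-(2)
    token1 = module.make_token(host.uid, rt)   # step (3)
    return module.verify(host.respond(token1)) # steps (4)-(5)


if __name__ == "__main__":
    root = bytes(range(16))                    # constructed sample key
    host = UpperComputer(b"HOST-0001", diversify(root, b"HOST-0001"))
    print(run_s1(DetectionModule(root), host))            # matching keys
    print(run_s1(DetectionModule(b"\xff" * 16), host))    # wrong root key
```

Because RR' returns in the clear, the exchange proves possession of K1 on both sides but does not by itself produce a key for protecting later traffic.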
S2, performing bidirectional authentication between the safety detection module and the safety identification module by using a second authentication model;
s3, after the bidirectional authentication is passed, the safety detection module and the safety identification module conduct data interaction;
the data interaction comprises checking, reading data and writing data;
The flow of checking the safety identification module by the safety detection module is as follows:
(1) The control main board sends out an inventory command through the serial port.
(2) The security detection module first sends a ready command continuously for a period of time to wake up the dormant security identification module.
(3) The security detection module sends out an access instruction, and a collection time slot is allocated to all the security identification modules in the communication range.
(4) The security detection module issues a collect command.
(5) The safety identification module responds to the collection command according to the assigned time slot and returns the ID of the safety identification module.
(6) The safety detection module returns the received ID of the safety identification module through the serial port.
(7) After judging that no new safety identification module exists, the safety detection module informs the main control board, through the serial port, of the checking of the safety identification module.
The flow by which the security detection module reads data from the security identification module is as follows:
(1) The main control board sends out a command for reading data through the serial port, specifying the ID of the security identification module, the ID of the file to be read, the address and the length.
(2) The security detection module first selects a file and, according to the security attribute of the file, performs bidirectional authentication with the security identification module.
(3) After the authentication is passed, the data is read between the safety detection module and the safety identification module through safety communication.
(4) The security detection module decrypts the data and returns the decrypted data to the main control board through the serial port.
The flow by which the security detection module writes data to the security identification module is as follows:
(1) The main control board sends out a command for writing data through the serial port, specifying the ID of the security identification module, the ID of the file to be written, the address, the length and the data content.
(2) The security detection module first selects a file and, according to the security attribute of the file, performs bidirectional authentication with the security identification module.
(3) After the authentication is passed, the safety detection module and the safety identification module read data through safety communication, and the safety detection module encrypts the data and sends the encrypted data to the safety identification module.
(4) The safety detection module returns the execution result of the write to the main control board.
S4, encrypting and managing the data read by the security detection module by using a symmetric key management model to obtain encrypted data information;
S5, the encrypted data information is sent to an antenna unit;
S6, the antenna unit is utilized to send out the encrypted data information.
Optionally, the symmetric key management model covers the four main processes of the key lifecycle: key generation, key distribution, key usage and key destruction.
The safety detection module is a read-write controller of the safety identification module, and consists of a safety chip, a radio frequency interface chip, a TCP/IP communication interface and the like, and the aim of safe and reliable information exchange with the safety identification module is fulfilled by a microwave wireless transmission means.
Optionally, the cryptographic algorithms that can be used are:
1) Symmetric cryptographic algorithms (e.g. the SM1, SM4 and SM7 algorithms), used for identity authentication, access control, confidentiality protection, integrity protection, key agreement and key distribution.
2) Asymmetric cryptographic algorithms (e.g. the SM2 algorithm), used for anti-repudiation, identity authentication, confidentiality protection, integrity protection, key agreement and key exchange.
3) Cryptographic hash functions (e.g. the SM3 algorithm), used for generating data digest information and carrying out integrity checks.
The communication between the safety identification module and the safety detection module is implemented with cryptographic security and must satisfy confidentiality of the transmitted information, integrity of the transmitted information, and identity authentication.
Confidentiality of the transmitted information means that key negotiation is performed with a block cipher algorithm before encrypted data transmission between the security detection module and the security identification module; integrity of the transmitted information means that an HMAC is used for integrity checking during communication between the two parties; the identity authentication may be a two-way authentication using the SM7 symmetric block cipher algorithm. HMAC, in full "Hash-based Message Authentication Code", is a message authentication algorithm based on a hash function and a key.
Optionally, an SM1 cryptographic algorithm can be adopted to realize bidirectional identity authentication between the security detection module and the upper computer; and encrypting the data by adopting an SM1 cryptographic algorithm and calculating a check value to realize confidentiality and integrity of information transmission between the security detection module and the upper computer.
The material transportation information in the security identification module is stored in files. After authentication, a security session is entered in which a file can be read and written. The security detection module encapsulates the file access process, and an external upper computer drives the security detection module through serial port communication to complete checking of the security identification module and operation of the security detection module. Fig. 4 is a general schematic block diagram of a process of checking a security identification module according to an embodiment of the present invention:
1) The main control board sends out an inventory command through the serial port;
2) The security detection module firstly continuously sends a ready instruction for a period of time to wake up the dormant security identification module;
3) The security detection module sends an access instruction to allocate a collection time slot for all security identification modules within a communication range;
4) The safety detection module sends out a collection command;
5) The safety identification module responds to the collection command according to the allocated time slot and returns the ID of the safety identification module;
6) The safety detection module returns the received ID of the safety identification module through the serial port;
7) After judging that no new safety identification module exists, the safety detection module informs the main control board of checking the safety identification module through the serial port.
FIG. 5 is a schematic block diagram of a security detection module read data flow disclosed in an embodiment of the present invention:
1) The main control board sends out a command for reading data through a serial port, and the ID of the security identification module, the ID of the read file, the address and the length are specified;
2) The security detection module firstly selects a file, and according to the security attribute of the file, the security detection module performs bidirectional authentication with the security identification module;
3) After passing the authentication, the safety detection module and the safety identification module read data through safety communication;
4) The security detection module decrypts the data and returns the decrypted data to the main control board through the serial port.
FIG. 6 is a schematic block diagram of a security detection module write data flow disclosed in an embodiment of the present invention:
1) The main control board sends a command of writing data through the serial port, and the ID of the security identification module, the written file ID, the address, the length and the data content are appointed;
2) The security detection module firstly selects a file, and according to the security attribute of the file, the security detection module performs bidirectional authentication with the security identification module;
3) After passing the authentication, the safety detection module reads data through safety communication with the safety identification module, and the safety detection module encrypts the data and sends the encrypted data to the safety identification module;
4) The safety detection module returns the written execution result to the main control board.
Fig. 7 is a schematic diagram of a security identification module according to an embodiment of the present invention. When the security identification module is initialized or issued, it stores the root public key Pu, the private key pr_t of the electronic security identification module, and the certificate cer_t issued with the root private key (where storage space permits).
The security probing module stores the root public key Pu, the private key pr_r of the security probing module, and the certificate cer_r issued with the root private key.
A cryptographic algorithm approved by the national cryptographic management department is selected for generating message digests and performing integrity verification.
Optionally, performing bidirectional authentication between the security detection module and the security identification module by using the second authentication model includes:
S21, carrying out entity authentication on the security identification module by utilizing the security detection module to obtain first entity authentication information;
S22, sending the first entity authentication information to the security detection module by utilizing the security identification module;
S23, processing the first entity authentication information by utilizing the security detection module to obtain second entity authentication information;
S24, sending the second entity authentication information to the security identification module by utilizing the security detection module;
S25, processing the second entity authentication information by utilizing the security identification module to obtain an entity authentication result, thereby realizing bidirectional authentication between the security detection module and the security identification module.
Optionally, performing entity authentication on the security identification module by using the security detection module to obtain first entity authentication information includes:
S211, the security detection module requests a first random number from the security detection module password processing unit;
S212, the security detection module password processing unit returns the first random number;
S213, the security detection module sends an authentication request and the first random number to the security identification module;
S214, the security identification module sends the first random number to the security identification module password processing unit;
S215, the security identification module password processing unit generates a second random number and an authentication request response;
the authentication request response is a 32-byte authentication request response MAC, MAC = E(RNr | rnsk, MIK, MEK), where MIK is an integrity check key and MEK is a message encryption key;
the second random number and the authentication request response constitute first entity authentication information.
Optionally, processing the first entity authentication information by using the security detection module to obtain second entity authentication information includes:
S231, the security detection module sends the first entity authentication information to the security detection module password processing unit;
S232, the security detection module password processing unit authenticates the first entity authentication information to obtain a first authentication result and a 32-bit message check code;
the first authentication result and the 32-bit message check code form second entity authentication information.
Optionally, processing the second entity authentication information by using the security identification module to obtain an entity authentication result, thereby implementing bidirectional authentication between the security detection module and the security identification module, includes:
S251, the security identification module sends the second entity authentication information to the security identification module password processing unit;
S252, the security identification module password processing unit processes the second entity authentication information to obtain an entity authentication result;
S253, the security identification module sends the entity authentication result to the security detection module to realize bidirectional authentication between the security detection module and the security identification module.
Optionally, encrypting and managing the data read by the security detection module by using the symmetric key management model to obtain encrypted data information includes:
S41, acquiring the safety parameters of the safety identification module by utilizing the safety detection module;
the security parameters of the security identification module comprise the security capability of the security identification module and a base key index;
S42, the security detection module derives a shared key PSK corresponding to the security identification module according to the acquired base key index and the base key stored by the security detection module;
S43, the security detection module and the security identification module derive an integrity check key and an encryption key according to the shared key PSK, and carry out integrity check and data encryption on the authentication code in the authentication process;
S44, after authentication is completed, the security detection module and the security identification module derive a session key according to the shared key PSK and RID, TID, RNr and RNt, and encrypt and manage the data read by the security detection module to obtain encrypted data information.
RID is an abbreviation for Request Identity, i.e. Request ID. TID is a globally unique code stored in an RFID tag; each RFID tag has its own unique UID/TID code.
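The following is an added sketch, not code from the patent, of the key hierarchy in steps S41 to S44 driving the two-way authentication in steps S21 to S25. HMAC-SHA256 stands in for the SM-series algorithms the patent names; the message layouts, the use of TID to diversify the base key, the direction labels inside each MAC, and all class and function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Stand-in primitive (assumption): the patent names SM-series algorithms;
# HMAC-SHA256 is used only because it ships with Python.
def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    # Length-prefix every field so (b"ab", b"c") and (b"a", b"bc") differ.
    body = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, label + b"\x00" + body, hashlib.sha256).digest()

def derive_psk(base_key: bytes, tid: bytes) -> bytes:
    # S42: per-module shared key. Diversifying by TID is an assumption.
    return prf(base_key, b"PSK", tid)

class Party:
    """Key material both ends hold once PSK is known (S43)."""
    def __init__(self, psk: bytes):
        self.psk = psk
        self.mik = prf(psk, b"MIK")  # integrity check key
        self.mek = prf(psk, b"MEK")  # message encryption key (derived, unused here)

    def session_key(self, rid, tid, rnr, rnt) -> bytes:
        # S44: bound to both identities and both random numbers.
        return prf(self.psk, b"SESSION", rid, tid, rnr, rnt)

class Tag(Party):
    """Security identification module."""
    def __init__(self, tid: bytes, base_key_index: int, psk: bytes):
        super().__init__(psk)
        self.tid, self.base_key_index = tid, base_key_index

    def answer(self, rid: bytes, rnr: bytes):
        # S214-S215: generate RNt and a MAC over the reader's challenge.
        self.rid, self.rnr, self.rnt = rid, rnr, secrets.token_bytes(16)
        return self.rnt, prf(self.mik, b"TAG", rid, self.tid, rnr, self.rnt)

    def check_reader(self, reader_mac: bytes):
        # S251-S253: verify the reader's proof, then derive the session key.
        want = prf(self.mik, b"READER", self.rid, self.tid, self.rnt, self.rnr)
        if not hmac.compare_digest(want, reader_mac):
            return None
        return self.session_key(self.rid, self.tid, self.rnr, self.rnt)

class Reader:
    """Security detection module holding indexed base keys."""
    def __init__(self, rid: bytes, base_keys: dict):
        self.rid, self.base_keys = rid, base_keys

    def challenge(self) -> bytes:
        # S211-S213: a fresh RNr for every attempt.
        self.rnr = secrets.token_bytes(16)
        return self.rnr

    def check_tag(self, tid, base_key_index, rnt, tag_mac):
        # S41-S42 (look up base key, derive PSK), then S231-S232.
        base = self.base_keys.get(base_key_index)
        if base is None:
            return None
        keys = Party(derive_psk(base, tid))
        want = prf(keys.mik, b"TAG", self.rid, tid, self.rnr, rnt)
        if not hmac.compare_digest(want, tag_mac):
            return None
        proof = prf(keys.mik, b"READER", self.rid, tid, rnt, self.rnr)
        return proof, keys.session_key(self.rid, tid, self.rnr, rnt)

def run_handshake(reader: Reader, tag: Tag):
    """Return (reader_session_key, tag_session_key), or None on failure."""
    rnr = reader.challenge()
    rnt, tag_mac = tag.answer(reader.rid, rnr)
    result = reader.check_tag(tag.tid, tag.base_key_index, rnt, tag_mac)
    if result is None:
        return None
    proof, reader_sk = result
    tag_sk = tag.check_reader(proof)
    return None if tag_sk is None else (reader_sk, tag_sk)

# Constructed sample data, not values from the patent.
BASE_KEYS = {1: bytes(range(16))}
READER = Reader(b"RID-0001", BASE_KEYS)
GOOD_TAG = Tag(b"TID-00A1", 1, derive_psk(BASE_KEYS[1], b"TID-00A1"))
CLONE = Tag(b"TID-00A1", 1, b"\x00" * 32)  # correct TID, wrong key
```

Because the reader's stored RNr is part of every MAC it checks, a response recorded under one challenge is rejected under the next, and a module that presents a valid TID without the matching PSK never reaches the session-key step.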
FIG. 8 is a schematic block diagram of symmetric key management of a security detection module disclosed in an embodiment of the present invention, where a key generation system completes the generation of a key and the dispersion of the key in a radio frequency identification system, and a key distribution system completes the distribution and injection of the key to a security identification module and a security detection module; the secret key is used in a security cipher device which comprises a security access module and a security identification module in a security detection module.
FIG. 9 is a schematic block diagram of a key usage and destruction flow disclosed in an embodiment of the present invention: the security detection module and the security identification module have self-destruction capability, and can self-destruct stored user area data and all security data.
Fig. 10 is a schematic block diagram of a two-way authentication flow specification disclosed in an embodiment of the present invention. The symmetric key management model comprises four main processes of key generation, key distribution, key use and key destruction of a key life cycle.
It should be noted that, the security detection module in the security detection system provided by the invention reserves rich interfaces, and is convenient to integrate with an external system.
Therefore, the technical scheme of the invention can be used for the security protection of the terminal of the Internet of things in a typical application scene, provides a bidirectional security access authentication function for the terminal module and the access point, provides a transmission data encryption protection function, and provides a terminal authority access control function. The invention ensures the confidentiality and the integrity of the stored information and the confidentiality of the information transmitted with the safety identification module in a mixed password mode.
The apparatus embodiments described above are merely illustrative, in which the modules illustrated as separate components may or may not be physically separate, and the components shown as modules may or may not be physical, i.e., may be located in one place, or may be distributed over multiple network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above detailed description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course by means of hardware. Based on such understanding, the foregoing technical solutions may be embodied essentially or in part in the form of a software product that may be stored in a computer-readable storage medium including Read-Only Memory (ROM), random-access Memory (Random Access Memory, RAM), programmable Read-Only Memory (Programmable Read-Only Memory, PROM), erasable programmable Read-Only Memory (Erasable Programmable Read Only Memory, EPROM), one-time programmable Read-Only Memory (OTPROM), electrically erasable programmable Read-Only Memory (EEPROM), compact disc Read-Only Memory (Compact Disc Read-Only Memory, CD-ROM) or other optical disc Memory, magnetic disc Memory, tape Memory, or any other medium that can be used for computer-readable carrying or storing data.
Finally, it should be noted that the security detection system and method disclosed in the embodiments of the present invention are only preferred embodiments of the present invention, intended only to illustrate the technical scheme of the present invention and not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical scheme recorded in the various embodiments can be modified, or part of the technical features in it can be replaced equivalently; such modifications and substitutions do not depart from the spirit and scope of the corresponding technical solutions.

Claims (9)

1. A security detection system, comprising: the system comprises a safety detection module, a safety identification module and an upper computer;
the safety detection module performs information interaction with the safety identification module and the upper computer;
the safety detection module comprises: the device comprises a safety detection module password processing unit, a power supply unit, a bus isolation unit, a channel selection unit, a protocol conversion unit, a communication interface unit and an antenna unit;
the safety detection module password processing unit is in information interaction with the power supply unit, the antenna unit and the bus isolation unit; the bus isolation unit is in information interaction with the channel selection unit; the protocol conversion unit is in information interaction with the channel selection unit and the communication interface unit;
the safety detection module password processing unit is used for carrying out data management on the safety identification module;
the power supply unit is used for supplying power to the safety detection module password processing unit;
the bus isolation unit is used for protecting the safety detection module password processing unit and the channel selection unit;
the channel selection unit is used for selecting channels;
the protocol conversion unit is used for carrying out protocol conversion;
the communication interface unit comprises a CAN interface, an RJ45 Ethernet interface, an RS232 interface and a TTL interface and is used for signal conversion;
the safety identification module is an active RFID safety identification module and comprises an MCU central control unit, a microwave transceiver, a battery, a safety identification module password processing unit and an antenna.
2. The security detection system according to claim 1, wherein the security detection module cryptographic processing unit is configured to perform data management on the security identification module to obtain encrypted data information;
the safety detection module password processing unit is used for sending the encrypted data information to an antenna unit;
and the antenna unit is used for transmitting the encrypted data information.
3. The security detection system of claim 1 wherein the antenna unit comprises a radio frequency interface chip;
the safety detection module password processing unit comprises a safety chip;
the safety detection module is used for carrying out safety communication with an upper computer by utilizing the radio frequency interface chip and the safety chip;
and the safety detection module password processing unit is used for carrying out SPI communication with the radio frequency interface chip.
4. A security detection method applied to the security detection system of claims 1 to 3, the method comprising:
S1, performing bidirectional authentication between a security detection module and an upper computer by using a first authentication model;
S2, performing bidirectional authentication between the safety detection module and the safety identification module by using a second authentication model;
S3, after the bidirectional authentication is passed, the safety detection module and the safety identification module conduct data interaction;
the data interaction comprises checking, reading data and writing data;
S4, encrypting and managing the data read by the security detection module by using a symmetric key management model to obtain encrypted data information;
S5, the encrypted data information is sent to an antenna unit;
and S6, the antenna unit is utilized to send out the encrypted data information.
5. The method of claim 4, wherein using the second authentication model to perform bidirectional authentication between the security detection module and the security identification module comprises:
S21, carrying out entity authentication on the security identification module by utilizing the security detection module to obtain first entity authentication information;
S22, sending the first entity authentication information to the security detection module by utilizing the security identification module;
S23, processing the first entity authentication information by utilizing the security detection module to obtain second entity authentication information;
S24, the second entity authentication information is sent to the security identification module by utilizing the security detection module;
S25, processing the second entity authentication information by utilizing the security identification module to obtain an entity authentication result, and realizing bidirectional authentication between the security detection module and the security identification module.
6. The method of claim 5, wherein performing entity authentication on the security identification module by using the security detection module to obtain the first entity authentication information includes:
S211, applying a first random number to a password processing unit of the security detection module by using the security detection module;
S212, the security detection module password processing unit returns the first random number;
S213, the security detection module sends an authentication request and the first random number to the security identification module;
S214, the security identification module sends the first random number to the security identification module password processing unit;
S215, the security identification module password processing unit generates a second random number and an authentication request response;
the second random number and the authentication request response constitute first entity authentication information.
7. The method of claim 5, wherein the processing the first entity authentication information with the security detection module to obtain second entity authentication information comprises:
S231, the security detection module sends the first entity authentication information to the security detection module password processing unit;
S232, the security detection module password processing unit authenticates the first entity authentication information to obtain a first authentication result and a 32-bit message check code;
the first authentication result and the 32-bit message check code form second entity authentication information.
8. The method of claim 5, wherein the processing the second entity authentication information by using the security identification module to obtain an entity authentication result, implementing bidirectional authentication between the security detection module and the security identification module, includes:
S251, the second entity authentication information is sent to the password processing unit of the security identification module by utilizing the security identification module;
S252, the security identification module password processing unit processes the second entity authentication information to obtain an entity authentication result;
S253, the security identification module sends the entity authentication result to the security detection module to realize bidirectional authentication between the security detection module and the security identification module.
9. The method of claim 4, wherein encrypting the data read by the security detection module using the symmetric key management model to obtain encrypted data information comprises:
S41, acquiring the safety parameters of the safety identification module by utilizing the safety detection module;
the security parameters of the security identification module comprise the security capability of the security identification module and a base key index;
S42, the security detection module derives a shared key PSK corresponding to the security identification module according to the acquired base key index and the base key stored by the security detection module;
S43, the security detection module and the security identification module derive an integrity check key and an encryption key according to the shared key PSK, and carry out integrity check and data encryption on the authentication code in the authentication process;
and S44, after authentication is completed, the security detection module and the security identification module derive a session key according to the shared key PSK and RID, TID, RNr and RNt, and encrypt and manage the data read by the security detection module to obtain encrypted data information.
CN202311707757.XA 2023-12-12 2023-12-12 Safety detection system and method Active CN117729007B (en)

Publications (2)

Publication Number Publication Date
CN117729007A true CN117729007A (en) 2024-03-19
CN117729007B CN117729007B (en) 2024-05-07

Family

ID=90209994

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant