CN1842991A - Device authentication system - Google Patents
Device authentication system Download PDFInfo
- Publication number
- CN1842991A CN1842991A CN 200480024612 CN200480024612A CN1842991A CN 1842991 A CN1842991 A CN 1842991A CN 200480024612 CN200480024612 CN 200480024612 CN 200480024612 A CN200480024612 A CN 200480024612A CN 1842991 A CN1842991 A CN 1842991A
- Authority
- CN
- China
- Prior art keywords
- information
- device authentication
- server
- session key
- terminal equipment
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Landscapes
- Computer And Data Communications (AREA)
Abstract
There is provided a device authentication system capable of effectively authenticating devices by using a common key method. When a CE device requests for service provision from a service server, the service server requests the CE device to perform a device authentication in the device authentication server. Upon reception of this request, the CE device requests the device authentication server to perform a device authentication and transmits the device authentication result to the service server. The service server receives the device authentication result from the CE device and if the device authentication server has confirmed that this is the one performed by the device authentication server, the service server starts service provision. The CE device and the device authentication server share a pass phrase. The CE device and the device authentication server mutually perform authentication by checking whether the partner has the pass phrase.
Description
Technical field
The present invention relates to device authentication system, relate in particular to, improve the device authentication system of device authentication efficient by using shared key mode to carry out device authentication.
Background technology
In recent years, popularizing constantly of CE (Consumer Electronics) equipment (consumer-elcetronics devices) enlarges.CE equipment for example is meant that household appliances such as audio-visual equipment such as video tape deck, stero set device, television set or electric rice cooker, refrigerator and other are made in electronic equipment built-in computer and can be utilized with the network is the device of the business of intermediary.
There is the miscellaneous service server on the network, the business that CE equipment can utilize these service servers to provide.
For example, when CE equipment was audio-visual equipment such as video tape deck, stero set device, television set, service server can send content to these CE equipment.
Also propose to constitute CE equipment, also analyze from the detected signal of user's stool and urine, with the service server of checking user health status by the chamber pot of built-in sensors.
Like this, the kind of CE equipment relates to many-side, also exists for these CE equipment professional miscellaneous service server is provided.
When service server provides business, whether legal in order to confirm CE equipment, often require to do device authentication.
The id information (device id) that this CE equipment of CE device storage is intrinsic and carry out the security information that device authentication uses (current phrase) is provided with on network with these information and judges whether legitimate device certificate server of CE equipment.
When CE equipment is received the device authentication request from service server,, and its result sent to service server to device authentication server requests device authentication.
Service server is after the device authentication server confirms that this device authentication result is legal, and beginning provides professional to CE equipment.
When carrying out device authentication, device authentication server and CE equipment generally carry out information exchange with the asymmetric key that a pair of open key and secret key are formed.
The device of confirming with open key has the mutual authenticate device of following user (No. 3278612 communique of Japan Patent).
In this invention, when client computer is done initial the connection to server, open key by mutual use opposite end, random number and shared key information encryption with authentication usefulness, and exchange mutually, authenticate mutually, also in communication thereafter, decide through consultation the random number and the shared key that use which kind of authentication usefulness simultaneously by both party.And, the random number and the shared key of the described authentication usefulness of storage in the memory cell of client-server side.
During being connected between the 2nd time and subsequent same client computer and the server, with described shared key with described authentication of storing with random number encryption after, exchange, thus authentication same pair of end whether mutually.
Yet, the device authentication mode of open key of use and secret key, all there are the big problem of amount of calculation in its equipment and device authentication server.Especially device authentication server, owing to carry out the device authentication of a plurality of equipment, computational load is concentrated.
Become, when existing the secret key of device authentication server to leak, may influence the problem of the equipment that uses the open key corresponding with this secret key.
Therefore, the object of the present invention is to provide a kind of by using shared key mode can effectively carry out device authentication system of device authentication etc.
Summary of the invention
In order to achieve the above object, the invention provides a kind of device authentication system, terminal equipment with security information of store predetermined, store described security information and described terminal equipment is carried out the device authentication server of device authentication, and provide professional service server to the described terminal equipment that carries out device authentication at described device authentication server, described device authentication server can be encrypted the server intrinsic information that itself produces with described security information in described terminal equipment by affirmation, described terminal equipment is made device authentication, after described terminal equipment is encrypted the terminal intrinsic information that itself produces with described security information, by confirming that described device authentication server can authenticate the terminal intrinsic information deciphering of described encryption to described device authentication server; After carrying out described authentication, described terminal equipment and described device authentication server are encrypted the session key that the either party among both produces with described security information, and this key is sent to the opposite end, thus shared session key; Described device authentication server sends it to described terminal equipment after with described session key proof having been authenticated the permit encryption for information of described terminal equipment; Described terminal equipment by with described session key with the proof decrypts information that described device authentication server sends, obtain this information, and send it to described service server; The proof information that described service server sends described terminal equipment sends to described device authentication server, and confirms that at described device authentication server described proof information is correct (the 1st forms).
The 1st forms, can constitute proof information that described service server confirms that in described device authentication server described terminal equipment sends correct after, provide professional (the 2nd composition) to described terminal equipment.
The 1st forms, can constitute described proof information comprise described device authentication server stipulate described terminal equipment device authentication result provisioning information and with the encryption provisioning information of the intrinsic server key of described device authentication server to described provisioning information encryption; After described device authentication server is deciphered the encryption provisioning information that comprises the proof information of receiving from described service server with described server key, obtain this information, and whether identical by the provisioning information that comprises in the proof information of judging the described provisioning information of obtaining and described reception, confirm that described proof information is correct (the 3rd forms).
The 1st forms, can constitute the 2nd session key encryption that described terminal equipment and described device authentication server produce either party among both with described security information after, send it to the opposite end, thus also shared the 2nd session key; Described the 2nd session key of described device authentication server by utilizing, the described proof information of step conversion does not change the detection information that described proof information is used midway thereby produce to detect in communication, and sends it to described terminal equipment in accordance with regulations; Described terminal equipment with described the 2nd session key by the described proof information that obtains of described regulation step conversion, produce detection information, and the homogeny of the detection information by judging described generation and the detection information of receiving from described device authentication server, confirm that the proof information of described reception does not change (the 4th forms).
Again, the invention provides a kind of device authentication server, be used for device authentication system, this system has the terminal equipment of the security information of store predetermined, store described security information and described terminal equipment is carried out the device authentication server of device authentication, and provide professional service server to the described terminal equipment that carries out device authentication at described device authentication server, have from the request of described terminal equipment receiving equipment authentication request and accept the unit, the terminal equipment of accepting described request is sent to the server intrinsic information that itself produces the server intrinsic information transmitting element of described terminal equipment, receive with the encryption server intrinsic information receiving element of described security information from described terminal equipment the encryption server intrinsic information of described server intrinsic information encryption, according to the device authentication unit that the encryption server intrinsic information deciphering of described reception can be carried out device authentication with described secret key to described terminal equipment, receiving the session key of encrypting with described security information from described terminal equipment also passes through with described security information with the session key deciphering of described reception or by producing session key, and after encrypting with described secret key the session key of described encryption is sent to described terminal equipment and obtains session key and the session key acquiring unit shared with described terminal equipment, to prove that with the described session key that obtains described device authentication unit made to send to behind the permit encryption for information of device authentication the proof information transmitting unit of described terminal equipment to described terminal equipment, and the proof information receiving unit (the 5th forms) that receives described proof information from the described service server of obtaining described proof information by described terminal equipment.
The 5th forms, and can constitute also to have to confirm that described proof information that described service server sends is affirmation correct and that confirmed affirmation result is sent to described service server transmitting element (the 6th forms) as a result.
The 5th forms, and can constitute to have from described terminal equipment to receive that described terminal equipment produces and the terminal intrinsic information receiving element of the terminal intrinsic information encrypted with security information and by the terminal intrinsic information deciphering of described reception being obtained the terminal intrinsic information transmitting element (the 7th composition) that the described terminal intrinsic information of obtaining is sent to after this information described terminal equipment with described security information.
In the 6th composition, can constitute the provisioning information that described proof information comprises the device authentication result of stipulating described terminal equipment, and obtain encrypting provisioning information after with intrinsic server key described provisioning information being encrypted, encryption provisioning information decrypting device with the encryption provisioning information deciphering that will from the proof information that described service server is received, comprise with described server key, judge the judging unit that the provisioning information that comprises in the proof information of provisioning information and described reception after the described deciphering is whether identical, and with the device authentication result of the provisioning information specified devices authentication result after described judgement regulation unit, and described affirmation as a result transmitting element send the device authentication result of stipulating in the described device authentication result regulation unit (the 8th forms).
In the 5th composition, can constitute have from described terminal equipment receive the 2nd session key of encrypting with described security information and by with described security information with described the 2nd session key deciphering of described reception or pass through generation the 2nd session key, and after encrypting with described secret key the 2nd session key of described encryption is sent to described terminal equipment and obtains described the 2nd session key and the 2nd session key acquiring unit shared with described terminal equipment, and by with the 2nd session key that obtains in accordance with regulations the described proof information of step conversion produce and detect the detection information generation unit that does not change the detection information that described proof information uses in communication midway, and described proof information transmitting unit sends to terminal equipment (the 9th forms) with the detection information that described detection information generation unit produces together with proof information.
In the 5th composition, can constitute the security information regulation unit that the device id of the device id receiving element of the terminal equipment receiving equipment ID that has corresponding stored unit that the security information of the device id of described terminal equipment and the storage of this terminal equipment store accordingly, obtains accepting from described request and the described reception of retrieval described corresponding stored unit and regulation and described device id have the security information of corresponding relation, described server intrinsic information is encrypted (the 10th composition) with the security information of described regulation in described device authentication unit.
Again, the invention provides a kind of terminal equipment, be used for device authentication system, this system has the terminal equipment of the security information of store predetermined, store described security information and described terminal equipment is carried out the device authentication server of device authentication, and provide professional service server to the described terminal equipment that carries out device authentication at described device authentication server, have request unit to described device authentication server requests device authentication, after encrypting, the server intrinsic information that described device authentication server is sent according to described request with described security information sends to the encryption server intrinsic information transmitting element of described device authentication server, receiving the session key of encrypting with described security information from described device authentication server also passes through with described security information with the session key deciphering of described reception or by producing session key, and after encrypting with described secret key the session key of described encryption is sent to described device authentication server and obtains session key and the session key acquiring unit shared with the device authentication server, receiving proof from described device authentication server encrypts with described session key, and obtain the proof information receiving unit of the proof information of device authentication at described device authentication server, and with the proof information transmitting unit that sends to described service server after the proof decrypts information of described session key with described reception (the 11st form).
The 11st forms, can constitute have produce the terminal intrinsic information, and encrypt with described security information after send it to the terminal intrinsic information transmitting element of described device authentication server and by confirming that described device authentication server is with the server authentication unit (the 12nd composition) of the described device authentication server of terminal intrinsic information decrypted authentication of described transmission.
In the 11st composition, can constitute from described device authentication server receive the 2nd session key of encrypting with described security information and by with described security information with described the 2nd session key deciphering of described reception or pass through generation the 2nd session key, and after encrypting with described secret key the 2nd session key of described encryption is sent to described terminal equipment and obtains described the 2nd session key and the 2nd session key acquiring unit shared with described device authentication server, utilize the 2nd session key in accordance with regulations after the described proof information of step conversion, be used to detect the detection information receiving unit that does not change the detection information of described proof information in communication midway from described device authentication server reception, by with the 2nd session key that the obtains described proof information that receives of step conversion in accordance with regulations, produce the detection information generation unit of detection information, and the homogeny of the detection information by judging described generation and the detection information of described reception, confirm not change the affirmation unit (the 13rd composition) of the proof information of described reception.
Again, the invention provides a kind of equipment authentication method, be used for device authentication system, the terminal equipment of the security information of the jy1 of this system store predetermined, store described security information and described terminal equipment is carried out the device authentication server of device authentication, and provide professional service server to the described terminal equipment that carries out device authentication at described device authentication server, described device authentication server has request and accepts the unit, server intrinsic information transmitting element, encrypt the intrinsic information receiving element, the device authentication unit, the session key acquiring unit, the proof information transmitting unit, and the proof information receiving unit, described method comprises following steps: accept the unit by described request and accept step from the request of described terminal equipment receiving equipment authentication request, the terminal equipment of accepting described request is sent to the server intrinsic information that itself produces the server intrinsic information forwarding step of described terminal equipment by described server intrinsic information transmitting element, receive with the encryption server intrinsic information receiving step of described security information from described terminal equipment by described encryption server intrinsic information receiving element the encryption server intrinsic information of described server intrinsic information encryption, by described device authentication unit according to the device authentication step that the deciphering of the encryption server intrinsic information of described reception can be carried out device authentication with described secret key to described terminal equipment, receiving the session key of encrypting with described security information by described session key acquiring unit from described terminal equipment also passes through with described security information with the session key deciphering of described reception or by producing session key, and after encrypting with described secret key the session key of described encryption is sent to described terminal equipment and obtains session key and the session key obtaining step shared with described terminal equipment, to prove that with the described session key that obtains described device authentication unit made to send to behind the permit encryption for information of device authentication the proof information forwarding step of described terminal equipment to described terminal equipment by described proof information transmitting unit, and the proof information receiving step (the 14th forms) that receives described proof information by described proof information receiving unit from the described service server of obtaining described proof information by described terminal equipment.
In the 14th composition, can constitute also have confirm transmitting element as a result, described method have by described affirmation as a result transmitting element confirm affirmation that described proof information sends to described service server with the affirmation result of described affirmation after correct forwarding step (the 15th forms) as a result.
In the 14th composition, can constitute described device authentication server and have terminal intrinsic information receiving element, and terminal intrinsic information transmitting element, described method has following steps: receive described terminal equipment by described terminal intrinsic information receiving element from described terminal equipment and produce, and the terminal intrinsic information receiving step of the terminal intrinsic information of encrypting with described security information, and by described terminal intrinsic information transmitting element by with described security information the terminal intrinsic information deciphering of described reception being obtained this information and the terminal intrinsic information of obtaining being sent to the terminal intrinsic information forwarding step (the 16th forms) of described terminal equipment.
In the 15th composition, can constitute described device authentication server and have the provisioning information of encryption decrypting device, judging unit and device authentication result regulation unit, the part of described proof information comprise the provisioning information of the device authentication result of stipulating described terminal equipment and with intrinsic server key described provisioning information is encrypted after the encryption provisioning information that obtains, and described method has the encryption provisioning information decryption step of the encryption provisioning information deciphering that will be comprised with described server key by described encryption provisioning information decrypting device from the proof information that described service server is received, the determining step whether provisioning information that comprises in the proof information by the provisioning information of the described deciphering of described judgment unit judges and described reception is identical, and by the device authentication result regulation step of the provisioning information specified devices authentication result of described device authentication result regulation unit after with described judgement, wherein described affirmation as a result forwarding step send the device authentication result (the 17th composition) of described device authentication result regulation step regulation.
In the 14th composition, can constitute described device authentication server and have the 2nd session key acquiring unit, and the information of detection generation unit, described method has following steps: receive the 2nd session key of encrypting with described security information by described the 2nd session key acquiring unit from described terminal equipment and also pass through with described security information with the 2nd session key deciphering of described reception or by producing the 2nd session key, and after encrypting with described secret key the 2nd session key of described encryption sent to described terminal equipment and obtain described the 2nd session key and with the 2nd session key obtaining step of shared the 2nd session key of described terminal equipment, and by described detection information generation unit by with described the 2nd session key that obtains in accordance with regulations the described proof information of step conversion produce and detect the detection information that communication do not change the detection information that described proof information uses midway and produce step, wherein described detection information is produced the detection information that produces in the step and sends to described terminal equipment (the 18th forms) together with described proof information at described proof information forwarding step.
In the 14th composition, can constitute described device authentication server and have the corresponding stored unit that the security information of the device id of described terminal equipment and the storage of this terminal equipment is stored accordingly, the device id receiving element, and security information regulation unit, and described method has the device id receiving step of the terminal equipment receiving equipment ID that is obtained accepting from described request by described device id receiving element, and having the security information regulation step step of the security information of corresponding relation with described device id by described reception is retrieved in described security information regulation unit in described corresponding stored unit device id and regulation, wherein said device authentication step is encrypted described server intrinsic information (the 19th composition) with the security information of described regulation.
The present invention also provides a kind of equipment authentication method, be used for device authentication system, this system has the terminal equipment of the security information of store predetermined, store described security information and described terminal equipment is carried out the device authentication server of device authentication, and provide professional service server to the described terminal equipment that carries out device authentication at described device authentication server, described terminal equipment has request unit, encryption server intrinsic information transmitting element, the session key acquiring unit, proof information receiving unit and proof information transmitting unit, described method has following steps: by the request step of described request unit to described device authentication server requests device authentication, after encrypting, the server intrinsic information that with described security information described device authentication server is sent according to described request by described encryption server intrinsic information transmitting element sends to the encryption server intrinsic information forwarding step of described device authentication server, receiving the session key of encrypting with described security information by described session key acquiring unit from described device authentication server also passes through with described security information with the session key deciphering of described reception or by producing session key, and after encrypting with described secret key the session key of described encryption is sent to described device authentication server and obtains session key and the session key obtaining step shared with the device authentication server, receiving proof by described proof information receiving unit from described device authentication server encrypts with described session key, and obtain the proof information receiving step of the proof information of device authentication at described device authentication server, and the proof information forwarding step (the 20th forms) that sends to described service server by described proof information transmitting unit after with the proof decrypts information of described session key with described reception.
In the 20th composition, can constitute described terminal equipment and have terminal intrinsic information transmitting element and server authentication unit, described method has following steps: by described terminal intrinsic information transmitting element produce the terminal intrinsic information, and encrypt with described security information after send it to the terminal intrinsic information forwarding step of described device authentication server and by described server authentication unit by the described device authentication server of affirmation with the server authentication step (the 21st forms) of the described device authentication server of terminal intrinsic information decrypted authentication of described transmission.
In the 20th composition, can constitute described terminal equipment and have the 2nd session key acquiring unit, detect information receiving unit, detection information generation unit, and confirmation unit, described method has following steps: receive the 2nd session key of encrypting with described security information by described the 2nd session key acquiring unit from described device authentication server and also pass through with described security information with described the 2nd session key deciphering of described reception or by producing the 2nd session key, and after encrypting with described secret key the 2nd session key of described encryption is sent to described device authentication server and obtains described the 2nd session key and the 2nd session key obtaining step shared with described device authentication server, utilize the 2nd session key in accordance with regulations after the described proof information of step conversion, receive from described certificate server by described detection information receiving unit and be used to detect the detection message pick-up step that does not change the detection information of described proof information in communication midway, by described detection information generation unit by with the 2nd session key that obtains in accordance with regulations the described proof information that receives of the step conversion detection information that produces detection information produce step, and by the detection information of described confirmation unit by judging described generation and the affirmation step (the 22nd forms) of the homogeny of the detection information of the described reception proof information of confirming not change described reception.
Again, the invention provides a kind of device authentication program, be used to make the device authentication server running that constitutes by computer, this device authentication server is used for device authentication system, this system has the terminal equipment of the security information of store predetermined, store described security information and described terminal equipment is carried out the device authentication server of device authentication, and provide professional service server to the described terminal equipment that carries out device authentication at described device authentication server, with the following function of computer realization: accept function from the request of described terminal equipment receiving equipment authentication request, the terminal equipment of accepting described request is sent to the server intrinsic information that itself produces the server intrinsic information sending function of described terminal equipment, receive with the encryption server intrinsic information receiving function of described security information from described terminal equipment the encryption server intrinsic information of described server intrinsic information encryption, according to the device authentication function that the encryption server intrinsic information deciphering of described reception can be carried out device authentication with described secret key to described terminal equipment, receiving the session key of encrypting with described security information from described terminal equipment also passes through with described security information with the session key deciphering of described reception or by producing session key, and after encrypting with described secret key the session key of described encryption sent to described terminal equipment and obtain session key and obtain function with the shared session key of described terminal equipment, to prove in the described device authentication function the proof message sending function of described terminal equipment being made to send to behind the permit encryption for information of device authentication described terminal equipment with the described session key that obtains, and the proof information receiving function (the 23rd forms) that receives described proof information from the described service server of obtaining described proof information by described terminal equipment.
The 23rd forms, and can constitute with computer realization and confirm that described proof information is affirmation correct and that the affirmation result after the described affirmation is sent to described service server sending function (the 24th forms) as a result.
The 23rd forms, and can constitute with the following function of computer realization: receive from described terminal equipment that described terminal equipment produces, and the terminal intrinsic information receiving function of the terminal intrinsic information encrypted with described security information and by with described security information the terminal intrinsic information deciphering of described reception being obtained this information, also the described terminal intrinsic information of obtaining sent to the terminal intrinsic information sending function (the 25th composition) of described terminal equipment.
In the 24th composition, can constitute the provisioning information that described proof information comprises the device authentication result of stipulating described terminal equipment, and the encryption provisioning information that obtains after with intrinsic server key described provisioning information being encrypted, described program also realizes following function: the encryption provisioning information decipher function of the encryption provisioning information deciphering that will comprise from the proof information that described service server is received with described server key, the arbitration functions whether provisioning information that comprises in the provisioning information of judging described deciphering and the proof information of described reception is identical, and with the device authentication result predetermined function of the provisioning information specified devices authentication result of described judgement, and described affirmation as a result sending function send the device authentication result of stipulating in the described device authentication result predetermined function (the 26th forms).
In the 23rd composition, can constitute and realize that also receiving the 2nd session key of encrypting with described security information from described terminal equipment also passes through with described security information with the 2nd session key deciphering of described reception or by producing the 2nd session key, and after encrypting with described secret key the 2nd session key of described encryption is sent to described terminal equipment, obtain described the 2nd session key and obtain function with the 2nd session key of shared the 2nd session key of described terminal equipment, and by with described the 2nd session key that obtains in accordance with regulations the described proof information of step conversion produce and detect the detection information that communication do not change the detection information that described proof information uses midway and produce function, and described proof message sending function produces described detection information the detection information that produces in the function and sends to described terminal equipment (the 27th forms) together with described proof information.
In the 23rd composition, can constitute and also realize following function: the device id receiving function of the corresponding stored function that the security information of the device id of described terminal equipment and the storage of this terminal equipment store accordingly, the terminal equipment receiving equipment ID that obtains accepting from described request and retrieve the security information predetermined function that the device id of described reception and regulation and described device id have the security information of corresponding relation with described corresponding stored function, and described device authentication function is encrypted described server intrinsic information (the 28th composition) with the security information of described regulation.
The present invention also provides a kind of device authentication program, be used to make the terminal equipment running that constitutes by computer, this terminal equipment is used for device authentication system, this system has the terminal equipment of the security information of store predetermined, store described security information and described terminal equipment is carried out the device authentication server of device authentication, and provide professional service server to the described terminal equipment that carries out device authentication at described device authentication server, with the following function of computer realization: to the request function of described device authentication server requests device authentication, after encrypting, the server intrinsic information that described device authentication server is sent according to described request with described security information sends to the encryption server intrinsic information sending function of described device authentication server, receiving the session key of encrypting with described security information from described device authentication server also passes through with described security information with the session key deciphering of described reception or by producing session key, and after encrypting with described secret key the session key of described encryption sent to described device authentication server and obtain session key and obtain function with the shared session key of device authentication server, receive proof encrypted and obtained at described device authentication server the proof information of device authentication with described session key proof information receiving function from described device authentication server, and with the proof message sending function that sends to described service server after the proof decrypts information of described session key with described reception (the 29th form).
The 29th forms, and can constitute and also realize following function: produce the terminal intrinsic information, and encrypt with described security information after send it to the terminal intrinsic information sending function of described device authentication server and by confirming that described device authentication server is with the server authentication function (the 30th composition) of the described device authentication server of terminal intrinsic information decrypted authentication of described transmission.
In the 29th composition, can constitute and also realize following function: receive the 2nd session key of encrypting from described device authentication server and also pass through with described security information with described the 2nd session key deciphering of described reception or by producing the 2nd session key with described security information, and after encrypting with described secret key the 2nd session key of described encryption is sent to described device authentication server, obtain described the 2nd session key and obtain function with shared the 2nd session key of described device authentication server, utilize the 2nd session key in accordance with regulations after the described proof information of step conversion, be used to detect the detection message pick-up function that does not change the detection information of described proof information in communication midway from described certificate server reception, by with the 2nd session key that the obtains described proof information that receives of step conversion in accordance with regulations, generation detects described proof information and produces function in the detection information that communication does not change the detection information of usefulness midway, and the detection information by judging described generation and the homogeny of the detection information of described reception confirm not change the affirmation function (the 31st composition) of the proof information of described reception.
Again, the invention provides a kind of recording medium, this media computer can read, storage is used to make the device authentication program of the device authentication server running that is made of computer, this device authentication server is used for device authentication system, this system has the terminal equipment of the security information of store predetermined, store described security information and described terminal equipment is carried out the device authentication server of device authentication, and providing professional service server to the described terminal equipment that carries out device authentication at described device authentication server, the device authentication program of storage is with the following function of computer realization: accept function from the request of described terminal equipment receiving equipment authentication request, the terminal equipment of accepting described request is sent to the server intrinsic information that itself produces the server intrinsic information sending function of described terminal equipment, receive with the encryption server intrinsic information receiving function of described security information from described terminal equipment the encryption server intrinsic information of described server intrinsic information encryption, according to the device authentication function that the encryption server intrinsic information deciphering of described reception can be carried out device authentication with described secret key to described terminal equipment, receiving the session key of encrypting with described security information from described terminal equipment also passes through with described security information with the session key deciphering of described reception or by producing session key, and after encrypting with described secret key the session key of described encryption sent to described terminal equipment and obtain session key and obtain function with the shared session key of described terminal equipment, to prove in the described device authentication function the proof message sending function of described terminal equipment being made to send to behind the permit encryption for information of device authentication described terminal equipment with the described session key that obtains, and the proof information receiving function (the 32nd forms) that receives described proof information from the described service server of obtaining described proof information by described terminal equipment.
The present invention also provides a kind of recording medium, this media computer can read, and storage is used to make the device authentication program of the terminal equipment running that is made of computer, this terminal equipment is used for device authentication system, this system has the terminal equipment of the security information of store predetermined, store described security information and described terminal equipment is carried out the device authentication server of device authentication, and providing professional service server to the described terminal equipment that carries out device authentication at described device authentication server, the device authentication program of storage is with the following function of computer realization: to the request function of described device authentication server requests device authentication, after encrypting, the server intrinsic information that described device authentication server is sent according to described request with described security information sends to the encryption server intrinsic information sending function of described device authentication server, receiving the session key of encrypting with described security information from described device authentication server also passes through with described security information with the session key deciphering of described reception or by producing session key, and after encrypting with described secret key the session key of described encryption sent to described device authentication server and obtain session key and obtain function with the shared session key of device authentication server, receive proof encrypted and obtained at described device authentication server the proof information of device authentication with described session key proof information receiving function from described device authentication server, and with the proof message sending function that sends to described service server after the proof decrypts information of described session key with described reception (the 33rd form).
Utilize shared key can carry out device authentication effectively.
Description of drawings
Fig. 1 is the figure of composition that the device authentication system of present embodiment schematically is shown.
Fig. 2 is the flow chart that step that conceptual illustration CE equipment and device authentication server authenticate is mutually used.
To be explanation begin the flow chart used to the step that provides till the business from carrying out device authentication to Fig. 3.
Fig. 4 is that devices illustrated certificate server and CE equipment carry out the flow chart that the step of device authentication process is used.
Fig. 5 is that the explanation service server is confirmed the flow chart that device authentication result is used with the device authentication server.
Fig. 6 is the figure of composition that the hardware aspect of a routine CE equipment is shown.
Fig. 7 is the flow chart that the device authentication step of explanation variation is used.
Fig. 8 is the flow chart that the session key allocation step of explanation variation 2 is used.
Fig. 9 is the figure of composition that the device authentication system of variation 3 schematically is shown.
Figure 10 is the flow chart that service server provides the step of license to use to CE equipment in the explanation variation 3.
Figure 11 is the flow chart that the step that authenticates mutually of CE equipment is used in the explanation variation 3.
Figure 12 is the flow chart that another step of authenticating mutually of CE equipment is used in the explanation variation 3.
Embodiment
(execution mode general introduction)
The device authentication system of present embodiment is by CE equipment, provide professional service server and the device authentication server that CE equipment carries out device authentication is formed CE equipment.
When CE device request service server provided business, service server request CE equipment was made device authentication at the device authentication server.
When receiving this request, CE device request device authentication server carries out device authentication, and device authentication result is sent to service server.
The device authentication server is from CE equipment receiving equipment authentication result, and confirms that at the device authentication server this is after the device authentication server carries out result that device authentication crosses, to begin to provide professional really.
The shared current phrase of CE equipment and device authentication server.CE equipment and device authentication server are confirmed mutually by confirming the current phrase of opposite end storage respectively.
After random number is encrypted with the phrase that passes through, send to the opposite end, and after confirming that the breath deciphering of collecting mail is docked with current phrase in the opposite end, can obtain this random number, carry out the affirmation of this current phrase.At this moment, will pass through phrase as shared key.
In addition, when sending to the opposite end behind the random number encryption, also produce session key, and after utilizing current phrase with its deciphering, send to the opposite end, after confirming current phrase, this session key is communicated as shared key.
The either party produce session key all can, the constitution equipment certificate server produces this key in the present embodiment, and sends to CE equipment.
By like this, after current phrase is confirmed, the session key is used as shared key, use current phrase in the time of being limited to authentication.
When carrying out device authentication, can increase substantially treatment effeciency with shared key mode.
According to estimation, (identical key information is used in encryption and decryption to adopt the symmetric-key mode, for example use shared key) the information processing load, smaller or equal to 1/100th of the information processing load of adopting asymmetric key mode (different key information are used in encryption and decryption, for example use open key and the secret key corresponding with it).
And, the device authentication server is held under the situation of secret key, if secret key leaks, the a plurality of CE equipment that then have the open key corresponding with this secret key are all impaired, but because the impaired CE equipment that is limited to during will be a certain shared key leakage with this shared key, can make scattered risks, so can improve security personnel's degree.
(execution mode detailed description)
Fig. 1 is the figure of composition that the device authentication system of present embodiment schematically is shown.
The CE equipment 3 of device authentication system 1, service server 7, device authentication server 5 connect into and can communicate by network.
Among Fig. 1,, record and narrate CE equipment 3 and service server 7 each 1 cover, but have many covers usually for illustrative ease.
CE equipment 3 is the CE equipment that can utilize the business that service server 7 provides, and is made up of for example electric products such as video tape deck, television set, game machine.
Uniform resource address) CE equipment 3 has and relies on device authentication server 5 to make the device authentication module of device authentication, the URL of memory device ID, current phrase, device authentication server (Uniform Resource Locators: the required authentication information of device authentication such as.
Device id (Identification: sign) is meant awards the intrinsic information of CE equipment 3, is used for identification CE equipment 3 on network.
Current phrase is meant the security information that device authentication server 5 and CE equipment 3 are shared, is used for device authentication server 5 and CE equipment is made device authentication to the opposite end respectively.Generally with amount of information in the security information more be called current phrase, with amount of information little become password.Amount of information is many more, and the 3rd deciphering is difficult more, and security is high more.
The URL of device authentication server is the information of specified devices authentication location, and CE equipment 3 can be used device authentication place access device certificate server 5.
The device authentication module of CE equipment 3 receives the device authentication request from service server 7, and requesting service certificate server 5 carries out device authentication, and this device authentication result is sent to service server 7.
When service server 7 provided business in 3 requests of CE equipment, request CE equipment was made device authentication, and from CE equipment 3 receiving equipment authentication results.
So, confirm that this device authentication result is the result that carried out of device authentication server 3 really after, begin to provide professional.
Like this, device authentication server 5 and each CE equipment 3 shared current phrase store current phrase by confirming the opposite end that proposes the device authentication request, confirm that opposite end side is legal CE equipment 3.
And, in the present embodiment, also confirm also that by CE equipment 3 sides the opposite end of carrying out the device authentication request stores current phrase, confirm that opposite end side is a legitimate device certificate server 5.
The processing of so mutual affirmation opposite end side is called mutual affirmation.
In addition, device authentication server 5 also stores the junction URL that the service location that inserts each service server 7 (1 device authentication server 7 only is shown among the figure) is used.
The URL (junction URL) that the service location that request is accepted business from 3 transmissions of CE equipment is used confirms whether to store this junction URL.
Like this, in the device authentication system 1, the URL of the service location of service server 7 is registered to device authentication server 5, and confirm whether the service server 7 of the opposite end that CE equipment 3 will be accepted business is registered.Thus, can prevent that device authentication result is distributed to illegal service server 7.
In addition, device authentication server 5 also stores the intrinsic server key Ks of device authentication server 5.
Hereinafter will elaborate, server key Ks is used for from the request of service server 7 confirmation of receipt device authentication result the time, confirms that device authentication result that service server 7 sends is issue itself really.
That is, device authentication server 5 is by encrypting device authentication result with server key Ks, and with the device authentication result deciphering that server key Ks can receive from service server 7, confirms that this result is issue itself.
Then, illustrate that with Fig. 2 CE equipment 3 and device authentication server 5 authenticate mutually, further to share the notion of the step of shared key.
Below, the step of explanation is abideed by the step of IS08798-2 regulation.
At first, device authentication server 5 produces server random number R s, sends to CE equipment 3 (step 20).At this moment, the server random number R s of device authentication server 5 storage transmissions.
CE equipment 3 slave unit certificate servers 5 reception server random number R s also produce client random number Rc (step 5) simultaneously.
Then, the current phrase PP of CE equipment 3 usefulness encrypts client random number Rc and server random number R s, and produces token 1.Here, with following formulate token 1.
(formula 1)
In the present embodiment, the enciphered message that will obtain after generally will encrypting information A with key information K according to cipher mode E be expressed as E (K, A).
Therefore, the implication of formula (1) is: token 1 equals with key information PP (being current phrase here) the result who obtains after information " the Rc ‖ Rs " encryption.
The information of the implication of " Rc ‖ Rs " for producing with Rc and Rs for example can produce by connecting both successively.At this moment, be " 123 " at Rc, Rs is under the situation of " 456 ", " Rc ‖ Rs " equals " 123456 ".
The client random number Rc that 3 storages of CE equipment produce also sends to token 1 device authentication server 5 (step 10) simultaneously.
With the result of current phrase with token 1 deciphering, can obtain Rs, mean that CE equipment 3 utilizes the phrase that should pass through that Rs is encrypted, thereby can confirm that CE equipment 3 stores this current phrase.
In view of the above, device authentication server 5 can confirm that CE equipment 3 is legal CE equipment.
Then, device authentication server 5 produces session key K (step 30).This session key K is as the information of security information and CE equipment 3 shared usefulness, is used as shared key and uses.
After confirming current phrase PP mutually in CE equipment 3 and the device authentication server 5, the phrase PP that will not pass through is used as shared key, and session key K is used as shared key.Thus, can will pass through the use of phrase PP be suppressed to the subsistence level limit.
(formula 2)
Wherein, opposite in the order that makes Rs and Rc and the formula (1).This is in order to make the 3rd to be difficult to understand password.
CE equipment 3 receives token 2, and by with current phrase token 2 being deciphered, obtains Rs ‖ Rc ‖ K.
CE equipment 3 knows that in advance the information that obtains is the information that connects Rs, Rc, K successively, and extracts these information from the result who will obtain after token 2 deciphering.
Then, the Rc that affirmation obtains is identical with the Rc that had before deposited, thereby confirms that device authentication server 5 stores current phrase (step 15).
Thus, CE equipment 3 authenticating device certificate servers 5 are legitimate device certificate servers.
CE equipment 3 can be obtained the session key K that device authentication server 5 produces by with token 2 deciphering, thus can with device authentication server 5 shared session key.
So behind the shared session key K, CE equipment 3 and device authentication server 5 begin to carry out communicate by letter (step 40) based on the enciphered message of using session key K.
Utilize above step, CE equipment 3 and device authentication server 5 authenticate mutually, can also share shared key (session key K) simultaneously.
In the top explanation, be taken as device authentication server 5 and produce session key K, but be not limited thereto, also can constitute CE equipment 3 and produce session key, and send it to device authentication server 5.
At this moment, CE equipment 3 produces session key K, and it is included in the token 1, sends to device authentication server 5.
Then, providing professional from CE equipment 3 requested service servers 7 with the flowchart text device authentication system 1 of Fig. 3 to the step that begins to provide the information processing of carrying out during professional.
At first, CE equipment 3 access service servers 7, it is professional that request provides.
To this request, service server 7 triggers symbol with device authentication and sends to CE equipment 3 (step 50).It is the information that request CE equipment 3 is made device authentication that device authentication triggers symbol.
In the present embodiment, establish the URL that CE equipment 3 stores the device authentication place, but but also constitution equipment authentication trigger the URL that contains the device authentication place of device authentication server 5 in the symbol, and this URL access device authentication location of CE equipment 3 usefulness.At this moment, service server 7 can be to the device authentication server of CE equipment 3 specified request device authentication.
When CE equipment 3 triggers symbol from the authentication of service server 7 receiving equipments, access device certificate server 5.Then, between CE equipment 3 and device authentication server 5, carry out device authentication process (step 65).
When finishing device authentication, CE equipment 3 slave unit certificate servers 5 receiving equipment authentication results send it to service server 7 (step 70).
Then, service server 7 will send to device authentication server 5 from the device authentication result that CE equipment 3 is received, carry out the affirmation of device authentication result and handle (step 55) between service server 7 and device authentication server 5.
After the device authentication result that service server 7 affirmations are received from CE equipment 3 is the result of device authentication server 5 issues, begin to provide professional (step 60).
So, the business (step 75) that CE equipment 3 utilizes service server 7 to provide.
Secret socket layer) etc. (Secure Sockets Layer: agreement is encrypted, and the 3rd is difficult to intervention with SSL in communication between the CE equipment 3 that carries out in the above step, device authentication server 5, the service server 7.
The device authentication process of the present embodiment of Chan Shuing hereinafter is even SSL for example also can keep fail safe.
Then, illustrate that CE equipment 3 and device authentication server 5 carry out the communicate by letter algorithm of cipher mode of usefulness of enciphered message.
In the present embodiment,, use to be called AES128 (AdvancedStandard 128bit Key Version: algorithm 128 key versions of advanced standard) as an example of cipher mode.Session key K has 256 length, and is divided into 128 key K2 that 128 key K1 encrypting usefulness and MAC use.
This algorithm is divided into 128 piece (block of information) with information (message), with 128 shared keys with each block encryption after, receive and dispatch.
So AES128 mainly contains AES128-ECB and AES128-CBC 2 kinds of patterns.
AES128-ECB provides with shared key each block of information is encrypted, and produces enciphered message.
In the present embodiment, the enciphered message of AES128-ECB is represented in decision with following formula (3).
(formula 3)
ECB(K1,msg1‖msg2‖…‖msgn)……(3)
In the formula (3), with information be divided into 128 block of information msg1, msg2 ..., and with 128 shared key K1 each block of information is encrypted.
AES128-CBC uses the encrypted result of preceding 1 block of information that this block of information is encrypted when with shared key each block of information being encrypted.
Therefore, among the AES128-ECB that illustrates previously, identical block of information produces identical programme information, but AES128-CBC then obtains different enciphered messages.So AES128-CBC is more indecipherable than AES128-ECB, can improve security.
In the present embodiment, the enciphered message of AES128-CBC is represented in decision with following formula (4).
(formula 4)
CBC(K1,IV,msg1‖msg2‖…‖msgn)……(4)
In the formula (4), with information be divided into 128 block of information msg1, msg2 ..., and with 128 shared key K1 each block of information is encrypted.When encrypting, use the encrypted result of preceding 1 block of information, even if identical block of information also obtains different encrypted result.
In addition, for being in the msg1 at top, because of unmatched 1 block of information, thus give IV (InitialVector: initialization vector), as initial value.
If CE equipment 3 and device authentication server 5 shared IV.
In addition, AES128 is called the pattern of AES128-CBC-MAC (hereinafter being designated as MAC) in addition.
This pattern is represented with following formula (5), is the end block of information of the CBC enciphered message of formula (4) expression.
(formula 5)
AES128-CBC-MAC(K2,IV,msg1‖msg2‖…‖msgn)…(5)
MAC confirms whether communication distorts the affirmation information that the enciphered message of AES128-CBC is used midway.Use the affirmation of MAC in the following method.
At first, with the enciphered message of MAC, send to together and send the purpose place together with the AES128-CBC of correspondence.
Receive the enciphered message of AES128-CBC and the recipient of the MAC corresponding with it, use key information K1, initial value IV the enciphered message deciphering that obtains from session key K with AES128-CBC after, obtain information.
Then, use the key information K2 that obtains from session key K by AES128-CBC with the information encryption that obtains.
The recipient of enciphered message compares with the MAC that had before received the end block by the AES128-CBC information encrypted.When both are consistent, can confirm the enciphered message of not distorting AES128-CBC midway in communication; When inconsistent, can confirm the enciphered message of distorting AES128-CBC midway in communication.
Also can constitute the hashed value of transmission, to replace MAC to the data of link information (message) and key information K2.
At this moment, enciphered message recipient calculates connecting with the result of K1 deciphering and the hashed value of the data of key information K2, and judgement is distorted thereby can survey with the homogeny of the hashed value of sending here.
Then, with Fig. 4 the step of carrying out device authentication process (step 65 of Fig. 3) with above cryptographic algorithm is described.
At first, CE equipment 3 requesting service certificate servers 5 send server random number R s (request unit) (step 100).
Intrinsic server intrinsic information in the server random number R s constitution equipment certificate server 5.
Here, session id 1 is the session identification information that is used to keep session.
That is, device authentication server 5 carries out the device authentication of a plurality of CE equipment 3, thereby CE equipment 3 needs this access of identification to belong to what session when device authentication process process access device certificate server 5.
Issue session ID1 when CE equipment 3 inserts first, thereafter CE equipment 3 is once more during access device certificate server 5, if CE equipment 3 is accomplished device authentication server 5 is shown session id, device authentication server 5 just can carry out the follow-up equipment authentication processing to CE equipment 3.
CE equipment 3 slave unit certificate servers 5 receive and obtain session id 1 and server random number R s.
Then, CE equipment 3 produces 128 client random number Rc, and is stored (step 105), also produces the token 1 (step 110) by following formula (6) expression simultaneously.Client random number Rc constitutes intrinsic terminal intrinsic information in the CE equipment 3.
(formula 6)
Wherein, with the shared key of current phrase PP as generation token 1 usefulness.And, CE equipment 3 and device authentication server 5 shared current phrase PP and initial value IV.
The session id 1 that CE equipment 3 is received slave unit certificate server 5, the token 1 and the device id that produce send to device authentication server 5 (encryption server intrinsic information transmitting element, terminal intrinsic information transmitting element) (step 115).
Then, device authentication server 5 is according to the device id of receiving from CE equipment 3, identification CE equipment 3, and the shared current phrase PP (security information regulation unit) of regulation and CE equipment 3.Then, the current phrase PP of device authentication server 5 usefulness regulation and initial value IV obtain server random number R s and client random number Rc after token 1 is deciphered.
Hereinafter, decision will be deciphered the server table of random numbers that extracts the back to token 1 be shown Rs ', so that distinguish with the device authentication server 5 previous server random numbers that produce.
Subsequently, CE equipment 3 decrypts information by device authentication server 5 is sent obtain client random number Rc, but decision is expressed as Rc ' with it, so that the client random number Rc difference that produces with CE equipment 3.
Then, the homogeny (step 155) of the server random number R s ' that obtains of device authentication server 5 judgements and the previous server random number R s that produces.
When both are consistent, can confirm that CE equipment 3 holds current phrase PP (device authentication unit), and proceed device authentication process.
When both were inconsistent, device authentication server 5 was judged as CE equipment 3 and does not hold current phrase PP, and being used as authentication is false, and finishes device authentication process.
When device authentication server 5 confirms that server random number R s ' is consistent with server random number R s, produce 128 session key K1 (session key), K2 (the 2nd session key) (step 160).Like this, device authentication server 5 has session key acquiring unit and the 2nd session key acquiring unit.
Subsequently, the session key K1 that these are obtained, K2 are as shared key.
The processing of back also may be with the phrase PP that passes through as shared key, but present embodiment is planned shared session key K1, K2, and uses this point to do one's utmost to suppress the use of current phrase PP.
The processing of back also may be carried out with 1 shared key, but present embodiment is planned the shared key of session key K1 as the information encryption that relevant devices is authenticated, session key K2 as the shared key that the information (message) that is attached to device authentication information etc. is encrypted, is used a plurality of shared keys by different purposes.Thus, can further improve security.
After device authentication server 5 produced session key K1, K2, the token 2 of formula (7) expression below producing sent to CE equipment 3 (terminal intrinsic information transmitting element) (step 165).
(formula 7)
CE equipment 3 slave unit certificate servers 5 receive token 2, after with current phrase PP and initial value IV token 2 being deciphered, obtain " Rc ‖ Rs ‖ K1 ‖ K2 ".
CE equipment 3 knows that this information is to connect the information that obtains behind each information Rc ', Rs ' of 128, K1, the K2 successively, thereby obtains client random number Rc ', server random number R s ', session key K1, K2 (session key acquiring unit, the 2nd session key acquiring unit) from the result with token 2 deciphering.
Then, the homogeny (step 120) of CE equipment 3 judgements client random number Rc that obtains and the client random number Rc that had before produced.
When both are consistent, can confirm that device authentication server 5 holds current phrase PP (server authentication unit), and proceed device authentication.
When both were inconsistent, CE equipment 3 was judged as device authentication server 5 and does not hold current phrase PP, and being used as authentication is false, and finishes device authentication process.
Present embodiment is also judged the homogeny of the server random number R s that device authentication server 5 sends in server random number R s ' and the step 150 in order further to improve security.
CE equipment 3 produces the token 3 (step 125) of following formula (8) expression when confirming that client random number Rc ' is consistent with client random number Rc.
(formula 8)
Token 3=MAC (K2, IV, junction URL) ... (8)
Wherein, junction URL is the URL of the service location of service server 7.
Then, CE equipment 3 sends to device authentication server 5 (step 130) with session ID1, junction URL and token 3.
That is, device authentication server 5 usefulness session key K2 will encrypt from junction URL that CE equipment 3 is received by AES128-CBC, confirm not distort junction URL so that the end block of this enciphered message is consistent with MAC.
Then, device authentication server 5 is by confirming whether register this junction URL at device authentication server 5 in advance, judge the legitimacy (step 175) of junction URL.
When distorting junction URL or junction URL when illegal, device authentication server 5 is used as authentication is false, and finishes device authentication process.
Do not distort junction URL and junction URL when legal, device authentication server 5 produces session ids 2 (step 180).
ICV (the Integrity Check Value: integrity checks values) (step 185) of formula (9) expression below then, intrinsic server key Ks produces in the device authentication server 5 usefulness device authentication servers 5.
(formula 9)
ICV=ECB (Ks, session id 2) ... (9)
Subsequently, session ID2 and ICV are used as the proof information of CE equipment 3 having been used as device authentication to service server 7 proof device authentication servers 5.
The back will elaborate, and device authentication server 5 receives session id 2 and ICV from service server 7, and judge the homogeny with the result of this session id 2 and ICV deciphering, device authentication result for confirmation.
And session id 2 constitutes the provisioning information of the device authentication result of regulation CE equipment 3, the encryption provisioning information that the ICV formation obtains after with server key Ks provisioning information being encrypted.Again, device authentication server 5 has proof information generation unit as step 180, step 185.
Enciphered message C, the MAC (detecting the information generation unit) of formula (10) expression below the session id 2 that device authentication server 5 usefulness produce, ICV produce send to CE equipment 3 (step 190).Whether not MAC constitute confirms the communication detection information used of tamper-proofing information midway.
Produce enciphered message C like this, and then produce the mode of its MAC, be referred to as Encrypt-then-MAC (encrypting back MAC earlier) mode sometimes.
(formula 10)
C=CBC (K1, IV, session id 2 ‖ ICV) ... (10)
(formula 11)
MAC=CBC-MAC(K2,IV,C)……(11)
CE equipment 3 slave unit certificate servers 5 are at first pressed AES128-CBC with session key K2 and initial value IV and enciphered message C are encrypted (detecting the information generation unit) after receiving these information (proof information receiving unit, detection information receiving unit).
Then, judge the end block of information encrypted and the homogeny of the MAC that slave unit certificate server 5 is received, checking MAC (confirmation unit) (step 135).
When both were consistent, CE equipment 3 can be confirmed to communicate by letter and not distort enciphered message C midway.
When both were inconsistent, enciphered message was distorted in the communication can confirmed midway, was false thereby be used as device authentication, finished device authentication process.
After CE equipment 3 usefulness MAC confirm not distort enciphered message C, with session key K1 and initial value IV enciphered message C is deciphered, and obtain information " session id 2 ‖ ICV ".
CE equipment 3 knows that this information is the information that obtains behind connection session ID2 and the ICV successively, thereby obtains session id 2 and ICV (step 140) from the information that the result after the enciphered message C deciphering is obtained.
Device authentication when success, CE equipment 3 as mentioned like that slave unit certificate server 5 obtain session id 2 and ICV as device authentication result.
Then, CE equipment 3 sends to service server 7 (proof information transmitting unit) with these information when the proof information that CE equipment 3 is made device authentication of testifying.
Then, receive the step of these information of service server 7 usefulness of session id 2 and ICV from CE equipment 3 with Fig. 5 explanation in the device authentication result affirmation processing (step 55 of Fig. 3) of device authentication server 5 affirmation device authentication result.
At first, service server 7 receives session id 2 and ICV (step 200) from CE equipment 3.
Then, service server 7 sends to device authentication server 5 (step 205) with session id 2 and the ICV that receives.
If with server key Ks that the result of ICV deciphering is identical with session ID2, device authentication server 5 just can confirm that this session id 2 is itself issue really.
Then, device authentication server 5 is judged the homogeny (judging unit) (step 225) by result that the ICV deciphering is obtained and the session id of receiving from service server 72.
When both are consistent, proceed device authentication result and confirm to handle; When inconsistent, be used as device authentication result and confirm to be false end process.
Here, utilize encryption to carry out session id 2 homogenies and judge, but also can utilize MAC to verify.
Session ID2 is sent to device authentication server 5 together with ICV, use common with it.This is because only from ICV session ID2 deciphering is not known which the announced session id 2 this session id 2 are.
Therefore, decision sends to device authentication server 5 with session ID2 together with ICV, so as with session ID2 as the comparison other after the ICV deciphering.
Then, these session id 2 regulations of device authentication server 5 usefulness are carried out the session of device authentication process, confirm the device authentication result in the session, and affirmation device authentication server 5 is made device authentication (device authentication result regulation unit) (step 230) to CE equipment 3 really.
Then, device authentication server 5 will confirm that the result sends to service server 7 (step 235), and 7 of service servers receive this and confirm result's (step 210).
More than like that, service server 7 is after CE equipment 3 receiving equipment authentication results, whether inquiry unit certificate server 5 these device authentication result proper.Therefore, even CE equipment 3 is subjected to device authentication from the illegal person who pretends to be device authentication server 5, or be not that some equipment of legal CE equipment 3 is pretended slave unit certificate server 5 and is subjected to device authentication, can confirm also in the device authentication server 5 that this device authentication result is not legal.
Also can confirm the life cycle of session id 2 by combination ICV and time mark.
That is, preestablish the valid expiration date of session id 2, thereby service server 7 when being got the affirmation of device authentication result, device authentication server 5 can confirm whether finish this device authentication result in valid expiration date.
Then, the composition of CE equipment 3 at hardware aspect is described.
Fig. 6 illustrates the figure of a routine CE equipment 3 at the composition of hardware aspect.
CPU (CPU) 21 carried out various processing according to the program that ROM (read-only memory) 22 program stored or storage part 28 are loaded into RAM (random access memory) 23.
It is illustrated like that CPU21 for example presses Fig. 4, Fig. 5, carries out and the communicating by letter of device authentication server 5 and service server 7, to carry out the information processing of relevant devices authentication processing; In addition, also for example reproducing content etc. is used for providing professional information processing to the user.
CPU21, ROM22 and RAM23 interconnect by bus 24.
This bus 24 also connects input/output interface 25, by input/output interface 25 input part 26, efferent 27, storage part 28, Department of Communication Force 29, driver 30 etc. is connected to CPU21.
The product type of the input/output unit silver CE equipment 3 of these configuration (television set, video tape recorder, stero set device ... Deng) and different, for example character data input unit such as input part 26 configuration keyboards and Genius mouse etc. are given directions device, voice outputs such as image display device that efferent 27 configuration CRT (cathode ray tube), LCD (LCD), plasma display etc. are formed and loud speaker etc.
Department of Communication Force 29 is made up of communication control units such as modulator-demodulator, terminal adapters, and connects network.
CPU21 communicates by Department of Communication Force 29 and device authentication server 5, service server 7, other server unit etc.
30 of drivers are suitably installed mediums such as disk 41, CD 42, photomagneto disk 43 or storage card 44 as required.
CPU21 can drive these mediums with driver 30, carries out reading and writing of program and data.
When then, using shared key (symmetric-key) mode in the devices illustrated authentication and the amount of calculation when using open key (asymmetric key) mode.
As open key mode, RSA (Rivest-Shamir-Aldleman: pin mode lining West-She Mie-oere Dare plum grace) is arranged typically.
When the AES pin mode that uses in this mode and the present embodiment was compared, for encryption, the rsa cryptosystem mode need be more than the about 100 times amount of calculation of AES pin mode; For deciphering, the rsa cryptosystem mode need be more than the about 2500 times amount of calculation of AES mode.
The amount of calculation of other open key mode, its degree is identical with the rsa cryptosystem mode.
Like this, by carrying out device authentication, can make amount of calculation that device authentication server 5 and CE equipment 3 carries out than reducing significantly when disclosing the key mode with shared key.
Especially the device authentication server 5, owing to concentrate from the device authentication request of a plurality of CE equipment 3, reducing the amount of calculation that needs in the device authentication is important problem.
So far, utilize the present embodiment that has illustrated, can obtain following effect.
(1) CE equipment 3 and the device authentication server 5 phrase PP that can will pass through authenticates mutually as shared key.
(2) can take advantage of the shared session key K1 of mutual authentication, K2, and after authenticating mutually, can communicate with session key K1, K2 as shared key.Therefore, the use of current phrase PP is suppressed to the subsistence level limit, can seeks to improve security.
(3) session key is used the information of transceiver authenticated connection the session key K1 that uses and these the two kinds of keys of session key K2 that are used for the transmitting-receiving of information (message) class, thereby can further improve security.
(4) need not disclose the key mode and just can issue session id 2, thereby can reduce the amount of calculation that device authentication needs significantly as device authentication result with shared key mode.
(5) device authentication server 5 utilizes and encrypts back MAC modes earlier and issue session ID2, thereby can detect communication distorting midway, can improve security.
(6) utilize importing server key Ks, but the legitimacy of authen session ID2.
(variation)
More than in Shuo Ming the execution mode, device authentication needs 5 by way of (step 150 of Fig. 4,115,165,130,190), but this variation is by startup coded communication before authentication is set up, with 3 by way of carrying out device authentication.
By reducing, can raise the efficiency by way of number energy simplified apparatus authentication processing.
The composition of device authentication system is identical with device authentication system 1.
Below, carry out the step of device authentication with 5 pairs of CE equipment of Fig. 7 devices illustrated certificate server 3.
At first, CE equipment 3 requesting service certificate servers 5 send server random number R s (step 300).
To this request, device authentication server 5 produces 128 session id 1 and server random number R s respectively, sends to CE equipment 3 (step 340).
CE equipment 3 receives these information and is stored, and also produces 128 client random number Rc and session key K1 (step 305) simultaneously respectively.
Like this, in this variation, before 5 pairs of CE equipment 3 of device authentication server were made device authentication, CE equipment 3 produced session key K1, and starts the communication of session key K1 as shared key.
The token 1 and the token 2 (step 310) of the formulate below then, CE equipment 3 produces.
(formula 12)
(formula 13)
Then, CE equipment 3 sends to device authentication server 5 (step 315) with session ID1, device id, token 1, token 2.
Like this, CE equipment 3 can provide information (server random number R s) that CE equipment 3 is used as device authentication and the session key K1 that is used as shared key to device authentication server 5 simultaneously by with token 1.
Thus, device authentication server 5 is obtained information " Rs ‖ Rc ‖ K1 ".
And then device authentication server 5 is from this information extraction server random number R s ', client random number Rc ' and session key K1.
Then, device authentication server 5 judge the previous server random number R s that produces with will token 1 deciphering after the homogeny (step 345) of the server random number R s ' that obtains.
When both are consistent, be equivalent to CE equipment 3 and hold current phrase PP, thereby device authentication are set up.When both were inconsistent, device authentication was false.
By use deciphering obtains to token 1 session key K1 and in advance with the shared initial value IV of CE equipment 3 with token 2 deciphering, obtain junction URL, and verify whether in advance it is registered in device authentication server 5.
Then, device authentication server 5 produces 128 session key K2 (step 350), and then the token 3 (step 355) of the formulate below producing.
(formula 14)
Token 3=CBC (PP, IV, Rc ‖ Rs ‖ K2) ... (14)
Then, device authentication server 5 produces session id 2 (step 360).
Then, the ICV (step 365) of device authentication server 5 usefulness server key Ks production (15) expressions, and then token 4, the token 5 (step 370) of production (16), (17) expression, and token 3,4,5 sent to CE equipment 3 (step 375).
(formula 15)
ICV=ECB (Ks, session id 2) ... (15)
(formula 16)
Token 4=CBC (K1, IV, session id 2 ‖ ICV) ... (16)
(formula 17)
CE equipment 3 receives these tokens and is stored.CE equipment 3 is at first deciphered token 3 with current phrase PP, thereby obtains client random number Rc ', server random number R s ' and session key K2.
Then, CE equipment 3 is judged the homogeny (step 320) of the client random number Rc ' that previous client random number Rc that produces and the result that token 3 is deciphered obtain.
When both are consistent, can confirm that device authentication server 5 stores current phrase PP, thereby authentication is set up.When both were inconsistent, authentication was false.
And then CE equipment 3 is also judged the homogeny of the server random number R s ' that slave unit certificate server 5 server random number R s that receives and the result that token 3 is deciphered obtain.
Then, after the token 4 that the session key K2 that CE equipment 3 usefulness initial value IV and the result that token 3 is deciphered obtain receives slave unit certificate server 5 by AES128-CBC is encrypted, end block and MAC (token 5) are compared, carry out mac authentication (step 325).
When end block is consistent with MAC, can confirm the legitimacy of token 4; When inconsistent, can confirm to distort token 4.
After CE equipment 3 is confirmed the legitimacy of token 4, with initial value IV and session key K1 it is deciphered, thereby obtain session id 2 and ICV (step 330).
The information processing that CE equipment 3 is obtained behind session id 2 and the ICV is identical with present embodiment.
In sum, in this variation, before finishing mutual authentication, utilize the coded communication of session key K1, K2, thereby can carry out device authentication by way of (step 340,315,375) with 3.
(variation 2)
In this variation, make CE equipment 3 and service server 1 shared session key, in the coded communication of CE equipment 3 and service server 7 these session key of usefulness.
Make the step of CE equipment 3 and service server 7 shared session key with the flowchart text of Fig. 8.
The system of this variation forms identical with the device authentication system 1 (Fig. 1) of present embodiment.
At first, CE equipment 3 access service servers 7, it is professional that request provides.
To this request, service server 7 triggers symbol with device authentication and sends to CE equipment 3 (step 400).
When CE equipment 3 triggers symbol from the authentication of service server 7 receiving equipments, access device certificate server 5.Then, carry out device authentication process between CE equipment 3 and the device authentication server 5.
So device authentication server 5 utilizes device authentication to confirm that CE equipment 3 is behind the legal CE equipment, to send and provide session key Kses (step 415) to CE equipment 3.
On the other hand, when CE equipment 3 finished device authentication, slave unit certificate server 5 receiving equipment authentication results sent it to service server 7 (step 420).
Then, service server 1 will send to device authentication server 5 from the device authentication result that CE equipment 3 is received, carry out the affirmation of device authentication result and handle between service server 7 and device authentication server 5.
In the top processing, the device authentication of the CE equipment 3 of step 415 is identical with the step 65 of Fig. 3.
The device authentication result of step 405 is confirmed identical with the step 55 of Fig. 3, and when sending affirmation result (step 235 of Fig. 5), Kses sends to service server 7 with the session key.
In sum, in this variation, 5 pairs of CE equipment 3 of device authentication server and service server 7 provide session key Kses, thereby CE equipment 3 and service server 7 can carry out coded communication used as shared key.
Owing to produce session key Kses, can improve the security of communicating by letter of CE equipment 3 and service server 7 at every turn.
(variation 3)
In this variation, make the shared permission of a plurality of CE equipment symbol (information that comprises security information such as current phrase and valid expiration date etc.), and make these CE equipment with the authentication mutually of permission symbol.
That is, the equipment that is supplied to identical permission symbol carries out device authentication mutually.
Like this, make when authenticating mutually between the CE equipment, a side's of mutual authentication CE equipment is worked as client terminal, the opposing party's client terminal works as server unit.
For example, CE device A and CE equipment B are done authentication mutually, and the CE device A is when the CE equipment B is downloaded software, and the CE device A works as client terminal, and the CE equipment B works as server unit.
Like this, when between CE equipment, carrying out software download, can reduce access, can realize that the server unit load reduces the server unit that sends this software.
By making permission symbol shared and the foundation group also can provide special business to this group in CE equipment.
For example, make the permission symbol shared in the identical CE equipment of type, the only shared business and the content of CE equipment of the type can be provided.
And, by from the online dynamic issue permission symbol of permission symbol server, can permit the renewal of symbol easily.
Fig. 9 is the figure of composition that the device authentication system of this variation schematically is shown.
Device authentication system 1a can connect CE device A, CE equipment B, device authentication server 5, permission symbol server 6 by network, communicates.
Among Fig. 9, for the purpose of simplifying the description, 2 cover CE device A, B only are shown, but there are many covers in these equipment usually.When CE device A, B specifically do not distinguish, only be designated as CE equipment.
And the affirmation of 5 pairs of device authentication servers permission symbol server, 6 transmitting apparatus authentication results is supplied with permission symbol server 6 with the type information of CE equipment as a result the time.
Like this, device authentication server 5 sends to permission symbol server 6 with type information, is because each type of 6 pairs of CE equipment of permission symbol server is supplied with different permission symbols.
In this variation, decision makes the shared permission symbol of the CE equipment of same type, but this is an example, also can constitute the shared permission symbol of other attribute according to CE equipment (for example the user of CE equipment register in device authentication system 1a user class).
At this moment, 5 pairs of permission symbols of device authentication server server 6 provides the information of stipulating this attribute.
Permission symbol server 6 is server units that the permission that CE equipment provides CE equipment to authenticate usefulness is mutually accorded with.
Permission symbol server 6 has the permission symbol database 6a of the permission symbol of each Type C E equipment of storage, and permission that will be corresponding with the type information that slave unit certificate server 5 is received symbol sends to CE equipment.
Permission symbol can constitute and comprises the security information that CE equipment authenticates usefulness mutually, and comprises out of Memory (valid expiration date, data are carried out the secret key of encryption and decryption etc.).
In this variation,, be used as the security information that CE equipment authenticates usefulness mutually with authenticating the current phrase of usefulness and the initial value IV of block of information mutually as an example.
CE device A, B carry out the function of device authentication except that having with device authentication server 5, the permission symbol that provides with permission symbol server 6 also is provided carries out the function that authenticates mutually with other CE equipment.
By CE device A, B are authenticated mutually, a side is worked as server, the opposing party is worked as client computer.
Figure 10 is the flow chart that 6 pairs of CE device A of explanation permission symbol server provide the step of permission symbol to use.
The flow chart of Figure 10 and the flow chart of Fig. 3 are compared, then distinguish and permit the service server 7 identical steps that accord with server 6 usefulness and Fig. 3 explanation will permit symbol to supply with the CE device A.
That is, permission symbol server 6 can be called the server that CE equipment is provided the business of supplying with the permission symbol.
Below, the flow chart of Figure 10 is described.
At first, CE device A access permission symbol server 6, request provides the permission symbol.
Valid expiration date of for example permission symbol by the time and CE device A also during the permission symbol, permit the symbol request.
When accepting the request of permission symbol, permission symbol server 6 triggers symbol with device authentication and sends to CE device A (step 51).
When the CE device A triggers symbol from the authentication of permission symbol server 6 receiving equipments, access device certificate server 5.So, carry out device authentication process (step 66) between CE device A and the device authentication server 5.
CE device A slave unit certificate server 5 receiving equipment authentication results send it to permission symbol server 6 (step 71).
When permission accords with server 6 from CE device A receiving equipment authentication result, access device certificate server 5.
Then, permission symbol server 6 will send to device authentication server 5 from the device authentication result that the CE device A is received, and carry out the affirmation processing of device authentication result between permission symbol server 6 and device authentication server 5.
Then, device authentication server 5 will permit the result of affirmation device authentication result in the symbol server 6 and the type information of CE device A to send to permission symbol server 6 (step 56).
When permission symbol server 6 slave unit certificate servers, 5 confirmation of receipt results and type information, after permission accords with the permission symbol of retrieving and obtain the CE device A among the database 6a, the permission symbol of obtaining is sent to CE device A (step 61) with the type information.
The CE device A receives the permission symbol from permission symbol server 5, and with its storage (step 76).
So far, illustrated that the CE device A obtains the step that permission accords with from permission symbol server 6, the CE equipment B obtains the permission symbol from permission symbol server 6 similarly.Thus, CE device A, B can accord with in shared permission.
Then, with the CE device A of the shared permission symbol of the flowchart text of Figure 11, the step that B authenticates mutually.
Below step, request provides professional situation (for example software download etc., the CE device A is accepted business from the CE equipment B) to imagination CE device A after authentication mutually to the CE equipment B, the CE device A is corresponding to client terminal, the CE equipment B is corresponding to server unit.
At first, CE device A request CE equipment B sends random number R s (step 430).
The CE equipment B receives this request, produces session id and 128 s' random number R s and sends to CE device A (step 460).The combination of CE equipment B storage random number R s and session id.
Random number R s constitutes intrinsic server intrinsic information in the CE equipment B.
The CE device A is also stored from CE equipment B reception session id and random number R s, and produces 128 random number R c and session key Kses (step 435).Random number R c constitutes intrinsic terminal intrinsic information in the CE device A.
The token 1 (step 440) of formula (18) expression below then, the CE device A produces.
(formula 18)
Wherein, current phrase PP and initial value IV are respectively the current phrase and the block of information initial values of permitting the mutual authentication usefulness that comprises in the symbol.
The session id that the CE device A will be received from the CE equipment B and the token 1 of generation send to CE equipment B (step 445).
The CE equipment B receives these information from the CE device A.At first, the CE equipment B is utilized the session of these information ownership that session id identification receives.Thus, the random number R s that the CE device A is issued according to the combination regulation of previously stored session id and random number R s.
Then, the CE equipment B is deciphered token 1 with the current phrase PP and the initial value IV of the mutual authentication usefulness that comprises in the permission symbol, thereby obtains random number R s and random number R c.
The CE equipment B knows that the information Rs ‖ Rc ‖ Kses that the result with token 1 deciphering obtains connects the information that obtains behind random number R s, random number R c and the Kses, and knows figure place (128) separately.In view of the above, the information Rs ‖ Rc ‖ Kses that can obtain from the result with token 1 deciphering extracts random number R s ', random number R c ' and Kses '.
Then, the homogeny (step 465) of CE equipment B judgement random number R s ' that obtains and the random number R s that had before produced.
When both are consistent, can confirm that the CE device A holds current phrase PP (device authentication unit), Kses ' is identified as Kses, promptly be identified as the legitimate conversation key of CE device A issue.
When both were inconsistent, the CE equipment B was judged as the CE device A and does not hold current phrase PP, and being used as authentication is false, and finishes device authentication process.
When the CE equipment B confirmed that random number R s ' is consistent with random number R s, the token 2 of formula (19) expression below producing sent to CE device A (step 470).
(formula 19)
The CE device A receives token 2 from the CE equipment B, with current phrase PP and initial value IV token 2 is deciphered, and is obtained Rc ‖ Rs.
The CE device A knows that this information connects the information that obtains behind each information Rc ', Rs ' of 128 successively, thereby from the result after token 2 deciphering is obtained random number R c ', random number R s '.
Then, the homogeny of CE device A judgement random number R c ' that obtains and the random number R c that had before produced.
When both are consistent, can confirm that the CE equipment B holds current phrase PP (server authentication unit), and proceed device authentication process.
When both were inconsistent, the CE device A was judged as the CE equipment B and does not hold current phrase PP, and being used as authentication is false, and finishes device authentication process.
In the present embodiment,, also judge the homogeny (step 450) of random number R s ' and the random number R s that sends in step 470 in order further to improve security.
After the CE device A confirmed that random number R c ' and random number R c and random number R s ' and random number R s are consistent, CE device A and CE equipment B began to adopt the coded communication (step 475) of session key Kses.
Thus, the CE device A can accept to download business such as software from the CE equipment B.Otherwise the CE equipment B also can be accepted business from the CE device A.
Utilize above step, CE device A, B can authenticate mutually with shared permission symbol information, can also shared session key Kses.
In the above step, the CE device A produces session key Kses, and supplies with the CE equipment B, but is not limited thereto, and also can constitute the CE equipment B and produce session key Kses, and supply with the CE device A.
At this moment, the CE device A does not produce session key Kses in step 435, does not comprise session key Kses in the token 1 of step 440 yet.
And replace: the CE equipment B produces session key Kses after judging the homogeny of random number R s ' and random number R s in step 465, and in step 470 it is covered in the token 2, sends to the CE device A.
Then, constitute the CE device A with token 2 deciphering, thereby obtain session key Kses.
Again, also can constitute in the step 470 of Figure 11, produce token 2, shown in following formula (20) in the mode that comprises Kses.
(formula 20)
If constitute like this, then the amount of information of token 2 increases, and has the 3rd and understands advantage such as difficulty.
Then, utilize the mutual authentication of MAC with flowchart text one example of Figure 12.By using MAC, can further improve security.
At first, CE device A request CE equipment B sends random number R s (step 500).
The CE equipment B receives this request, produces session id and 128 s' random number R s, sends to CE device A (step 540).The combination of CE equipment B storage random number R s and session id.
The CE device A is also stored from CE equipment B reception session id and random number R s, and produces 128 random number R c and session key Kses (step 503).
The enciphered message EncMess1 (step 505) of formula (21) expression below then, the CE device A produces.
(formula 21)
EncMess1=CBC(PP,IV,Rs‖Rc‖Kses)……(21)
The MAC1 (step 510) of formula (22) expression below then, the CE device A produces.
(formula 22)
MAC1=HMAC-MD5(PP,EncMess1)……(22)
Wherein, HMAC-MD5 is a kind of MAC, is a kind of hash function.
Say that in more detail MAC1 is by the end block of HMAC-MD5 with the EncMess1 information encrypted with current phrase PP.
Then, the CE device A connects EncMess1 and MAC1 successively, and the token 1 of formula (23) expression below producing sends to CE equipment B (step 515).
(formula 23)
The CE equipment B receives token 1 from the CE device A, obtains EncMess1 and MAC1 from this token.
Then, the CE equipment B is carried out the checking (step 545) of MAC1.That is, pressing HMAC-MD5 with current phrase PP will encrypt from the EncMess1 that token 1 extracts.Then, judge the end block of the information that obtains by encryption and the homogeny of MAC1.
The CE equipment B can confirm that by confirming both unanimities EncMess1 is legal.
Therefore, when both are consistent, proceed authentication processing; When inconsistent, being used as authentication is false end process.
Behind the CE equipment B checking MAC1, from EncMess1 random number R s ', random number R c ' and session key Kses ' are deciphered with current phrase PP.
Then, judge the homogeny (step 550) of random number R s that had before sent to the CE device A and the random number R s ' that after the EncMess1 deciphering, obtains.
When identical, can confirm that the CE device A has the current phrase PP of mutual authentication usefulness, thereby can confirm that Kses ' is legal Kses.
When inequality, being used as authentication is false end process.
The enciphered message EncMess2 (step 550) of formula (24) expression below then, the CE equipment B produces.
(formula 24)
EncMess2=CBC(PP,IV,Rc‖Rs‖Kses)……(24)
The MAC2 (step 560) of formula (25) expression below then, the CE device A produces.
(formula 25)
MAC2=HMAC-MD5(PP,EncMess2)……(25)
Then, the CE equipment B connects EncMess2 and MAC2 successively, and the token 2 of formula (26) expression below producing sends to CE device A (step 565).
(formula 26)
The CE device A receives token 2 from the CE equipment B, obtains EncMess2 and MAC2 from this token.
So the CE device A is carried out the checking (step 520) of MAC2.That is, pressing HMAC-MD5 with current phrase PP will encrypt from the EncMess2 that token 2 extracts.Then, judge the end block of the information that obtains by encryption and the homogeny of MAC2.
The CE device A can confirm that by confirming both unanimities EncMess2 is legal.
Therefore, when both are consistent, proceed authentication processing; When inconsistent, being used as authentication is false end process.
Behind the CE device A checking MAC2, from EncMess2 random number R c ', random number R s ' and session key Kses ' are deciphered with current phrase PP.
Then, judge random number R c, the session key Kses and random number R c ' that after the EncMess2 deciphering, obtains and the homogeny (step 525) of session key Kses ' that had before sent to the CE device A.
These are complete when identical, can confirm that the CE device A has current phrase PP.
Like this, after CE device A, B do authentication mutually, the coded communication (step 570) of session key Kses of CE device A and CE equipment B.
By the variation 3 of above explanation, can obtain following effect.
(1) by making the shared security information of a plurality of CE equipment, can between CE equipment, utilize Peer to authenticate mutually based on the permission symbol.
(2) scope of the CE equipment of shared security information can be defined as that for example device type is identical, the business that the CE equipment that can distribute this scope to comprise can be shared, content etc.
(3) the permission symbol can be by the 6 online dynamic management of permission symbol server.Therefore, can permit the renewal etc. of symbol easily.
Industrial practicality
Can utilize and share the device authentication that the key mode is carried out CE equipment.
Claims (33)
1, a kind of device authentication system is characterized in that, has
The terminal equipment of the security information of store predetermined,
Store described security information and to described terminal equipment carry out device authentication the device authentication server and
Provide professional service server to the described terminal equipment that carries out device authentication at described device authentication server,
Described device authentication server can be encrypted the server intrinsic information that itself produces with described security information by confirming described terminal equipment, and described terminal equipment is made device authentication,
Described terminal equipment after the terminal intrinsic information encryption of described security information to generation own, can authenticate the terminal intrinsic information deciphering of described encryption by confirming described device authentication server to described device authentication server;
After carrying out described authentication, described terminal equipment and described device authentication server are encrypted the session key that the either party among both produces with described security information, and this key is sent to the opposite end, thus shared session key;
Described device authentication server, with described session key to the proof authenticated the permit encryption for information of described terminal equipment after, send it to described terminal equipment;
Described terminal equipment, by with described session key with the proof decrypts information that described device authentication server sends, obtain this information, and send it to described service server;
Described service server, the proof information that described terminal equipment is sent sends to described device authentication server, and confirms that at described device authentication server described proof information is correct.
2, device authentication system as claimed in claim 1 is characterized in that,
Described service server provides professional to described terminal equipment after confirming that in described device authentication server proof information that described terminal equipment sends is correct.
3, device authentication system as claimed in claim 1 is characterized in that,
Described proof information comprises
Described device authentication server stipulate described terminal equipment device authentication result provisioning information and
The encryption provisioning information of described provisioning information being encrypted with the intrinsic server key of described device authentication server;
Described device authentication server, with described server key to the deciphering of the encryption provisioning information that comprises the proof information of receiving from described service server after, obtain this information, and whether identical by the provisioning information that comprises in the proof information of judging the described provisioning information of obtaining and described reception, confirm that described proof information is correct.
4, device authentication system as claimed in claim 1 is characterized in that,
Described terminal equipment and described device authentication server after the 2nd session key encryption of described security information to either party's generation among both, send it to the opposite end, thus also shared the 2nd session key;
Described device authentication server utilizes described the 2nd session key, and the described proof information of step conversion does not change the detection information that described proof information is used midway thereby produce to detect in communication, and sends it to described terminal equipment in accordance with regulations;
Described terminal equipment, with described the 2nd session key by the described proof information that obtains of described regulation step conversion, produce detection information, and the homogeny of the detection information by judging described generation and the detection information of receiving from described device authentication server, confirm that the proof information of described reception does not change.
5, a kind of device authentication server, be used for device authentication system, this system has the terminal equipment, the described security information of storage of the security information of store predetermined and described terminal equipment is carried out the device authentication server of device authentication and provides professional service server to the described terminal equipment that carries out device authentication at described device authentication server, it is characterized in that having
From the request of described terminal equipment receiving equipment authentication request accept the unit,
To accepting the terminal equipment of described request, with the server intrinsic information that itself produces send to described terminal equipment server intrinsic information transmitting element,
From described terminal equipment receive with described security information to the encryption server intrinsic information receiving element of the encryption server intrinsic information of described server intrinsic information encryption,
According to can be with the deciphering of the encryption server intrinsic information of described reception with described secret key, to described terminal equipment carry out device authentication the device authentication unit,
Receive the session key of encrypting with described security information from described terminal equipment, and by with described security information with the deciphering of the session key of described reception or by producing session key, and obtain session key with after the described secret key encryption session key of described encryption being sent to described terminal equipment, and with the shared session key acquiring unit of described terminal equipment,
With the described session key that obtains, proof described device authentication unit made the permit encryption for information of device authentication to described terminal equipment after, send to described terminal equipment the proof information transmitting unit and
From obtain the described service server of described proof information by described terminal equipment, receive the proof information receiving unit of described proof information.
6, the device authentication server described in claim 5 is characterized in that,
Also have and confirm that described proof information that described service server sends is affirmation correct and that confirmed affirmation result is sent to described service server transmitting element as a result.
7, the device authentication server described in claim 5 is characterized in that having
From described terminal equipment receive that described terminal equipment produces and the terminal intrinsic information receiving element of the terminal intrinsic information encrypted with security information and
After the deciphering of the terminal intrinsic information of described reception being obtained this information, the described terminal intrinsic information of obtaining is sent to the terminal intrinsic information transmitting element of described terminal equipment with described security information.
8, the device authentication server described in claim 6 is characterized in that,
Described proof information comprises
Stipulate described terminal equipment device authentication result provisioning information and
Obtain encrypting provisioning information after with intrinsic server key described provisioning information being encrypted,
Have
With described server key, the encryption provisioning information decrypting device of the encryption provisioning information deciphering that will from the proof information that described service server is received, comprise,
Judge judging unit that whether provisioning information that comprises in provisioning information and the described proof information of receiving after the described deciphering identical and
With the provisioning information after the described judgement, the device authentication result of specified devices authentication result regulation unit,
Described affirmation is transmitting element as a result, sends the device authentication result of stipulating in the described device authentication result regulation unit.
9, the device authentication server described in claim 5, it is characterized in that, have from described terminal equipment and receive the 2nd session key of encrypting with described security information, and by described the 2nd session key of described reception being deciphered with described security information, or by produce the 2nd session key, and with after the described secret key encryption the 2nd session key of described encryption being sent to described terminal equipment, obtain described the 2nd session key and with shared the 2nd session key acquiring unit of described terminal equipment and
By with the 2nd session key that the obtains described proof information of step conversion in accordance with regulations, produce and detect the detection information generation unit that does not change the detection information that described proof information uses in communication midway,
Described proof information transmitting unit, the detection information that described detection information generation unit is produced sends to terminal equipment together with proof information.
10, the device authentication server described in claim 5 is characterized in that having
The corresponding stored unit that the security information of the device id of described terminal equipment and the storage of this terminal equipment is stored accordingly,
From the terminal equipment that described request obtains accepting, the device id receiving element of receiving equipment ID and
In described corresponding stored unit the device id of the described reception of retrieval, and regulation have the security information regulation unit of the security information of corresponding relation with described device id,
Described device authentication unit is encrypted described server intrinsic information with the security information of described regulation.
11, a kind of terminal equipment, be used for device authentication system, this system has the terminal equipment, the described security information of storage of the security information of store predetermined and described terminal equipment is carried out the device authentication server of device authentication and provides professional service server to the described terminal equipment that carries out device authentication at described device authentication server, it is characterized in that having
To described device authentication server, the request unit of requesting service authentication,
Use described security information, after the server intrinsic information that described device authentication server is sent according to described request is encrypted, send to described device authentication server encryption server intrinsic information transmitting element,
Receive the session key of encrypting with described security information from described device authentication server, and by with described security information with the deciphering of the session key of described reception or by produce session key, and with after the described secret key encryption session key of described encryption being sent to described device authentication server, obtain session key and with the shared session key acquiring unit of device authentication server,
Receive proof with described session key encryption from described device authentication server, and obtain at described device authentication server device authentication proof information the proof information receiving unit and
After the proof decrypts information of described session key, send to the proof information transmitting unit of described service server with described reception.
12, the terminal equipment described in claim 11 is characterized in that, has
Produce the terminal intrinsic information, and with after the described security information encryption, send it to described device authentication server terminal intrinsic information transmitting element and
By confirming that described device authentication server with the terminal intrinsic information deciphering of described transmission, authenticates the server authentication unit of described device authentication server.
13, the terminal equipment described in claim 11 is characterized in that,
Receive the 2nd session key of encrypting with described security information from described device authentication server, and by described the 2nd session key of described reception being deciphered with described security information, or by produce the 2nd session key, and with after the described secret key encryption the 2nd session key of described encryption being sent to described terminal equipment, obtain described the 2nd session key and with shared the 2nd session key acquiring unit of described device authentication server,
Utilize the 2nd session key in accordance with regulations after the described proof information of step conversion, from described device authentication server receive be used to detect communication do not change midway the detection information of described proof information the detection information receiving unit,
By with the 2nd session key that the obtains described proof information that receives of step conversion in accordance with regulations, produce the detection information generation unit of detection information, and
The homogeny of the detection information by judging described generation and the detection information of described reception confirms not change the affirmation unit of the proof information of described reception.
14, a kind of equipment authentication method, be used for device authentication system, this system has the terminal equipment, the described security information of storage of the security information of store predetermined and described terminal equipment is carried out the device authentication server of device authentication and provides professional service server to the described terminal equipment that carries out device authentication at described device authentication server, it is characterized in that
Described device authentication server has request and accepts unit, server intrinsic information transmitting element, encryption intrinsic information receiving element, device authentication unit, session key acquiring unit, proof information transmitting unit and proof information receiving unit,
Described method comprises following steps:
Accept the unit from described terminal equipment by described request, the request of receiving equipment authentication request accept step,
By described server intrinsic information transmitting element to accepting the terminal equipment of described request, with the server intrinsic information that itself produces send to described terminal equipment server intrinsic information forwarding step,
By described encryption server intrinsic information receiving element from described terminal equipment, receive with described security information to the encryption server intrinsic information receiving step of the encryption server intrinsic information of described server intrinsic information encryption,
By described device authentication unit according to can be with the deciphering of the encryption server intrinsic information of described reception with described secret key, to described terminal equipment carry out device authentication the device authentication step,
Receive the session key of encrypting from described terminal equipment by described session key acquiring unit with described security information, and by with described security information with the deciphering of the session key of described reception or by producing session key and with after the described secret key encryption session key of described encryption being sent to described terminal equipment, obtain session key and with the shared session key obtaining step of described terminal equipment,
By described proof information transmitting unit with the described session key that obtains, with the described device authentication of proof unit to described terminal equipment do to send to behind the permit encryption for information of device authentication described terminal equipment proof information forwarding step and
From obtain the described service server of described proof information by described terminal equipment, receive the proof information receiving step of described proof information by described proof information receiving unit.
15, the equipment authentication method described in claim 14 is characterized in that,
Also have and confirm transmitting element as a result,
Described method has by described affirmation after transmitting element confirms that described proof information is correct as a result, and the affirmation that the affirmation result of described affirmation is sent to described service server is forwarding step as a result.
16, the equipment authentication method described in claim 14 is characterized in that,
Described device authentication server has terminal intrinsic information receiving element and terminal intrinsic information transmitting element,
Described method has following steps:
By described terminal intrinsic information receiving element from described terminal equipment, receive described terminal equipment produce, and with the terminal intrinsic information receiving step of the terminal intrinsic information of described security information encryption and
, obtain this information, and the terminal intrinsic information of obtaining is sent to the terminal intrinsic information forwarding step of described terminal equipment by with of the terminal intrinsic information deciphering of described security information by described terminal intrinsic information transmitting element described reception.
17, the equipment authentication method described in claim 15 is characterized in that,
Described device authentication server has the provisioning information of encryption decrypting device, judging unit and device authentication result regulation unit,
Described proof information comprises
Stipulate described terminal equipment device authentication result provisioning information and
The encryption provisioning information that obtains after with intrinsic server key described provisioning information being encrypted,
Described method has following steps:
By described encryption provisioning information decrypting device with described server key, the encryption provisioning information decryption step of the encryption provisioning information that will from the proof information that described service server is received, comprise deciphering,
By described judging unit, the determining step whether provisioning information that comprises in the provisioning information of judging described deciphering and the proof information of described reception identical and
By the provisioning information of described device authentication result regulation unit with described judgement, the device authentication result regulation step of specified devices authentication result,
At described affirmation forwarding step as a result, send the device authentication result of described device authentication result regulation step regulation.
18, the equipment authentication method described in claim 14 is characterized in that,
Described device authentication server has
The 2nd session key acquiring unit and
Detection information generation unit,
Described method following steps:
Receive the 2nd session key of encrypting from described terminal equipment by described the 2nd session key acquiring unit with described security information, and by the 2nd session key of described reception being deciphered with described security information, or by produce the 2nd session key, and with after the described secret key encryption the 2nd session key of described encryption being sent to described terminal equipment, obtain described the 2nd session key, and with the 2nd session key obtaining step of shared the 2nd session key of described terminal equipment and
, produce and detect the detection information that communication do not change the detection information that described proof information uses midway and produce step by with described the 2nd session key that the obtains described proof information of step conversion in accordance with regulations by described detection information generation unit,
At described proof information forwarding step, described detection information is produced the detection information that produces in the step send to described terminal equipment together with described proof information.
19, the equipment authentication method described in claim 14 is characterized in that,
Described device authentication server has corresponding stored unit, device id receiving element and the security information regulation unit that the security information of the device id of described terminal equipment and the storage of this terminal equipment is stored accordingly,
Described method has following steps:
By the terminal equipment that described device id receiving element obtains accepting from described request, the device id receiving step of receiving equipment ID and
In described corresponding stored unit, retrieve the device id of described reception by described security information regulation unit, and regulation and described device id have the security information regulation step of the security information of corresponding relation,
Described device authentication step is encrypted described server intrinsic information with the security information of described regulation.
20, a kind of equipment authentication method, be used for device authentication system, this system has the terminal equipment, the described security information of storage of the security information of store predetermined and described terminal equipment is carried out the device authentication server of device authentication and provides professional service server to the described terminal equipment that carries out device authentication at described device authentication server, it is characterized in that
Described terminal equipment has request unit, encryption server intrinsic information transmitting element, session key acquiring unit, proof information receiving unit and proof information transmitting unit,
Described method has following steps:
By the described request unit to described device authentication server, the request step of requesting service authentication,
By the described security information of described encryption server intrinsic information transmitting element, after the server intrinsic information that described device authentication server is sent according to described request is encrypted, send to described device authentication server encryption server intrinsic information forwarding step,
Receive the session key of encrypting from described device authentication server by described session key acquiring unit with described security information, and by the session key of described reception being deciphered with described security information, or by produce session key, and with after the described secret key encryption session key of described encryption being sent to described device authentication server, obtain session key, and with the shared session key obtaining step of device authentication server,
Receive proof with described session key encryption by described proof information receiving unit from described device authentication server, and obtain at described device authentication server device authentication proof information proof information receiving step and
By described proof information transmitting unit with the proof decrypts information of described session key with described reception after, send to the proof information forwarding step of described service server.
21, the equipment authentication method described in claim 20 is characterized in that,
Described terminal equipment has
Terminal intrinsic information transmitting element and
The server authentication unit,
Described method has following steps:
Produce the terminal intrinsic information by described terminal intrinsic information transmitting element, and with the terminal intrinsic information forwarding step that sends it to described device authentication server after the described security information encryption and
The terminal intrinsic information of described transmission is deciphered by confirming described device authentication server by described server authentication unit, authenticated the server authentication step of described device authentication server.
22, the equipment authentication method described in claim 20 is characterized in that,
Described terminal equipment has
The 2nd session key acquiring unit, detection information receiving unit, detection information generation unit and confirmation unit,
Described method has following steps:
Receive the 2nd session key of encrypting from described device authentication server by described the 2nd session key acquiring unit with described security information, and by described the 2nd session key of described reception being deciphered with described security information, or by produce the 2nd session key, and with after the described secret key encryption the 2nd session key of described encryption being sent to described device authentication server, obtain described the 2nd session key, and with shared the 2nd session key obtaining step of described device authentication server,
Utilize the 2nd session key in accordance with regulations after the described proof information of step conversion, by described detection information receiving unit from described device authentication server receive be used to detect communication do not change midway the detection information of described proof information detection message pick-up step,
By with the 2nd session key that the obtains described proof information that receives of step conversion in accordance with regulations, the detection information that produces detection information produces step by described detection information generation unit, and
By the detection information of described confirmation unit by judging described generation and the homogeny of the detection information of described reception, affirmation does not change the affirmation step of the proof information of described reception.
23, a kind of device authentication program, be used to make the device authentication server running that constitutes by computer, this device authentication server is used for device authentication system, this system has the terminal equipment, the described security information of storage of the security information of store predetermined and described terminal equipment is carried out the device authentication server of device authentication and provides professional service server to the described terminal equipment that carries out device authentication at described device authentication server, it is characterized in that, use the following function of computer realization:
From described terminal equipment, the request of receiving equipment authentication request accept function,
To accepting the terminal equipment of described request, with the server intrinsic information that itself produces send to described terminal equipment server intrinsic information sending function,
From described terminal equipment, receive with described security information to the encryption server intrinsic information receiving function of the encryption server intrinsic information of described server intrinsic information encryption,
According to can be with the deciphering of the encryption server intrinsic information of described reception with described secret key, to described terminal equipment carry out device authentication the device authentication function,
Receive the session key of encrypting with described security information from described terminal equipment, and by the session key of described reception being deciphered with described security information, or by produce session key, and with after the described secret key encryption session key of described encryption being sent to described terminal equipment, obtain session key, and with the shared session key of described terminal equipment obtain function,
With the described session key that obtains, proof made the permit encryption for information of device authentication to described terminal equipment in the described device authentication function after, send to described terminal equipment the proof message sending function and
From obtain the described service server of described proof information by described terminal equipment, receive the proof information receiving function of described proof information.
24, the device authentication program described in claim 23 is characterized in that,
Use computer realization
Confirm that described proof information is affirmation correct and that the affirmation result after the described affirmation is sent to described service server sending function as a result.
25, the device authentication program described in claim 23 is characterized in that,
With the following function of computer realization:
From described terminal equipment receive described terminal equipment produce, and with the terminal intrinsic information receiving function of the terminal intrinsic information of described security information encryption and
By with of the terminal intrinsic information deciphering of described security information, obtain this information, and the described terminal intrinsic information of obtaining is sent to the terminal intrinsic information sending function of described terminal equipment described reception.
26, the device authentication program described in claim 24 is characterized in that,
Described proof information comprises
Stipulate described terminal equipment device authentication result provisioning information and
The encryption provisioning information that obtains after with intrinsic server key described provisioning information being encrypted,
Described program also realizes following function:
With described server key, the encryption provisioning information decipher function of the encryption provisioning information deciphering that will from the proof information that described service server is received, comprise,
The arbitration functions whether provisioning information that comprises in the provisioning information of judging described deciphering and the proof information of described reception identical and
With the provisioning information after the described judgement, the device authentication result predetermined function of specified devices authentication result,
Described affirmation is sending function as a result, sends the device authentication result of stipulating in the described device authentication result predetermined function.
27, the device authentication program described in claim 23 is characterized in that, also realizes following function:
Receive the 2nd session key of encrypting with described security information from described terminal equipment, and by the 2nd session key of described reception being deciphered with described security information, or by produce the 2nd session key, and with after the described secret key encryption the 2nd session key of described encryption being sent to described terminal equipment, obtain described the 2nd session key, and with the 2nd session key of shared the 2nd session key of described terminal equipment obtain function and
By with described the 2nd session key that the obtains described proof information of step conversion in accordance with regulations, produce and detect the detection information that communication do not change the detection information that described proof information uses midway and produce function,
Described proof message sending function produces the detection information that produces in the function with described detection information and sends to described terminal equipment together with described proof information.
28, the device authentication program described in claim 23 is characterized in that, also realizes following function:
The corresponding stored function that the security information of the device id of described terminal equipment and the storage of this terminal equipment is stored accordingly,
From the terminal equipment that described request obtains accepting, the device id receiving function of receiving equipment ID and
With described corresponding stored function retrieve described reception device id, and regulation have the security information predetermined function of the security information of corresponding relation with described device id,
Described device authentication function is encrypted described server intrinsic information with the security information of described regulation.
29, a kind of device authentication program, be used to make the terminal equipment running that constitutes by computer, this terminal equipment is used for device authentication system, this system has the terminal equipment, the described security information of storage of the security information of store predetermined and described terminal equipment is carried out the device authentication server of device authentication and provides professional service server to the described terminal equipment that carries out device authentication at described device authentication server, it is characterized in that, use the following function of computer realization:
To described device authentication server, the request function of requesting service authentication,
Use described security information, send to after the server intrinsic information that described device authentication server is sent according to described request is encrypted described device authentication server encryption server intrinsic information sending function,
Receive the session key of encrypting with described security information from described device authentication server, and by the session key of described reception being deciphered with described security information, or by produce session key, and with after the described secret key encryption session key of described encryption being sent to described device authentication server, obtain session key, and with the shared session key of device authentication server obtain function,
Receive proof with described session key encryption from described device authentication server, and obtain at described device authentication server device authentication proof information proof information receiving function and
Use described session key, send to the proof message sending function of described service server after the proof decrypts information with described reception.
30, the device authentication program described in claim 29 is characterized in that, also realizes following function:
Produce the terminal intrinsic information and with after the described security information encryption, send it to described device authentication server terminal intrinsic information sending function and
By confirming that described device authentication server with the terminal intrinsic information deciphering of described transmission, authenticates the server authentication function of described device authentication server.
31, the device authentication program described in claim 29 is characterized in that, also realizes following function:
Receive the 2nd session key of encrypting with described security information from described device authentication server, and by described the 2nd session key of described reception being deciphered with described security information, or by produce the 2nd session key, and with after the described secret key encryption the 2nd session key of described encryption being sent to described device authentication server, obtain described the 2nd session key and with shared the 2nd session key of described device authentication server obtain function,
Utilize the 2nd session key in accordance with regulations after the described proof information of step conversion, from described certificate server receive be used to detect communication do not change midway the detection information of described proof information detection message pick-up function,
By with the 2nd session key that the obtains described proof information that receives of step conversion in accordance with regulations, produce and detect described proof information do not change the detection information of usefulness midway in communication detection information and produce function, and
The homogeny of the detection information by judging described generation and the detection information of described reception confirms not change the affirmation function of the proof information of described reception.
32, a kind of recording medium, this media computer can read, and storage is used to make the device authentication program of the device authentication server running that is made of computer, this device authentication server is used for device authentication system, this system has the terminal equipment of the security information of store predetermined, store described security information and described terminal equipment is carried out the device authentication server of device authentication, and provide professional service server to the described terminal equipment that carries out device authentication at described device authentication server, it is characterized in that the device authentication program of the storage following function of computer realization:
From the request of described terminal equipment receiving equipment authentication request accept function,
To accepting the terminal equipment of described request, with the server intrinsic information that itself produces send to described terminal equipment server intrinsic information sending function,
From described terminal equipment, receive with described security information to the encryption server intrinsic information receiving function of the encryption server intrinsic information of described server intrinsic information encryption,
According to can be with the deciphering of the encryption server intrinsic information of described reception with described secret key, to described terminal equipment carry out device authentication the device authentication function,
Receive the session key of encrypting with described security information from described terminal equipment, and by the session key of described reception being deciphered with described security information, or by produce session key, and with after the described secret key encryption session key of described encryption being sent to described terminal equipment, obtain session key, and with the shared session key of described terminal equipment obtain function,
With the described session key that obtains, proof made the permit encryption for information of device authentication to described terminal equipment in the described device authentication function after, send to described terminal equipment the proof message sending function and
From obtain the described service server of described proof information by described terminal equipment, receive the proof information receiving function of described proof information.
33, a kind of recording medium, this media computer can read, and storage is used to make the device authentication program of the terminal equipment running that is made of computer, this terminal equipment is used for device authentication system, this system has the terminal equipment, the described security information of storage of the security information of store predetermined and described terminal equipment is carried out the device authentication server of device authentication and provides professional service server to the described terminal equipment that carries out device authentication at described device authentication server, it is characterized in that the device authentication program of the storage following function of computer realization:
To the request function of described device authentication server requests device authentication,
Use described security information, after the server intrinsic information that described device authentication server is sent according to described request is encrypted, send to described device authentication server encryption server intrinsic information sending function,
Receive the session key of encrypting with described security information from described device authentication server, and by the session key of described reception being deciphered with described security information, or by produce session key, and with after the described secret key encryption session key of described encryption being sent to described device authentication server, obtain session key, and with the shared session key of device authentication server obtain function,
From described device authentication server, receive proof with described session key encryption and obtain at described device authentication server device authentication proof information proof information receiving function and with after the proof decrypts information of described session key with described reception, send to the proof message sending function of described service server.
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| JP2003311855 | 2003-09-03 | ||
| JP311855/2003 | 2003-09-03 | ||
| JP229280/2004 | 2004-08-05 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN1842991A true CN1842991A (en) | 2006-10-04 |
Family
ID=37031195
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN 200480024612 Pending CN1842991A (en) | 2003-09-03 | 2004-08-30 | Device authentication system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN1842991A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112689833A (en) * | 2018-10-01 | 2021-04-20 | 二村宪人 | Information communication device, authentication program for information communication device, and authentication method |
-
2004
- 2004-08-30 CN CN 200480024612 patent/CN1842991A/en active Pending
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112689833A (en) * | 2018-10-01 | 2021-04-20 | 二村宪人 | Information communication device, authentication program for information communication device, and authentication method |
| CN112689833B (en) * | 2018-10-01 | 2022-06-07 | 二村宪人 | Information communication device, authentication program for information communication device, and authentication method |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN1224909C (en) | Digital works protecting system | |
| CN1252581C (en) | Secreting and/or discriminating documents remote-controlling printing | |
| CN1735939A (en) | Content distribution system, recording device and method, reproduction device and method, and program | |
| CN1222893C (en) | Electronic watermark system, electronic information distribution system, and image filing apparatus | |
| CN100338907C (en) | Information processing system and method, information processing apparatus and method, recording medium, and program | |
| CN1736082A (en) | Group entry approval system, server apparatus, and client apparatus | |
| CN1914649A (en) | Authentication system, authentication device, and recording medium | |
| CN1396568A (en) | Digital works protection system, recording medium device, transmission device and playback device | |
| CN1682174A (en) | Group formation/management system, group management device, and member device | |
| CN1608263A (en) | Rights management unit | |
| CN1460225A (en) | Data processing system, memory device, data processor, data processing method and program | |
| CN1802637A (en) | Password change system | |
| CN1947372A (en) | Personal information management device, distributed key storage device, and personal information management system | |
| CN1855805A (en) | Encryption method for sip message and encrypted sip communication system | |
| CN1303065A (en) | Data bank management device and encryption/deciphering system | |
| CN1839581A (en) | Device authentication information installation system | |
| CN1930625A (en) | Content playback device | |
| CN1483177A (en) | Computer-readable information storage medium where content data is stored and content charging system | |
| CN1708971A (en) | System and method for pushing information from a service provider to a communication terminal comprising a memory card | |
| CN1934582A (en) | Content use system, information terminal, and settlement system | |
| CN1483278A (en) | Contents directory service system | |
| CN1665185A (en) | Content providing system, user system, tracing system, apparatus, method | |
| CN101047495A (en) | Method and system for transferring data | |
| CN1799094A (en) | Contents distribution system, recording apparatus, signature apparatus, contents supply apparatus, and contents playback apparatus | |
| CN1841997A (en) | Information process distribution system, information processing apparatus and information process distribution method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
| WD01 | Invention patent application deemed withdrawn after publication |
Open date: 20061004 |