CN1983926A - Safety method of equipment - Google Patents
Safety method of equipment Download PDFInfo
- Publication number
- CN1983926A CN1983926A CN 200610060374 CN200610060374A CN1983926A CN 1983926 A CN1983926 A CN 1983926A CN 200610060374 CN200610060374 CN 200610060374 CN 200610060374 A CN200610060374 A CN 200610060374A CN 1983926 A CN1983926 A CN 1983926A
- Authority
- CN
- China
- Prior art keywords
- equipment
- authentication number
- terminal equipment
- authentication
- key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Abstract
The invention is concerned with the safety guarantee method for the equipment, includes: 1) setups the key unit, keeps the private key inside the key unit; keeps the corresponding public key in the equipment; 2) processes the certification of the key unit according to the saved public key; if the certification is approved, the equipment allows to visit, otherwise, rejects for visiting. The invention can help users to use the equipment safely without inputting password, ensure the safety of the equipment, provide great deal of convenience.
Description
Technical field
The present invention relates to the safety guarantee technology, be specifically related to a kind of method for protecting of equipment.
Background technology
At present, the Information Access of the subscriber card such as SIM card is protected by PIN code in the mobile terminal device.Specifically, be provided with the PIN code of subscriber card as the user after, will protect by PIN code the visit of subscriber card, also be common run into PIN code is set after, mobile phone prompting user imports PIN code, and is then could normal boot-strap the same.
Though control the information that can protect subscriber card to the visit of subscriber card by PIN code,, each calling party card, promptly each start all will allow the user import PIN code, then is difficult to be accepted by users.Therefore, present most users are not provided with PIN code.Based on this reason; in fact, present subscriber card PIN code does not have due effect to the safeguard protection of subscriber card, because nobody or the few are ready to use; the usefulness that just is equal to nothing, it is the same to have its operability as rigorous again system and legal provision.
Equally, terminal equipment is provided with after the password, when start, also must import the relevant information that correct password can be started shooting and terminal equipment is preserved and conduct interviews.
If terminal equipment is provided with startup password, subscriber card wherein is provided with PIN code again, so, during start, prompting input startup password and PIN code will occur.Originally, password of general user was not thought input, and it is just difficult more to allow it input twice password.
Summary of the invention
In view of this, main purpose of the present invention provides a kind of method for protecting of equipment, in the fail safe that guarantees described equipment simultaneously, makes it have better ease for use.When this method is applied to the mobile phone users card, can be so that the mobile terminal device user uses its subscriber card easily and safely; When this method is applied to portable terminal, can be so that the mobile terminal device user uses its portable terminal easily and safely; When this method is applied to the anti-theft device of automobile or door and window etc., can be so that the anti-theft device user uses this anti-theft device easily and safely.
Above-mentioned purpose of the present invention is achieved by the following technical solutions:
A kind of method for protecting of equipment comprises the steps: at least
A., key unit is set, in key unit, preserves private key; In described equipment, preserve corresponding PKI;
B. described equipment authenticates key unit according to the PKI of preserving; If authentication is passed through, allow the described equipment of visit, otherwise denied access.
Described key unit the authentication according to the PKI that is provided with of step b comprises:
B11. produce an authentication number, according to this authentication number of encrypted private key, and send the ciphertext that obtains to described equipment by key unit;
B12. described equipment is deciphered described ciphertext with PKI, and plaintext and the described authentication number that obtains compared, if consistent, then authentication is passed through; Otherwise authentication is not passed through.
Described authentication number is produced by described equipment, and sends key unit to.
Described authentication number is produced by key unit, and sends described equipment to.
Further comprise before the step b12: described equipment judges whether authentication number is illegal, if illegal, then authentication is not passed through, otherwise, execution in step b12.
Described equipment is judged that authentication number is whether legal and is: this equipment last time preserved during authentication success be received from key unit authentication number as historical authentication number, this equipment this by judging whether this authentication number judges its legitimacy greater than the historical authentication number of preserving; If greater than legal, otherwise, illegal.
Described authentication number is a random number.
Described authentication number is made up of an incremented sequence number and a random number; Described equipment is judged that authentication number is whether legal and is: this equipment had been preserved sequence number in the authentication number that is received from key unit during authentication success as historical series number in last time, and whether this equipment this number judge its legitimacy greater than the historical series of preserving by judging the sequence number in this authentication number; If greater than legal, otherwise, illegal.
Described equipment is subscriber card.
Described key unit is mobile terminal device, PDA, PC computer, electron key, attaching position register, AUC or equipment identity register.
Described key unit is an electron key;
This method further comprises: a radio receiving transmitting module is set respectively in mobile terminal device and electron key, mobile terminal device is set up radio communication with electron key by set radio receiving transmitting module and is connected, and mobile terminal device connects the interactive information that transmits between subscriber card and the electron key by this radio communication.
Perhaps this method further comprises: a data order wire interface is set respectively in mobile terminal device and electron key, mobile terminal device and electron key are set up wired communicating to connect by described two interfaces, and mobile terminal device connects the interactive information that transmits between subscriber card and the electron key by this wire communication.
Described equipment is terminal equipment.
Described key unit is subscriber card, electron key, attaching position register, AUC or equipment identity register.
Described key unit is an electron key;
This method further comprises: a radio receiving transmitting module is set respectively in terminal equipment and electron key, terminal equipment is set up radio communication with electron key by set radio receiving transmitting module and is connected, and terminal equipment connects by this radio communication and electron key carries out information interaction.
Perhaps this method further comprises: a data order wire interface is set respectively in terminal equipment and electron key, terminal equipment and electron key are set up wired communicating to connect by described two interfaces, and terminal equipment carries out information interaction by this wire communication connection and electron key.
Described equipment is anti-theft device, and described key unit is a terminal equipment.
This method further comprises:
A radio receiving transmitting module is set respectively in terminal equipment and anti-theft device, and terminal equipment is set up radio communication with anti-theft device by set radio receiving transmitting module and is connected, and terminal equipment connects by this radio communication and anti-theft device carries out information interaction.
Perhaps: a data order wire interface is set respectively in terminal equipment and anti-theft device, and terminal equipment and anti-theft device are set up wired communicating to connect by described two interfaces, and terminal equipment carries out information interaction by this wire communication connection and anti-theft device.
This method further comprises: described anti-theft device is a communication terminal, and described terminal equipment and alarms and security systems for automobiles carry out information interaction by communication network.
The described equipment of visit comprises among the step b: the access request of the information material that described equipment is preserved, Network in the described equipment is provided with the operational access of data, or carries out request that corresponding digest calculations or encryption and decryption calculate or the normal running of described equipment.
From technical scheme of the present invention as can be seen, the present invention is provided with key unit, preserves private key at key unit, and the PKI of correspondence is kept in the described equipment; This equipment authenticates key unit according to the PKI that is provided with before the relevant access request of response; If authentication is passed through, allow relevant access request, otherwise the relevant access request of refusal.
For example, for described equipment is subscriber card, described key unit is the situation of mobile terminal device, after subscriber card is provided with function of safety protection, when this subscriber card is inserted other illegal terminal equipment, can because authentication not by and the visit that can't be correlated with to subscriber card has so just guaranteed the safety of subscriber card.And when inserting subscriber card in the legal terminal equipment, because authentication can be passed through, therefore, just can directly subscriber card be conducted interviews, like this, the user does not need to import PIN code promptly can the calling party card, so convenient for users.As can be seen, utilize the inventive method, by the authentication of subscriber card to key unit, when guaranteeing the subscriber card fail safe, convenient for users to use, improved the available rows of subscriber card, thereby, solved the subscriber card safety issue of bringing because the user is unwilling to import PIN code.
Also for example, described equipment can be portable terminal, and, the key unit here can be a subscriber card, like this, after terminal equipment is provided with function of safety protection, when in this terminal equipment, inserting other subscriber card, can because authentication not by and the visit that can't be correlated with to terminal equipment has so just guaranteed the safety of terminal equipment.And in terminal equipment, insert the legal users card, when promptly having the subscriber card of private key of the PKI pairing of preserving with terminal equipment, because authentication can be passed through, therefore, just can directly conduct interviews to terminal equipment, like this, the user does not need to import startup password promptly can access terminal equipment, therefore convenient for users.As can be seen, utilize the inventive method, by the authentication of terminal equipment to key unit, when guaranteeing the terminal equipment fail safe, convenient for users to use, improved the availability of terminal equipment, thereby, the terminal equipment safety issue of bringing because the user is unwilling to import startup password solved.
Foregoing invention can solve the user terminal equipment is provided with startup password, and when being provided with PIN code in the subscriber card therein, when each start, the problem that needs twice password of input, the number of times that makes the user input password can reduce once, convenient for users to use, improved user's experience!
Description of drawings
Fig. 1 is the overview flow chart of guarantee subscriber card safety of the present invention;
Fig. 2 is the first embodiment flow chart that the present invention ensures subscriber card safety;
Fig. 3 is the second embodiment flow chart that the present invention ensures subscriber card safety;
Fig. 4 is the 3rd embodiment flow chart that the present invention ensures subscriber card safety;
Fig. 5 is the 4th embodiment flow chart that the present invention ensures subscriber card safety;
Fig. 6 is the 5th embodiment flow chart that the present invention ensures subscriber card safety;
Fig. 7 is the 6th embodiment flow chart that the present invention ensures subscriber card safety;
Fig. 8 is the overview flow chart of guarantee terminal equipment safety of the present invention;
Fig. 9 is the first embodiment flow chart that the present invention ensures terminal equipment safety;
Figure 10 is the second embodiment flow chart that the present invention ensures terminal equipment safety.
Embodiment
For making the purpose, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below in conjunction with drawings and Examples.
Device security support method of the present invention is provided with key unit, preserves private key in key unit; In described equipment, preserve corresponding PKI; Described equipment authenticates key unit according to the PKI of preserving before the relevant access request of response; If authentication is passed through, allow relevant access request, otherwise the relevant access request of refusal.
Described equipment can be subscriber card, like this, by key unit is set, preserves private key at key unit, and preserve corresponding PKI in subscriber card; Subscriber card authenticates key unit according to the PKI of preserving before the relevant access request of response; If authentication is passed through, allow relevant access request, otherwise the relevant access request of refusal.Can ensure the safety of subscriber card like this.
Fig. 1 is the overview flow chart of guarantee subscriber card safety of the present invention.As shown in Figure 1, the present invention comprises the steps: at least
Step S11, key unit is set, in key unit, preserves private key.
The key unit here can be a terminal equipment itself, also can be an electron key, also can be an equipment of network side, as attaching position register (HLR), AUC (AUC) and equipment identity register (EIR) etc.
If key unit is a terminal equipment itself, then terminal equipment can directly be preserved this described private key.If key unit is an electron key, a radio receiving transmitting module then is set respectively in mobile terminal device and electron key, mobile terminal device is set up radio communication with electron key by this radio receiving transmitting module and is connected, mobile terminal device connects the interactive information that transmits between subscriber card and the electron key by this radio communication, at this moment, mobile terminal device can connect by this radio communication, and described private key is set to electron key.Described radio communication connects and can set up by infrared ray or basket tooth or the like the communication technology.Certainly, also a data order wire interface can be set respectively in mobile terminal device and electron key, mobile terminal device and electron key are set up wired communicating to connect by described two interfaces, for example, set up wired communicating to connect by the data telecommunication line that is connected between described two interfaces, perhaps two interfaces are directly pegged graft by socket and are set up wired communicating to connect for the communication socket.Mobile terminal device connects the interactive information that transmits between subscriber card and the electron key by this wire communication.
If key unit is the network equipments such as HLR, terminal equipment and this key unit can pass through short message or OTA (Over The Air) interface, or information interaction is carried out in business operation order (as the calling transfer order being set or checking the calling transfer status command) etc.Certainly, also can carry out information interaction by other signaling method.
Step S12, in subscriber card, preserve the PKI with the pairing of private key described in the S11.If subscriber card has been provided with PIN code, when then in subscriber card, preserving described PKI, be by carrying out after the PIN code checking.
Right technology has been known, mature technique to produce PKI and private key, can repeat no more here referring to " applied cryptography " or other document.
Step S13, subscriber card authenticate key unit according to the PKI of preserving before the relevant access request of response; If authentication is passed through, then execution in step S14 allows relevant access request, otherwise, execution in step S15, the relevant access request of refusal.
The relevant access request here can be the access request to the information material of subscriber card preservation, such as, check the numbering directory record that subscriber card is preserved, check the short message that subscriber card is preserved, or the like.Or to the operational access of the data that are provided with about Network in the subscriber card, such as, some custom services of operator are provided with data.Or carry out the request that corresponding digest calculations or encryption and decryption are calculated, such as, terminal equipment sends to random number of subscriber card, and subscriber card to the computing of making a summary of this random number, and returns to the digest value of calculating the operation of terminal equipment according to the own root key of preserving.
The mode that subscriber card authenticates key unit according to the PKI of preserving can be based on that an authentication number carries out, and in fact this authentication number can be a random number.
Usually, when subscriber card authenticated key unit, described authentication number was to produce and send to key unit by subscriber card.
Below in conjunction with drawings and the specific embodiments the present invention program is done further detailed description.
As shown in Figure 2, be the first embodiment flow chart that the present invention ensures subscriber card safety, key unit is a terminal equipment in the present embodiment.
Step S101, in terminal equipment, preserve private key, in subscriber card, preserve corresponding PKI.
Step S102, the terminal equipment access request of will being correlated with sends to subscriber card;
Step S103, subscriber card produce first authentication number, and send first authentication number to terminal equipment after receiving relevant access request.Described authentication number can be a random number, and for example, subscriber card is provided with a pseudorandom number generator, produces random number by this generator.
Step S104, terminal equipment be according to described first authentication number of encrypted private key, and send the ciphertext that obtains to subscriber card.
After step S105, subscriber card receive the ciphertext that terminal equipment returns, decipher described ciphertext according to PKI and obtain expressly.
Step S106, subscriber card judge whether the plaintext that obtains is consistent with described first authentication number, if consistent, then at step S107, the permission terminal equipment is to the subscriber card visit of being correlated with; Otherwise, promptly inconsistent, then at step S108, do not allow terminal equipment to the subscriber card visit of being correlated with.
Above-mentioned authentication number also can be to be produced by key unit, and will together send subscriber card to according to ciphertext and this authentication number that the encrypted private key authentication number obtains, subscriber card PKI decrypting ciphertext, obtain expressly, and relatively expressly determine whether allowing to the subscriber card visit of being correlated with whether authentication number is consistent.
Need to prove, when described authentication number is produced by key unit, subscriber card can further carry out legitimacy to described authentication number and judge before described decrypting ciphertext, avoids the assailant to utilize the authentication number of intercepting and capturing and ciphertext that subscriber card is carried out message replay attack.Like this, if subscriber card judges that the authentication number of key unit generation is illegal, then, this authentication for key unit is not passed through, if legal, just carries out described decryption oprerations.
As shown in Figure 3, be the second embodiment flow chart that the present invention ensures subscriber card safety, generate authentication number by key unit among this embodiment, and authentication number is carried out legitimate verification by subscriber card.Key unit is a terminal equipment in the present embodiment.
Step S201, in terminal equipment, preserve private key, in subscriber card, preserve corresponding PKI.
Step S202, terminal equipment produce second authentication number, obtain ciphertext according to encrypted private key second authentication number of preserving; The terminal equipment access request of will being correlated with sends to subscriber card, carries second authentication number and the described ciphertext of generation in this relevant access request.
After step S203, subscriber card receive relevant access request, judge the legitimacy of carrying second authentication number in the solicited message, if illegal, execution in step S207 does not then allow terminal equipment to the subscriber card visit of being correlated with; Otherwise, continue to carry out following steps S204.
Subscriber card can be avoided message replay attack by the legitimacy of carrying second authentication number in the solicited message is judged.
Step S204, subscriber card are deciphered described ciphertext according to PKI and are obtained expressly.
Step S205, subscriber card judge whether above-mentioned plaintext is consistent with second authentication number, if consistent, then at step S206, allow terminal equipment to the subscriber card visit of being correlated with; Otherwise, promptly inconsistent, then at step S207, do not allow terminal equipment to the subscriber card visit of being correlated with.
Here judge that expressly whether consistent with second authentication number can be to judge expressly whether to equate with second authentication number.
Subscriber card is judged for the legitimacy of second authentication number among the above-mentioned steps S203, can adopt repeatability to judge and carry out.Also promptly judge the repeatability of the authentication number that key unit produces, thereby can avoid the assailant to utilize same authentication number effectively or the authentication number used carries out message replay attack to subscriber card.Such as, when carrying out the repeatability judgement, when can preserving last authentication success, subscriber card produces and sends to the authentication number of oneself by key unit, when this authenticates, judge when whether authentication number that this key unit produces is greater than or less than the own last authentication success of preserving described authentication number by the key unit generation, wherein, for require to increase progressively produce the authentication number for judge whether greater than, for the generation authentication number that requires to successively decrease then be judge whether less than.Here, the authentication number that can require key unit to produce be increase progressively or successively decrease.At this moment, subscriber card is when authentication success, and second authentication number that is produced by key unit in the time of can preserving this authentication success is so that when authenticating, judge with this authentication number whether new second authentication number that produces of key unit is legal next time.
In the middle of the reality, terminal equipment can utilize the increasing or decreasing randomizer to produce increasing or decreasing authentication number sequence.
Certainly, in the practical application, terminal equipment is when the calling party card, be difficult to be listened to related news by the third party, therefore, the authentication number subscriber card that produces for key unit also can not carry out described legitimate verification, so also can realize purpose of the present invention, but fail safe will decrease.
Certainly, the authentication number that terminal equipment produces can be the new random number that is formed by an incremented sequence number and a random number merging, or (sequence number, the random number) be made up of an incremented sequence number and random number is right.Like this, subscriber card can only be preserved corresponding sequence number when each authentication success, and the sequence number in the authentication number that sends according to the sequence number of preserving and key unit when next time authenticating judges whether this authentication number is legal.
As shown in Figure 4, be the 3rd embodiment flow chart that the present invention ensures subscriber card safety, generate authentication number by key unit among this embodiment, this authentication number is that one (sequence number, random number) is right.Subscriber card is preserved historical authentication number information in advance, promptly authentication when success last time the authentication number information that produces by key unit, the historical authentication number information here was the sequence number in the authentication number, became historical series number.Its initial value can be 0.Subscriber card carries out legitimate verification according to the sequence number of preserving to the authentication number of this authentication.Key unit is a terminal equipment in the present embodiment.
Step S301, in terminal equipment, preserve private key, in subscriber card, preserve corresponding PKI.
Step S302, terminal equipment produce second authentication number, and this second authentication number is that one (sequence number, random number) is right; Terminal equipment obtains ciphertext according to encrypted private key second authentication number of preserving; The terminal equipment access request of will being correlated with sends to subscriber card, carries second authentication number and the described ciphertext of generation in this relevant access request.
After step S303, subscriber card receive relevant access request, judge sequence number in second authentication number whether greater than the historical series of preserving in advance number, if not, then second authentication number is illegal, execution in step S307 does not allow terminal equipment to the subscriber card visit of being correlated with; Otherwise promptly, the sequence number in second authentication number then continues to carry out following steps S304 greater than the historical series of preserving number.
Step S304, subscriber card are deciphered described ciphertext according to PKI and are obtained expressly.
Step S305, subscriber card judge whether above-mentioned plaintext is consistent with second authentication number, if consistent, then at step S306, sequence number in second authentication number are saved as historical series number, and allow terminal equipment to the subscriber card visit of being correlated with; Otherwise, promptly inconsistent, then at step S307, do not allow terminal equipment to the subscriber card visit of being correlated with.
Here judge that expressly whether consistent with second authentication number can be to judge whether sequence number and random number in the plaintext equate fully with sequence number and random number in second authentication number.
Usually, generate in the processing procedure of the second new authentication number at above-mentioned key unit, can also send to key unit by first authentication number that subscriber card is preserved self or generate, key unit produces second authentication number according to first authentication number of receiving.Wherein, subscriber card sends to first authentication number of key unit, can be that the miscellaneous equipment such as key unit sends to subscriber card, also can be that subscriber card self initiatively generates, certainly, can also be that subscriber card generates according to the information that miscellaneous equipment sends.
In the middle of the reality, also can be to produce first authentication number by subscriber card, produce second authentication number by key unit, described computations also can be to first authentication number according to private key, second authentication number is carried out computations and is obtained ciphertext, and sends described ciphertext and second authentication number to subscriber card and be used for the authentication of subscriber card to key unit.
As shown in Figure 5, be the 4th embodiment flow chart that the present invention ensures subscriber card safety, key unit is a terminal equipment in the present embodiment.
Step S401, in terminal equipment, preserve private key, in subscriber card, preserve corresponding PKI.
Step S402, terminal equipment produce second authentication number, and the access request of will being correlated with sends to subscriber card, carry second authentication number of generation in the request.
Step S403, subscriber card produce first authentication number, and send first authentication number to terminal equipment after receiving relevant access request.
Step S404, terminal equipment are carried out computations according to the private key of preserving to first authentication number and second authentication number, obtain ciphertext, and send described ciphertext to subscriber card.
After step S405, subscriber card receive described ciphertext, carry out deciphering according to PKI and calculate, obtain expressly.
Step S406, subscriber card judge whether described plaintext is consistent with described first authentication number and second authentication number, if consistent, then at step S407, allow terminal equipment to the subscriber card visit of being correlated with; Otherwise,,, do not allow terminal equipment to the subscriber card visit of being correlated with then at step S408 if inconsistent.
Need to prove that among the above-mentioned steps S402, terminal equipment can not produce second authentication number earlier, but the access request of only will being correlated with sends to subscriber card; Accordingly, step S404 is before carrying out described computations, just produce second authentication number, then carry out described computations, and when sending described ciphertext to subscriber card, also send described second authentication number to subscriber card, so that the described deciphering calculating of subscriber card execution in step S405 and the consistency decision operation of step S406.
Among the above-mentioned steps S404, when carrying out computations, can be earlier first authentication number and second authentication number to be carried out a preliminary treatment, for example first authentication number and second authentication number are carried out a calculating, this calculating can be that XOR calculates, and then, encryption is carried out at result of calculation.
As shown in Figure 6, be the 5th embodiment flow chart that the present invention ensures subscriber card safety, key unit is a terminal equipment in the present embodiment.
Step S501, in terminal equipment, preserve private key, in subscriber card, preserve corresponding PKI.
Step S502, terminal equipment produce second authentication number, second authentication number is carried in the relevant access request sends to subscriber card.
Second authentication number here can be a random number.
Step S503, subscriber card produce first authentication number, and send first authentication number to terminal equipment after receiving relevant access request.
Step S504, terminal equipment carry out combined calculation to first authentication number and second authentication number, obtain a result of calculation, and according to the described result of encrypted private key, and send the ciphertext that obtains to subscriber card.
The combined calculation here can be that XOR calculates.
After step S505, subscriber card receive the ciphertext that terminal equipment returns, decipher described ciphertext according to PKI and obtain expressly, and first authentication number and second authentication number are carried out combined calculation, obtain a result of calculation.
Step S506, subscriber card judge whether the plaintext that described result of calculation and deciphering obtain is consistent, if consistent, then at step S507, allow terminal equipment to the subscriber card visit of being correlated with; Otherwise, promptly inconsistent, then at step S508, do not allow terminal equipment to the subscriber card visit of being correlated with.
As further optimization to the 5th embodiment, in the middle of the reality, also can be to produce second authentication number by key unit, send to subscriber card, subscriber card produces first authentication number according to described second authentication number, and sends first authentication number to key unit.Like this, can produce an authentication number that randomness is higher by key unit, and subscriber card can produce one to the less demanding authentication number of randomness, thereby reduce the requirement that subscriber card produces authentication number.
As shown in Figure 7, be the 6th embodiment flow chart that the present invention ensures subscriber card safety, key unit is a terminal equipment in the present embodiment.
Step S601, in terminal equipment, preserve private key, in subscriber card, preserve corresponding PKI.
Step S602, terminal equipment produce second authentication number, second authentication number is carried in the relevant access request sends to subscriber card.
Second authentication number here can be a random number.
Step S603, subscriber card produce first authentication number according to second authentication number, and send first authentication number to terminal equipment after receiving relevant access request.
When subscriber card produces described first authentication number according to described second authentication number, can be to produce a pseudo random number, and the XOR of carrying out this pseudo random number and described second random number obtain this first authentication number; Also can be to produce a sequence number that increases progressively at random, and the XOR of carrying out this sequence number and described second random number obtain this first authentication number.
Step S604, terminal equipment be according to described first authentication number of encrypted private key, and send the ciphertext that obtains to subscriber card.
After step S605, subscriber card receive the ciphertext that terminal equipment returns, decipher described ciphertext according to PKI and obtain expressly.
Step S606, subscriber card judge whether the plaintext that obtains is consistent with described first authentication number, if consistent, then at step S607, the permission terminal equipment is to the subscriber card visit of being correlated with; Otherwise, promptly inconsistent, then at step S608, do not allow terminal equipment to the subscriber card visit of being correlated with.
Certainly, the terminal equipment among above-mentioned first to the 6th embodiment also can be other key unit.
Device security support method of the present invention, described equipment can be terminal equipments, like this, by key unit is set, preserve private key at key unit, and preserve corresponding PKI in terminal equipment; Terminal equipment authenticates key unit according to the PKI of preserving before the relevant access request of response; If authentication is passed through, allow relevant access request, otherwise the relevant access request of refusal.Like this, can ensure the safety of terminal equipment.
Fig. 8 is the overview flow chart of guarantee terminal equipment safety of the present invention.As shown in Figure 8, the present invention comprises the steps: at least
Step S21, key unit is set, in key unit, preserves private key.
The key unit here can be a subscriber card, also can be an electron key, also can be an equipment of network side, as attaching position register (HLR), AUC (AUC) and equipment identity register (EIR) etc.
If key unit is a subscriber card itself, then subscriber card can directly be preserved this described private key.If key unit is an electron key, a radio receiving transmitting module then is set respectively in terminal equipment and electron key, terminal equipment is set up radio communication with electron key by this radio receiving transmitting module and is connected, and terminal equipment carries out information interaction by this radio communication connection.Terminal equipment can connect by this radio communication, and described private key is set to electron key.Described radio communication connects and can set up by infrared ray or basket tooth or the like the communication technology.Certainly, also a data order wire interface can be set respectively in terminal equipment and electron key, terminal equipment and electron key are set up wired communicating to connect by described two interfaces, and terminal equipment carries out information interaction by this wire communication connection.
If key unit is the network equipments such as HLR, terminal equipment and this key unit can pass through short message or OTA (Over The Air) interface, or information interaction is carried out in business operation order (as the calling transfer order being set or checking the calling transfer status command) etc.Certainly, also can carry out information interaction by other signaling method.
Step S22, in terminal equipment, preserve the PKI with the pairing of private key described in the S21.
Usually, this step operation should be received cryptoguard,, a password is set that is, when carrying out this step, should pass through this password authentification, and just allow the operation of described preservation PKI after checking is passed through.
Right technology has been known, mature technique to produce PKI and private key, can repeat no more here referring to " applied cryptography " or other document.
Step S23, terminal equipment authenticate key unit according to the PKI of preserving before the relevant access request of response; If authentication is passed through, then execution in step S24 allows relevant access request, otherwise, execution in step S25, the relevant access request of refusal.
The relevant access request here can be the access request to the information material of terminal equipment preservation, such as, check the numbering directory record, check short message record, carry out and call out, or the like.
The mode that terminal equipment authenticates key unit according to the PKI of preserving can be based on that an authentication number carries out, and in fact this authentication number can be a random number.
Usually, when terminal equipment authenticated key unit, described authentication number was to produce and send to key unit by terminal.
Below in conjunction with drawings and the specific embodiments the present invention program is done further detailed description.
As shown in Figure 9, be the first embodiment flow chart that the present invention ensures terminal equipment safety, key unit is a subscriber card in the present embodiment.
Step S2101, in subscriber card, preserve private key, in terminal equipment, preserve corresponding PKI.
Step S2103, terminal equipment produce authentication number, and send authentication number to subscriber card.Described authentication number can be a random number, and for example, terminal equipment is provided with a pseudorandom number generator, produces random number by this generator.
Step S2104, subscriber card be according to the described authentication number of encrypted private key, and send the ciphertext that obtains to terminal equipment.
After step S2105, terminal equipment receive the ciphertext that subscriber card returns, decipher described ciphertext according to PKI and obtain expressly.
Step S2106, terminal equipment judge whether the plaintext that obtains is consistent with described authentication number, if consistent, then at step S2107, permission is to the terminal equipment visit of being correlated with; Otherwise, promptly inconsistent, then at step S2108, do not allow the terminal equipment visit of being correlated with.
Above-mentioned authentication number also can be to be produced by key unit, and will together send terminal equipment to according to ciphertext and this authentication number that the encrypted private key authentication number obtains, terminal equipment PKI decrypting ciphertext, obtain expressly, and relatively expressly determine whether allowing to the terminal equipment visit of being correlated with whether authentication number is consistent.
Need to prove, when described authentication number is produced by key unit, terminal equipment can further carry out legitimacy to described authentication number and judge before described decrypting ciphertext, avoids the assailant to utilize the authentication number of intercepting and capturing and ciphertext that terminal equipment is carried out message replay attack.Like this, if terminal equipment judges that the authentication number of key unit generation is illegal, then, this authentication for key unit is not passed through, if legal, just carries out described decryption oprerations.
As shown in figure 10, be the second embodiment flow chart that the present invention ensures terminal equipment safety, generate authentication number by key unit among this embodiment, and authentication number is carried out legitimate verification by terminal equipment.Key unit is EIR in the present embodiment.
Step S2201, in EIR, preserve private key, in terminal equipment, preserve corresponding PKI.
Step S2202, EIR produce authentication number, obtain ciphertext according to the encrypted private key authentication number of preserving; EIR sends to terminal equipment with this authentication number and described ciphertext.
The legitimacy of step S2203, the described authentication number of terminal equipment, if illegal, execution in step S2207 does not then allow the terminal equipment visit of being correlated with; Otherwise, continue to carry out following steps S2204.
Step S2204, terminal equipment are deciphered described ciphertext according to PKI and are obtained expressly.
Step S2205, terminal equipment judge whether above-mentioned plaintext is consistent with authentication number, if consistent, then at step S2206, allow the terminal equipment visit of being correlated with; Otherwise, promptly inconsistent, then at step S2207, do not allow the terminal equipment visit of being correlated with.
Here judge that expressly whether consistent with authentication number can be to judge expressly whether to equate with authentication number.
Terminal equipment is judged for the legitimacy of authentication number among the above-mentioned steps S2203, can adopt repeatability to judge and carry out.Also promptly judge the repeatability of the authentication number that EIR produces, thereby can avoid the assailant to utilize same authentication number effectively or the authentication number used carries out message replay attack to terminal equipment.Such as, when carrying out the repeatability judgement, when can preserving last authentication success, terminal equipment produces and sends to the authentication number of oneself by EIR, when this authenticates, judge when whether authentication number that this EIR produces is greater than or less than the own last authentication success of preserving described authentication number by the EIR generation, wherein, for require to increase progressively produce the authentication number for judge whether greater than, for the generation authentication number that requires to successively decrease then be judge whether less than.Here, the authentication number that can require EIR to produce be increase progressively or successively decrease.At this moment, terminal equipment is when authentication success, and the authentication number that is produced by EIR in the time of can preserving this authentication success is so that when authenticating, judge with this authentication number whether the new authentication number that produces of EIR is legal next time.
In the middle of the reality, EIR can utilize the increasing or decreasing randomizer to produce increasing or decreasing authentication number sequence.
Certainly, the authentication number that EIR produces can be the new random number that is formed by an incremented sequence number and a random number merging, or (sequence number, the random number) be made up of an incremented sequence number and random number is right.Like this, terminal equipment can only be preserved and deposit corresponding sequence number when each authentication success, and the sequence number in the authentication number that sends according to the sequence number of preserving and EIR when next time authenticating judges whether this authentication number is legal.
Subscriber card described in the manuscript of the present invention can be SIM card in the GSM network or the UIM card in the cdma network, can the time usim card in the WCDMA network.Certainly, can be other Subscriber Identity Module also, or have the module of similar this function.
Relevant access request can be start.
Device security support method of the present invention, described equipment can be anti-theft devices, like this, by key unit is set, preserve private key at key unit, and preserve corresponding PKI in anti-theft device; Anti-theft device authenticates key unit according to the PKI of preserving before the relevant access request of response; If authentication is passed through, allow relevant access request, otherwise the relevant access request of refusal.Like this, can ensure the validity of anti-theft device.
When described key unit is terminal equipment, a radio receiving transmitting module can be set respectively in terminal equipment and anti-theft device, terminal equipment is set up radio communication with anti-theft device by set radio receiving transmitting module and is connected, and terminal equipment connects by this radio communication and anti-theft device carries out information interaction.
When described key unit is terminal equipment, a data order wire interface can also be set respectively in terminal equipment and anti-theft device, terminal equipment and anti-theft device are set up wired communicating to connect by described two interfaces, and terminal equipment carries out information interaction by this wire communication connection and anti-theft device.
When described key unit is terminal equipment, in the described anti-theft device communication terminal module can be set, described terminal equipment and alarms and security systems for automobiles can carry out information interaction by communication network.Terminal equipment in the manuscript of the present invention can be a mobile terminal device, as mobile phone, also can be PDA, also can be other portable set, or the like.
Be appreciated that the above only for preferred embodiment of the present invention, or not within the spirit and principles in the present invention not all in order to restriction the present invention, any modification of being done, be equal to replacement, improvement etc., all should be included within protection scope of the present invention.
Claims (18)
1, a kind of method for protecting of equipment is characterized in that, this method comprises the steps:
A., key unit is set, in key unit, preserves private key; In described equipment, preserve corresponding PKI;
B. described equipment authenticates key unit according to the PKI of preserving; If authentication is passed through, allow the described equipment of visit, otherwise denied access.
2, method according to claim 1 is characterized in that, described key unit the authentication according to the PKI that is provided with of step b comprises:
B11. produce an authentication number, according to this authentication number of encrypted private key, and send the ciphertext that obtains to described equipment by key unit;
B12. described equipment is deciphered described ciphertext with PKI, and plaintext and the described authentication number that obtains compared, if consistent, then authentication is passed through; Otherwise authentication is not passed through.
3, method according to claim 2 is characterized in that, described authentication number is produced by described equipment, and sends key unit to.
4, method according to claim 2 is characterized in that, described authentication number is produced by key unit, and sends described equipment to.
5, method according to claim 4 is characterized in that, further comprise before the step b12: described equipment judges whether authentication number is illegal, if illegal, then authentication is not passed through, otherwise, execution in step b12.
6, method according to claim 5, it is characterized in that, described equipment is judged that authentication number is whether legal and is: this equipment last time preserved during authentication success be received from key unit authentication number as historical authentication number, this equipment this by judging whether this authentication number judges its legitimacy greater than the historical authentication number of preserving; If greater than legal, otherwise, illegal.
7, according to any described method in the claim 2 to 6, it is characterized in that described authentication number is a random number.
8, method according to claim 6 is characterized in that, described authentication number is made up of an incremented sequence number and a random number; Described equipment is judged that authentication number is whether legal and is: this equipment had been preserved sequence number in the authentication number that is received from key unit during authentication success as historical series number in last time, and whether this equipment this number judge its legitimacy greater than the historical series of preserving by judging the sequence number in this authentication number; If greater than legal, otherwise, illegal.
9, according to any described method in claim 2 to 6 or 8, it is characterized in that described equipment is subscriber card.
10, method according to claim 9 is characterized in that, described key unit is mobile terminal device, PDA, PC computer, electron key, attaching position register, AUC or equipment identity register.
11, method according to claim 9 is characterized in that, described key unit is an electron key;
This method further comprises: a radio receiving transmitting module is set respectively in mobile terminal device and electron key, mobile terminal device is set up radio communication with electron key by set radio receiving transmitting module and is connected, and mobile terminal device connects the interactive information that transmits between subscriber card and the electron key by this radio communication.
Perhaps this method further comprises: a data order wire interface is set respectively in mobile terminal device and electron key, mobile terminal device and electron key are set up wired communicating to connect by described two interfaces, and mobile terminal device connects the interactive information that transmits between subscriber card and the electron key by this wire communication.
12, method according to claim 1 is characterized in that, described equipment is terminal equipment.
13, method according to claim 12 is characterized in that, described key unit is subscriber card, electron key, attaching position register, AUC or equipment identity register.
14, method according to claim 12 is characterized in that, described key unit is an electron key;
This method further comprises: a radio receiving transmitting module is set respectively in terminal equipment and electron key, terminal equipment is set up radio communication with electron key by set radio receiving transmitting module and is connected, and terminal equipment connects by this radio communication and electron key carries out information interaction.
Perhaps this method further comprises: a data order wire interface is set respectively in terminal equipment and electron key, terminal equipment and electron key are set up wired communicating to connect by described two interfaces, and terminal equipment carries out information interaction by this wire communication connection and electron key.
15, method according to claim 1 is characterized in that, described equipment is anti-theft device, and described key unit is a terminal equipment.
16, method according to claim 15 is characterized in that, this method further comprises:
A radio receiving transmitting module is set respectively in terminal equipment and anti-theft device, and terminal equipment is set up radio communication with anti-theft device by set radio receiving transmitting module and is connected, and terminal equipment connects by this radio communication and anti-theft device carries out information interaction.
Perhaps: a data order wire interface is set respectively in terminal equipment and anti-theft device, and terminal equipment and anti-theft device are set up wired communicating to connect by described two interfaces, and terminal equipment carries out information interaction by this wire communication connection and anti-theft device.
17, method according to claim 15 is characterized in that, this method further comprises: described anti-theft device is a communication terminal, and described terminal equipment and alarms and security systems for automobiles carry out information interaction by communication network.
18, method according to claim 1, it is characterized in that, the described equipment of visit comprises among the step b: the access request of the information material that described equipment is preserved, Network in the described equipment is provided with the operational access of data, or carries out request that corresponding digest calculations or encryption and decryption calculate or the normal running of described equipment.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 200610060374 CN1983926A (en) | 2006-04-18 | 2006-04-18 | Safety method of equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 200610060374 CN1983926A (en) | 2006-04-18 | 2006-04-18 | Safety method of equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN1983926A true CN1983926A (en) | 2007-06-20 |
Family
ID=38166187
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN 200610060374 Pending CN1983926A (en) | 2006-04-18 | 2006-04-18 | Safety method of equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN1983926A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102299930A (en) * | 2011-09-19 | 2011-12-28 | 北京无限新锐网络科技有限公司 | Method for ensuring security of client software |
-
2006
- 2006-04-18 CN CN 200610060374 patent/CN1983926A/en active Pending
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102299930A (en) * | 2011-09-19 | 2011-12-28 | 北京无限新锐网络科技有限公司 | Method for ensuring security of client software |
| CN102299930B (en) * | 2011-09-19 | 2014-09-10 | 北京无限新锐网络科技有限公司 | Method for ensuring security of client software |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN105978917B (en) | A kind of system and method for trusted application safety certification | |
| JP4199074B2 (en) | Method and apparatus for secure data communication link | |
| US11882442B2 (en) | Handset identifier verification | |
| KR101047641B1 (en) | Enhance security and privacy for security devices | |
| US8171527B2 (en) | Method and apparatus for securing unlock password generation and distribution | |
| CN110572804B (en) | Bluetooth communication authentication request, receiving and communication method, mobile terminal and equipment terminal | |
| US20080095361A1 (en) | Security-Enhanced Key Exchange | |
| EP1401141A2 (en) | Method for establishing a key using over-the-air communication | |
| CN112533202B (en) | Identity authentication method and device | |
| CN101621794A (en) | Method for realizing safe authentication of wireless application service system | |
| JP2008535427A (en) | Secure communication between data processing device and security module | |
| EP1680940B1 (en) | Method of user authentication | |
| Park et al. | Smartphone remote lock and wipe system with integrity checking of SMS notification | |
| CN112929339A (en) | Message transmitting method for protecting privacy | |
| Hwang et al. | On the security of an enhanced UMTS authentication and key agreement protocol | |
| CN101895885A (en) | Method and system for protecting key file | |
| KR20130010522A (en) | An authentication method for preventing damages from lost and stolen smart phones | |
| EP1737201A1 (en) | A method for the safe protecting of the user card | |
| CN111918292B (en) | Access method and device | |
| CN1983926A (en) | Safety method of equipment | |
| KR100545512B1 (en) | System and method for preventing replay attacks in wireless communication | |
| CN101175324B (en) | Safety guaranteeing method of user card | |
| CN112054905A (en) | Secure communication method and system of mobile terminal | |
| CN100389634C (en) | Synchronously attach protecting method and relative power authentifying method | |
| KR101298216B1 (en) | Authentication system and method using multiple category |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C12 | Rejection of a patent application after its publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20070620 |