TWI543015B - Near Field Communication Authentication System and Method Applied to Cloud Computing Environment - Google Patents

Near Field Communication Authentication System and Method Applied to Cloud Computing Environment Download PDF

Info

Publication number
TWI543015B
TWI543015B TW103138212A TW103138212A TWI543015B TW I543015 B TWI543015 B TW I543015B TW 103138212 A TW103138212 A TW 103138212A TW 103138212 A TW103138212 A TW 103138212A TW I543015 B TWI543015 B TW I543015B
Authority
TW
Taiwan
Prior art keywords
client
authentication
value
cloud server
random number
Prior art date
Application number
TW103138212A
Other languages
Chinese (zh)
Other versions
TW201617961A (en
Inventor
Wen Shenq Juang
Chun I Fan
Zheng Yang Lin
Jheng Jia Huang
Original Assignee
Univ Nat Kaohsiung 1St Univ Sc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Univ Nat Kaohsiung 1St Univ Sc filed Critical Univ Nat Kaohsiung 1St Univ Sc
Priority to TW103138212A priority Critical patent/TWI543015B/en
Publication of TW201617961A publication Critical patent/TW201617961A/en
Application granted granted Critical
Publication of TWI543015B publication Critical patent/TWI543015B/en

Links

Landscapes

  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Description

應用於雲端運算環境的近場通訊認證系統與方法Near field communication authentication system and method applied to cloud computing environment

本發明是有關於一種認證系統與方法,特別是有關適用於雲端運算環境進行雙方交互認證的近場通訊認證系統與方法。 The present invention relates to an authentication system and method, and more particularly to a near field communication authentication system and method suitable for mutual authentication between two parties in a cloud computing environment.

先前技術中,近場通訊(Near Field Communication;NFC)技術常見者有三種工作模式:卡模式、點對點模式與讀卡器模式。 In the prior art, Near Field Communication (NFC) technology has three working modes: card mode, peer-to-peer mode, and card reader mode.

卡模式常見之應用有電子錢包、悠遊卡與門禁管制卡等類型;點對點模式常見之應用有圖片、影片、音樂與通訊錄等資料傳輸之類型。讀卡器模式常見之應用在於,讀取NFC標籤內儲資訊,以進行智能海報、場地導覽、電子驗證。 Common applications of card mode include e-wallet, leisure card and access control card; the common applications of peer-to-peer mode are the types of data transmission such as pictures, videos, music and contacts. A common application of the reader mode is to read the information stored in the NFC tag for smart posters, site navigation, and electronic verification.

近場通訊在配合現有的雲端運算技術,更提高NFC技術的適用性,如課堂點名系統、醫療資訊系統與商店的POS系統。 Near field communication is in line with the existing cloud computing technology, which improves the applicability of NFC technology, such as classroom name system, medical information system and store POS system.

然而,雲端運算技術是透過網路進行認證資料的傳輸,因此NFC認證資料在傳輸時,是有可能被盜取與修改數據,造成用戶資料被盜用,或更進一步騙取伺服器的控制、通訊的權限,造成一定程序的資訊安全問題。 However, the cloud computing technology transmits the authentication data through the network. Therefore, when the NFC authentication data is transmitted, it is possible to steal and modify the data, causing the user data to be stolen, or further defrauding the control and communication of the server. Permissions, causing information security issues for certain programs.

為解決上述問題,本發明係揭露一種應用於雲端運算環境的近場通訊認證系統與方法,藉由交互認證機制以確認相互連接的裝置是為可信任的通訊裝置。 To solve the above problems, the present invention discloses a near field communication authentication system and method applied to a cloud computing environment, by means of an interactive authentication mechanism to confirm that the interconnected devices are trusted communication devices.

本發明揭露的應用於雲端運算環境的近場通訊認證系統,其包括具有相同安全權仗值的一客端裝置與一雲端伺服裝置。 The near field communication authentication system applied to the cloud computing environment disclosed by the present invention includes a client device and a cloud server device having the same security right threshold.

客端裝置輸出一客端亂數,於取得一第一伺服認證值與一伺服亂數時,依據客端亂數與安全權仗值雜湊計算一第一客端認證值,在判 斷第一客端認證值等同第一伺服認證值時,依據伺服亂數與安全權仗值雜湊計算並輸出一第二客端認證值。雲端伺服裝置則是依據客端亂數與安全權仗值雜湊計算第一伺服認證值,以輸出第一伺服認證值與伺服亂數,及取得第二客端認證值時,依據伺服亂數與安全權仗值雜湊計算一第二伺服認證值,於第二客端認證值等同第二伺服認證值時,判斷認證完成。 The client device outputs a client random number, and when obtaining a first servo authentication value and a servo random number, calculating a first client authentication value according to the client random number and the security right threshold value, When the first client authentication value is equal to the first servo authentication value, the second client authentication value is calculated according to the servo random number and the security right threshold. The cloud server device calculates the first servo authentication value according to the random number of the client and the security threshold, to output the first servo authentication value and the servo random number, and obtain the second client authentication value, according to the servo random number and The security right threshold hash calculates a second servo authentication value, and when the second client authentication value is equal to the second servo authentication value, it is determined that the authentication is completed.

本發明揭露的應用於雲端運算環境的近場通訊認證方法,適用於具有相同安全權仗值的一客端裝置與一雲端伺服裝置。此方法包括以下步驟:由客端裝置輸出一客端亂數至雲端伺服裝置;由雲端伺服裝置依據客端亂數與安全權仗值雜湊計算一第一伺服認證值,以輸出第一伺服認證值與伺服亂數至客端裝置;當客端裝置取得第一伺服認證值與伺服亂數時,依據客端亂數與安全權仗值雜湊計算一第一客端認證值;當客端裝置判斷第一客端認證值等同第一伺服認證值時,依據伺服亂數與安全權仗值雜湊計算一第二客端認證值,輸出第二客端認證值至雲端伺服裝置;當雲端伺服裝置取得第二客端認證值時,依據伺服亂數與安全權仗值雜湊計算一第二伺服認證值;以及,當雲端伺服裝置判斷第二客端認證值等同第二伺服認證值時,判斷認證完成。 The near field communication authentication method applied to the cloud computing environment disclosed in the present invention is applicable to a client device and a cloud server device having the same security right threshold. The method comprises the following steps: outputting a guest random number to the cloud server by the client device; calculating, by the cloud server device, a first servo authentication value according to the client random number and the security right threshold to output the first servo authentication Value and servo random number to the client device; when the client device obtains the first servo authentication value and the servo random number, the first client authentication value is calculated according to the client random number and the security right threshold; when the client device When determining that the first client authentication value is equal to the first server authentication value, calculating a second client authentication value according to the random number of the server and the security right threshold, and outputting the second client authentication value to the cloud server; when the cloud server is used When the second client authentication value is obtained, a second servo authentication value is calculated according to the servo random number and the security right threshold; and when the cloud server determines that the second client authentication value is equal to the second servo authentication value, determining the authentication carry out.

在一些實施例,本發明所揭系統與方法中,雲端伺服裝置係取得對應安全權仗值的一有效時間數值,並依據有效時間數值判斷安全權仗值失效時,由雲端伺服裝置重新產生安全權仗值並更新於客端裝置,其中有效時間數值是客端裝置所提供與預儲於雲端伺服裝置之至少其一。 In some embodiments, in the system and method of the present invention, the cloud server device obtains a valid time value corresponding to the security right threshold, and determines that the security right threshold fails according to the effective time value, and the cloud server device regenerates the security. The weight is updated and updated to the client device, wherein the valid time value is at least one of the provided by the client device and pre-stored in the cloud server.

本發明所揭系統與方法,其具有以下特點: The system and method disclosed by the present invention have the following characteristics:

(1)雙方具有的安全權仗值可藉由各種方式而事先給予,而且在驗證過程中,安全權仗值是不會出現於傳輸資料中,唯有雙方具有的安全權仗值相同時,才會產生相同的驗證值,以確保可連線的雙方確實是可信賴的連線對象裝置。 (1) The depreciation of the security right of both parties can be given in advance by various means, and in the verification process, the depreciation of the security right does not appear in the transmission data, only when the security rights of both parties have the same value. The same verification value will be generated to ensure that both parties that are connectable are indeed reliable connected objects.

(2)本案所揭是採用雙方裝置交互認證,而且認證值是為認證期間內產生,並不需要在雲端伺服裝置內使用密碼表對照,除簡化認證過程外,更進一步的維持認證保密的安全性,亦避免密碼表外洩而造成 的資訊安全問題。 (2) In this case, the mutual authentication of the two devices is adopted, and the authentication value is generated during the authentication period. It is not necessary to use the password table comparison in the cloud server. In addition to simplifying the authentication process, the security of the authentication and confidentiality is further maintained. Sex, also avoid the leakage of the password table Information security issues.

(3)雙方每次進行交互認證時,會產生不同的亂數,因此每次通訊所使用的認證值皆是不同的,而且是透過漸進式的數值交互驗證,因此不需要顧及時戳的時間同步問題,對於重送攻擊亦有所預防,故具較高的適用性。 (3) Each time the two parties perform interactive authentication, different random numbers will be generated. Therefore, the authentication values used in each communication are different, and the incremental value interaction verification is performed, so there is no need to consider the time stamping time. The synchronization problem is also preventive for resend attacks, so it has high applicability.

(4)所有認證值皆是透過亂數與雜湊計算產生,故每次通訊的認證值皆不同,即使傳輸資料遭到截取,盜取者亦不可能透過累積資料之分析,而取得正確的認證資料,更進一步可保密裝置的詳細資料,或更進一步保密裝置使用者的身份資訊。 (4) All authentication values are generated by random numbers and hash calculations. Therefore, the authentication values of each communication are different. Even if the transmission data is intercepted, it is impossible for the pirate to obtain the correct authentication through the analysis of accumulated data. The information further details the details of the device, or further the identity information of the user of the device.

(5)雙方傳輸資料所使用的會議金鑰可藉由上述的亂數與安全權仗值所產生,因安全權仗值不會於認證期間傳輸,再加上每次通訊所採用亂數為不同,有助於提升會議金鑰,及藉由會議金鑰作加、解密的通訊資料的保密性。 (5) The conference key used by both parties to transmit data can be generated by the above-mentioned random number and security right depreciation, because the security right depreciation will not be transmitted during the authentication period, plus the random number used in each communication is Different, it helps to enhance the conference key, and the confidentiality of the communication data encrypted and decrypted by the conference key.

100‧‧‧客端裝置 100‧‧‧Client devices

101‧‧‧標籤識別資料 101‧‧‧ Label Identification Information

102‧‧‧安全權仗值 102‧‧‧ Security rights depreciation

103‧‧‧有效時間數值 103‧‧‧ Effective time value

111‧‧‧第一客端認證值 111‧‧‧ First client authentication value

112‧‧‧第二客端認證值 112‧‧‧ second client authentication value

113‧‧‧客端亂數 113‧‧‧Customer random number

200‧‧‧雲端伺服裝置 200‧‧‧Cloud Servo

201‧‧‧權仗值表 201‧‧‧ Rights and Values

211‧‧‧第一伺服認證值 211‧‧‧First servo authentication value

212‧‧‧第二伺服認證值 212‧‧‧Second servo authentication value

213‧‧‧伺服亂數 213‧‧‧Servo random number

S100-400‧‧‧步驟 S100-400‧‧‧Steps

圖1繪示本發明實施例之近場通訊認證系統的系統架構示意圖。 FIG. 1 is a schematic diagram showing the system architecture of a near field communication authentication system according to an embodiment of the present invention.

圖2繪示本發明實施例之近場通訊認證方法的整體流程示意圖。 FIG. 2 is a schematic diagram showing the overall flow of a near field communication authentication method according to an embodiment of the present invention.

圖3繪示本發明實施例之近場通訊認證方法的細部流程示意圖。 FIG. 3 is a schematic diagram showing the detailed process of the near field communication authentication method according to the embodiment of the present invention.

茲配合圖式將本發明實施例詳細說明如下。 The embodiments of the present invention are described in detail below with reference to the drawings.

請參閱圖1繪示本發明實施例之近場通訊認證系統的系統架構示意圖。此實施例是以一客端裝置100與其網路連接的一雲端伺服裝置200作說明,適用於先前所述的卡模式、點對點模式與讀卡器模式。 1 is a schematic diagram of a system architecture of a near field communication authentication system according to an embodiment of the present invention. This embodiment is illustrated by a cloud server 200 connected to its network by a client device 100, which is suitable for the card mode, peer-to-peer mode and card reader mode previously described.

(1)卡模式:客端裝置100是模擬、或是本身即為智慧卡(Smart card,IC Card)。智慧卡又稱智能卡、聰明卡、積體電路卡及IC卡,是指貼上或嵌有積體電路晶片的一種可攜式卡片塑膠。卡片包含了微處理器、I/O介面及記憶體,提供了資料的運算、存取控制及儲存功能。客端裝 置100存有認證必要的認證資料。雲端伺服裝置200則包括可感應或讀取客端裝置100之資料的資料讀取器與資料運算器,並具有協同客端裝置100進行認證的能力。 (1) Card mode: The client device 100 is an analog or smart card (IC card). A smart card, also known as a smart card, a smart card, an integrated circuit card, and an IC card, refers to a portable card plastic that is affixed or embedded with an integrated circuit chip. The card contains the microprocessor, I/O interface and memory, providing data calculation, access control and storage functions. Guest equipment Set 100 to have the necessary certification materials for certification. The cloud server 200 includes a data reader and data operator that can sense or read the data of the client device 100 and has the ability to cooperate with the client device 100 for authentication.

(2)點對點模式:傳輸雙方則為具近距離資料無線傳輸能力的電子裝置。客端裝置100存有認證必要的認證資料。雲端伺服裝置200亦是具感應或讀取客端裝置100之資料的資料,與協同客端裝置100進行認證的能力。 (2) Point-to-point mode: Both sides of the transmission are electronic devices with close-range data wireless transmission capability. The client device 100 stores the authentication data necessary for authentication. The cloud server 200 is also capable of sensing or reading the data of the client device 100 and authenticating the client device 100.

(3)讀卡器模式:客端裝置100具有標籤讀取單元或組件,標籤讀取單元存有認證必要的認證資料,且可以感應近場通訊標籤,以依據標籤的資料,配合認證資料來與後端的雲端伺服裝置200進行互動。 (3) Card reader mode: the client device 100 has a tag reading unit or component, and the tag reading unit stores the authentication data necessary for authentication, and can sense the near field communication tag to match the authentication data according to the tag information. Interact with the backend cloud server 200.

但不論是上述何種架構,皆適用於本案所揭認證方式。以下說明僅就客端裝置100與雲端伺服裝置200的認證。 However, regardless of the above structure, it is applicable to the certification method disclosed in this case. Only the authentication of the client device 100 and the cloud server device 200 will be described below.

續請參閱圖2繪示本發明實施例之近場通訊認證方法的整體流程示意圖,請配合圖1以利於了解。整個認證至少包括四個步驟:在客端裝置100與雲端伺服裝置200作近場通訊時,客端裝置100先提供標籤識別資料101予雲端伺服裝置200(步驟S100)。 2 is a schematic diagram of the overall flow of the near field communication authentication method according to the embodiment of the present invention. Please refer to FIG. 1 for understanding. The entire authentication includes at least four steps: when the client device 100 performs near field communication with the cloud server 200, the client device 100 first provides the tag identification data 101 to the cloud server device 200 (step S100).

然而,在卡模式與點對點模式中,客端裝置100包括標籤識別資料101與安全權仗值102,此標籤識別資料101與安全權仗值102是客端裝置100在與雲端伺服裝置200進行近場通訊時直接取得,或是藉由第三方運算裝置間接取得。在讀卡器模式時,客端裝置100是先讀取近場通訊標籤的資料,以取得雲端伺服裝置200儲存於近場通訊標籤的標籤識別資料101與安全權仗值102。 However, in the card mode and the peer-to-peer mode, the client device 100 includes the tag identification data 101 and the security right threshold 102. The tag identification data 101 and the security right threshold 102 are the proximity of the client device 100 to the cloud server 200. Obtained directly during field communication or indirectly through a third-party computing device. In the card reader mode, the client device 100 reads the data of the near field communication tag to obtain the tag identification data 101 and the security right value 102 stored by the cloud server 200 in the near field communication tag.

不論是卡模式、點對點模式還是讀卡機模式,客端裝置100皆必須依據第三方運算裝置、雲端伺服裝置200所提供、或是自近場通訊標籤取得的通訊路徑,將標籤識別資料101提供給雲端伺服裝置200,才能進行後續的認證流程。 Regardless of the card mode, the peer-to-peer mode, or the card reader mode, the client device 100 must provide the tag identification data 101 according to the communication path provided by the third-party computing device, the cloud server 200, or the near field communication tag. The cloud server 200 can be used for subsequent authentication processes.

雲端伺服裝置200具有一權仗值表201,其包括客端裝置100的標籤識別資料101,與每一標籤識別資料101對應的安全權仗值102。雲端伺服裝置200在取得標籤識別資料101,會先分析標籤識別資料101及其 對應的安全權仗值102是否可用(步驟S200),分析方式至少包括如下: The cloud server 200 has a weight table 201 including the tag identification data 101 of the client device 100 and a security weight value 102 corresponding to each tag identification material 101. When the cloud server 200 obtains the tag identification data 101, the cloud identification device 101 first analyzes the tag identification data 101 and Whether the corresponding security right threshold 102 is available (step S200), and the analysis mode includes at least the following:

(1)權仗值表201是否包括所取得的標籤識別資料101。 (1) Whether the weight threshold table 201 includes the acquired tag identification data 101.

(2)每一標籤識別資料101更對應一有效時間數值103,當雲端伺服裝置200判斷所取得的標籤識別資料101為存在時,更進一步分析其對應的有效時間數值103,以判斷此次通訊的客端裝置100,其安全權仗值102是否失效。 (2) Each tag identification data 101 further corresponds to a valid time value 103. When the cloud server 200 determines that the acquired tag identification data 101 is present, it further analyzes the corresponding valid time value 103 to determine the communication. The client device 100 has its security right threshold 102 invalid.

(3)客端裝置100即具有有效時間數值103。在卡模式與點對點模式中,有效時間數值103是客端裝置100在與雲端伺服裝置200近場通訊時直接取得,或是藉由第三方運算裝置間接取得。在讀卡器模式時,客端裝置100是先讀取近場通訊標籤的標籤識別資料101,以取得雲端伺服裝置200儲存於近場通訊標籤的有效時間數值103。客端裝置100會將有效時間數值103協同標籤識別資料101一併傳輸予雲端伺服裝置200,雲端伺服裝置200直接依據有效時間數值103判斷安全權仗值102是否失效。 (3) The client device 100 has a valid time value of 103. In the card mode and the peer-to-peer mode, the valid time value 103 is obtained directly by the client device 100 in near field communication with the cloud server 200, or indirectly by a third-party computing device. In the card reader mode, the client device 100 reads the tag identification data 101 of the near field communication tag to obtain the valid time value 103 stored by the cloud server 200 in the near field communication tag. The client device 100 transmits the valid time value 103 together with the tag identification data 101 to the cloud server device 200. The cloud server device 200 directly determines whether the security right threshold 102 is invalid according to the valid time value 103.

當雲端伺服裝置200分析安全權仗值102為失效時,依據設計人員之需求與程式功能之設計,系統會放棄認證或是重新產生安全權仗值102予客端裝置100(步驟S210),而安全權仗值102的產生與提供,至少包括以下數種模式: When the cloud server 200 analyzes the security right threshold 102 as a failure, the system will abandon the authentication or regenerate the security right threshold 102 to the client device 100 according to the design of the designer and the program function (step S210). The generation and provision of the security right threshold 102 includes at least the following modes:

(1)雲端伺服裝置200判斷客端裝置100具保有相關功能的權限,以結合所取得的標籤識別資料101而重新計算安全權仗值102,並提供予客端裝置100。 (1) The cloud server 200 determines that the client device 100 has the authority to hold the related function, and recalculates the security right threshold 102 in conjunction with the acquired tag identification data 101, and provides it to the client device 100.

(2)雲端伺服裝置200判斷客端裝置100具保有相關功能的權限,將所取得的標籤識別資料101提供予一第三方運算裝置,並從第三方運算裝置取得安全權仗值102,再提供予客端裝置100。 (2) The cloud server 200 determines that the client device 100 has the right to retain the relevant function, and provides the obtained tag identification data 101 to a third-party computing device, and obtains the security right threshold 102 from the third-party computing device, and then provides The client device 100 is provided.

(3)雲端伺服裝置200判斷客端裝置100具保有相關功能的權限,將所取得的標籤識別資料101提供予一第三方運算裝置,第三方運算裝置在取得客端裝置100之申請時,才提供此安全權仗值102予客端裝置100。 (3) The cloud server 200 determines that the client device 100 has the right to retain the related function, and provides the obtained tag identification data 101 to a third-party computing device, and the third-party computing device obtains the application of the client device 100. This security right threshold 102 is provided to the client device 100.

其中,安全權仗值102是由以下參數雜湊計算產生:Ki=h(IDi∥X∥LIFTTIMEi) Ki:第i個安全權仗值;h():單向式雜湊函數;X:雲端伺服裝置產生的主密鑰;IDi:雲端伺服裝置產生的第i個近場通訊標籤資料;LIFTTIMEi:第i個安全權仗的有效時間數值。 Among them, the security right threshold 102 is generated by the following parameter hash calculation: Ki=h(IDi∥X∥LIFTTIMEi) Ki: the i-th security right threshold; h(): one-way hash function; X: the master key generated by the cloud server; IDi: the i-th near-field communication tag data generated by the cloud server; LIFTTIMEi: The effective time value of i security rights.

另一方面,當雲端伺服裝置200分析安全權仗值102為有效時,會告知客端裝置100開始認證作業(步驟S220)。之後,客端裝置100與雲端伺服裝置200即進行雙向認證作業(步驟S300)。 On the other hand, when the cloud server 200 analyzes the security right threshold 102 to be valid, the client device 100 is notified to start the authentication operation (step S220). Thereafter, the client device 100 and the cloud server device 200 perform a mutual authentication operation (step S300).

請同時參閱圖3繪示本發明實施例之近場通訊認證方法的細部流程示意圖,其步驟S300的詳細說明。此流程至少包括以下步驟:由客端裝置100輸出一客端亂數113至雲端伺服裝置200(步驟S310)。客端亂數113的數值範圍與數值格式端視設計人員之需求而定。其次,客端裝置100亦可以將具有的近場通訊標籤提供予雲端伺服裝置200,以輔助雲端伺服裝置200的後續計算或資料比較。 Please refer to FIG. 3, which is a detailed flow chart of the near field communication authentication method according to the embodiment of the present invention, and a detailed description of step S300. The flow includes at least the following steps: a client random number 113 is outputted by the client device 100 to the cloud server 200 (step S310). The value range and numerical format of the client number 113 depends on the needs of the designer. Secondly, the client device 100 can also provide the near field communication tag to the cloud server device 200 to assist subsequent calculation or data comparison of the cloud server device 200.

由雲端伺服裝置200依據一客端亂數113與安全權仗值102雜湊計算一第一伺服認證值211,以輸出第一伺服認證值211與伺服亂數213至客端裝置100(步驟S320)。伺服亂數213的數值範圍與數值格式端視設計人員之需求而定。其正常情形下,雲端伺服裝置200與客端裝置100在認證時,所採用的安全權仗值102應是相同的。然而,雲端伺服裝置200與客端裝置100(或近場通訊標籤)是屬於一對一或一對多的關係時,雲端伺服裝置200會依據近場通訊標籤而從權仗值表201取得需求的安全權仗值102,再依據安全權仗值102與客端亂數113雜湊計算第一伺服認證值211,計算方式如下:v=HMAC(Ki,R1)v:第一伺服認證值;HMAC():雜湊運算消息認證碼函數;Ki:第i個安全權仗值;R1:客端亂數。 The first servo authentication value 211 is calculated by the cloud server 200 according to a guest random number 113 and the security weight threshold 102 to output the first servo authentication value 211 and the servo random number 213 to the client device 100 (step S320). . The numerical range and numerical format of the servo random number 213 depends on the needs of the designer. Under normal circumstances, when the cloud server 200 and the client device 100 are authenticated, the security weights 102 used should be the same. However, when the cloud server 200 and the client device 100 (or the near field communication tag) belong to a one-to-one or one-to-many relationship, the cloud server 200 obtains the request from the weight table 201 according to the near field communication tag. The security right threshold 102, and then the first servo authentication value 211 is calculated according to the security right threshold 102 and the client random number 113, and the calculation manner is as follows: v=HMAC(Ki, R1)v: first servo authentication value; HMAC (): hash operation message authentication code function; Ki: the i-th security right threshold; R1: the client random number.

當客端裝置100取得第一伺服認證值211與伺服亂數213 時,依據客端亂數113與安全權仗值102雜湊計算一第一客端認證值111(步驟S330)。此步驟中,客端裝置100會依據安全權仗值102與客端亂數113雜湊計算第一客端認證值111,計算方式如下:v'=HMAC(Ki,R1)v':第一客端認證值;HMAC():雜湊運算消息認證碼函數;Ki:第i個安全權仗值;R1:客端亂數。 When the client device 100 obtains the first servo authentication value 211 and the servo random number 213 At this time, a first guest authentication value 111 is calculated based on the guest random number 113 and the security right threshold 102 (step S330). In this step, the client device 100 calculates the first client authentication value 111 according to the security right threshold 102 and the client random number 113, and the calculation manner is as follows: v'=HMAC(Ki, R1)v': the first guest End authentication value; HMAC(): hash operation message authentication code function; Ki: i-th security right threshold; R1: guest random number.

當客端裝置100判斷第一客端認證值111等同第一伺服認證值211時,依據伺服亂數213與安全權仗值102雜湊計算一第二客端認證值112,且輸出第二客端認證值112至雲端伺服裝置200(步驟S340)。第二客端認證值112的計算方式如下:w=HMAC(Ki,R2)w:第二客端認證值;HMAC():雜湊運算消息認證碼函數;Ki:第i個安全權仗值;R2:伺服亂數。 When the client device 100 determines that the first client authentication value 111 is equal to the first server authentication value 211, the second client authentication value 112 is calculated by the servo random number 213 and the security right threshold 102, and the second client is output. The authentication value 112 is passed to the cloud server 200 (step S340). The second client authentication value 112 is calculated as follows: w=HMAC(Ki, R2)w: second client authentication value; HMAC(): hash operation message authentication code function; Ki: i-th security weight threshold; R2: Servo random number.

當雲端伺服裝置200取得第二客端認證值112時,依據伺服亂數213與安全權仗值102雜湊計算一第二伺服認證值212(步驟S350)。第二伺服認證值212的計算方式如下:w'=HMAC(Ki,R2)w':第二伺服認證值;HMAC():雜湊運算消息認證碼函數;Ki:第i個安全權仗值;R2:伺服亂數。 When the cloud server 200 obtains the second client authentication value 112, a second servo authentication value 212 is calculated by the servo random number 213 and the security right threshold 102 (step S350). The second servo authentication value 212 is calculated as follows: w'=HMAC(Ki, R2)w': second servo authentication value; HMAC(): hash operation message authentication code function; Ki: i-th security weight threshold; R2: Servo random number.

當雲端伺服裝置200判斷第二客端認證值112等同第二伺服認證值212時,判斷認證完成(步驟S360)。也就是說,在步驟S300流程完成執行時,客端裝置100與雲端伺服裝置200即可以相互認定對方是要連接的對象裝置。而在先前的流程中,只要「標籤識別資料101」、「安全權仗 值102」與「有效時間數值103」中任一者是錯誤或是無效的資料時,相互認證即不可能完成。 When the cloud server 200 determines that the second client authentication value 112 is equal to the second server authentication value 212, it is determined that the authentication is completed (step S360). That is to say, when the process of step S300 is completed, the client device 100 and the cloud server 200 can mutually recognize that the other party is the target device to be connected. In the previous process, as long as "tag identification data 101", "security rights" Mutual authentication is impossible when either of the value 102" and the "valid time value 103" is an error or invalid data.

最後,客端裝置100與雲端伺服裝置200會各自建構會議金鑰,並利用會議金鑰對傳輸資料作加、解密(步驟S400)。此步驟中,客端裝置100與雲端伺服裝置200所知的安全權仗值102、伺服亂數213與客端亂數113,應為相同,故雙方各自建構的會是相同的。會議金鑰的的計算方式如下:E=h(Ki∥R1∥R2)h():單向式雜湊函數;Ki:第i個安全權仗值;R1:客端亂數;R2:伺服亂數。 Finally, the client device 100 and the cloud server device 200 each construct a conference key, and use the conference key to add and decrypt the transmission data (step S400). In this step, the security right threshold 102, the servo random number 213, and the guest random number 113 known by the client device 100 and the cloud server 200 should be the same, so the two parties will construct the same. The conference key is calculated as follows: E=h(Ki∥R1∥R2)h(): one-way hash function; Ki: the i-th security weight ;; R1: guest random number; R2: servo mess number.

綜上所述之,乃僅記載本發明為呈現解決問題所採用的技術手段之實施或實施例而已,並非用來限定本發明專利實施之範圍。即凡與本發明專利申請範圍文義相符,或依本發明專利範圍所做的均等變化與修飾,皆為本發明專利範圍所涵蓋。 In the above, it is merely described that the present invention is an implementation or an embodiment of the technical means for solving the problem, and is not intended to limit the scope of the invention. That is, the equivalent changes and modifications made in accordance with the scope of the patent application of the present invention or the scope of the invention are covered by the scope of the invention.

S310~S360‧‧‧步驟 S310~S360‧‧‧Steps

Claims (10)

一種應用於雲端運算環境的近場通訊認證系統,其包括:一客端裝置,包括一安全權仗值,用以輸出一客端亂數,於取得一第一伺服認證值與一伺服亂數時,依據該客端亂數與該安全權仗值雜湊計算一第一客端認證值,判斷該第一客端認證值等同該第一伺服認證值時,依據該伺服亂數與該安全權仗值雜湊計算並輸出一第二客端認證值;以及一雲端伺服裝置,包括該安全權仗值,依據該客端亂數與該安全權仗值雜湊計算該第一伺服認證值,以輸出該第一伺服認證值與該伺服亂數,及取得該第二客端認證值時,依據該伺服亂數與該安全權仗值雜湊計算一第二伺服認證值,於該第二客端認證值等同該第二伺服認證值時,判斷認證完成。 A near field communication authentication system applied to a cloud computing environment, comprising: a client device, comprising a security right threshold for outputting a guest random number, obtaining a first servo authentication value and a servo random number Calculating a first client authentication value according to the client random number and the security right threshold, and determining that the first client authentication value is equal to the first server authentication value, according to the server random number and the security right Depreciating and outputting a second client authentication value; and a cloud server device, including the security right threshold, calculating the first servo authentication value according to the client random number and the security weight threshold to output The first servo authentication value and the servo random number, and when the second client authentication value is obtained, a second servo authentication value is calculated according to the servo random number and the security right threshold, and the second client authentication is performed on the second client authentication value. When the value is equal to the second servo authentication value, it is judged that the authentication is completed. 根據申請專利範圍第1項所述的應用於雲端運算環境的近場通訊認證系統,其中,該雲端伺服裝置包括一權仗值表,該客端裝置係先傳輸一標籤識別資料,該雲端伺服裝置將該標籤識別資料對照該權仗值表,取得對應該標籤識別資料的該安全權仗值,並回傳予該客端裝置。 The near field communication authentication system applied to the cloud computing environment according to claim 1, wherein the cloud server device includes a weight threshold table, and the client device transmits a label identification data, the cloud server The device compares the tag identification data with the weight threshold table, obtains the security right value corresponding to the tag identification data, and returns the security value to the client device. 根據申請專利範圍第1項所述的應用於雲端運算環境的近場通訊認證系統,其中,該雲端伺服裝置係取得該客端裝置的標籤識別資料,並依據一主密鑰值、該標籤識別資料與一有效時間數值雜湊計算該安全權仗值,並回傳予該客端裝置。 The near field communication authentication system applied to the cloud computing environment according to claim 1, wherein the cloud server device obtains the tag identification data of the client device, and identifies the tag according to a master key value. The data is hashed with a valid time value to calculate the security weight and passed back to the client device. 根據申請專利範圍第1項所述的應用於雲端運算環境的近場通訊認證系統,其中,該雲端伺服裝置係取得對應該安全權 仗值的一有效時間數值,並依據該有效時間數值判斷該安全權仗值失效時,由該雲端伺服裝置重新產生該安全權仗值並更新於該客端裝置,其中該有效時間數值是該客端裝置所提供與預儲於該雲端伺服裝置之至少其一。 The near field communication authentication system applied to the cloud computing environment according to claim 1, wherein the cloud server device obtains the right to security And determining, by the cloud server, the security right threshold is updated and updated on the client device, wherein the valid time value is The client device provides and stores at least one of the cloud server devices. 根據申請專利範圍第1項所述的應用於雲端運算環境的近場通訊認證系統,其中,該客端裝置與該雲端伺服裝置透過一會議金鑰對傳輸資料作加密與解密作業,其中該會議金鑰為該客端亂數、該伺服亂數與該安全權仗值雜湊計算而得。 The near field communication authentication system applied to the cloud computing environment according to claim 1, wherein the client device and the cloud server device encrypt and decrypt the transmission data through a conference key, wherein the conference The key is obtained by hashing the client random number, the servo random number and the security right threshold. 一種應用於雲端運算環境的近場通訊認證方法,適用於一客端裝置與一雲端伺服裝置,該客端裝置與該雲端伺服裝置具有一安全權仗值,該方法包括以下步驟:由該客端裝置輸出一客端亂數至該雲端伺服裝置;由該雲端伺服裝置依據該客端亂數與該安全權仗值雜湊計算一第一伺服認證值,以輸出該第一伺服認證值與一伺服亂數至該客端裝置;當該客端裝置取得該第一伺服認證值與該伺服亂數時,依據該客端亂數與該安全權仗值雜湊計算一第一客端認證值;當該客端裝置判斷該第一客端認證值等同該第一伺服認證值時,依據該伺服亂數與該安全權仗值雜湊計算一第二客端認證值,輸出該第二客端認證值至該雲端伺服裝置;當雲端伺服裝置取得該第二客端認證值時,依據該伺服亂數與該安全權仗值雜湊計算一第二伺服認證值;以及 當該雲端伺服裝置判斷該第二客端認證值等同該第二伺服認證值時,判斷認證完成。 A near field communication authentication method applied to a cloud computing environment, which is applicable to a client device and a cloud server device, the client device and the cloud server device having a security right threshold, the method comprising the following steps: by the guest The terminal device outputs a client random number to the cloud server device; the cloud server device calculates a first servo authentication value according to the client random number and the security weight threshold to output the first servo authentication value and a Serving a random number to the client device; when the client device obtains the first servo authentication value and the servo random number, calculating a first client authentication value according to the client random number and the security right threshold; When the client device determines that the first client authentication value is equal to the first server authentication value, calculating a second client authentication value according to the servo random number and the security right threshold, and outputting the second client authentication a value to the cloud server; when the cloud server obtains the second client authentication value, calculating a second servo authentication value according to the servo random number and the security right threshold; and When the cloud server determines that the second client authentication value is equal to the second server authentication value, it is determined that the authentication is completed. 根據申請專利範圍第6項所述的應用於雲端運算環境的近場通訊認證方法,其中,該雲端伺服裝置包括一權仗值表,該客端裝置係先傳輸一標籤識別資料,該雲端伺服裝置將該標籤識別資料對照該權仗值表,取得對應該標籤識別資料的該安全權仗值,並回傳予該客端裝置。 The near field communication authentication method applied to the cloud computing environment according to claim 6, wherein the cloud server device includes a weight value table, and the client device transmits a tag identification data, the cloud server The device compares the tag identification data with the weight threshold table, obtains the security right value corresponding to the tag identification data, and returns the security value to the client device. 根據申請專利範圍第6項所述的應用於雲端運算環境的近場通訊認證方法,其中,該雲端伺服裝置係取得該客端裝置的標籤識別資料,並依據一主密鑰值、該標籤識別資料與一有效時間數值雜湊計算該安全權仗值,並回傳予該客端裝置。 The near field communication authentication method applied to the cloud computing environment according to claim 6, wherein the cloud server device obtains the tag identification data of the client device, and identifies the tag according to a master key value. The data is hashed with a valid time value to calculate the security weight and passed back to the client device. 根據申請專利範圍第6項所述的應用於雲端運算環境的近場通訊認證方法,其中,該雲端伺服裝置係取得對應該安全權仗值的一有效時間數值,並依據該有效時間數值判斷該安全權仗值失效時,由該雲端伺服裝置重新產生該安全權仗值並更新於該客端裝置,其中該有效時間數值是該客端裝置所提供與預儲於該雲端伺服裝置之至少其一。 The near field communication authentication method applied to the cloud computing environment according to claim 6, wherein the cloud server device obtains a valid time value corresponding to the security right threshold, and determines the valid time value according to the effective time value. When the security right threshold expires, the security threshold is regenerated by the cloud server and updated to the client device, wherein the valid time value is at least provided by the client device and pre-stored in the cloud server device. One. 根據申請專利範圍第6項所述的應用於雲端運算環境的近場通訊認證方法,其中,該客端裝置與該雲端伺服裝置透過一會議金鑰對傳輸資料作加密與解密作業,其中該會議金鑰為該客端亂數、該伺服亂數與該安全權仗值雜湊計算而得。 The near field communication authentication method applied to the cloud computing environment according to claim 6, wherein the client device and the cloud server perform encryption and decryption operations on the transmission data through a conference key, wherein the conference The key is obtained by hashing the client random number, the servo random number and the security right threshold.
TW103138212A 2014-11-04 2014-11-04 Near Field Communication Authentication System and Method Applied to Cloud Computing Environment TWI543015B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW103138212A TWI543015B (en) 2014-11-04 2014-11-04 Near Field Communication Authentication System and Method Applied to Cloud Computing Environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW103138212A TWI543015B (en) 2014-11-04 2014-11-04 Near Field Communication Authentication System and Method Applied to Cloud Computing Environment

Publications (2)

Publication Number Publication Date
TW201617961A TW201617961A (en) 2016-05-16
TWI543015B true TWI543015B (en) 2016-07-21

Family

ID=56508997

Family Applications (1)

Application Number Title Priority Date Filing Date
TW103138212A TWI543015B (en) 2014-11-04 2014-11-04 Near Field Communication Authentication System and Method Applied to Cloud Computing Environment

Country Status (1)

Country Link
TW (1) TWI543015B (en)

Also Published As

Publication number Publication date
TW201617961A (en) 2016-05-16

Similar Documents

Publication Publication Date Title
CN109951489B (en) Digital identity authentication method, equipment, device, system and storage medium
TWI735691B (en) Data key protection method, device and system
US11218330B2 (en) Generating an identity for a computing device using a physical unclonable function
US20220224550A1 (en) Verification of identity using a secret key
CN107113553B (en) Device, method and server for unified near-field communication architecture
TWI497336B (en) Data security devices and computer program
DK2995039T3 (en) SYSTEMS AND PROCEDURES FOR SECURE COMMUNICATION.
US11025437B2 (en) Post-manufacture certificate generation
TWI718567B (en) Two-dimensional code generation method, data processing method, device, server and computer readable storage medium
CN104160652A (en) Method and system for distributed off-line logon using one-time passwords
CN104715187A (en) Method and apparatus used for authenticating nodes of electronic communication system
CN110222531A (en) A kind of method, system and equipment accessing database
CN109997119A (en) Safety element installation and setting
US9449193B2 (en) Information processing apparatus
CN109815747A (en) Offline auditing method, electronic device and readable storage medium storing program for executing based on block chain
Ibrahim et al. An advanced encryption standard powered mutual authentication protocol based on elliptic curve cryptography for RFID, proven on WISP
Cooijmans et al. Secure key storage and secure computation in Android
Bojjagani et al. The use of iot-based wearable devices to ensure secure lightweight payments in fintech applications
JP2021100227A (en) IoT KEY MANAGEMENT SYSTEM, SECURE DEVICE, IoT DEVICE, DEVICE MANAGEMENT APPARATUS, AND METHOD FOR CREATING PUBLIC KEY CERTIFICATE OF SECURE ELEMENT
JP6167667B2 (en) Authentication system, authentication method, authentication program, and authentication apparatus
JP2017108237A (en) System, terminal device, control method and program
TWI543015B (en) Near Field Communication Authentication System and Method Applied to Cloud Computing Environment
JP2015228570A (en) Authentication system and portable communication terminal
CN110798321B (en) Article information service method based on block chain
KR102285310B1 (en) Method for generating session key and electronic apparatus thereof

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees