TWI625977B - Method for authenticating communication device lower-level group - Google Patents

Method for authenticating communication device lower-level group

Publication number: TWI625977B
Authority: TW (Taiwan)
Prior art keywords: communication device; level group; communication; level; certificate
Application number: TW105137267A
Other languages: Chinese (zh)
Other versions: TW201820904A (en)
Inventors: 魯養麟, 藍仁宏
Original Assignee: 艾瑞得科技股份有限公司
Application filed by: 艾瑞得科技股份有限公司
Priority to TW105137267A (TWI625977B)
Priority to CN201710880299.8A (CN108076039B)
Application granted
Publication of TW201820904A
Publication of TWI625977B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/104: Grouping of entities
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807: Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205: Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/06: Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/065: Network architectures or network communication protocols for network security for supporting key management in a packet data network for group communications

Abstract

A method for authenticating a lower-level group of communication devices. The lower-level group is established based on an upper-level group of communication devices. The upper-level group includes a plurality of communication devices, each of which stores its own first-level device security certificate. The method generates a lower-level group authorization certificate for the lower-level group, signs a respective second-level device security certificate for each communication device belonging to the lower-level group, and combines the lower-level group authorization certificate with the second-level device security certificates to form a plurality of certificate chains. Each communication device belonging to the lower-level group receives its corresponding certificate chain and replaces its first-level device security certificate with the second-level device security certificate in the received chain.

Description

Method for authenticating a lower-level group of communication devices

The invention relates to a method for authenticating a lower-level group of communication devices, and further to a method by which the communication devices in the lower-level group authenticate one another.

In the past, communication between communication devices was carried over wired networks. Authentication between devices therefore relied on manually configured passwords, or the user of a communication device obtained a certificate from a certificate authority and used that certificate to complete an authentication procedure with other communication devices or network servers in order to obtain a connection.

Today, communication between communication devices is mostly carried over wireless networks. Authentication between these devices either uses manually set passwords (for example, devices using Bluetooth or Wi-Fi), or uses no security authentication at all and obtains a connection by frequency matching (for example, devices using ZigBee).

To summarize the prior art described above: authentication of communication devices mostly relies on manually set passwords, which requires a manual setup procedure and provides insufficient security. Using certificates over a wired network provides sufficient security, but the certificate must be obtained from a third party, and the connection established after authentication is a relationship between the user (communication device) and the server. After authentication, the communication link between one communication device and another still has to pass through the server.

With the rise of the Internet of Things, the demand for machine-to-machine communication to exchange data between communication devices has also increased. Generally, a manufacturer produces communication devices in large batches and, before they leave the factory, stores a product serial number in each device for device identification.

Consumers purchase a number of mass-produced communication devices and install them in a specific area, such as a home, a school, or a company. To avoid communication interference from devices of the same model installed in other areas, the devices installed in the specific area must be formed into a group that is separated from the devices installed elsewhere. When the devices are installed in several sub-areas within the specific area, for example different buildings of a school, the devices that already form an upper-level group for the area must further be formed into lower-level groups. A group of communication devices must be authenticated as a group, and the devices within the same group must also authenticate one another, before they can exchange data by machine-to-machine communication. The prior art, however, does not give consumers a convenient and secure way to meet these needs.

The technical problem to be solved by the present invention is therefore to provide a method for authenticating a lower-level group of communication devices, and further a method by which the communication devices in the lower-level group authenticate one another. In particular, the method of the present invention does not need to go through a third party or a server, which increases the security and convenience of communication device authentication.

A method according to a preferred embodiment of the present invention is used to authenticate a lower-level group of communication devices. The lower-level group is established based on an upper-level group of communication devices, and the upper-level group includes a plurality of communication devices. A first manager device stores an upper-level group private key and an upper-level group public key paired with it. Each communication device stores its own first-level device security certificate, its own device serial number, and the upper-level group public key. In the method, a second manager device first generates a lower-level group private key and a lower-level group public key paired with it. Next, the first manager device signs the lower-level group public key and an authorized device serial number range with the upper-level group private key, thereby generating a lower-level group authorization certificate. The lower-level group authorization certificate includes the lower-level group public key, the authorized device serial number range, and an authorization certificate signature. Next, the second manager device uses the lower-level group private key to sign a respective second-level device security certificate for each of the communication devices whose device serial number falls within the authorized device serial number range. The communication devices whose serial numbers fall within that range belong to the lower-level group. Next, the lower-level group authorization certificate is combined with the second-level device security certificates to form a plurality of certificate chains, each chain corresponding to one communication device belonging to the lower-level group. Finally, each communication device belonging to the lower-level group receives its corresponding certificate chain and verifies the lower-level group authorization certificate in the received chain with the upper-level group public key. If that verification succeeds, the device verifies the second-level device security certificate in its chain with the lower-level group public key contained in the lower-level group authorization certificate. If that verification also succeeds, the device replaces its stored first-level device security certificate with the corresponding second-level device security certificate, and replaces the upper-level group public key with the lower-level group public key for verifying new group device security certificates.

In a specific embodiment, each communication device also generates its own device private key and a device public key paired with it. The second manager device uses the lower-level group private key to sign the second-level device security certificate of each communication device belonging to the lower-level group over that device's serial number, device public key, and a certificate validity period. Each second-level device security certificate includes the device serial number of the corresponding communication device, the device public key, the certificate validity period, and a device certificate signature.

In a specific embodiment, the lower-level group authorization certificate also includes an authorization certificate signature.

Compared with the prior art, the method of the present invention does not need to go through a third party or a server, which increases the security and convenience of communication device authentication. In addition, by providing certificate chains, the method can divide an upper-level group of communication devices into several different lower-level groups. After a lower-level group obtains its authorization certificate from the upper-level group, it has its own security authentication certificates and is independent of the upper-level group and of the other lower-level groups.

The advantages and spirit of the present invention can be further understood from the following detailed description and the accompanying drawings.

10‧‧‧first manager device

12‧‧‧communication device upper-level group

122, 124‧‧‧communication device lower-level groups

122a, 122b, 122c, 124a, 124b, 124c‧‧‧communication devices

14‧‧‧second manager device

2‧‧‧network

3‧‧‧method

S30~S42‧‧‧process steps

S50~S64‧‧‧process steps

FIG. 1 is a schematic diagram of the environment in which the method of the present invention is implemented.

FIG. 2 is a flowchart of a preferred embodiment of the method of the present invention.

FIG. 3 is a flowchart of further steps of the method of the present invention.

Please refer to FIG. 1 and FIG. 2. FIG. 2 is a flowchart of method 3 according to a preferred embodiment of the present invention. Method 3 is used to authenticate the communication device lower-level group 122. The environment in which method 3 is implemented is shown in FIG. 1.

As shown in FIG. 1, the lower-level group 122 is established based on the communication device upper-level group 12. The upper-level group 12 includes a plurality of communication devices (122a, 122b, 122c, 124a, 124b, 124c). Besides the lower-level group 122, FIG. 1 also shows another lower-level group 124.

The first manager device 10 shown in FIG. 1 stores the upper-level group private key and the upper-level group public key paired with it. Each communication device (122a, 122b, 122c, 124a, 124b, 124c) stores its own first-level device security certificate and its own device serial number.

In a specific embodiment, the first manager device 10 may be a server of the manufacturer, or a coordinating device in the group one level above the upper-level group 12.

In a specific embodiment, the first-level device security certificate stored in each communication device (122a, 122b, 122c, 124a, 124b, 124c) includes that device's serial number, its device public key, and a certificate validity period. As shown in FIG. 2, method 3 first performs step S30, in which the second manager device 14 generates the lower-level group private key and the lower-level group public key paired with it. As shown in FIG. 1, the second manager device 14 can connect to the first manager device 10 via the network 2.

In a specific embodiment, the second manager device 14 may be any kind of personal data processing device, such as a desktop computer, a notebook computer, a smartphone, or a tablet, or it may be a coordinator device among the communication devices (122a, 122b, 122c, 124a, 124b, 124c).

In a specific embodiment, the network 2 may be the Internet, an extranet, a local area network, a wide area network, an Ethernet network, a cable TV network, a radio telecommunication network, a public switched telephone network, a 3G network, a 4G network, a 5G network, an HSPA network, a Wi-Fi network, a WiMAX network, an LTE network, or another network in current commercial use.

Next, method 3 performs step S32, in which the first manager device 10 signs the lower-level group public key with the upper-level group private key, thereby generating the lower-level group authorization certificate. The lower-level group authorization certificate includes the lower-level group public key, the authorized device serial number range, and the authorization certificate signature.

Next, the method performs step S34, in which the second manager device 14 uses the lower-level group private key to sign a respective second-level device security certificate for each of the communication devices (122a, 122b, 122c) whose device serial number, among the plurality of communication devices (122a, 122b, 122c, 124a, 124b, 124c), falls within the authorized device serial number range. Only the lower-level group 122 is used as the example here. Accordingly, the communication devices (122a, 122b, 122c) whose serial numbers fall within the authorized device serial number range belong to the lower-level group 122; the communication devices (124a, 124b, 124c) do not.

Next, the method performs step S36, in which the lower-level group authorization certificate is combined with the second-level device security certificates to form a plurality of certificate chains. Each certificate chain corresponds to one communication device (122a, 122b, 122c) belonging to the lower-level group 122.

Next, method 3 performs step S38, in which each communication device 122a belonging to the lower-level group 122 receives its corresponding certificate chain and verifies the authorization certificate in the received chain with the upper-level group public key.

If the verification in step S38 succeeds, the method performs step S40, in which each communication device 122a belonging to the lower-level group 122 verifies the second-level device security certificate in its corresponding certificate chain with the lower-level group public key contained in the lower-level group authorization certificate.

Finally, if the verification in step S40 succeeds, step S42 is performed, in which each communication device 122a belonging to the lower-level group 122 replaces its stored first-level device security certificate with its corresponding second-level device security certificate, and replaces the upper-level group public key with the lower-level group public key for verifying new group device security certificates.

In a specific embodiment, each communication device (122a, 122b, 122c, 124a, 124b, 124c) also generates its own device private key and a device public key paired with it. The second manager device 14 uses the lower-level group private key to sign the second-level device security certificate of each communication device (122a, 122b, 122c) belonging to the lower-level group 122 over that device's serial number, device public key, and a certificate validity period. Each second-level device security certificate includes the device serial number of the corresponding communication device, the device public key, the certificate validity period, and a device certificate signature.

In a specific embodiment, the lower-level group authorization certificate also includes an authorization certificate signature.

In practice, authorizing different lower-level groups by means of an authorization certificate chain, as method 3 does, is not limited to two levels. It can be applied recursively: the manager device of an authorized lower-level group authorizes the manager device of the next level down in the same way, and the new device authentication certificates are issued with the private key of the manager of the last authorized lower-level group. Communication devices leaving the factory initially always use their original certificates to authenticate and establish secure connections. On receiving an authorization certificate chain, a device starts by verifying the first-level authorization certificate with the original group public key and obtains the next-level group public key, uses that key to verify the next-level certificate, and continues until the communication device certificate has been verified. It then replaces the previous-level device certificate and group public key with the last-level device certificate and group public key, forming a new authentication group.
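The issuance and device-side verification described in steps S32 to S42, generalized to the recursive multi-level chain of the preceding paragraph and including the peer membership check of step S52, can be sketched as follows. This is an added example, not code from the patent: the patent names no signature algorithm, so a toy textbook-RSA scheme over Mersenne primes stands in for a real one, and the field names, serial numbers, dates, and the device-side serial-range and validity checks are assumptions.

```python
import hashlib
import json

E = 65537  # public exponent shared by every toy key

def make_key(p_exp, q_exp):
    """Toy RSA key from two Mersenne primes (constructed stand-in, NOT secure)."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def _digest(body, n):
    blob = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % n

def sign(priv, body):
    return pow(_digest(body, priv["n"]), priv["d"], priv["n"])

def verify(pub_n, cert):
    body = {k: v for k, v in cert.items() if k != "sig"}
    return pow(cert["sig"], E, pub_n) == _digest(body, pub_n)

def issue_authorization(signer_priv, group_pub, serial_range):
    """S32: the higher group signs the lower group's public key and serial range."""
    body = {"group_pub": group_pub, "serial_range": list(serial_range)}
    return {**body, "sig": sign(signer_priv, body)}

def issue_device_cert(group_priv, serial_range, serial, device_pub, not_after):
    """S34: the group manager signs only serials inside the authorized range."""
    lo, hi = serial_range
    if not lo <= serial <= hi:
        raise ValueError("serial %d outside authorized range" % serial)
    body = {"serial": serial, "device_pub": device_pub, "not_after": not_after}
    return {**body, "sig": sign(group_priv, body)}

class Device:
    def __init__(self, serial, group_pub, cert):
        self.serial, self.group_pub, self.cert = serial, group_pub, cert

    def install_chain(self, chain, today):
        """S38-S42 for a chain of any depth; state changes only if all checks pass."""
        if not chain:
            return False
        *auth_certs, dev_cert = chain
        anchor = self.group_pub
        for auth in auth_certs:
            if not verify(anchor, auth):         # S38: signed by the current anchor?
                return False
            lo, hi = auth["serial_range"]
            if not lo <= self.serial <= hi:      # device-side range check (assumption)
                return False
            anchor = auth["group_pub"]           # descend one level
        if not verify(anchor, dev_cert):         # S40
            return False
        if dev_cert["serial"] != self.serial or dev_cert["not_after"] < today:
            return False                         # binding and expiry checks (assumption)
        self.cert, self.group_pub = dev_cert, anchor   # S42: replace cert and anchor
        return True

    def accepts_peer(self, peer_cert, today):
        """S52: a peer is in my group if my group key signed its certificate."""
        return verify(self.group_pub, peer_cert) and peer_cert["not_after"] >= today

def demo():
    today, expiry = 20240101, 20301231           # constructed dates (YYYYMMDD)
    upper = make_key(127, 107)                   # first manager device 10
    g122 = make_key(89, 61)                      # second manager device 14
    g124 = make_key(521, 607)                    # manager of another group

    def factory(serial):                         # device with its first-level cert
        cert = issue_device_cert(upper, (0, 9999), serial, serial * 7 + 1, expiry)
        return Device(serial, upper["n"], cert)

    a, b, c, other = factory(1000), factory(1001), factory(1002), factory(2000)
    auth122 = issue_authorization(upper, g122["n"], (1000, 1002))
    out = {}
    for name, dev in (("a", a), ("b", b)):
        cert = issue_device_cert(g122, auth122["serial_range"], dev.serial,
                                 dev.serial * 7 + 1, expiry)
        out[name + "_installed"] = dev.install_chain([auth122, cert], today)
    out["peer_in_group"] = a.accepts_peer(b.cert, today)
    out["peer_on_factory_cert"] = a.accepts_peer(other.cert, today)
    # A chain whose authorization certificate was not signed by the upper group.
    forged_auth = issue_authorization(g124, g124["n"], (1000, 1002))
    forged_cert = issue_device_cert(g124, (1000, 1002), 1002, 15, expiry)
    out["forged_chain_installed"] = c.install_chain([forged_auth, forged_cert], today)
    out["c_anchor_unchanged"] = c.group_pub == upper["n"]
    return out
```

After a device installs its chain, it no longer accepts certificates signed by the upper-level group key, which is the independence property the description claims for a lower-level group.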

請參閱圖3,圖3係繪示本發明之方法3進一步的流程圖。圖3所繪示的步驟流程係為了執行通訊裝置(122a、122b、122c)之間的認證。下文將舉歸屬於通訊裝置下階群組122之該等通訊裝置(122a、122b、122c)中第一通訊裝置122a以及第二通訊裝置122b做為說明例。 Please refer to FIG. 3, which is a further flowchart of method 3 of the present invention. The procedure shown in FIG. 3 is to perform authentication between the communication devices (122a, 122b, 122c). In the following, the first communication device 122a and the second communication device 122b of the communication devices (122a, 122b, 122c) belonging to the lower-level group 122 of the communication device will be taken as an example for illustration.

如圖3所示,本發明之方法3進一步執行步驟S50,由第一通訊裝置122a與第二通訊裝置122b彼此交換其對應的第二階裝置安全憑證。 As shown in FIG. 3, the method 3 of the present invention further performs step S50, and the first communication device 122a and the second communication device 122b exchange their corresponding second-level device security credentials with each other.

接著,本發明之方法3係執行步驟S52,由第一通訊裝置122a以其下階群組公鑰檢驗第二通訊裝置122b之第二階裝置安全憑證進而判斷第二通訊裝置122b是否歸屬於通訊裝置下階群組122,由第二通訊裝置122b以其下階群組公鑰檢驗第一通訊裝置122a之第二階裝置安全憑證進而判斷 第一通訊裝置122a是否歸屬於通訊裝置下階群組122,並且若檢驗結果皆為肯定者,則執行步驟S54。 Next, the method 3 of the present invention executes step S52, and the first communication device 122a verifies the second-level device security certificate of the second communication device 122b with its lower-level group public key to determine whether the second communication device 122b belongs to the communication. The lower-level group 122 of the device, and the second communication device 122b verifies the second-level device security certificate of the first communication device 122a with the public key of the lower-level group and judges Whether the first communication device 122a belongs to the lower-level group 122 of the communication device, and if the test results are all positive, step S54 is performed.

於步驟S54中,由第一通訊裝置122a與第二通訊裝置122b彼此繼續交換其產生之各自的隨機變數。 In step S54, the first communication device 122a and the second communication device 122b continue to exchange their respective random variables.

於步驟S54之後,本發明之方法3係執行步驟S56,由第一通訊裝置122a產生第一臨時私鑰以及與第一臨時私鑰配對之第一臨時公鑰,並且由第二通訊裝置122b產生第二臨時私鑰以及與第二臨時私鑰配對之第二臨時公鑰。 After step S54, the method 3 of the present invention executes step S56, the first temporary private key generated by the first communication device 122a and the first temporary public key paired with the first temporary private key, and generated by the second communication device 122b The second temporary private key and a second temporary public key paired with the second temporary private key.

於步驟S56之後,本發明之方法3係執行步驟S58,由第一通訊裝置122a傳送第一臨時公鑰至第二通訊裝置122b,並且由第二通訊裝置122b傳送第二臨時公鑰至第一通訊裝置122a。 After step S56, the method 3 of the present invention executes step S58, and the first communication device 122a transmits the first temporary public key to the second communication device 122b, and the second communication device 122b transmits the second temporary public key to the first Communication device 122a.

於步驟S58之後,本發明之方法3係執行步驟S60,由第一通訊裝置122a藉由第二通訊裝置122b之裝置公鑰、第二臨時公鑰、第二通訊裝置122b之隨機變數以及第一通訊裝置122a之裝置私鑰、第一臨時私鑰且根據密鑰交換協議產生會議密鑰。 After step S58, the method 3 of the present invention executes step S60 by the first communication device 122a through the device public key of the second communication device 122b, the second temporary public key, the random variable of the second communication device 122b, and the first The device private key, the first temporary private key of the communication device 122a and the conference key are generated according to the key exchange protocol.

於步驟S60之後,本發明之方法3係執行步驟S62,由第二通訊裝置122b藉由第一通訊裝置122a之裝置公鑰、第一臨時公鑰、第一通訊裝置122a之隨機變數以及第二通訊裝置122b之裝置私鑰、第二臨時私鑰且根據密鑰交換協議同樣地產生會議密鑰。 After step S60, the method 3 of the present invention executes step S62. The second communication device 122b uses the device public key of the first communication device 122a, the first temporary public key, the random variable of the first communication device 122a, and the second The device private key and the second temporary private key of the communication device 122b also generate a conference key in accordance with the key exchange protocol.

於步驟S62之後,本發明之方法3係執行步驟S64,由第一通訊裝置122a藉由第二通訊裝置122b以會議密鑰建立與第二通訊裝置122b之間之第一通訊安全通道。 After step S62, the method 3 of the present invention executes step S64, and the first communication device 122a and the second communication device 122b establish a first communication secure channel with the second communication device 122b with the conference key.

進一步,本發明之方法3係由第一通訊裝置122a藉由會議密鑰將網路密鑰加密,再將經加密的網路密鑰傳送 給歸屬於通訊裝置下階群組122之其他通訊裝置(122b、122c)。第一通訊裝置122a即做為協調者。歸屬於通訊裝置下階群組122之該等通訊裝置(122a、122b、122c)彼此間藉由網路密鑰建立同一群組網路間之第二通訊安全通道,進而達成該等通訊裝置(122a、122b、122c)能進行機器對機器通訊交換資料。 Further, in the method 3 of the present invention, the first communication device 122a encrypts the network key with the conference key, and then transmits the encrypted network key. To other communication devices (122b, 122c) belonging to the communication device lower-level group 122. The first communication device 122a acts as a coordinator. The communication devices (122a, 122b, 122c) belonging to the lower-level group 122 of the communication device establish a second communication secure channel between the networks of the same group with each other by using a network key, thereby achieving the communication devices ( 122a, 122b, 122c) can perform machine-to-machine communication and exchange data.

藉由以上較佳具體實施例之詳述,相信能清楚了解本發明之方法不需經由第三者或伺服器,更增加通訊裝置認證的安全性及便利性。並且,本發明之方法藉由提供憑證鏈,可以將通訊裝置上階群組劃分為多個不同的通訊裝置下階群組,可以使通訊裝置下階群組自通訊裝置上階群組取得授權憑證後,擁有自我的安全認證憑證,獨立於通訊裝置上階群組或其他通訊裝置下階群組。 Based on the detailed description of the above preferred embodiments, it is believed that the method of the present invention can be clearly understood without the need for a third party or a server, and the security and convenience of communication device authentication are further increased. In addition, the method of the present invention can divide the upper-level group of communication devices into multiple different lower-level groups of communication devices by providing a certificate chain, so that the lower-level groups of communication devices can obtain authorization from the upper-level groups of communication devices. After the certificate, it has its own security authentication certificate, which is independent of the upper-level group of communication devices or other lower-level groups of communication devices.

The detailed description of the preferred embodiments above is intended to describe the features and spirit of the present invention more clearly, not to limit the scope of the present invention to the preferred embodiments disclosed above. On the contrary, the intention is to cover various changes and equivalent arrangements within the scope of the claims of the present invention. The scope of the claims of the present invention should therefore be given the broadest interpretation consistent with the above description, so that it covers all possible changes and equivalent arrangements.

Claims (5)

1. A method for authenticating a communication device lower-level group, the communication device lower-level group being established based on a communication device upper-level group, the communication device upper-level group comprising a plurality of communication devices, a first manager device storing an upper-level group private key and an upper-level group public key paired with the upper-level group private key, and each communication device storing a respective first-level device security certificate, an upper-level group public key and a respective device serial number, the method comprising the following steps:
generating, by a second manager device, a lower-level group private key and a lower-level group public key paired with the lower-level group private key;
signing, by the first manager device with the upper-level group private key, the lower-level group public key and an authorized device serial number range, thereby generating a lower-level group authorization certificate, the lower-level group authorization certificate comprising the lower-level group public key, the authorized device serial number range and an authorization certificate signature;
signing, by the second manager device with the lower-level group private key, a respective second-level device security certificate for each of the communication devices, among the plurality of communication devices, whose device serial number falls within the authorized device serial number range, wherein the communication devices whose device serial numbers fall within the authorized device serial number range belong to the communication device lower-level group;
combining the lower-level group authorization certificate with the second-level device security certificates to form a plurality of certificate chains, each certificate chain corresponding to one communication device belonging to the communication device lower-level group; and
receiving, by each communication device belonging to the communication device lower-level group, its corresponding certificate chain, verifying the lower-level group authorization certificate with the upper-level group public key, and, if the verification result is affirmative, verifying the second-level device security certificate in its corresponding certificate chain with the lower-level group public key in the lower-level group authorization certificate, and, if the verification result is affirmative, replacing its stored first-level device security certificate with its corresponding second-level device security certificate.

2. The method according to claim 1, wherein each communication device further generates a respective device private key and a respective device public key paired with the device private key, and the second-level manager device, with the lower-level group private key, signs the corresponding second-level device security certificate for each communication device belonging to the communication device lower-level group based on the device serial number, the device public key and a certificate validity period, each second-level device security certificate comprising the device serial number of its corresponding communication device, the device public key, the certificate validity period and a device certificate signature.

3. The method according to claim 2, wherein the lower-level group authorization certificate further comprises an authorization certificate signature.

4. The method according to claim 3, wherein the communication devices belonging to the communication device lower-level group comprise a first communication device and a second communication device, the method further comprising the following steps:
exchanging, between the first communication device and the second communication device, their corresponding second-level device security certificates;
verifying, by the first communication device with its lower-level group public key, the second-level device security certificate of the second communication device to determine whether the second communication device belongs to the communication device lower-level group, and verifying, by the second communication device with its lower-level group public key, the second-level device security certificate of the first communication device to determine whether the first communication device belongs to the communication device lower-level group, and, if both verification results are affirmative, performing the following steps:
continuing, by the first communication device and the second communication device, to exchange with each other a respective random variable that each has generated;
generating, by the first communication device, a first temporary private key and a first temporary public key paired with the first temporary private key, and generating, by the second communication device, a second temporary private key and a second temporary public key paired with the second temporary private key;
transmitting, by the first communication device, the first temporary public key to the second communication device, and transmitting, by the second communication device, the second temporary public key to the first communication device;
generating, by the first communication device, a session key according to a key exchange protocol from the device public key of the second communication device, the second temporary public key, the random variable of the second communication device, the device private key of the first communication device and the first temporary private key;
generating, by the second communication device, the same session key according to the key exchange protocol from the device public key of the first communication device, the first temporary public key, the random variable of the first communication device, the device private key of the second communication device and the second temporary private key; and
establishing, by the first communication device and the second communication device with the session key, a first secure communication channel between them.

5. The method according to claim 4, further comprising the following steps: encrypting, by the first communication device, a network key with the session key, and then transmitting the encrypted network key to the other communication devices belonging to the communication device lower-level group, wherein the communication devices belonging to the communication device lower-level group use the network key to establish a second secure communication channel among themselves.
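
The device-side check from claim 1, as an added Go example that is not code from the patent. The certificate layout, the byte encodings, the use of Ed25519 and all names are assumptions, as are the serial-range, own-serial and expiry checks, which the claims do not spell out for the receiving device.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// AuthCert: lower-level group public key and authorized serial range, signed by the upper-level key.
type AuthCert struct { GroupPub ed25519.PublicKey; Lo, Hi uint32; Sig []byte }
// DeviceCert: second-level device certificate, signed by the lower-level group key.
type DeviceCert struct { Serial uint32; DevPub ed25519.PublicKey; NotAfter int64; Sig []byte }
// Assumed byte encodings of the signed fields (the page defines none).
func authTBS(a AuthCert) []byte { return []byte(fmt.Sprintf("auth|%x|%d|%d", a.GroupPub, a.Lo, a.Hi)) }
func devTBS(d DeviceCert) []byte { return []byte(fmt.Sprintf("dev|%d|%x|%d", d.Serial, d.DevPub, d.NotAfter)) }

// VerifyChain is the device-side check; nil means the first-level certificate may be replaced by d.
func VerifyChain(upperPub ed25519.PublicKey, mySerial uint32, now int64, a AuthCert, d DeviceCert) error {
	// Length check first: ed25519.Verify panics on a malformed public key.
	if len(a.GroupPub) != ed25519.PublicKeySize || !ed25519.Verify(upperPub, authTBS(a), a.Sig) {
		return errors.New("authorization certificate rejected")
	}
	if !ed25519.Verify(a.GroupPub, devTBS(d), d.Sig) {
		return errors.New("device certificate not signed by lower-level group key")
	}
	// Assumed extra checks: two valid signatures alone do not prove authorization.
	if d.Serial != mySerial || d.Serial < a.Lo || d.Serial > a.Hi {
		return errors.New("serial outside authorized range")
	}
	if now > d.NotAfter {
		return errors.New("device certificate expired")
	}
	return nil
}

// Issue builds a constructed chain: fresh keys, authorized range 1000-1999.
func Issue(serial uint32) (ed25519.PublicKey, AuthCert, DeviceCert) {
	upPub, upPriv, _ := ed25519.GenerateKey(nil)
	loPub, loPriv, _ := ed25519.GenerateKey(nil)
	devPub, _, _ := ed25519.GenerateKey(nil)
	a := AuthCert{GroupPub: loPub, Lo: 1000, Hi: 1999}
	a.Sig = ed25519.Sign(upPriv, authTBS(a))
	d := DeviceCert{Serial: serial, DevPub: devPub, NotAfter: 2000000000}
	d.Sig = ed25519.Sign(loPriv, devTBS(d))
	return upPub, a, d
}

func main() {
	up, a, d := Issue(2500) // constructed: the lower-level manager signs outside its range
	fmt.Println(VerifyChain(up, 2500, 1700000000, a, d))
}
```

Both signatures in the constructed chain are valid, so only the range comparison stops a lower-level manager from enrolling a device it was never authorized for.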
TW105137267A 2016-11-15 2016-11-15 Method for authenticatting communication device lower-level group TWI625977B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
TW105137267A TWI625977B (en) 2016-11-15 2016-11-15 Method for authenticatting communication device lower-level group
CN201710880299.8A CN108076039B (en) 2016-11-15 2017-09-26 Method for authenticating a next-level group of a communication device

Publications (2)

Publication Number Publication Date
TW201820904A TW201820904A (en) 2018-06-01
TWI625977B true TWI625977B (en) 2018-06-01

Family

ID=62159366

Family Applications (1)

Application Number Title Priority Date Filing Date
TW105137267A TWI625977B (en) 2016-11-15 2016-11-15 Method for authenticatting communication device lower-level group

Country Status (2)

Country Link
CN (1) CN108076039B (en)
TW (1) TWI625977B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013118096A1 (en) * 2012-02-10 2013-08-15 Renesas Mobile Corporation Method, apparatus and computer program for facilitating secure d2d discovery information
US20140013108A1 (en) * 2012-07-06 2014-01-09 Jani Pellikka On-Demand Identity Attribute Verification and Certification For Services
US8983071B2 (en) * 2005-02-07 2015-03-17 Samsung Electronics Co., Ltd. Key management method using hierarchical node topology, and method of registering and deregistering user using the same
TWI556618B (en) * 2015-01-16 2016-11-01 Univ Nat Kaohsiung 1St Univ Sc Network Group Authentication System and Method

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011159715A2 (en) * 2010-06-14 2011-12-22 Engels Daniel W Key management systems and methods for shared secret ciphers
WO2013014609A1 (en) * 2011-07-25 2013-01-31 Koninklijke Philips Electronics N.V. Methods, devices and systems for establishing end-to-end secure connections and for securely communicating data packets
US9654284B2 (en) * 2012-02-02 2017-05-16 Nokia Solutions And Networks Oy Group based bootstrapping in machine type communication

Also Published As

Publication number Publication date
TW201820904A (en) 2018-06-01
CN108076039B (en) 2020-06-30
CN108076039A (en) 2018-05-25

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees