WO2015149658A1 - 一种实体鉴别方法及装置 - Google Patents
一种实体鉴别方法及装置 Download PDFInfo
- Publication number
- WO2015149658A1 WO2015149658A1 PCT/CN2015/075285 CN2015075285W WO2015149658A1 WO 2015149658 A1 WO2015149658 A1 WO 2015149658A1 CN 2015075285 W CN2015075285 W CN 2015075285W WO 2015149658 A1 WO2015149658 A1 WO 2015149658A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- entity
- identity authentication
- message
- sig
- authentication message
- Prior art date
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/062—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/068—Network architectures or network communication protocols for network security for supporting key management in a packet data network using time-dependent keys, e.g. periodically changing keys
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/102—Entity profiles
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/123—Applying verification of the received information received data contents, e.g. message integrity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/006—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving public key infrastructure [PKI] trust models
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H04L9/0841—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
- H04L9/0844—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3252—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
- H04L9/3265—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate chains, trees or paths; Hierarchical trust model
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3271—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
- H04L9/3273—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/80—Wireless
- H04L2209/805—Lightweight hardware, e.g. radio-frequency identification [RFID] or sensor
Definitions
- the present application relates to the field of network security technologies, and in particular, to an entity authentication method and apparatus.
- NFC Near Field Communication
- NFC technology communicates over the air interface without any physical or visible contact. It is also widely used and faces multiple security threats, including: attackers intercepting illegal interception of communications. Interaction information between the two parties; copying or forging a legitimate card to counterfeit; reading the confidential information in the card remotely through a large RF power card reader, and then using the background server to crack to achieve the purpose of illegally acquiring the information in the card.
- NFC technology must have anti-counterfeiting capabilities, and provide identity authentication functions for cards and readers through the identity authentication mechanism of both parties to provide guarantee for the legality and authenticity of the identity of the two parties.
- the current NFC air interface communication technology does not provide an identity authentication mechanism, and there is a large security risk.
- the present application provides an entity identification method and apparatus for solving the problems in the background art.
- An entity authentication method characterized in that:
- Step 1 a first authentication entity A transmits a message including N A
- Step 2 After receiving the first identity authentication message from the entity A, the entity B checks the validity of the certificate Cert A in the first identity authentication message, and terminates the authentication if the certificate is invalid.
- Step 4 After receiving the second identity authentication message from the entity B including N A
- Step 7 after receiving the third identity authentication message from the entity A including N A
- Step 8 to check the entity B has already stored the temporary public key of the entity A Q A, Q A Ruoyi stores, using the stored Q A, or effective third authentication check message received in the Q A Sex, if valid, use the Q A in the received third identity authentication message, and if not, terminate the authentication;
- a working method of entity A when entity A and entity B perform entity authentication includes the following steps:
- MacTag B MAC1 (MK, ID B , ID A , Q B , Q A ) and compare it with MacTag B in the received fourth identity authentication message. If it is not equal, entity B is considered illegal; if it is equal, entity B is considered to be legal.
- SIG is a digital signature algorithm
- ID A is the identity of entity A
- ID B is the identity of entity B
- f is a key calculation function
- KDF is a key derivation algorithm
- MAC1 is a kind Message authentication code calculation method.
- a working method of entity B when entity A and entity B perform entity authentication includes the following steps:
- MacTag B MAC1 (MK, ID B , ID A , Q B , Q A ), and sends a fourth identity authentication message including MacTag B to entity A.
- SIG is a digital signature algorithm
- ID A is the identity of entity A
- ID B is the identity of entity B
- f is a key calculation function
- KDF is a key derivation algorithm
- MAC1 is a kind Message authentication code calculation method.
- a device for performing physical authentication with another device comprising a storage unit, a processing unit, and a transceiver unit:
- the storage unit is configured to store the certificate Cert A and the private key CS A of the device ;
- the processing unit is configured to generate a random number N A , a temporary private key d A , and a temporary public key Q A ;
- the transceiver unit is configured to send a first identity authentication message including N A
- the processing unit is further configured to check, according to the received second identity authentication message, including N A
- Sig B from the another device, if the verification is incorrect, Termination of identification;
- the processing unit is further configured to check whether the temporary public key Q B of the other device has been stored, and if the Q B has been stored, use the stored Q B , otherwise check the Q in the received second identity authentication message. The validity of B , if valid, uses the Q B in the received second identity authentication message, and if not, terminates the authentication;
- the transceiver unit is further configured to send, to the another device, a third identity authentication message including N A
- MacTag A and configured to receive, by the another device, a MacTag The fourth identity authentication message of B ;
- SIG is a digital signature algorithm
- ID A is the identity of the device
- ID B is the identity of the other device
- f is a key calculation function
- KDF is a key derivation algorithm
- MAC1 is a message authentication code calculation method.
- a device for performing physical authentication with another device comprising a storage unit, a processing unit, and a transceiver unit:
- the storage unit is configured to store the certificate Cert B and the private key CS B of the device ;
- the processing unit is configured to generate a random number N B , a temporary private key d B , and a temporary public key Q B ;
- the transceiver unit is configured to receive a first identity authentication message from the another device that includes the transmission of N A
- the transceiver unit is further configured to send, to the another device, a second identity authentication message including N A
- Sig B and is configured to receive the N message sent by the another device.
- the processing unit is further configured to check the received third identity authentication message including N A
- the processing unit is further configured to check whether the temporary public key Q A of the other device has been stored, and if the Q A has been stored, use the stored Q A , otherwise check the Q in the received third identity authentication message. The validity of A , if valid, uses the Q A in the received third identity authentication message, and if not, terminates the authentication;
- MacTag B MAC1(MK, ID B , ID A , Q B , Q A );
- the transceiver unit is further configured to send a fourth identity authentication message including the MacTag B to the another device.
- SIG is a digital signature algorithm
- ID A is the identity of the other device
- ID B is the identity of the device
- f is a key calculation function
- KDF is a key derivation algorithm
- MAC1 is a message authentication code calculation method.
- FIG. 2 is a schematic structural view of an apparatus corresponding to the entity A in the present application.
- FIG. 3 is a schematic structural diagram of an apparatus corresponding to the entity B in the present application.
- the application provides an entity identification method and apparatus.
- the present application relates to entity A and entity B.
- the two entities A and B of the communication have respective certificates Cert A , Cert B , private keys CS A , CS B , and the ability to authenticate the validity of the other party's certificate. And has been informed of the other party's identification information.
- the entity authentication method provided by the present application includes the following steps:
- Step 1 the entity A transmits to the authentication entity B a first message comprising
- here means the concatenation between the fields, it does not limit the order of the fields, the same below.
- " cascading field in the present application can be considered to constitute a "field group". It should be noted that the "field group” in the present case is open, except for the example exemplified in the present application. Except for the fields contained in the field group, it is not excluded that other fields can also be included in the "field group”.
- Step 2 After receiving the first identity authentication message from the entity A, the entity B checks the validity of the certificate Cert A in the first identity authentication message, and terminates the authentication if the certificate is invalid.
- Step 4 After receiving the second identity authentication message from the entity B including N A
- Q B The temporary public key of entity A.
- Q B Ruoyi stores, use the Q B stored, otherwise the effectiveness of the Q B of the second message authentication checks received, and if If it is valid, the Q B in the received second identity authentication message is used, and if it is invalid, the authentication is terminated.
- the third identity authentication message of MacTag A is given to entity B.
- Step 7 after receiving the third identity authentication message from the entity A including N A
- Step 8 to check the entity B has already stored the temporary public key of the entity A Q A, Q A Ruoyi stores, using the stored Q A, or effective third authentication check message received in the Q A Sex, if valid, uses Q A in the received third identity authentication message, and if not, terminates the authentication.
- step 4 after receiving the second identity authentication message from the entity B including N A
- the correctness of the field data including:
- the entity A checks whether the random number N A in the received second identity authentication message is consistent with the random number N A sent by the entity B to the entity B. If not, the verification is incorrect.
- entity A checks the validity of Cert B in the second identity authentication message, and if invalid, the verification is incorrect;
- entity A uses the public key CP B of entity B to verify Sig B , and checks whether entity B is legal. If it is not legal, the verification is incorrect.
- the public key CP B of entity B is included in the certificate Cert B of entity B.
- step 7 above after receiving the third identity authentication message from the entity A including N A
- the correctness of the field data including:
- the entity B checks whether the random number N A in the received third identity authentication message is consistent with the last received random number N A , and if not, the verification is incorrect;
- the entity B checks whether the random number N B in the received third identity authentication message is consistent with the random number N B sent by the entity A to the entity A. If not, the verification is incorrect.
- entity B uses the public key CP A of entity A to verify Sig A , and checks whether entity A is legal. If it is not legal, the verification is incorrect.
- the public key CP A of entity A is included in the certificate Cert A of entity A;
- the present application further provides a working method of the entity A for implementing the foregoing method, including the following steps:
- MacTag B MAC1 (MK, ID B , ID A , Q B , Q A ) and compare it with MacTag B in the received fourth identity authentication message. If it is not equal, entity B is considered illegal; if it is equal, entity B is considered to be legal.
- SIG is a digital signature algorithm
- ID A is the identity of entity A
- ID B is the identity of entity B
- f is a key calculation function
- KDF is a key derivation algorithm
- MAC1 is a kind Message authentication code calculation method.
- checking the correctness of the field data in the second identity authentication message include:
- Entity B using B's public key to verify the CP Sig B, the entity B to check the legality, if valid, the authentication is not correct, wherein the public key of the entity B contained in the CP B certificate Cert Control entity B in B;
- the present application further provides a working method of the entity B for implementing the foregoing method, including the following steps:
- MacTag B MAC1 (MK, ID B , ID A , Q B , Q A ), and sends a fourth identity authentication message including MacTag B to entity A.
- SIG is a digital signature algorithm
- ID A is the identity of entity A
- ID B is the identity of entity B
- f is a key calculation function
- KDF is a key derivation algorithm
- MAC1 is a kind Message authentication code calculation method.
- Verifying Sig A by using the public key CP A of the entity A checking whether the entity A is legal. If it is not legal, the verification is incorrect.
- the public key CP A of the entity A is included in the certificate Cert A of the entity A;
- the present application further provides an apparatus corresponding to the entity A for implementing the foregoing method, including a storage unit 201, a processing unit 202, and a transceiver unit 203, where:
- the storage unit 201 is configured to store the certificate Cert A and the private key CS A ;
- the processing unit 202 is configured to generate a random number N A , a temporary private key d A , and a temporary public key Q A ;
- the transceiver unit 203 is configured to send a first identity authentication message including N A
- the processing unit 202 is further configured to check, according to the received second identity authentication message from the entity B, including N A
- the processing unit 202 is further configured to check whether the temporary public key Q B of the other device has been stored, and if the Q B has been stored, use the stored Q B , otherwise check the received second identity authentication message. The validity of Q B , if valid, uses the Q B in the received second identity authentication message, and if not, terminates the authentication;
- the transceiver unit 203 is further configured to send, to the entity B, a third identity authentication message that includes N A
- SIG is a digital signature algorithm
- ID A is the identity of the device
- ID B is the identity of the other device
- f is a key calculation function
- KDF is a key derivation algorithm
- MAC1 is a message authentication code calculation method.
- the processing unit 202 is further configured to check, according to the received second identity authentication message that includes N A
- the processing unit 202 checks whether the random number N A in the received second identity authentication message is consistent with the random number N A sent by itself to the entity B. If not, the verification is incorrect.
- the processing unit 202 checks the validity of the received Cert B in the second identity authentication message, and if not, the verification is incorrect.
- the processing unit 202 verifies the Sig B by using the public key CP B of the entity B to check whether the entity B is legal. If it is not legal, the verification is incorrect.
- the public key CP B of the entity B is included in the certificate Cert B of the entity B.
- the present application further provides an apparatus corresponding to the entity B for implementing the foregoing method, including a storage unit 301, a processing unit 302, and a transceiver unit 303, where:
- the storage unit 301 is configured to store the certificate Cert B and the private key CS B ;
- the processing unit 302 is configured to generate a random number N B , a temporary private key d B , and a temporary public key Q B ;
- the transceiver unit 303 is configured to receive a first identity authentication message from the entity A that includes the transmission of N A
- the transceiver unit 303 is further configured to send, to the entity A, a second identity authentication message including N A
- the processing unit 302 is further configured to check the received third identity authentication message including N A
- the processing unit 302 is further configured to check whether the temporary public key Q A of the other device has been stored, and if the Q A has been stored, use the stored Q A , otherwise check the received third identity authentication message. The validity of Q A , if valid, uses the Q A in the received third identity authentication message, and if not, terminates the authentication;
- the transceiver unit 303 is further configured to send a fourth identity authentication message including the MacTag B to the entity A.
- SIG is a digital signature algorithm
- ID A is the identity of the other device
- ID B is the identity of the device
- f is a key calculation function
- KDF is a key derivation algorithm
- MAC1 is a message authentication code calculation method.
- the foregoing processing unit 302 is further configured to check, for the third identity authentication message that is received from the entity A, including N A
- MacTag A including:
- the processing unit 302 checks whether the random number N A in the received third identity authentication message is consistent with the last received random number N A , and if not, the verification is incorrect;
- the processing unit 302 checks whether the random number N B in the received third identity authentication message is consistent with the random number N B sent by the user to the entity A. If not, the verification is incorrect.
- the processing unit 302 verifies the Sig A by using the public key CP A of the entity A , and checks whether the entity A is legal. If it is not legal, the verification is incorrect.
- the public key CP A of the entity A is included in the certificate Cert A of the entity A;
- the present application implements identity authentication between entities with key negotiation function based on a symmetric cryptographic algorithm, and the application field is very extensive.
- the present application can be applied to the field of communication based on the air interface, such as radio frequency identification (RFID), sensor network (WSN), near field communication (NFC), contactless card, and wireless local area network (WLAN).
- RFID radio frequency identification
- WSN sensor network
- NFC near field communication
- WLAN wireless local area network
- Entity A and entity B may be readers and tags in the RFID field, nodes in the sensor network, terminal devices in the NFC domain, card readers and cards in the field of contactless card technology, terminals in wireless local area networks, and Access points, etc.
- the first identity authentication message sent by the entity A to the entity B is encapsulated and transmitted by using the ACT_REQ protocol data unit, and the entity B sends
- the second identity authentication message to the entity A is encapsulated and transmitted by using the ACT_RES protocol data unit.
- the third identity authentication message sent by the entity A to the entity B is encapsulated and transmitted by using the VFY_REQ protocol data unit, and the entity B sends the entity to the entity.
- the fourth identity authentication message of A is encapsulated and transmitted by using the VFY_RES protocol data unit, wherein ACT_REQ, ACT_RES, VFY_REQ, and VFY_RES are protocol data unit formats conforming to the standard ISO/IEC 13157-1. After being encapsulated in this way, the technical solution of the present application is more compatible with other existing NFC security mechanisms.
- embodiments of the present application can be provided as a method, system, or computer program.
- Product can take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment in combination of software and hardware.
- the application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) including computer usable program code.
- the computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising the instruction device.
- the apparatus implements the functions specified in one or more blocks of a flow or a flow and/or block diagram of the flowchart.
- These computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on a computer or other programmable device to produce computer-implemented processing for execution on a computer or other programmable device.
- the instructions provide steps for implementing the functions specified in one or more of the flow or in a block or blocks of a flow diagram.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
- Small-Scale Networks (AREA)
Abstract
Description
Claims (12)
- 一种实体鉴别方法,其特征在于:步骤1,实体A向实体B发送包括NA||CertA的第一身份鉴别消息,其中,NA为实体A产生的随机数,CertA为实体A的证书;步骤2,实体B收到来自实体A的第一身份鉴别消息后,检查第一身份鉴别消息中证书CertA的有效性,若证书无效,则终止鉴别;步骤3,实体B产生随机数NB,利用自身的私钥CSB计算数字签名SigB=SIG(CSB,IDA||IDB||NA||NB||QB),其中SIG为数字签名算法,IDA和IDB分别为实体A和实体B的标识信息,QB为实体B的临时公钥,实体B向实体A发送包括NA||NB||CertB||QB||SigB的第二身份鉴别消息,其中CertB为实体B的证书;步骤4,实体A收到来自实体B的包括NA||NB||CertB||QB||SigB的第二身份鉴别消息后,检查第二身份鉴别消息中字段数据的正确性,若验证不正确,则终止鉴别;步骤5,实体A利用自身的私钥CSA计算实体A的数字签名SigA=SIG(CSA,IDA||IDB||NA||NB||QA),其中QA为实体A的临时公钥;实体A检查是否已存储有实体B的临时公钥QB,若已存储有QB,则使用已存储的QB,否则检查收到的第二身份鉴别消息中的QB的有效性,如果有效,则使用收到的第二身份鉴别消息中的QB,如果无效,则终止鉴别;步骤6,实体A基于ECDH密钥交换协议,利用实体A事先产生的临时私钥dA和实体B的临时公钥QB计算秘密信息z=f(dA,QB),其中f指密钥计算函数,如果计算出错,则终止鉴别,否则,实体A将计算出的秘密信息z转换为字符串Z,计算密钥MK=KDF(NA,NB,Z,IDA,IDB),其中KDF指密钥推导算法,计算消息鉴别码MacTagA=MAC1(MK,IDA,IDB,QA,QB),其中MAC1为一种消息鉴别码计算方法,并发送包括NA||NB||QA||SigA||MacTagA的第三身份鉴别消息给实体B;步骤7,实体B接收到来自实体A的包括NA||NB||QA||SigA||MacTagA的第三身份鉴别消息后,检查第三身份鉴别消息中字段数据的正确性,若验证不正确,则终止鉴别;步骤8,实体B检查是否已存储有实体A的临时公钥QA,若已存储有QA,则使用已存储的QA,否则检查收到的第三身份鉴别消息中的QA的有效性,如果有效,则使用收到的第三身份鉴别消息中的QA,如果无效,则终止鉴别;步骤9,实体B基于ECDH密钥交换协议,利用实体B事先产生的临时私钥dB和实体A的临时公钥QA计算秘密信息z=f(dB,QA),如果计算出错,则终止鉴别,否则,实体B将计算出的秘密信息z转换为字符串Z,并计算密钥MK=KDF(NA,NB,Z,IDA,IDB),计算消息鉴别码MacTagA=MAC1(MK,IDA,IDB,QA,QB),并与收到的实体A发送的第三身份鉴 别消息中的MacTagA进行比较,如果不相等,则终止鉴别;否则,实体B认为实体A合法,并计算消息鉴别码MacTagB=MAC1(MK,IDB,IDA,QB,QA),将包括MacTagB的第四身份鉴别消息发送给实体A;步骤10,实体A收到来自实体B的第四身份鉴别消息后,计算MacTagB=MAC1(MK,IDB,IDA,QB,QA),并与收到的第四身份鉴别消息中的MacTagB进行比较,如果不相等,则认为实体B非法;如果相等,则认为实体B合法。
- 如权利要求1所述的方法,其特征在于,所述步骤4中,实体A收到来自实体B的包括NA||NB||CertB||QB||SigB的第二身份鉴别消息后,检查第二身份鉴别消息中字段数据的正确性,包括:4.1,实体A检查收到的所述第二身份鉴别消息中的随机数NA是否与自己发送给实体B的随机数NA一致,若不一致,则验证不正确;4.2,实体A检查所述第二身份鉴别消息中CertB的有效性,若无效,则验证不正确;4.3,实体A利用实体B的公钥CPB验证SigB,检查实体B是否合法,若不合法,则验证不正确,其中,实体B的公钥CPB包含在实体B的证书CertB中;其中,任何一项验证不正确,则认为对实体A收到的NA||NB||CertB||QB||SigB的验证结果不正确。
- 如权利要求1所述的方法,其特征在于,所述步骤7中,实体B接收到来自实体A的包括NA||NB||QA||SigA||MacTagA的第三身份鉴别消息后,检查第三身份鉴别消息中字段数据的正确性,包括:7.1,实体B检查收到的所述第三身份鉴别消息中的随机数NA是否与上一次收到的随机数NA一致,若不一致,则验证不正确;7.2,实体B检查收到的所述第三身份鉴别消息中的随机数NB是否与自己发送给实体A的随机数NB一致,若不一致,则验证不正确;7.3,实体B利用实体A的公钥CPA验证SigA,检查实体A是否合法,若不合法,则验证不正确,其中,实体A的公钥CPA包含在实体A的证书CertA中;其中,任何一项验证不正确,则认为对实体B收到的包括NA||NB||QA||SigA||MacTagA的验证结果不正确。
- 一种实体A与实体B进行实体鉴别时,实体A的工作方法,其特征在于,所述方法包括如下步骤:产生随机数NA,向实体B发送包括NA||CertA的第一身份鉴别消息,其中,CertA为实体A的证书;收到来自实体B的包括NA||NB||CertB||QB||SigB的第二身份鉴别消息后,检查第二身份鉴别消息中字段数据的正确性,若验证不正确,则终止鉴别;利用自身的私钥CSA和临时公钥QA计算数字签名SigA=SIG(CSA,IDA||IDB||NA||NB||QA);检查是否已存储有实体B的临时公钥QB,若已存储有QB,则使用已存储的QB,否则检查收到的第二身份鉴别消息中的QB的有效性,如果有效,则使用收到的第二身份鉴别消息中的QB,如果无效,则终止鉴别;基于ECDH密钥交换协议,利用事先产生的临时私钥dA和实体B的临时公钥QB计算秘密信息z=f(dA,QB),如果计算出错,则终止鉴别,否则,将计算出的秘密信息z转换为字符串Z,计算密钥MK=KDF(NA,NB,Z,IDA,IDB),其中KDF指密钥推导算法,计算消息鉴别码MacTagA=MAC1(MK,IDA,IDB,QA,QB),并发送包括NA||NB||QA||SigA||MacTagA的第三身份鉴别消息给实体B;收到来自实体B的第四身份鉴别消息后,计算MacTagB=MAC1(MK,IDB,IDA,QB,QA),并与收到的第四身份鉴别消息中的MacTagB进行比较,如果不相等,则认为实体B非法;如果相等,则认为实体B合法;其中,SIG为一种数字签名算法,IDA为实体A的身份标识,IDB为实体B的身份标识,f为一种密钥计算函数,KDF为一种密钥推导算法,MAC1为一种消息鉴别码计算方法。
- 如权利要求4所述的方法,其特征在于,所述收到来自实体B的包括NA||NB||CertB||QB||SigB的第二身份鉴别消息后,检查第二身份鉴别消息中字段数据的正确性,包括:检查收到的所述第二身份鉴别消息中的随机数NA是否与自己发送给实体B的随机数NA一致,若不一致,则验证不正确;检查收到的所述第二身份鉴别消息中CertB的有效性,若无效,则验证不正确;利用实体B的公钥CPB验证SigB,检查实体B是否合法,若不合法,则验证不正确,其中,实体B的公钥CPB包含在实体B的证书CertB中;其中,任何一项验证不正确,则认为对收到的NA||NB||CertB||QB||SigB的验证结果不正确。
- 一种实体A与实体B进行实体鉴别时,实体B的工作方法,其特征在于,所述方法包括如下步骤:收到来自实体A的包括NA||CertA的第一身份鉴别消息后,检查第一身份鉴别消息中证书CertA的有效性,若证书无效,则终止鉴别;产生随机数NB,利用自身的私钥CSB和临时公钥QB计算数字签名SigB=SIG(CSB,IDA||IDB||NA||NB||QB),向实体A发送包括NA||NB||CertB||QB||SigB的第二身份鉴别消息,其中CertB为证书;接收到来自实体A的包括NA||NB||QA||SigA||MacTagA第三身份鉴别消息后,检查第三身份鉴别消息中字段数据的正确性,若验证不正确,则终止鉴别;检查是否已存储有实体A的临时公钥QA,若已存储有QA,则使用已存储的QA,否则检查收到的第三身份鉴别消息中的QA的有效性,如果有效,则使用收到的第三身份鉴别消息中的QA,如果无效,则终止鉴别;基于ECDH密钥交换协议,利用事先产生的临时私钥dB和实体A的临时公钥QA计算秘密信息z=f(dB,QA),如果计算出错,则终止鉴别,否则,将计算出的秘密信息z转换为字符串Z,并计算密钥MK=KDF(NA,NB,Z,IDA,IDB),计算消息鉴别码MacTagA=MAC1(MK,IDA,IDB,QA,QB),并与收到的实体A发送的第三身份鉴别消息中的MacTagA进行比较,如果不相等,则终止鉴别;否则,认为实体A合法,并计算消息鉴别码MacTagB=MAC1(MK,IDB,IDA,QB,QA),将包括MacTagB的第四身份鉴别消息发送给实体A;其中,SIG为一种数字签名算法,IDA为实体A的身份标识,IDB为实体B的身份标识,f为一种密钥计算函数,KDF为一种密钥推导算法,MAC1为一种消息鉴别码计算方法。
- 如权利要求6所述的方法,其特征在于,所述收到来自实体A的包括NA||NB||QA||SigA||MacTagA第三身份鉴别消息后,检查第三身份鉴别消息中字段数据的正确性,包括:检查收到的所述第三身份鉴别消息中的随机数NA是否与上一次收到的随机数NA一致,若不一致,则验证不正确;检查收到的所述第三身份鉴别消息中的随机数NB是否与自己发送给实体A的随机数NB一致,若不一致,则验证不正确;利用实体A的公钥CPA验证SigA,检查实体A是否合法,若不合法,则验证不正确,其中,实体A的公钥CPA包含在实体A的证书CertA中;其中,任何一项验证不正确,则认为对收到的NA||NB||QA||SigA||MacTagA的验证结果不正确。
- 一种装置,用于与另一装置进行实体鉴别,所述装置包括存储单元、处理单元及收发单元,其特征在于:存储单元用于存储所述装置的证书CertA、私钥CSA;处理单元用于产生随机数NA、临时私钥dA和临时公钥QA;收发单元用于向所述另一装置发送包括NA||CertA的第一身份鉴别消息;还用于接收所述另一装置发送的包括NA||NB||CertB||QB||SigB的第二身份鉴别消息;处理单元还用于对收到的来自所述另一装置的包括NA||NB||CertB||QB||SigB的第二身份鉴别消息进行检查,若验证不正确,则终止鉴别;处理单元还用于利用私钥CSA和临时公钥QA计算数字签名SigA=SIG(CSA, IDA||IDB||NA||NB||QA);处理单元还用于检查是否已存储有所述另一装置的临时公钥QB,若已存储有QB,则使用已存储的QB,否则检查收到的第二身份鉴别消息中的QB的有效性,如果有效,则使用收到的第二身份鉴别消息中的QB,如果无效,则终止鉴别;处理单元还用于基于ECDH密钥交换协议,利用dA和所述另一装置的临时公钥QB计算秘密信息z=f(dA,QB),计算正确时将计算出的秘密信息z转换为字符串Z,计算密钥MK=KDF(NA,NB,Z,IDA,IDB),计算消息鉴别码MacTagA=MAC1(MK,IDA,IDB,QA,QB);收发单元还用于向所述另一装置发送包括NA||NB||QA||SigA||MacTagA的第三身份鉴别消息,并用于接收所述另一装置发送的包括MacTagB的第四身份鉴别消息;处理单元还用于计算MacTagB=MAC1(MK,IDB,IDA,QB,QA),然后将计算得到的MacTagB与所述另一装置发来的MacTagB进行比较,如果相等,则认为所述另一装置身份合法;其中,SIG为一种数字签名算法,IDA为所述装置的身份标识,IDB为所述另一装置的身份标识,f为一种密钥计算函数,KDF为一种密钥推导算法,MAC1为一种消息鉴别码计算方法。
- 如权利要求9所述的装置,其特征在于,所述的处理单元还用于对收到的来自所述另一装置的包括NA||NB||CertB||QB||SigB的第二身份鉴别消息进行检查,包括:处理单元检查收到的所述第二身份鉴别消息中的随机数NA是否与自己发送给所述另一装置的随机数NA一致,若不一致,则验证不正确;处理单元检查收到的所述第二身份鉴别消息中CertB的有效性,若无效,则验证不正确;处理单元利用所述另一装置的公钥CPB验证SigB,检查所述另一装置是否合法,若不合法,则验证不正确,其中,所述另一装置的公钥CPB包含在所述另一装置的证书CertB中;其中,任何一项验证不正确,则认为对收到的NA||NB||CertB||QB||SigB的验证结果不正确。
- 一种装置,用于与另一装置进行实体鉴别,所述装置包括存储单元、处理单元及收发单元,其特征在于:存储单元用于存储所述装置的证书CertB、私钥CSB;处理单元用于产生随机数NB、临时私钥dB和临时公钥QB;收发单元用于接收来自所述另一装置的包括NA||CertA的发送的第一身份鉴别消息;处理单元用于检查收到的来自所述另一装置的第一身份鉴别消息中证书CertA的有效性,若证书无效,则终止鉴别,还用于利用私钥CSB和临时公钥QB计算数字签名 SigB=SIG(CSB,IDA||IDB||NA||NB||QB);收发单元还用于向所述另一装置发送包括NA||NB||CertB||QB||SigB的第二身份鉴别消息,并用于接收所述另一装置发送的包括NA||NB||QA||SigA||MacTagA的第三身份鉴别消息;处理单元还用于对收到的包括NA||NB||QA||SigA||MacTagA的第三身份鉴别消息进行检查,若验证不正确,则终止鉴别;处理单元还用于检查是否已存储有所述另一装置的临时公钥QA,若已存储有QA,则使用已存储的QA,否则检查收到的第三身份鉴别消息中的QA的有效性,如果有效,则使用收到的第三身份鉴别消息中的QA,如果无效,则终止鉴别;处理单元还用于基于ECDH密钥交换协议,利用临时私钥dB和所述所述另一装置的临时公钥QA计算秘密信息z=f(dB,QA),计算正确时将计算出的秘密信息z转换为字符串Z,并计算密钥MK=KDF(NA,NB,Z,IDA,IDB),计算消息鉴别码MacTagA=MAC1(MK,IDA,IDB,QA,QB),然后将计算得到的MacTagA与所述另一装置发来的MacTagA进行比较,如果相等,则认为所述另一装置身份合法,并计算消息鉴别码MacTagB=MAC1(MK,IDB,IDA,QB,QA);收发单元还用于向所述另一装置发送包括MacTagB的第四身份鉴别消息;其中,SIG为一种数字签名算法,IDA为所述另一装置的身份标识,IDB为所述装置的身份标识,f为一种密钥计算函数,KDF为一种密钥推导算法,MAC1为一种消息鉴别码计算方法。
- 如权利要求10所述的装置,其特征在于,所述处理单元还用于对收到的来自所述另一装置的包括NA||NB||QA||SigA||MacTagA的第三身份鉴别消息进行检查,包括:处理单元检查收到的所述第三身份鉴别消息中的随机数NA是否与上一次收到的随机数NA一致,若不一致,则验证不正确;处理单元检查收到的所述第三身份鉴别消息中的随机数NB是否与自己发送给所述另一装置的随机数NB一致,若不一致,则验证不正确;处理单元利用所述另一装置的公钥CPA验证SigA,检查所述另一装置是否合法,若不合法,则验证不正确,其中,所述另一装置的公钥CPA包含在所述另一装置的证书CertA中;其中,任何一项验证不正确,则认为对收到的NA||NB||QA||SigA||MacTagA的验证结果不正确。
- 如权利要求1-11中任意一项所述的方法或装置,其特征在于,所述第一身份鉴别消息是利用ACT_REQ协议数据单元进行封装后传输的,所述第二身份鉴别消息是利用ACT_RES协议数据单元进行封装后传输的,所述第三身份鉴别消息是利用VFY_REQ协议数据单元进行封装后传输的,所述第四身份鉴别消息是利用VFY_RES协议数据单元进 行封装后传输的,其中,ACT_REQ、ACT_RES、VFY_REQ及VFY_RES是符合标准ISO/IEC13157-1定义的协议数据单元格式。
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020167030523A KR101856682B1 (ko) | 2014-03-31 | 2015-03-27 | 엔티티의 인증 방법 및 장치 |
EP15772431.1A EP3128696B1 (en) | 2014-03-31 | 2015-03-27 | Entity authentication method and device |
ES15772431T ES2768963T3 (es) | 2014-03-31 | 2015-03-27 | Procedimiento y dispositivo de autenticación de entidad |
JP2016559840A JP2017517915A (ja) | 2014-03-31 | 2015-03-27 | エンティティの認証方法及び装置 |
US15/122,806 US10389702B2 (en) | 2014-03-31 | 2015-03-27 | Entity authentication method and device with Elliptic Curve Diffie Hellman (ECDH) key exchange capability |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410126328.8 | 2014-03-31 | ||
CN201410126328.8A CN104954130B (zh) | 2014-03-31 | 2014-03-31 | 一种实体鉴别方法及装置 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2015149658A1 true WO2015149658A1 (zh) | 2015-10-08 |
Family
ID=54168509
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2015/075285 WO2015149658A1 (zh) | 2014-03-31 | 2015-03-27 | 一种实体鉴别方法及装置 |
Country Status (7)
Country | Link |
---|---|
US (1) | US10389702B2 (zh) |
EP (1) | EP3128696B1 (zh) |
JP (1) | JP2017517915A (zh) |
KR (1) | KR101856682B1 (zh) |
CN (1) | CN104954130B (zh) |
ES (1) | ES2768963T3 (zh) |
WO (1) | WO2015149658A1 (zh) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3941101A1 (en) | 2015-05-22 | 2022-01-19 | Huawei Device Co., Ltd. | Cryptographic unit for public key infrastructure (pki) operations |
US9596079B1 (en) * | 2016-04-14 | 2017-03-14 | Wickr Inc. | Secure telecommunications |
JP7096998B2 (ja) * | 2018-08-21 | 2022-07-07 | 村田機械株式会社 | 通信許容相手登録方法 |
CN110879879B (zh) * | 2018-09-05 | 2023-08-22 | 航天信息股份有限公司 | 物联网身份认证方法、装置、电子设备、系统及存储介质 |
CN110636504B (zh) * | 2019-10-24 | 2022-09-06 | 飞天诚信科技股份有限公司 | 一种轻量级鉴别方法及系统 |
CN114760043A (zh) * | 2020-12-26 | 2022-07-15 | 西安西电捷通无线网络通信股份有限公司 | 一种身份鉴别方法和装置 |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101159639A (zh) * | 2007-11-08 | 2008-04-09 | 西安西电捷通无线网络通信有限公司 | 一种单向接入认证方法 |
CN101984577A (zh) * | 2010-11-12 | 2011-03-09 | 西安西电捷通无线网络通信股份有限公司 | 匿名实体鉴别方法及系统 |
CN102014386A (zh) * | 2010-10-15 | 2011-04-13 | 西安西电捷通无线网络通信股份有限公司 | 一种基于对称密码算法的实体鉴别方法及系统 |
Family Cites Families (41)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2870163B2 (ja) * | 1990-09-07 | 1999-03-10 | 松下電器産業株式会社 | 認証機能付き鍵配送方式 |
JP2948294B2 (ja) * | 1990-09-20 | 1999-09-13 | 松下電器産業株式会社 | 認証機能付き鍵配送システムにおける端末 |
US6367009B1 (en) * | 1998-12-17 | 2002-04-02 | International Business Machines Corporation | Extending SSL to a multi-tier environment using delegation of authentication and authority |
EP1124350A1 (en) | 1999-08-20 | 2001-08-16 | Sony Corporation | Information transmission system and method, drive device and access method, information recording medium, device and method for producing recording medium |
JP3880419B2 (ja) * | 2002-02-21 | 2007-02-14 | 日本電信電話株式会社 | 無線アクセスネットワーク、無線マルチホップネットワーク、認証サーバ、基地局及び無線端末 |
AU2003244310A1 (en) | 2002-06-19 | 2004-03-11 | Advanced Computer Systems, Inc. | Inter-authentication method and device |
KR100520116B1 (ko) * | 2003-05-16 | 2005-10-10 | 삼성전자주식회사 | 모바일 애드 혹 상의 암호화를 위한 노드간 키 분배 방법및 이를 이용한 네트워크 장치 |
CN100544249C (zh) | 2004-10-29 | 2009-09-23 | 大唐移动通信设备有限公司 | 移动通信用户认证与密钥协商方法 |
CN100389555C (zh) * | 2005-02-21 | 2008-05-21 | 西安西电捷通无线网络通信有限公司 | 一种适合有线和无线网络的接入认证方法 |
WO2006091844A1 (en) * | 2005-02-25 | 2006-08-31 | Qualcomm Incorporated | Small public-key based digital signatures for authentication |
US7836306B2 (en) * | 2005-06-29 | 2010-11-16 | Microsoft Corporation | Establishing secure mutual trust using an insecure password |
US7791451B2 (en) | 2006-10-17 | 2010-09-07 | International Business Machines Corporation | Methods, systems, and computer program products for providing mutual authentication for radio frequency identification (RFID) security |
CN101242323B (zh) | 2007-02-06 | 2010-12-08 | 华为技术有限公司 | 设备间管道的建立方法和家庭网络系统 |
US7907735B2 (en) | 2007-06-15 | 2011-03-15 | Koolspan, Inc. | System and method of creating and sending broadcast and multicast data |
JP5132222B2 (ja) * | 2007-08-13 | 2013-01-30 | 株式会社東芝 | クライアント装置、サーバ装置及びプログラム |
US20090094372A1 (en) | 2007-10-05 | 2009-04-09 | Nyang Daehun | Secret user session managing method and system under web environment, recording medium recorded program executing it |
CN100553193C (zh) * | 2007-10-23 | 2009-10-21 | 西安西电捷通无线网络通信有限公司 | 一种基于可信第三方的实体双向鉴别方法及其系统 |
CN100488099C (zh) | 2007-11-08 | 2009-05-13 | 西安西电捷通无线网络通信有限公司 | 一种双向接入认证方法 |
CN100495964C (zh) * | 2007-12-03 | 2009-06-03 | 西安西电捷通无线网络通信有限公司 | 一种轻型接入认证方法 |
FR2925245B1 (fr) * | 2007-12-12 | 2010-06-11 | Sagem Securite | Controle d'une entite a controler par une entite de controle |
CN101222328B (zh) * | 2007-12-14 | 2010-11-03 | 西安西电捷通无线网络通信股份有限公司 | 一种实体双向鉴别方法 |
EP2073430B1 (en) | 2007-12-21 | 2013-07-24 | Research In Motion Limited | Methods and systems for secure channel initialization transaction security based on a low entropy shared secret |
CN101232378B (zh) * | 2007-12-29 | 2010-12-08 | 西安西电捷通无线网络通信股份有限公司 | 一种无线多跳网络的认证接入方法 |
US8503679B2 (en) * | 2008-01-23 | 2013-08-06 | The Boeing Company | Short message encryption |
EP2120393A1 (en) | 2008-05-14 | 2009-11-18 | Nederlandse Centrale Organisatie Voor Toegepast Natuurwetenschappelijk Onderzoek TNO | Shared secret verification method |
CN101286844B (zh) * | 2008-05-29 | 2010-05-12 | 西安西电捷通无线网络通信有限公司 | 一种支持快速切换的实体双向鉴别方法 |
CN101364875B (zh) | 2008-09-12 | 2010-08-11 | 西安西电捷通无线网络通信有限公司 | 一种实现实体的公钥获取、证书验证及双向鉴别的方法 |
CN101364876B (zh) | 2008-09-12 | 2011-07-06 | 西安西电捷通无线网络通信股份有限公司 | 一种实现实体的公钥获取、证书验证及鉴别的方法 |
CN101754213B (zh) | 2008-11-28 | 2012-11-14 | 爱思开电讯投资(中国)有限公司 | 保证应用安全的智能卡、终端设备、鉴权服务器及其方法 |
US20100153731A1 (en) * | 2008-12-17 | 2010-06-17 | Information And Communications University | Lightweight Authentication Method, System, and Key Exchange Protocol For Low-Cost Electronic Devices |
US8705740B2 (en) * | 2008-12-30 | 2014-04-22 | King Fahd University Of Petroleum And Minerals | Elliptic curve-based message authentication code system and method |
CN101645899B (zh) | 2009-05-27 | 2011-08-17 | 西安西电捷通无线网络通信股份有限公司 | 基于对称加密算法的双向认证方法及系统 |
CN101631114B (zh) * | 2009-08-19 | 2011-09-21 | 西安西电捷通无线网络通信股份有限公司 | 一种基于公钥证书的身份鉴别方法及其系统 |
WO2011039460A2 (fr) * | 2009-09-30 | 2011-04-07 | France Telecom | Procede et dispositifs de communications securisees dans un reseau de telecommunications |
CN101853369B (zh) | 2010-04-01 | 2012-09-26 | 西北工业大学 | 基于随机哈希的双向认证方法 |
CN103155481A (zh) * | 2010-10-15 | 2013-06-12 | 塞尔蒂卡姆公司 | 具有消息恢复的数字签名的认证加密 |
US9100382B2 (en) * | 2012-03-20 | 2015-08-04 | Qualcomm Incorporated | Network security configuration using short-range wireless communication |
US9124433B2 (en) * | 2012-12-28 | 2015-09-01 | Vasco Data Security, Inc. | Remote authentication and transaction signatures |
JP6428601B2 (ja) * | 2013-03-29 | 2018-11-28 | ソニー株式会社 | 集積回路、通信方法、コンピュータプログラム及び通信装置 |
US8971540B2 (en) * | 2013-05-30 | 2015-03-03 | CertiVox Ltd. | Authentication |
US9350550B2 (en) * | 2013-09-10 | 2016-05-24 | M2M And Iot Technologies, Llc | Power management and security for wireless modules in “machine-to-machine” communications |
-
2014
- 2014-03-31 CN CN201410126328.8A patent/CN104954130B/zh active Active
-
2015
- 2015-03-27 KR KR1020167030523A patent/KR101856682B1/ko active IP Right Grant
- 2015-03-27 WO PCT/CN2015/075285 patent/WO2015149658A1/zh active Application Filing
- 2015-03-27 JP JP2016559840A patent/JP2017517915A/ja active Pending
- 2015-03-27 EP EP15772431.1A patent/EP3128696B1/en active Active
- 2015-03-27 ES ES15772431T patent/ES2768963T3/es active Active
- 2015-03-27 US US15/122,806 patent/US10389702B2/en active Active
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101159639A (zh) * | 2007-11-08 | 2008-04-09 | 西安西电捷通无线网络通信有限公司 | 一种单向接入认证方法 |
CN102014386A (zh) * | 2010-10-15 | 2011-04-13 | 西安西电捷通无线网络通信股份有限公司 | 一种基于对称密码算法的实体鉴别方法及系统 |
CN101984577A (zh) * | 2010-11-12 | 2011-03-09 | 西安西电捷通无线网络通信股份有限公司 | 匿名实体鉴别方法及系统 |
Also Published As
Publication number | Publication date |
---|---|
CN104954130B (zh) | 2019-08-20 |
KR101856682B1 (ko) | 2018-06-19 |
US10389702B2 (en) | 2019-08-20 |
ES2768963T3 (es) | 2020-06-24 |
EP3128696B1 (en) | 2019-11-20 |
EP3128696A1 (en) | 2017-02-08 |
CN104954130A (zh) | 2015-09-30 |
JP2017517915A (ja) | 2017-06-29 |
KR20160140880A (ko) | 2016-12-07 |
EP3128696A4 (en) | 2017-04-05 |
US20170085557A1 (en) | 2017-03-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
AU2021203815B2 (en) | Methods for secure cryptogram generation | |
WO2015149658A1 (zh) | 一种实体鉴别方法及装置 | |
KR101931894B1 (ko) | 사전-공유 키에 기초한 개체 인증 방법 및 디바이스 | |
US11636478B2 (en) | Method of performing authentication for a transaction and a system thereof | |
CA2969332C (en) | A method and device for authentication | |
JP5537129B2 (ja) | 認証システム、認証方法およびプログラム | |
CN104780049B (zh) | 一种安全读写数据的方法 | |
CN104915689B (zh) | 一种智能卡信息处理方法 | |
Lee et al. | Design of a simple user authentication scheme using QR-code for mobile device | |
EP3035589A1 (en) | Security management system for authenticating a token by a service provider server | |
KR20110050931A (ko) | Rfid 시스템에서의 상호 인증 장치 및 방법 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 15772431 Country of ref document: EP Kind code of ref document: A1 |
|
WWE | Wipo information: entry into national phase |
Ref document number: 15122806 Country of ref document: US |
|
REEP | Request for entry into the european phase |
Ref document number: 2015772431 Country of ref document: EP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2015772431 Country of ref document: EP |
|
ENP | Entry into the national phase |
Ref document number: 2016559840 Country of ref document: JP Kind code of ref document: A |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
ENP | Entry into the national phase |
Ref document number: 20167030523 Country of ref document: KR Kind code of ref document: A |