WO2016176902A1 - Terminal authentication method, management terminal and application terminal - Google Patents

Terminal authentication method, management terminal and application terminal Download PDF

Info

Publication number
WO2016176902A1
WO2016176902A1 PCT/CN2015/082896 CN2015082896W WO2016176902A1 WO 2016176902 A1 WO2016176902 A1 WO 2016176902A1 CN 2015082896 W CN2015082896 W CN 2015082896W WO 2016176902 A1 WO2016176902 A1 WO 2016176902A1
Authority
WO
WIPO (PCT)
Prior art keywords
target value
digital certificate
terminal
encryption result
management terminal
Prior art date
Application number
PCT/CN2015/082896
Other languages
French (fr)
Chinese (zh)
Inventor
钟焰涛
傅文治
林荣辉
谭中军
Original Assignee
宇龙计算机通信科技(深圳)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 宇龙计算机通信科技(深圳)有限公司 filed Critical 宇龙计算机通信科技(深圳)有限公司
Publication of WO2016176902A1 publication Critical patent/WO2016176902A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03Protecting confidentiality, e.g. by encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication

Definitions

  • the present invention relates to the field of mobile communications technologies, and in particular, to a terminal authentication method, a management terminal, and an application terminal.
  • D2D communication is a new technology that allows terminals to communicate directly by multiplexing cell resources under the control of the system. It can increase the spectrum efficiency of the cellular communication system and reduce the terminal transmission. Power, to a certain extent, solves the problem of lack of spectrum resources in wireless communication systems.
  • D2D communication includes different communication methods such as one-to-one communication and group communication.
  • D2D group communication one user equipment acts as a group manager to establish a group, other user equipments join a group, and end-to-end communication is implemented within the group.
  • the administrator of the group When a user equipment applies to join a communication group, the administrator of the group must authenticate the user equipment.
  • the current authentication method is that the applicant sends his digital certificate to the administrator, and the administrator verifies the digital certificate.
  • the legality of the digital signature if legal, accepts the applicant's application and joins the applicant to the communication group.
  • the digital certificate is easily acquired by other user equipments, once the applicant's digital certificate is stolen by other user equipment and participates in the authentication process, the applicant cannot join the communication group, thereby affecting the security of the authentication process.
  • the embodiment of the invention provides a terminal authentication method, a management terminal and an application terminal, which can improve the security of the authentication process.
  • a first aspect of the embodiments of the present invention provides a terminal authentication method, which may include:
  • the management terminal When the management terminal receives the application that is sent by the application terminal and carries the first digital certificate, joins the group. And the management terminal encrypts the first target value according to the first digital certificate to obtain a first encryption result;
  • the management terminal sends the first encryption result and the second digital certificate of the local end to the application terminal, so that the application terminal decrypts the first encryption result to obtain a second target value, and according to the The second digital certificate encrypts the second target value to obtain a second encryption result;
  • the management terminal acquires the second encryption result sent by the application terminal, and decrypts the second encryption result to obtain a third target value, and the third target value is compared with the first target value. At the same time, the authentication of the application terminal is passed.
  • the second aspect of the embodiment of the present invention provides another terminal authentication method, which may include:
  • the application terminal sends an application for carrying the first digital certificate of the local end to join the group message to the management terminal, so that the management terminal encrypts the first target value according to the first digital certificate to obtain a first encryption result;
  • a third aspect of the embodiments of the present invention provides a management terminal, which may include:
  • An encryption unit configured to: when the management terminal receives the application that is sent by the application terminal and carries the first digital certificate, join the group message, and encrypt the first target value according to the first digital certificate to obtain the first encryption result;
  • a sending unit configured to send the first encryption result and the second digital certificate of the local end to the application terminal, so that the application terminal decrypts the first encryption result to obtain a second target value, and according to the The second digital certificate encrypts the second target value to obtain a second encryption result;
  • a decrypting unit configured to acquire the second encryption result sent by the application terminal, and decrypt the second encryption result to obtain a third target value, and the third target value and the first target value The same is true for the authentication of the application terminal.
  • a fourth aspect of the embodiments of the present invention provides an application terminal, which may include:
  • a message sending unit configured to send an application that joins the first digital certificate of the local end to the management terminal, so that the management terminal encrypts the first target value according to the first digital certificate to obtain a first encryption result
  • a decryption encryption unit configured to receive the first encryption result sent by the management terminal and the second digital certificate of the management terminal, and decrypt the first encryption result to obtain a second target value and according to the first The second digital certificate encrypts the second target value to obtain a second encryption result;
  • a result sending unit configured to send the second encryption result to the management terminal, so that the management terminal decrypts the second encryption result to obtain a third target value, and at the third target value When the first target value is the same, the authentication of the local end is performed.
  • the management terminal when the management terminal receives the application that carries the first digital certificate and sends the group message, the management terminal encrypts the first target value according to the first digital certificate to obtain the first encryption result. And then the management terminal sends the first encryption result and the second digital certificate of the management terminal to the application terminal, and the application terminal decrypts the first encryption result to obtain a second target value, and encrypts the second target value according to the second digital certificate.
  • the second encryption result is that the application terminal sends the second encryption result to the management terminal, the management terminal decrypts the second encryption result to obtain a third target value, and the third terminal value is the same as the first target value, and the authentication is performed on the application terminal.
  • the management terminal completes the authentication process of the application terminal according to the encryption and decryption result, and improves the security of the authentication process.
  • FIG. 1 is a schematic flowchart of a method for authenticating a terminal according to an embodiment of the present disclosure
  • FIG. 2 is a schematic flowchart of another terminal authentication method according to an embodiment of the present invention.
  • FIG. 3 is a schematic flowchart of still another terminal authentication method according to an embodiment of the present invention.
  • FIG. 4 is a schematic flowchart diagram of still another terminal authentication method according to an embodiment of the present invention.
  • FIG. 5 is a schematic structural diagram of a management terminal according to an embodiment of the present disclosure.
  • FIG. 6 is a schematic structural diagram of an encryption unit provided by the embodiment shown in FIG. 5;
  • FIG. 7 is a schematic structural diagram of a decryption unit provided by the embodiment shown in FIG. 5;
  • FIG. 8 is a schematic structural diagram of an application terminal according to an embodiment of the present disclosure.
  • FIG. 9 is a schematic structural diagram of a decryption and encryption unit provided by the embodiment shown in FIG. 8.
  • the terminal authentication method, the management terminal, and the application terminal provided by the embodiment of the present invention can be applied to the scenario in which the management terminal authenticates the application terminal in the D2D communication.
  • the management terminal and the application terminal are not in the network coverage, that is, the current network.
  • the signal difference does not support cellular communication between terminals, and D2D communication can be performed between terminals.
  • the application terminal wants to join the D2D communication group where the management terminal is located and communicates with the group members in the group
  • the management terminal needs to apply for the terminal.
  • the authentication of the authentication process can be implemented by using the embodiment of the present invention to implement authentication of the application terminal by the management terminal, preventing the digital certificate of the application terminal from being intercepted and utilized by other terminals.
  • the digital certificate of the application terminal is acquired by other terminals, the other terminal cannot decrypt the result of the management terminal encryption, and prevents the criminals from joining the group where the management terminal is located.
  • the management terminal and the application terminal provided by the embodiments of the present invention may include, but are not limited to, an electronic device such as a mobile phone, a PAD (tablet computer), and a smart wearable device.
  • the management terminal provided by the embodiment of the present invention is a manager who establishes a group in the D2D communication, and is responsible for authenticating other terminals that apply to join the group, and realizing communication between any two terminals in the group, and the terminals pass the wireless channel. The communication is performed. Therefore, the premise of the embodiment of the present invention is that the frequency of the wireless channel used by the application terminal and the management terminal is the same.
  • the terminal authentication method provided by the embodiment of the present invention will be described in detail below with reference to FIG.
  • FIG. 1 is a schematic flowchart of a method for authenticating a terminal according to an embodiment of the present invention.
  • the method may include steps S101 to S103.
  • the management terminal receives the application that is sent by the application terminal and carries the first digital certificate, the application joins. And the management terminal encrypts the first target value according to the first digital certificate to obtain a first encryption result.
  • the management terminal may receive an application joining group message sent by the application terminal, where the application joining group message carries a first digital certificate,
  • the first digital certificate is a digital certificate of the application terminal
  • the digital certificate is a file containing the public key owner information and the public key digitally signed by the certificate authority.
  • the simplest certificate contains a public key, a name, and a digital signature from the certificate authority.
  • the digital certificate adopts a public key system, that is, a pair of mutually matching keys are used for encryption and decryption.
  • the management terminal When the management terminal receives the application joining group message, the management terminal first checks whether the digital signature of the first digital certificate is correct, and when the digital signature of the first digital certificate is correct, the management The terminal acquires the public key of the first digital certificate, and encrypts the first target value by using the public key of the first digital certificate to obtain a first encryption result.
  • the first target value is a value arbitrarily selected by the management terminal.
  • the management terminal sends the first encryption result and the second digital certificate of the local end to the application terminal, so that the application terminal decrypts the first encryption result to obtain a second target value, and according to The second digital certificate encrypts the second target value to obtain a second encryption result.
  • the management terminal reads the second digital certificate of the local end, and sends the first encryption result and the second digital certificate obtained by the step S101 to the application terminal, where the second digital certificate includes The public key of the second digital certificate.
  • the application terminal receives the first encryption result and the second digital certificate sent by the management terminal, the application terminal performs the first encryption result by using a private key of the first digital certificate of the local end. Decrypting to obtain a second target value, and then the application terminal encrypts the second target value by using a public key of the second digital certificate to obtain a second encryption result.
  • the second target value may be the same as the first target value, or may be different.
  • the second target value is the same as the first target value, otherwise the second target value obtained by the application terminal decryption is different from the first target value. Since the first encryption result is obtained by encrypting the public key of the first digital certificate, and the second encryption result is obtained by encrypting the public key of the second digital certificate, the public key is different, so the first The second encryption result is different from the first encryption result, even if the second target value is the same as the first target value, The second encryption result is also different from the first encryption result.
  • the management terminal acquires the second encryption result sent by the application terminal, and decrypts the second encryption result to obtain a third target value, and the third target value and the first target.
  • the authentication of the application terminal is made when the values are the same.
  • the management terminal acquires the second encryption result sent by the application terminal, and reads a private key of the second digital certificate, and then uses the private key of the second digital certificate to the second
  • the encrypted result is decrypted to obtain a third target value.
  • the third target value may be the same as the second target value, and may be different.
  • the application terminal is not attacked by the outside world in sending the second encryption result, the third target value Same as the second target value, otherwise the third target value obtained by the management terminal decryption is not the same as the second target value. Therefore, when the wireless channel between the management terminal and the application terminal does not receive an external attack, the first target value is the same as the third target value.
  • the management terminal adds the application terminal to the group by using the authentication of the application terminal, and notifies the application terminal that the application is successful. It is possible to participate in communication between the groups.
  • the terminal A may not be able to Decrypting the first encryption result with its own private key, or the terminal A may forge the second target value. If the terminal A falsifies the second target value, the second target value is The first target value is different from the first target value, so the management terminal rejects the authentication application for the terminal A, and does not allow the terminal A to join the group, thereby improving the security of the group and the authentication process.
  • the management terminal when the management terminal receives the application that carries the first digital certificate and sends the group message, the management terminal encrypts the first target value according to the first digital certificate to obtain the first encryption result. And then the management terminal sends the first encryption result and the second digital certificate of the management terminal to the application terminal, and the application terminal decrypts the first encryption result to obtain a second target value, and encrypts the second target value according to the second digital certificate.
  • the second encryption result is that the application terminal sends the second encryption result to the management terminal, the management terminal decrypts the second encryption result to obtain a third target value, and the third terminal value is the same as the first target value, and the authentication is performed on the application terminal.
  • the management terminal completes the authentication process of the application terminal according to the encryption and decryption result, and improves the security of the authentication process.
  • FIG. 2 is a schematic flowchart of another method for authenticating a terminal according to an embodiment of the present invention.
  • the method may include steps S201 to S206.
  • the management terminal may receive an application joining group message sent by the application terminal, where the application joining group message carries a first digital certificate,
  • the first digital certificate is a digital certificate of the application terminal
  • the digital certificate is a file containing the public key owner information and the public key digitally signed by the certificate authority.
  • the simplest certificate contains a public key, a name, and a digital signature from the certificate authority.
  • the digital certificate adopts a public key system, that is, a pair of mutually matching keys are used for encryption and decryption.
  • the management terminal When the management terminal receives the application joining group message, the management terminal first checks whether the digital signature of the first digital certificate is correct, and when the digital signature of the first digital certificate is correct, the management The terminal can perform the subsequent authentication process; when the digital signature of the first digital certificate is incorrect, the management terminal rejects the middle calling terminal to join the group.
  • the management terminal acquires the public key of the first digital certificate, and encrypts the first target value by using the public key of the first digital certificate. An encrypted result.
  • the first digital certificate is a legal digital certificate of the application terminal, and therefore the management terminal acquires the publicity of the first digital certificate. Key, and encrypting the first target value by using the public key of the first digital certificate to obtain a first encryption result.
  • the first target value is a value arbitrarily selected by the management terminal. For example, the first target value is r 1 , the public key of the first digital certificate is pk 1 , and the first encryption result obtained by the management terminal is e 1 .
  • the management terminal reads the second digital certificate of the local end, and sends the first encryption result and the second digital certificate to the application terminal, so that the application terminal adopts the first digital certificate.
  • the private key decrypts the first encryption result to obtain a second target value, and encrypts the second target value by using the public key of the second digital certificate to obtain a second encryption result.
  • the management terminal reads the second digital certificate of the local end, and sends the first encryption result and the second digital certificate obtained by the step S202 to the application terminal, where the second digital certificate includes The public key of the second digital certificate.
  • the application terminal receives the first encryption result and the second digital certificate sent by the management terminal, the application terminal performs the first encryption result by using a private key of the first digital certificate of the local end. Decrypting to obtain a second target value, and then the application terminal encrypts the second target value by using a public key of the second digital certificate to obtain a second encryption result.
  • the public key of the second digital certificate is pk 2
  • the management terminal sends the first encryption result e 1 and pk 2 to the application terminal
  • the second target obtained by the application terminal decrypts
  • the value is r 2
  • the second encrypted result obtained by encryption is e 2 .
  • the second target value may be the same as the first target value, or may be different.
  • the management terminal sends the first encryption result and the second digital certificate, it is not attacked by the outside world. And the second target value is the same as the first target value, otherwise the second target value obtained by the application terminal decryption is different from the first target value. Since the first encryption result is obtained by encrypting the public key of the first digital certificate, and the second encryption result is obtained by encrypting the public key of the second digital certificate, the public key is different, so the first The second encryption result is different from the first encryption result, and the second encryption result is different from the first encryption result even if the second target value is the same as the first target value.
  • the management terminal acquires a second encryption result sent by the application terminal.
  • the application terminal sends the second encryption result encrypted by using the public key of the second digital certificate to the management terminal, and the management terminal acquires a second encryption result sent by the application terminal.
  • the management terminal reads the private key of the second digital certificate, and decrypts the second encryption result by using a private key of the second digital certificate to obtain a third target value.
  • the result of encrypting with a digital certificate public key can only be decrypted by using the private key of the digital certificate, so the management terminal reads the private key of the second digital certificate, and uses the second number.
  • the private key of the certificate results in the second encryption result to obtain a third target value.
  • the management terminal decrypts the second encryption result e 2 to obtain the third target value r 3 .
  • the third target value may be the same as the second target value, and may be different.
  • the third target value Same as the second target value, otherwise the third target value obtained by the management terminal decrypting The second target value is not the same. Therefore, when the wireless channel between the management terminal and the application terminal does not receive an external attack, the first target value is the same as the third target value.
  • the third target value is the same as the first target value, it may be understood that the wireless channel between the management terminal and the application terminal is not attacked by the outside, and the management terminal passes the The authentication of the application terminal adds the application terminal to the group, and notifies the application terminal that the application is successful, and can participate in communication between the groups.
  • the management terminal when the management terminal receives the application that carries the first digital certificate and sends the group message, the management terminal encrypts the first target value according to the first digital certificate to obtain the first encryption result. And then the management terminal sends the first encryption result and the second digital certificate of the management terminal to the application terminal, and the application terminal decrypts the first encryption result to obtain a second target value, and encrypts the second target value according to the second digital certificate.
  • the second encryption result is that the application terminal sends the second encryption result to the management terminal, the management terminal decrypts the second encryption result to obtain a third target value, and the third terminal value is the same as the first target value, and the authentication is performed on the application terminal.
  • the management terminal completes the authentication process of the application terminal according to the encryption and decryption result, and improves the security of the authentication process.
  • FIG. 3 is a schematic flowchart of still another method for authenticating a terminal according to an embodiment of the present invention.
  • the method may include steps S301 to S303.
  • the application terminal sends an application requesting the first digital certificate of the local end to join the group message to the management terminal, so that the management terminal encrypts the first target value according to the first digital certificate to obtain a first encryption result.
  • the second target value may be the same as the first target value, or may be different.
  • the management terminal sends the first encryption result and the second digital certificate, it is not attacked by the outside world. And the second target value is the same as the first target value, otherwise the second target value obtained by the application terminal decryption is different from the first target value. Since the first encryption result is obtained by encrypting the public key of the first digital certificate, and the second encryption result is obtained by encrypting the public key of the second digital certificate, the public key is different, so the first The second encryption result is different from the first encryption result, and the second encryption result is different from the first encryption result even if the second target value is the same as the first target value.
  • the application terminal sends the second encryption result to the management terminal, so that the management terminal decrypts the second encryption result to obtain a third target value, and the third target value is When the first target value is the same, the authentication of the local end is performed.
  • the application terminal sends the second encryption result to the management terminal, and the management terminal uses the private key pair of the second digital certificate when receiving the second encryption result.
  • the third target value may be the same as the second target value, and may be different.
  • the third target value is the same as the second target value, otherwise the third target value obtained by the management terminal decryption is not the same as the second target value. Therefore, when the wireless channel between the management terminal and the application terminal does not receive an external attack, the first target value is the same as the third target value.
  • the application terminal joins the group message to the management terminal by sending an application for carrying the first digital certificate of the local end, and the management terminal encrypts the first target value according to the first digital certificate to obtain the first encryption result, and applies for the terminal.
  • Receiving a first encryption result sent by the management terminal and a second digital certificate of the management terminal decrypting the first encryption result to obtain a second target value, and encrypting the second target value according to the second digital certificate to obtain a second encryption result
  • the terminal sends the second encryption result to the management terminal, and the management terminal decrypts the second encryption result to obtain a third target value, and implements management by authenticating the application terminal when the third target value is the same as the first target value.
  • the terminal authenticates the application terminal and improves the security of the authentication process.
  • the application terminal receives the first encryption result sent by the management terminal and a second digital certificate of the management terminal.
  • the application terminal reads a private key of the first digital certificate, and decrypts the first encryption result by using a private key of the first digital certificate to obtain the second target value.
  • the application terminal acquires a public key of the second digital certificate, and encrypts the second target value by using a public key of the second digital certificate to obtain a second encryption result. Since the first encryption result is obtained by encrypting the public key of the first digital certificate, and the second encryption result is obtained by encrypting the public key of the second digital certificate, the public key is different, so the first The second encryption result is different from the first encryption result, and the second encryption result is different from the first encryption result even if the second target value is the same as the first target value.
  • the application terminal sends the second encryption result to the management terminal, so that the management terminal decrypts the second encryption result to obtain a third target value, and the third target value is When the first target value is the same, the authentication of the local end is performed.
  • the application terminal joins the group message to the management terminal by sending an application for carrying the first digital certificate of the local end, and the management terminal encrypts the first target value according to the first digital certificate to obtain the first encryption result, and applies for the terminal.
  • the encryption unit 101 may include a verification unit 1011 and a first encryption unit 1012.
  • the checking unit 1011 first checks whether the digital signature of the first digital certificate is correct, when the first number is When the digital signature of the word certificate is correct, the management terminal can perform the subsequent authentication process; when the digital signature of the first digital certificate is incorrect, the management terminal rejects the application terminal to join the group.
  • a first encryption unit 1012 configured to acquire a public key of the first digital certificate when the digital signature of the first digital certificate is correct, and encrypt the first target value by using a public key of the first digital certificate The first encrypted result is obtained.
  • the first digital certificate is a legal digital certificate of the application terminal, and therefore the first encryption unit 1012 obtains the first The public key of the digital certificate, and encrypting the first target value by using the public key of the first digital certificate to obtain a first encryption result.
  • the first target value is a value arbitrarily selected by the management terminal 10. For example, the first target value is r 1 , the public key of the first digital certificate is pk 1 , and the first encryption result obtained by the first encryption unit 1012 is e 1 .
  • the sending unit 102 reads the second digital certificate of the local end, and sends the first encryption result and the second digital certificate encrypted by the first encryption unit 1012 to the application terminal.
  • the second digital certificate includes a public key of the second digital certificate.
  • the application terminal uses the private key of the first digital certificate of the local end to the first encryption result. Decrypting to obtain a second target value, and then the application terminal encrypts the second target value by using a public key of the second digital certificate to obtain a second encryption result.
  • the second target value may be the same as the first target value, or may be different.
  • the sending unit 102 When the attack is performed, the second target value is the same as the first target value, otherwise the second target value obtained by the application terminal decryption is different from the first target value.
  • the first encryption result is obtained by encrypting a public key of the first digital certificate, and the second encryption result is by the The public key of the second digital certificate is encrypted, and the public key is different, so the second encryption result is different from the first encryption result, even if the second target value is the same as the first target value.
  • the second encryption result is also different from the first encryption result.
  • the decrypting unit 103 is configured to acquire the second encryption result sent by the application terminal, and decrypt the second encryption result to obtain a third target value, and the third target value and the first target
  • the authentication of the application terminal is made when the values are the same.
  • the decryption unit 103 acquires the second encryption result sent by the application terminal, and decrypts the second encryption result to obtain a third target value, and the third target value and the The authentication of the application terminal is performed when the first target value is the same.
  • the decryption unit 103 may include an obtaining unit 1031, a first decryption unit 1032, and an authentication unit 1033.
  • the obtaining unit 1031 is configured to obtain a second encryption result sent by the application terminal.
  • the application terminal sends the second encryption result encrypted by using the public key of the second digital certificate to the management terminal, and the obtaining unit 1031 acquires the second encryption sent by the middle requesting terminal. result.
  • the first decryption unit 1032 is configured to read a private key of the second digital certificate, and decrypt the second encryption result by using a private key of the second digital certificate to obtain a third target value.
  • the authentication unit 1033 is configured to authenticate the application terminal when the third target value is the same as the first target value.
  • FIG. 8 and FIG. 9 are used to perform the method of the embodiment shown in FIG. 3 and FIG. 4 of the present invention.
  • FIG. 3 and FIG. 4 of the present invention are shown. In part, specific technical details are not disclosed, please refer to the embodiment shown in FIG. 3 and FIG. 4 of the present invention.
  • FIG. 8 is a schematic structural diagram of an application terminal according to the present invention.
  • the application terminal 20 may include: a message sending unit 201, a decryption and encrypting unit 202, and a result sending unit 203.
  • the decryption encryption unit 202 is configured to receive the first encryption result sent by the management terminal and the second digital certificate of the management terminal, and decrypt the first encryption result to obtain a second target value and according to the The second digital certificate encrypts the second target value to obtain a second encrypted result.
  • the second target value may be the same as the first target value, or may be different.
  • the management terminal 10 sends the first encryption result and the second digital certificate
  • the external terminal is not received by the outside world.
  • the second target value is the same as the first target value, otherwise the decrypted encryption unit 202 decrypts the obtained second target value and the first target value is a different value. Since the first encryption result is obtained by encrypting the public key of the first digital certificate, and the second encryption result is obtained by encrypting the public key of the second digital certificate, the public key is different, so the first The second encryption result is different from the first encryption result, and the second encryption result is different from the first encryption result even if the second target value is the same as the first target value.
  • the receiving unit 2021 is configured to receive the first encryption result sent by the management terminal and the second digital certificate of the management terminal.
  • the second decryption unit 2022 reads the private key of the first digital certificate, and decrypts the first encryption result by using the private key of the first digital certificate to obtain the second target value.
  • the first encryption result is e 1
  • the second target value decrypted by the second decryption unit 2022 is r 2 .
  • a result sending unit 203 configured to send the second encryption result to the management terminal, so that the management terminal decrypts the second encryption result to obtain a third target value, and at the third target value
  • the authentication of the local end is performed when the first target value is the same.
  • the result sending unit 203 sends the second encryption result to the management terminal, and the management terminal 10 adopts the private of the second digital certificate when receiving the second encryption result. Decrypting the second encryption result to obtain a third target value, and determining whether the third target value is the same as the first target value, when the third target value is the same as the first target value By the authentication of the application terminal 20.
  • the third target value may be the same as the second target value, and may be different.
  • the result sending unit 203 is not attacked by the outside world in the process of sending the second encryption result, the third The target value is the same as the second target value, otherwise the third target value obtained by the management terminal 10 is not the same as the second target value. Therefore, when the wireless channel between the management terminal 10 and the application terminal 20 does not receive an external attack, the first target value is the same as the third target value.
  • the application terminal joins the group message to the management terminal by sending an application for carrying the first digital certificate of the local end, and the management terminal encrypts the first target value according to the first digital certificate to obtain the first encryption result, and applies for the terminal.
  • Receiving a first encryption result sent by the management terminal and a second digital certificate of the management terminal decrypting the first encryption result to obtain a second target value, and encrypting the second target value according to the second digital certificate to obtain a second encryption result
  • the application terminal sends the second encryption result to the management terminal, and the management terminal decrypts the second encryption result to obtain a third target value, and implements the management terminal by authenticating the application terminal when the third target value is the same as the first target value. Recognition of the application terminal Certification process and improve the security of the certification process.
  • the storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), or a random access memory (RAM).

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)
  • Storage Device Security (AREA)

Abstract

Provided in embodiments of the present invention are a terminal authentication method, management terminal and application terminal. The method comprises: upon receiving a group joining application message carrying a first digital certificate and transmitted by an application terminal, encrypting, according to the first digital certificate, a first target value to obtain a first encryption result; transmitting the first encryption result and a second digital certificate of a local terminal to the application terminal, such that the application terminal decrypts the first encryption result to obtain a second target value, and encrypts, according to the second digital certificate, the second target value to obtain a second encryption result; and acquiring the second encryption result transmitted by the application terminal, decrypting the second encryption result to obtain a third target value, and if the third target value and the first target value are the same, then enabling the application terminal to pass the authentication. The embodiments of the present invention improve security of an authentication process.

Description

一种终端认证方法、管理终端及申请终端Terminal authentication method, management terminal and application terminal
本申请要求于2015年5月6日提交中国专利局、申请号为201510226966.1,发明名称为“一种终端认证方法、管理终端及申请终端”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims priority to Chinese Patent Application No. 201510226966.1, entitled "A Terminal Authentication Method, Management Terminal, and Application Terminal" on May 6, 2015, the entire contents of which are incorporated by reference. In this application.
技术领域Technical field
本发明涉及移动通信技术领域,具体涉及一种终端认证方法、管理终端及申请终端。The present invention relates to the field of mobile communications technologies, and in particular, to a terminal authentication method, a management terminal, and an application terminal.
背景技术Background technique
设备对设备(Device-to-Device,D2D)通信是一种在系统的控制下,允许终端之间通过复用小区资源直接进行通信的新型技术,它能够增加蜂窝通信系统频谱效率,降低终端发射功率,在一定程度上解决无线通信系统频谱资源匮乏的问题。根据第三代合作伙伴计划(3rd Generation Partnership Project,3GPP)文档对D2D通信的定义,D2D通信包括一对一通信和群组通信等不同通信方式。在D2D群组通信中,一个用户设备充当群组管理者建立群组,其他用户设备加入群组,并在群组内部实现端到端通信。Device-to-Device (D2D) communication is a new technology that allows terminals to communicate directly by multiplexing cell resources under the control of the system. It can increase the spectrum efficiency of the cellular communication system and reduce the terminal transmission. Power, to a certain extent, solves the problem of lack of spectrum resources in wireless communication systems. According to the definition of D2D communication in the 3rd Generation Partnership Project (3GPP) document, D2D communication includes different communication methods such as one-to-one communication and group communication. In D2D group communication, one user equipment acts as a group manager to establish a group, other user equipments join a group, and end-to-end communication is implemented within the group.
当一个用户设备申请加入一个通信群组时,该群组的管理者必须对该用户设备进行身份认证,目前的认证方法是申请者将自己的数字证书发送至管理者,由管理者验证数字证书的数字签名的合法性,若合法则接受申请者的申请,将申请者加入通信群。但是,由于数字证书很容易被其他用户设备获取,一旦申请者的数字证书被其他用户设备盗用并参与认证过程,将导致申请者无法加入该通信群组,从而影响认证过程的安全性。When a user equipment applies to join a communication group, the administrator of the group must authenticate the user equipment. The current authentication method is that the applicant sends his digital certificate to the administrator, and the administrator verifies the digital certificate. The legality of the digital signature, if legal, accepts the applicant's application and joins the applicant to the communication group. However, since the digital certificate is easily acquired by other user equipments, once the applicant's digital certificate is stolen by other user equipment and participates in the authentication process, the applicant cannot join the communication group, thereby affecting the security of the authentication process.
发明内容Summary of the invention
本发明实施例提供一种终端认证方法、管理终端及申请终端,能够提高认证过程的安全性。The embodiment of the invention provides a terminal authentication method, a management terminal and an application terminal, which can improve the security of the authentication process.
本发明实施例第一方面提供一种终端认证方法,可包括:A first aspect of the embodiments of the present invention provides a terminal authentication method, which may include:
当管理终端接收到申请终端发送的携带有第一数字证书的申请加入群组 消息时,所述管理终端根据所述第一数字证书对第一目标值进行加密得到第一加密结果;When the management terminal receives the application that is sent by the application terminal and carries the first digital certificate, joins the group. And the management terminal encrypts the first target value according to the first digital certificate to obtain a first encryption result;
所述管理终端将所述第一加密结果和本端的第二数字证书发送至所述申请终端,以使所述申请终端对所述第一加密结果进行解密得到第二目标值,并根据所述第二数字证书对所述第二目标值进行加密得到第二加密结果;The management terminal sends the first encryption result and the second digital certificate of the local end to the application terminal, so that the application terminal decrypts the first encryption result to obtain a second target value, and according to the The second digital certificate encrypts the second target value to obtain a second encryption result;
所述管理终端获取所述申请终端发送的所述第二加密结果,并对所述第二加密结果进行解密得到第三目标值,并在所述第三目标值与所述第一目标值相同时通过对所述申请终端的认证。The management terminal acquires the second encryption result sent by the application terminal, and decrypts the second encryption result to obtain a third target value, and the third target value is compared with the first target value. At the same time, the authentication of the application terminal is passed.
本发明实施例第二方面提供另一种终端认证方法,可包括:The second aspect of the embodiment of the present invention provides another terminal authentication method, which may include:
申请终端发送携带本端的第一数字证书的申请加入群组消息至管理终端,以使所述管理终端根据所述第一数字证书对第一目标值进行加密得到第一加密结果;The application terminal sends an application for carrying the first digital certificate of the local end to join the group message to the management terminal, so that the management terminal encrypts the first target value according to the first digital certificate to obtain a first encryption result;
所述申请终端接收所述管理终端发送的所述第一加密结果和所述管理终端的第二数字证书,并对所述第一加密结果进行解密得到第二目标值以及根据所述第二数字证书对所述第二目标值进行加密得到第二加密结果;Receiving, by the application terminal, the first encryption result sent by the management terminal and the second digital certificate of the management terminal, and decrypting the first encryption result to obtain a second target value and according to the second number The certificate encrypts the second target value to obtain a second encryption result;
所述申请终端将所述第二加密结果发送至所述管理终端,以使所述管理终端对所述第二加密结果进行解密得到第三目标值,并在所述第三目标值与所述第一目标值相同时通过对本端的认证。Transmitting, by the application terminal, the second encryption result to the management terminal, so that the management terminal decrypts the second encryption result to obtain a third target value, and the third target value and the When the first target value is the same, the authentication of the local end is passed.
本发明实施例第三方面提供一种管理终端,可包括:A third aspect of the embodiments of the present invention provides a management terminal, which may include:
加密单元,用于当管理终端接收到申请终端发送的携带有第一数字证书的申请加入群组消息时,根据所述第一数字证书对第一目标值进行加密得到第一加密结果;An encryption unit, configured to: when the management terminal receives the application that is sent by the application terminal and carries the first digital certificate, join the group message, and encrypt the first target value according to the first digital certificate to obtain the first encryption result;
发送单元,用于将所述第一加密结果和本端的第二数字证书发送至所述申请终端,以使所述申请终端对所述第一加密结果进行解密得到第二目标值,并根据所述第二数字证书对所述第二目标值进行加密得到第二加密结果;a sending unit, configured to send the first encryption result and the second digital certificate of the local end to the application terminal, so that the application terminal decrypts the first encryption result to obtain a second target value, and according to the The second digital certificate encrypts the second target value to obtain a second encryption result;
解密单元,用于获取所述申请终端发送的所述第二加密结果,并对所述第二加密结果进行解密得到第三目标值,并在所述第三目标值与所述第一目标值相同时通过对所述申请终端的认证。a decrypting unit, configured to acquire the second encryption result sent by the application terminal, and decrypt the second encryption result to obtain a third target value, and the third target value and the first target value The same is true for the authentication of the application terminal.
本发明实施例第四方面提供一种申请终端,可包括: A fourth aspect of the embodiments of the present invention provides an application terminal, which may include:
消息发送单元,用于发送携带本端的第一数字证书的申请加入群组消息至管理终端,以使所述管理终端根据所述第一数字证书对第一目标值进行加密得到第一加密结果;a message sending unit, configured to send an application that joins the first digital certificate of the local end to the management terminal, so that the management terminal encrypts the first target value according to the first digital certificate to obtain a first encryption result;
解密加密单元,用于接收所述管理终端发送的所述第一加密结果和所述管理终端的第二数字证书,并对所述第一加密结果进行解密得到第二目标值以及根据所述第二数字证书对所述第二目标值进行加密得到第二加密结果;a decryption encryption unit, configured to receive the first encryption result sent by the management terminal and the second digital certificate of the management terminal, and decrypt the first encryption result to obtain a second target value and according to the first The second digital certificate encrypts the second target value to obtain a second encryption result;
结果发送单元,用于将所述第二加密结果发送至所述管理终端,以使所述管理终端对所述第二加密结果进行解密得到第三目标值,并在所述第三目标值与所述第一目标值相同时通过对本端的认证。a result sending unit, configured to send the second encryption result to the management terminal, so that the management terminal decrypts the second encryption result to obtain a third target value, and at the third target value When the first target value is the same, the authentication of the local end is performed.
在本发明实施例中,通过在管理终端接收到申请终端发送的携带有第一数字证书的申请加入群组消息时,管理终端根据第一数字证书对第一目标值进行加密得到第一加密结果,然后管理终端将第一加密结果和管理终端的第二数字证书发送至申请终端,申请终端对第一加密结果进行解密得到第二目标值并根据第二数字证书对第二目标值进行加密得到第二加密结果,申请终端将第二加密结果发送至管理终端,管理终端对第二加密结果进行解密得到第三目标值,当第三目标值与第一目标值相同时通过对申请终端的认证,实现管理终端根据加密解密结果完成对申请终端的认证过程,提高认证过程的安全性。In the embodiment of the present invention, when the management terminal receives the application that carries the first digital certificate and sends the group message, the management terminal encrypts the first target value according to the first digital certificate to obtain the first encryption result. And then the management terminal sends the first encryption result and the second digital certificate of the management terminal to the application terminal, and the application terminal decrypts the first encryption result to obtain a second target value, and encrypts the second target value according to the second digital certificate. The second encryption result is that the application terminal sends the second encryption result to the management terminal, the management terminal decrypts the second encryption result to obtain a third target value, and the third terminal value is the same as the first target value, and the authentication is performed on the application terminal. The management terminal completes the authentication process of the application terminal according to the encryption and decryption result, and improves the security of the authentication process.
附图说明DRAWINGS
为了更清楚地说明本发明实施例或现有技术中的技术方案,下面将对实施例或现有技术描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本发明的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他的附图。In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the description of the prior art will be briefly described below. Obviously, the drawings in the following description are only It is a certain embodiment of the present invention, and other drawings can be obtained from those skilled in the art without any creative work.
图1为本发明实施例提供的一种终端认证方法的流程示意图;FIG. 1 is a schematic flowchart of a method for authenticating a terminal according to an embodiment of the present disclosure;
图2为本发明实施例提供的另一种终端认证方法的流程示意图;2 is a schematic flowchart of another terminal authentication method according to an embodiment of the present invention;
图3为本发明实施例提供的又一种终端认证方法的流程示意图;FIG. 3 is a schematic flowchart of still another terminal authentication method according to an embodiment of the present invention;
图4为本发明实施例提供的又一种终端认证方法的流程示意图;FIG. 4 is a schematic flowchart diagram of still another terminal authentication method according to an embodiment of the present invention;
图5为本发明实施例提供的一种管理终端的结构示意图;FIG. 5 is a schematic structural diagram of a management terminal according to an embodiment of the present disclosure;
图6为图5所示实施例提供的加密单元的结构示意图; 6 is a schematic structural diagram of an encryption unit provided by the embodiment shown in FIG. 5;
图7为图5所示实施例提供的解密单元的结构示意图;7 is a schematic structural diagram of a decryption unit provided by the embodiment shown in FIG. 5;
图8为本发明实施例提供的一种申请终端的结构示意图;FIG. 8 is a schematic structural diagram of an application terminal according to an embodiment of the present disclosure;
图9为图8所示实施例提供的解密加密单元的结构示意图。FIG. 9 is a schematic structural diagram of a decryption and encryption unit provided by the embodiment shown in FIG. 8.
具体实施方式detailed description
下面将结合本发明实施例中的附图,对本发明实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例仅仅是本发明一部分实施例,而不是全部的实施例。基于本发明中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本发明保护的范围。The technical solutions in the embodiments of the present invention are clearly and completely described in the following with reference to the accompanying drawings in the embodiments of the present invention. It is obvious that the described embodiments are only a part of the embodiments of the present invention, but not all embodiments. All other embodiments obtained by those skilled in the art based on the embodiments of the present invention without creative efforts are within the scope of the present invention.
本发明实施例提供的一种终端认证方法、管理终端及申请终端,可以应用于D2D通信中管理终端对申请终端认证的场景,例如,管理终端与申请终端均不在网络覆盖范围内,即当前网络信号差不支持终端之间的蜂窝通信,终端之间可以进行D2D通信,申请终端想要加入管理终端所在的D2D通信群组并与群组内的组员进行通信时,管理终端需对申请终端进行认证,应用本发明实施例可以实现管理终端对申请终端的认证,防止申请终端的数字证书被其他终端截取利用,提供认证过程的安全性。在申请终端的数字证书被其他终端获取的情况下,其他终端无法对管理终端加密的结果进行解密,防止不法分子加入管理终端所在的群组。The terminal authentication method, the management terminal, and the application terminal provided by the embodiment of the present invention can be applied to the scenario in which the management terminal authenticates the application terminal in the D2D communication. For example, the management terminal and the application terminal are not in the network coverage, that is, the current network. The signal difference does not support cellular communication between terminals, and D2D communication can be performed between terminals. When the application terminal wants to join the D2D communication group where the management terminal is located and communicates with the group members in the group, the management terminal needs to apply for the terminal. The authentication of the authentication process can be implemented by using the embodiment of the present invention to implement authentication of the application terminal by the management terminal, preventing the digital certificate of the application terminal from being intercepted and utilized by other terminals. When the digital certificate of the application terminal is acquired by other terminals, the other terminal cannot decrypt the result of the management terminal encryption, and prevents the criminals from joining the group where the management terminal is located.
本发明实施例提供的管理终端、申请终端可以包括但不限于手机、PAD(平板电脑)、智能可穿戴设备等电子设备。本发明实施例提供的管理终端为D2D通信中建立群组的管理者,负责对其他申请加入该群组的终端进行认证,实现群组内任意两个终端间的通信,终端之间通过无线信道进行通信,因此本发明实施例的前提条件是申请终端与管理终端使用的无线信道频率相同。The management terminal and the application terminal provided by the embodiments of the present invention may include, but are not limited to, an electronic device such as a mobile phone, a PAD (tablet computer), and a smart wearable device. The management terminal provided by the embodiment of the present invention is a manager who establishes a group in the D2D communication, and is responsible for authenticating other terminals that apply to join the group, and realizing communication between any two terminals in the group, and the terminals pass the wireless channel. The communication is performed. Therefore, the premise of the embodiment of the present invention is that the frequency of the wireless channel used by the application terminal and the management terminal is the same.
下面将结合附图1-附图4对本发明实施例提供的终端认证方法进行详细介绍。The terminal authentication method provided by the embodiment of the present invention will be described in detail below with reference to FIG.
请参见图1,为本发明实施例提供的一种终端认证方法的流程示意图,该方法可包括步骤S101-步骤S103。FIG. 1 is a schematic flowchart of a method for authenticating a terminal according to an embodiment of the present invention. The method may include steps S101 to S103.
S101,当管理终端接收到申请终端发送的携带有第一数字证书的申请加入 群组消息时,所述管理终端根据所述第一数字证书对第一目标值进行加密得到第一加密结果。S101. When the management terminal receives the application that is sent by the application terminal and carries the first digital certificate, the application joins. And the management terminal encrypts the first target value according to the first digital certificate to obtain a first encryption result.
具体的,当管理终端与申请终端使用同一无线信道频率时,所述管理终端可接收所述申请终端发送的申请加入群组消息,所述申请加入群组消息携带有第一数字证书,所述第一数字证书为所述申请终端的数字证书,数字证书是一个经证书授权中心数字签名的包含公开密钥拥有者信息以及公开密钥的文件。最简单的证书包含一个公开密钥、名称以及证书授权中心的数字签名。数字证书采用公钥体制,即利用一对互相匹配的密钥进行加密、解密。Specifically, when the management terminal and the application terminal use the same radio channel frequency, the management terminal may receive an application joining group message sent by the application terminal, where the application joining group message carries a first digital certificate, The first digital certificate is a digital certificate of the application terminal, and the digital certificate is a file containing the public key owner information and the public key digitally signed by the certificate authority. The simplest certificate contains a public key, a name, and a digital signature from the certificate authority. The digital certificate adopts a public key system, that is, a pair of mutually matching keys are used for encryption and decryption.
当所述管理终端接收到所述申请加入群组消息时,所述管理终端先检验所述第一数字证书的数字签名是否正确,当所述第一数字证书的数字签名正确时,所述管理终端获取所述第一数字证书的公钥,并采用所述第一数字证书的公钥对第一目标值进行加密得到第一加密结果。其中,所述第一目标值由所述管理终端任意选择的一个值。When the management terminal receives the application joining group message, the management terminal first checks whether the digital signature of the first digital certificate is correct, and when the digital signature of the first digital certificate is correct, the management The terminal acquires the public key of the first digital certificate, and encrypts the first target value by using the public key of the first digital certificate to obtain a first encryption result. The first target value is a value arbitrarily selected by the management terminal.
S102,所述管理终端将所述第一加密结果和本端的第二数字证书发送至所述申请终端,以使所述申请终端对所述第一加密结果进行解密得到第二目标值,并根据所述第二数字证书对所述第二目标值进行加密得到第二加密结果。S102, the management terminal sends the first encryption result and the second digital certificate of the local end to the application terminal, so that the application terminal decrypts the first encryption result to obtain a second target value, and according to The second digital certificate encrypts the second target value to obtain a second encryption result.
具体的,所述管理终端读取本端的第二数字证书,并将步骤S101加密得到的所述第一加密结果和所述第二数字证书发送至所述申请终端,所述第二数字证书包括所述第二数字证书的公钥。所述申请终端在接收到所述管理终端发送的所述第一加密结果和所述第二数字证书时,所述申请终端采用本端的第一数字证书的私钥对所述第一加密结果进行解密得到第二目标值,然后所述申请终端采用所述第二数字证书的公钥对所述第二目标值进行加密得到第二加密结果。其中,所述第二目标值可能与所述第一目标值相同,也可能不相同,当所述管理终端在发送所述第一加密结果和所述第二数字证书的过程中没有受到外界攻击时,所述第二目标值与所述第一目标值相同,否则所述申请终端解密得到的所述第二目标值与所述第一目标值为不同的数值。由于所述第一加密结果是由所述第一数字证书的公钥加密得到,而所述第二加密结果是由所述第二数字证书的公钥加密得到,公钥不同,因此所述第二加密结果与所述第一加密结果不相同,即使在所述第二目标值与所述第一目标值相同的情况下,所述 第二加密结果与所述第一加密结果也不相同。Specifically, the management terminal reads the second digital certificate of the local end, and sends the first encryption result and the second digital certificate obtained by the step S101 to the application terminal, where the second digital certificate includes The public key of the second digital certificate. When the application terminal receives the first encryption result and the second digital certificate sent by the management terminal, the application terminal performs the first encryption result by using a private key of the first digital certificate of the local end. Decrypting to obtain a second target value, and then the application terminal encrypts the second target value by using a public key of the second digital certificate to obtain a second encryption result. The second target value may be the same as the first target value, or may be different. When the management terminal sends the first encryption result and the second digital certificate, it is not attacked by the outside world. And the second target value is the same as the first target value, otherwise the second target value obtained by the application terminal decryption is different from the first target value. Since the first encryption result is obtained by encrypting the public key of the first digital certificate, and the second encryption result is obtained by encrypting the public key of the second digital certificate, the public key is different, so the first The second encryption result is different from the first encryption result, even if the second target value is the same as the first target value, The second encryption result is also different from the first encryption result.
S103,所述管理终端获取所述申请终端发送的所述第二加密结果,并对所述第二加密结果进行解密得到第三目标值,并在所述第三目标值与所述第一目标值相同时通过对所述申请终端的认证。S103. The management terminal acquires the second encryption result sent by the application terminal, and decrypts the second encryption result to obtain a third target value, and the third target value and the first target. The authentication of the application terminal is made when the values are the same.
具体的,所述管理终端获取所述申请终端发送的所述第二加密结果,并读取所述第二数字证书的私钥,然后采用所述第二数字证书的私钥对所述第二加密结果进行解密得到第三目标值。其中,所述第三目标值与所述第二目标值可能相同,可能不相同,当所述申请终端在发送所述第二加密结果的过程中没有受到外界攻击时,所述第三目标值与所述第二目标值相同,否则所述管理终端解密得到的所述第三目标值与所述第二目标值不相同。因此,当所述管理终端与所述申请终端之间的无线信道没有收到外界攻击时,所述第一目标值与所述第三目标值相同。当所述第三目标值与所述第一目标值相同时,所述管理终端通过对所述申请终端的认证,将所述申请终端加入所述群组,并通知所述申请终端申请成功,可以参与所述群组之间的通信。Specifically, the management terminal acquires the second encryption result sent by the application terminal, and reads a private key of the second digital certificate, and then uses the private key of the second digital certificate to the second The encrypted result is decrypted to obtain a third target value. The third target value may be the same as the second target value, and may be different. When the application terminal is not attacked by the outside world in sending the second encryption result, the third target value Same as the second target value, otherwise the third target value obtained by the management terminal decryption is not the same as the second target value. Therefore, when the wireless channel between the management terminal and the application terminal does not receive an external attack, the first target value is the same as the third target value. When the third target value is the same as the first target value, the management terminal adds the application terminal to the group by using the authentication of the application terminal, and notifies the application terminal that the application is successful. It is possible to participate in communication between the groups.
需要说明的是,在所述申请终端的数字证书被其他终端盗用的情况下,例如所述申请终端的数字证书被终端A盗用参与到本发明实施例的认证过程中,所述终端A可能无法用自己的私钥对所述第一加密结果进行解密,也可能所述终端A伪造所述第二目标值,若所述终端A伪造所述第二目标值,则所述第二目标值便与所述第一目标值不相同,因此所述管理终端拒绝对所述终端A的认证申请,不允许所述终端A加入所述群组,从而提高群组以及认证过程的安全性。It should be noted that, in the case that the digital certificate of the application terminal is stolen by other terminals, for example, the digital certificate of the application terminal is stolen by the terminal A and participates in the authentication process of the embodiment of the present invention, the terminal A may not be able to Decrypting the first encryption result with its own private key, or the terminal A may forge the second target value. If the terminal A falsifies the second target value, the second target value is The first target value is different from the first target value, so the management terminal rejects the authentication application for the terminal A, and does not allow the terminal A to join the group, thereby improving the security of the group and the authentication process.
在本发明实施例中,通过在管理终端接收到申请终端发送的携带有第一数字证书的申请加入群组消息时,管理终端根据第一数字证书对第一目标值进行加密得到第一加密结果,然后管理终端将第一加密结果和管理终端的第二数字证书发送至申请终端,申请终端对第一加密结果进行解密得到第二目标值并根据第二数字证书对第二目标值进行加密得到第二加密结果,申请终端将第二加密结果发送至管理终端,管理终端对第二加密结果进行解密得到第三目标值,当第三目标值与第一目标值相同时通过对申请终端的认证,实现管理终端根据加密解密结果完成对申请终端的认证过程,提高认证过程的安全性。 In the embodiment of the present invention, when the management terminal receives the application that carries the first digital certificate and sends the group message, the management terminal encrypts the first target value according to the first digital certificate to obtain the first encryption result. And then the management terminal sends the first encryption result and the second digital certificate of the management terminal to the application terminal, and the application terminal decrypts the first encryption result to obtain a second target value, and encrypts the second target value according to the second digital certificate. The second encryption result is that the application terminal sends the second encryption result to the management terminal, the management terminal decrypts the second encryption result to obtain a third target value, and the third terminal value is the same as the first target value, and the authentication is performed on the application terminal. The management terminal completes the authentication process of the application terminal according to the encryption and decryption result, and improves the security of the authentication process.
请参见图2,为本发明实施例提供的另一种终端认证方法的流程示意图,该方法可包括步骤S201-步骤S206。FIG. 2 is a schematic flowchart of another method for authenticating a terminal according to an embodiment of the present invention. The method may include steps S201 to S206.
S201,当管理终端接收到申请终端发送的携带有第一数字证书的中请加入群组消息时,所述管理终端检验所述第一数字证书的数字签名是否正确。S201: When the management terminal receives the group message that is sent by the application terminal and carries the first digital certificate, the management terminal checks whether the digital signature of the first digital certificate is correct.
具体的,当管理终端与申请终端使用同一无线信道频率时,所述管理终端可接收所述申请终端发送的申请加入群组消息,所述申请加入群组消息携带有第一数字证书,所述第一数字证书为所述申请终端的数字证书,数字证书是一个经证书授权中心数字签名的包含公开密钥拥有者信息以及公开密钥的文件。最简单的证书包含一个公开密钥、名称以及证书授权中心的数字签名。数字证书采用公钥体制,即利用一对互相匹配的密钥进行加密、解密。Specifically, when the management terminal and the application terminal use the same radio channel frequency, the management terminal may receive an application joining group message sent by the application terminal, where the application joining group message carries a first digital certificate, The first digital certificate is a digital certificate of the application terminal, and the digital certificate is a file containing the public key owner information and the public key digitally signed by the certificate authority. The simplest certificate contains a public key, a name, and a digital signature from the certificate authority. The digital certificate adopts a public key system, that is, a pair of mutually matching keys are used for encryption and decryption.
当所述管理终端接收到所述申请加入群组消息时,所述管理终端先检验所述第一数字证书的数字签名是否正确,当所述第一数字证书的数字签名正确时,所述管理终端才能进行后续的认证过程;当所述第一数字证书的数字签名错误时,所述管理终端拒绝所述中请终端加入所述群组。When the management terminal receives the application joining group message, the management terminal first checks whether the digital signature of the first digital certificate is correct, and when the digital signature of the first digital certificate is correct, the management The terminal can perform the subsequent authentication process; when the digital signature of the first digital certificate is incorrect, the management terminal rejects the middle calling terminal to join the group.
S202,当所述第一数字证书的数字签名正确时,所述管理终端获取所述第一数字证书的公钥,并采用所述第一数字证书的公钥对第一目标值进行加密得到第一加密结果。S202. When the digital signature of the first digital certificate is correct, the management terminal acquires the public key of the first digital certificate, and encrypts the first target value by using the public key of the first digital certificate. An encrypted result.
具体的,当所述第一数字证书的数字签名正确时,可以理解的是所述第一数字证书为所述申请终端的合法数字证书,因此所述管理终端获取所述第一数字证书的公钥,并采用所述第一数字证书的公钥对第一目标值进行加密得到第一加密结果。其中,所述第一目标值由所述管理终端任意选择的一个值。例如,所述第一目标值为r1,所述第一数字证书的公钥为pk1,所述管理终端加密得到的所述第一加密结果为e1Specifically, when the digital signature of the first digital certificate is correct, it can be understood that the first digital certificate is a legal digital certificate of the application terminal, and therefore the management terminal acquires the publicity of the first digital certificate. Key, and encrypting the first target value by using the public key of the first digital certificate to obtain a first encryption result. The first target value is a value arbitrarily selected by the management terminal. For example, the first target value is r 1 , the public key of the first digital certificate is pk 1 , and the first encryption result obtained by the management terminal is e 1 .
S203,所述管理终端读取本端的第二数字证书,并将所述第一加密结果和所述第二数字证书发送至所述申请终端,以使所述申请终端采用所述第一数字证书的私钥对所述第一加密结果进行解密得到第二目标值,并采用所述第二数字证书的公钥对所述第二目标值进行加密得到第二加密结果。S203, the management terminal reads the second digital certificate of the local end, and sends the first encryption result and the second digital certificate to the application terminal, so that the application terminal adopts the first digital certificate. The private key decrypts the first encryption result to obtain a second target value, and encrypts the second target value by using the public key of the second digital certificate to obtain a second encryption result.
具体的,所述管理终端读取本端的第二数字证书,并将步骤S202加密得 到的所述第一加密结果和所述第二数字证书发送至所述申请终端,所述第二数字证书包括所述第二数字证书的公钥。所述申请终端在接收到所述管理终端发送的所述第一加密结果和所述第二数字证书时,所述申请终端采用本端的第一数字证书的私钥对所述第一加密结果进行解密得到第二目标值,然后所述申请终端采用所述第二数字证书的公钥对所述第二目标值进行加密得到第二加密结果。例如,所述第二数字证书的公钥为pk2,所述管理终端将所述第一加密结果e1和pk2发送至所述申请终端,所述申请终端解密得到的所述第二目标值为r2,加密得到的所述第二加密结果为e2Specifically, the management terminal reads the second digital certificate of the local end, and sends the first encryption result and the second digital certificate obtained by the step S202 to the application terminal, where the second digital certificate includes The public key of the second digital certificate. When the application terminal receives the first encryption result and the second digital certificate sent by the management terminal, the application terminal performs the first encryption result by using a private key of the first digital certificate of the local end. Decrypting to obtain a second target value, and then the application terminal encrypts the second target value by using a public key of the second digital certificate to obtain a second encryption result. For example, the public key of the second digital certificate is pk 2 , the management terminal sends the first encryption result e 1 and pk 2 to the application terminal, and the second target obtained by the application terminal decrypts The value is r 2 , and the second encrypted result obtained by encryption is e 2 .
其中,所述第二目标值可能与所述第一目标值相同,也可能不相同,当所述管理终端在发送所述第一加密结果和所述第二数字证书的过程中没有受到外界攻击时,所述第二目标值与所述第一目标值相同,否则所述申请终端解密得到的所述第二目标值与所述第一目标值为不同的数值。由于所述第一加密结果是由所述第一数字证书的公钥加密得到,而所述第二加密结果是由所述第二数字证书的公钥加密得到,公钥不同,因此所述第二加密结果与所述第一加密结果不相同,即使在所述第二目标值与所述第一目标值相同的情况下,所述第二加密结果与所述第一加密结果也不相同。The second target value may be the same as the first target value, or may be different. When the management terminal sends the first encryption result and the second digital certificate, it is not attacked by the outside world. And the second target value is the same as the first target value, otherwise the second target value obtained by the application terminal decryption is different from the first target value. Since the first encryption result is obtained by encrypting the public key of the first digital certificate, and the second encryption result is obtained by encrypting the public key of the second digital certificate, the public key is different, so the first The second encryption result is different from the first encryption result, and the second encryption result is different from the first encryption result even if the second target value is the same as the first target value.
S204,所述管理终端获取所述申请终端发送的第二加密结果。S204. The management terminal acquires a second encryption result sent by the application terminal.
具体的,所述申请终端将采用所述第二数字证书的公钥加密的所述第二加密结果发送至所述管理终端,所述管理终端获取所述申请终端发送的第二加密结果。Specifically, the application terminal sends the second encryption result encrypted by using the public key of the second digital certificate to the management terminal, and the management terminal acquires a second encryption result sent by the application terminal.
S205,所述管理终端读取所述第二数字证书的私钥,并采用所述第二数字证书的私钥对所述第二加密结果进行解密得到第三目标值。S205. The management terminal reads the private key of the second digital certificate, and decrypts the second encryption result by using a private key of the second digital certificate to obtain a third target value.
具体的,针对采用某个数字证书公钥加密的结果只能用该数字证书的私钥才能解密,因此所述管理终端读取所述第二数字证书的私钥,并采用所述第二数字证书的私钥对所述第二加密结果进行结果得到第三目标值。例如,所述管理终端对所述第二加密结果e2进行解密得到所述第三目标值为r3Specifically, the result of encrypting with a digital certificate public key can only be decrypted by using the private key of the digital certificate, so the management terminal reads the private key of the second digital certificate, and uses the second number. The private key of the certificate results in the second encryption result to obtain a third target value. For example, the management terminal decrypts the second encryption result e 2 to obtain the third target value r 3 .
其中,所述第三目标值与所述第二目标值可能相同,可能不相同,当所述申请终端在发送所述第二加密结果的过程中没有受到外界攻击时,所述第三目标值与所述第二目标值相同,否则所述管理终端解密得到的所述第三目标值与 所述第二目标值不相同。因此,当所述管理终端与所述申请终端之间的无线信道没有收到外界攻击时,所述第一目标值与所述第三目标值相同。The third target value may be the same as the second target value, and may be different. When the application terminal is not attacked by the outside world in sending the second encryption result, the third target value Same as the second target value, otherwise the third target value obtained by the management terminal decrypting The second target value is not the same. Therefore, when the wireless channel between the management terminal and the application terminal does not receive an external attack, the first target value is the same as the third target value.
S206,当所述第三目标值与所述第一目标值相同时通过对所述申请终端的认证。S206. Pass the authentication of the application terminal when the third target value is the same as the first target value.
具体的,当所述第三目标值与所述第一目标值相同时,可以理解的是所述管理终端与所述申请终端之间的无线信道没有受到外界的攻击,所述管理终端通过对所述申请终端的认证,将所述申请终端加入所述群组,并通知所述申请终端申请成功,可以参与所述群组之间的通信。Specifically, when the third target value is the same as the first target value, it may be understood that the wireless channel between the management terminal and the application terminal is not attacked by the outside, and the management terminal passes the The authentication of the application terminal adds the application terminal to the group, and notifies the application terminal that the application is successful, and can participate in communication between the groups.
在本发明实施例中,通过在管理终端接收到申请终端发送的携带有第一数字证书的申请加入群组消息时,管理终端根据第一数字证书对第一目标值进行加密得到第一加密结果,然后管理终端将第一加密结果和管理终端的第二数字证书发送至申请终端,申请终端对第一加密结果进行解密得到第二目标值并根据第二数字证书对第二目标值进行加密得到第二加密结果,申请终端将第二加密结果发送至管理终端,管理终端对第二加密结果进行解密得到第三目标值,当第三目标值与第一目标值相同时通过对申请终端的认证,实现管理终端根据加密解密结果完成对申请终端的认证过程,提高认证过程的安全性。In the embodiment of the present invention, when the management terminal receives the application that carries the first digital certificate and sends the group message, the management terminal encrypts the first target value according to the first digital certificate to obtain the first encryption result. And then the management terminal sends the first encryption result and the second digital certificate of the management terminal to the application terminal, and the application terminal decrypts the first encryption result to obtain a second target value, and encrypts the second target value according to the second digital certificate. The second encryption result is that the application terminal sends the second encryption result to the management terminal, the management terminal decrypts the second encryption result to obtain a third target value, and the third terminal value is the same as the first target value, and the authentication is performed on the application terminal. The management terminal completes the authentication process of the application terminal according to the encryption and decryption result, and improves the security of the authentication process.
请参见图3,为本发明实施例提供的又一种终端认证方法的流程示意图,该方法可包括步骤S301-步骤S303。FIG. 3 is a schematic flowchart of still another method for authenticating a terminal according to an embodiment of the present invention. The method may include steps S301 to S303.
S301,申请终端发送携带本端的第一数字证书的申请加入群组消息至管理终端,以使所述管理终端根据所述第一数字证书对第一目标值进行加密得到第一加密结果。S301. The application terminal sends an application requesting the first digital certificate of the local end to join the group message to the management terminal, so that the management terminal encrypts the first target value according to the first digital certificate to obtain a first encryption result.
具体的,申请终端想要加入管理终端所创建的群组,需向所述管理终端发送申请加入群组消息,并将本端的第一数字证书一同发送至所述管理终端。所述管理终端在接收到所述申请加入群组消息时,先检验所述第一数字证书的数字签名是否正确,当所述第一数字证书的数字签名正确时,所述管理终端获取所述第一数字证书的公钥,并采用所述第一数字证书的公钥对第一目标值进行加密得到第一加密结果。其中,所述第一目标值由所述管理终端任意选择的一个值。例如,所述第一目标值为r1,所述第一数字证书的公钥为pk1,所述管 理终端加密得到的所述第一加密结果为e1Specifically, the application terminal wants to join the group created by the management terminal, and sends an application to join the group message to the management terminal, and sends the first digital certificate of the local end to the management terminal. When receiving the application to join the group message, the management terminal first checks whether the digital signature of the first digital certificate is correct. When the digital signature of the first digital certificate is correct, the management terminal acquires the The public key of the first digital certificate, and encrypting the first target value by using the public key of the first digital certificate to obtain a first encryption result. The first target value is a value arbitrarily selected by the management terminal. For example, the first target value is r 1 , the public key of the first digital certificate is pk 1 , and the first encryption result obtained by the management terminal is e 1 .
S302,所述申请终端接收所述管理终端发送的所述第一加密结果和所述管理终端的第二数字证书,并对所述第一加密结果进行解密得到第二目标值以及根据所述第二数字证书对所述第二目标值进行加密得到第二加密结果。S302. The application terminal receives the first encryption result sent by the management terminal and the second digital certificate of the management terminal, and decrypts the first encryption result to obtain a second target value and according to the first The second digital certificate encrypts the second target value to obtain a second encrypted result.
具体的,所述申请终端接收所述管理终端发送的所述第一加密结果和所述管理终端的第二数字证书。所述申请终端读取所述第一数字证书的私钥,并采用所述第一数字证书的私钥对所述第一加密结果进行解密得到所述第二目标值。所述申请终端获取所述第二数字证书的公钥,并采用所述第二数字证书的公钥对所述第二目标值进行加密得到第二加密结果。例如,所述第二数字证书的公钥为pk2,所述申请终端接收所述管理终端发送的所述第一加密结果e1和pk2,所述申请终端20解密得到的所述第二目标值为r2,加密得到的所述第二加密结果为e2Specifically, the application terminal receives the first encryption result sent by the management terminal and the second digital certificate of the management terminal. The application terminal reads the private key of the first digital certificate, and decrypts the first encryption result by using the private key of the first digital certificate to obtain the second target value. The application terminal acquires the public key of the second digital certificate, and encrypts the second target value by using the public key of the second digital certificate to obtain a second encryption result. For example, the public key of the second digital certificate is pk 2 , the application terminal receives the first encryption result e 1 and pk 2 sent by the management terminal, and the second obtained by the application terminal 20 decrypts The target value is r 2 , and the second encrypted result obtained by encryption is e 2 .
其中,所述第二目标值可能与所述第一目标值相同,也可能不相同,当所述管理终端在发送所述第一加密结果和所述第二数字证书的过程中没有受到外界攻击时,所述第二目标值与所述第一目标值相同,否则所述申请终端解密得到的所述第二目标值与所述第一目标值为不同的数值。由于所述第一加密结果是由所述第一数字证书的公钥加密得到,而所述第二加密结果是由所述第二数字证书的公钥加密得到,公钥不同,因此所述第二加密结果与所述第一加密结果不相同,即使在所述第二目标值与所述第一目标值相同的情况下,所述第二加密结果与所述第一加密结果也不相同。The second target value may be the same as the first target value, or may be different. When the management terminal sends the first encryption result and the second digital certificate, it is not attacked by the outside world. And the second target value is the same as the first target value, otherwise the second target value obtained by the application terminal decryption is different from the first target value. Since the first encryption result is obtained by encrypting the public key of the first digital certificate, and the second encryption result is obtained by encrypting the public key of the second digital certificate, the public key is different, so the first The second encryption result is different from the first encryption result, and the second encryption result is different from the first encryption result even if the second target value is the same as the first target value.
S303,所述申请终端将所述第二加密结果发送至所述管理终端,以使所述管理终端对所述第二加密结果进行解密得到第三目标值,并在所述第三目标值与所述第一目标值相同时通过对本端的认证。S303. The application terminal sends the second encryption result to the management terminal, so that the management terminal decrypts the second encryption result to obtain a third target value, and the third target value is When the first target value is the same, the authentication of the local end is performed.
具体的,所述申请终端将所述第二加密结果发送至所述管理终端,所述管理终端在接收到所述第二加密结果时便会采用所述第二数字证书的私钥对所述第二加密结果进行解密得到第三目标值,并判断所述第三目标值与所述第一目标值是否相同,在所述第三目标值与所述第一目标值相同时通过对所述申请终端的认证。其中,所述第三目标值与所述第二目标值可能相同,可能不相同,当所述申请终端在发送所述第二加密结果的过程中没有受到外界攻击时,所述 第三目标值与所述第二目标值相同,否则所述管理终端解密得到的所述第三目标值与所述第二目标值不相同。因此,当所述管理终端与所述申请终端之间的无线信道没有收到外界攻击时,所述第一目标值与所述第三目标值相同。Specifically, the application terminal sends the second encryption result to the management terminal, and the management terminal uses the private key pair of the second digital certificate when receiving the second encryption result. Decrypting the second encryption result to obtain a third target value, and determining whether the third target value is the same as the first target value, and when the third target value is the same as the first target value, Apply for terminal certification. The third target value may be the same as the second target value, and may be different. When the application terminal is not attacked by the outside world during the process of sending the second encryption result, The third target value is the same as the second target value, otherwise the third target value obtained by the management terminal decryption is not the same as the second target value. Therefore, when the wireless channel between the management terminal and the application terminal does not receive an external attack, the first target value is the same as the third target value.
在本发明实施例中,申请终端通过发送携带本端的第一数字证书的申请加入群组消息至管理终端,管理终端根据第一数字证书对第一目标值进行加密得到第一加密结果,申请终端接收管理终端发送的第一加密结果和管理终端的第二数字证书,并对第一加密结果进行解密得到第二目标值以及根据第二数字证书对第二目标值进行加密得到第二加密结果,中请终端将第二加密结果发送至管理终端,管理终端对第二加密结果进行解密得到第三目标值,并在第三目标值与第一目标值相同时通过对申请终端的认证,实现管理终端对申请终端的认证过程,并提高认证过程的安全性。In the embodiment of the present invention, the application terminal joins the group message to the management terminal by sending an application for carrying the first digital certificate of the local end, and the management terminal encrypts the first target value according to the first digital certificate to obtain the first encryption result, and applies for the terminal. Receiving a first encryption result sent by the management terminal and a second digital certificate of the management terminal, decrypting the first encryption result to obtain a second target value, and encrypting the second target value according to the second digital certificate to obtain a second encryption result, The terminal sends the second encryption result to the management terminal, and the management terminal decrypts the second encryption result to obtain a third target value, and implements management by authenticating the application terminal when the third target value is the same as the first target value. The terminal authenticates the application terminal and improves the security of the authentication process.
请参见图4,为本发明实施例提供的又一种终端认证方法的流程示意图,该方法可包括步骤S401-步骤S405。FIG. 4 is a schematic flowchart of still another method for authenticating a terminal according to an embodiment of the present invention. The method may include steps S401 to S405.
S401,申请终端发送携带本端的第一数字证书的中请加入群组消息至管理终端,以使所述管理终端根据所述第一数字证书对第一目标值进行加密得到第一加密结果。S401. The application terminal sends a group message to the management terminal to send the first digital certificate of the local end, so that the management terminal encrypts the first target value according to the first digital certificate to obtain a first encryption result.
具体的,申请终端想要加入管理终端所创建的群组,需向所述管理终端发送申请加入群组消息,并将本端的第一数字证书一同发送至所述管理终端。所述管理终端在接收到所述申请加入群组消息时,先检验所述第一数字证书的数字签名是否正确,当所述第一数字证书的数字签名正确时,所述管理终端获取所述第一数字证书的公钥,并采用所述第一数字证书的公钥对第一目标值进行加密得到第一加密结果。其中,所述第一目标值由所述管理终端任意选择的一个值。例如,所述第一目标值为r1,所述第一数字证书的公钥为pk1,所述管理终端加密得到的所述第一加密结果为e1Specifically, the application terminal wants to join the group created by the management terminal, and sends an application to join the group message to the management terminal, and sends the first digital certificate of the local end to the management terminal. When receiving the application to join the group message, the management terminal first checks whether the digital signature of the first digital certificate is correct. When the digital signature of the first digital certificate is correct, the management terminal acquires the The public key of the first digital certificate, and encrypting the first target value by using the public key of the first digital certificate to obtain a first encryption result. The first target value is a value arbitrarily selected by the management terminal. For example, the first target value is r 1 , the public key of the first digital certificate is pk 1 , and the first encryption result obtained by the management terminal is e 1 .
S402,所述申请终端接收所述管理终端发送的所述第一加密结果和所述管理终端的第二数字证书。S402. The application terminal receives the first encryption result sent by the management terminal and a second digital certificate of the management terminal.
S403,所述申请终端读取所述第一数字证书的私钥,并采用所述第一数字证书的私钥对所述第一加密结果进行解密得到所述第二目标值。 S403. The application terminal reads a private key of the first digital certificate, and decrypts the first encryption result by using a private key of the first digital certificate to obtain the second target value.
其中,所述第二目标值可能与所述第一目标值相同,也可能不相同,当所述管理终端在发送所述第一加密结果和所述第二数字证书的过程中没有受到外界攻击时,所述第二目标值与所述第一目标值相同,否则所述申请终端解密得到的所述第二目标值与所述第一目标值为不同的数值。The second target value may be the same as the first target value, or may be different. When the management terminal sends the first encryption result and the second digital certificate, it is not attacked by the outside world. And the second target value is the same as the first target value, otherwise the second target value obtained by the application terminal decryption is different from the first target value.
S404,所述申请终端获取所述第二数字证书的公钥,并采用所述第二数字证书的公钥对所述第二目标值进行加密得到第二加密结果。S404. The application terminal acquires a public key of the second digital certificate, and encrypts the second target value by using a public key of the second digital certificate to obtain a second encryption result.
具体的,所述申请终端获取所述第二数字证书的公钥,并采用所述第二数字证书的公钥对所述第二目标值进行加密得到第二加密结果。由于所述第一加密结果是由所述第一数字证书的公钥加密得到,而所述第二加密结果是由所述第二数字证书的公钥加密得到,公钥不同,因此所述第二加密结果与所述第一加密结果不相同,即使在所述第二目标值与所述第一目标值相同的情况下,所述第二加密结果与所述第一加密结果也不相同。Specifically, the application terminal acquires a public key of the second digital certificate, and encrypts the second target value by using a public key of the second digital certificate to obtain a second encryption result. Since the first encryption result is obtained by encrypting the public key of the first digital certificate, and the second encryption result is obtained by encrypting the public key of the second digital certificate, the public key is different, so the first The second encryption result is different from the first encryption result, and the second encryption result is different from the first encryption result even if the second target value is the same as the first target value.
S405,所述申请终端将所述第二加密结果发送至所述管理终端,以使所述管理终端对所述第二加密结果进行解密得到第三目标值,并在所述第三目标值与所述第一目标值相同时通过对本端的认证。S405. The application terminal sends the second encryption result to the management terminal, so that the management terminal decrypts the second encryption result to obtain a third target value, and the third target value is When the first target value is the same, the authentication of the local end is performed.
具体的,所述申请终端将所述第二加密结果发送至所述管理终端,所述管理终端在接收到所述第二加密结果时便会采用所述第二数字证书的私钥对所述第二加密结果进行解密得到第三目标值,并判断所述第三目标值与所述第一目标值是否相同,在所述第三目标值与所述第一目标值相同时通过对所述申请终端的认证。其中,所述第三目标值与所述第二目标值可能相同,可能不相同,当所述申请终端在发送所述第二加密结果的过程中没有受到外界攻击时,所述第三目标值与所述第二目标值相同,否则所述管理终端解密得到的所述第三目标值与所述第二目标值不相同。因此,当所述管理终端与所述申请终端之间的无线信道没有收到外界攻击时,所述第一目标值与所述第三目标值相同。Specifically, the application terminal sends the second encryption result to the management terminal, and the management terminal uses the private key pair of the second digital certificate when receiving the second encryption result. Decrypting the second encryption result to obtain a third target value, and determining whether the third target value is the same as the first target value, and when the third target value is the same as the first target value, Apply for terminal certification. The third target value may be the same as the second target value, and may be different. When the application terminal is not attacked by the outside world in sending the second encryption result, the third target value Same as the second target value, otherwise the third target value obtained by the management terminal decryption is not the same as the second target value. Therefore, when the wireless channel between the management terminal and the application terminal does not receive an external attack, the first target value is the same as the third target value.
在本发明实施例中,申请终端通过发送携带本端的第一数字证书的申请加入群组消息至管理终端,管理终端根据第一数字证书对第一目标值进行加密得到第一加密结果,申请终端接收管理终端发送的第一加密结果和管理终端的第二数字证书,并对第一加密结果进行解密得到第二目标值以及根据第二数字证书对第二目标值进行加密得到第二加密结果,申请终端将第二加密结果发送至 管理终端,管理终端对第二加密结果进行解密得到第三目标值,并在第三目标值与第一目标值相同时通过对申请终端的认证,实现管理终端对申请终端的认证过程,并提高认证过程的安全性。In the embodiment of the present invention, the application terminal joins the group message to the management terminal by sending an application for carrying the first digital certificate of the local end, and the management terminal encrypts the first target value according to the first digital certificate to obtain the first encryption result, and applies for the terminal. Receiving a first encryption result sent by the management terminal and a second digital certificate of the management terminal, decrypting the first encryption result to obtain a second target value, and encrypting the second target value according to the second digital certificate to obtain a second encryption result, The application terminal sends the second encryption result to The management terminal decrypts the second encryption result to obtain a third target value, and authenticates the application terminal when the third target value is the same as the first target value, thereby implementing the authentication process of the management terminal to the application terminal, and improving The security of the certification process.
下面将结合附图5-附图7对本发明实施例提供的管理终端进行详细介绍。需要说明的是,附图5-附图7所示的管理终端,用于执行本发明图1和图2所示实施例的方法,为了便于说明,仅示出了与本发明实施例相关的部分,具体技术细节未揭示的,请参照本发明图1和图2所示的实施例。The management terminal provided by the embodiment of the present invention will be described in detail below with reference to FIG. 5 to FIG. It should be noted that the management terminal shown in FIG. 5 to FIG. 7 is used to perform the method of the embodiment shown in FIG. 1 and FIG. 2 of the present invention. For the convenience of description, only the embodiments related to the embodiment of the present invention are shown. In part, specific technical details are not disclosed, please refer to the embodiment shown in FIG. 1 and FIG. 2 of the present invention.
请参见图5,为本发明提供的一种管理终端的结构示意图;该管理终端10可包括:加密单元101、发送单元102和解密单元103。FIG. 5 is a schematic structural diagram of a management terminal according to the present invention. The management terminal 10 may include an encryption unit 101, a sending unit 102, and a decryption unit 103.
加密单元101,用于当管理终端接收到申请终端发送的携带有第一数字证书的申请加入群组消息时,根据所述第一数字证书对第一目标值进行加密得到第一加密结果。The encryption unit 101 is configured to: when the management terminal receives the application to join the group message that is sent by the application terminal and carries the first digital certificate, encrypt the first target value according to the first digital certificate to obtain the first encryption result.
具体实现中,当所述管理终端10与申请终端使用同一无线信道频率时,所述管理终端10可接收所述申请终端发送的申请加入群组消息,所述申请加入群组消息携带有第一数字证书,所述第一数字证书为所述申请终端的数字证书,数字证书是一个经证书授权中心数字签名的包含公开密钥拥有者信息以及公开密钥的文件。最简单的证书包含一个公开密钥、名称以及证书授权中心的数字签名。数字证书采用公钥体制,即利用一对互相匹配的密钥进行加密、解密。In a specific implementation, when the management terminal 10 and the application terminal use the same radio channel frequency, the management terminal 10 may receive an application joining group message sent by the application terminal, where the application joining group message carries the first And a digital certificate, wherein the first digital certificate is a digital certificate of the application terminal, and the digital certificate is a file that is digitally signed by the certificate authority and includes public key owner information and a public key. The simplest certificate contains a public key, a name, and a digital signature from the certificate authority. The digital certificate adopts a public key system, that is, a pair of mutually matching keys are used for encryption and decryption.
当所述管理终端10接收到申请终端发送的携带有第一数字证书的申请加入群组消息时,所述加密单元101根据所述第一数字证书对第一目标值进行加密得到第一加密结果。When the management terminal 10 receives the application that is sent by the application terminal and carries the first digital certificate to join the group message, the encryption unit 101 encrypts the first target value according to the first digital certificate to obtain the first encryption result. .
请参见图6,为图5所示实施例提供的加密单元的结构示意图;所述加密单元101可包括检验单元1011和第一加密单元1012。Referring to FIG. 6, a schematic structural diagram of an encryption unit provided in the embodiment shown in FIG. 5; the encryption unit 101 may include a verification unit 1011 and a first encryption unit 1012.
检验单元1011,用于当管理终端接收到申请终端发送的携带有第一数字证书的中请加入群组消息时,检验所述第一数字证书的数字签名是否正确。The checking unit 1011 is configured to check whether the digital signature of the first digital certificate is correct when the management terminal receives the group message that is sent by the application terminal and carries the first digital certificate.
具体实现中,当所述管理终端10接收到所述申请加入群组消息时,所述检验单元1011先检验所述第一数字证书的数字签名是否正确,当所述第一数 字证书的数字签名正确时,所述管理终端才能进行后续的认证过程;当所述第一数字证书的数字签名错误时,所述管理终端拒绝所述申请终端加入所述群组。In a specific implementation, when the management terminal 10 receives the application joining group message, the checking unit 1011 first checks whether the digital signature of the first digital certificate is correct, when the first number is When the digital signature of the word certificate is correct, the management terminal can perform the subsequent authentication process; when the digital signature of the first digital certificate is incorrect, the management terminal rejects the application terminal to join the group.
第一加密单元1012,用于当所述第一数字证书的数字签名正确时,获取所述第一数字证书的公钥,并采用所述第一数字证书的公钥对第一目标值进行加密得到第一加密结果。a first encryption unit 1012, configured to acquire a public key of the first digital certificate when the digital signature of the first digital certificate is correct, and encrypt the first target value by using a public key of the first digital certificate The first encrypted result is obtained.
具体实现中,当所述第一数字证书的数字签名正确时,可以理解的是所述第一数字证书为所述申请终端的合法数字证书,因此所述第一加密单元1012获取所述第一数字证书的公钥,并采用所述第一数字证书的公钥对第一目标值进行加密得到第一加密结果。其中,所述第一目标值由所述管理终端10任意选择的一个值。例如,所述第一目标值为r1,所述第一数字证书的公钥为pk1,所述第一加密单元1012加密得到的所述第一加密结果为e1In a specific implementation, when the digital signature of the first digital certificate is correct, it can be understood that the first digital certificate is a legal digital certificate of the application terminal, and therefore the first encryption unit 1012 obtains the first The public key of the digital certificate, and encrypting the first target value by using the public key of the first digital certificate to obtain a first encryption result. The first target value is a value arbitrarily selected by the management terminal 10. For example, the first target value is r 1 , the public key of the first digital certificate is pk 1 , and the first encryption result obtained by the first encryption unit 1012 is e 1 .
发送单元102,用于将所述第一加密结果和本端的第二数字证书发送至所述申请终端,以使所述申请终端对所述第一加密结果进行解密得到第二目标值,并根据所述第二数字证书对所述第二目标值进行加密得到第二加密结果。The sending unit 102 is configured to send the first encryption result and the second digital certificate of the local end to the application terminal, so that the application terminal decrypts the first encryption result to obtain a second target value, and according to The second digital certificate encrypts the second target value to obtain a second encryption result.
具体实现中,所述发送单元102读取本端的第二数字证书,并将所述第一加密单元1012加密得到的所述第一加密结果和所述第二数字证书发送至所述申请终端,所述第二数字证书包括所述第二数字证书的公钥。所述申请终端在接收到所述发送单元102发送的所述第一加密结果和所述第二数字证书时,所述申请终端采用本端的第一数字证书的私钥对所述第一加密结果进行解密得到第二目标值,然后所述申请终端采用所述第二数字证书的公钥对所述第二目标值进行加密得到第二加密结果。例如,所述第二数字证书的公钥为pk2,所述发送单元102将所述第一加密结果e1和pk2发送至所述申请终端,所述申请终端解密得到的所述第二目标值为r2,加密得到的所述第二加密结果为e2In a specific implementation, the sending unit 102 reads the second digital certificate of the local end, and sends the first encryption result and the second digital certificate encrypted by the first encryption unit 1012 to the application terminal. The second digital certificate includes a public key of the second digital certificate. When the application terminal receives the first encryption result and the second digital certificate sent by the sending unit 102, the application terminal uses the private key of the first digital certificate of the local end to the first encryption result. Decrypting to obtain a second target value, and then the application terminal encrypts the second target value by using a public key of the second digital certificate to obtain a second encryption result. For example, the public key of the second digital certificate is pk 2 , the sending unit 102 sends the first encryption result e 1 and pk 2 to the application terminal, and the second obtained by the application terminal decrypts The target value is r 2 , and the second encrypted result obtained by encryption is e 2 .
其中,所述第二目标值可能与所述第一目标值相同,也可能不相同,当所述发送单元102在发送所述第一加密结果和所述第二数字证书的过程中没有受到外界攻击时,所述第二目标值与所述第一目标值相同,否则所述申请终端解密得到的所述第二目标值与所述第一目标值为不同的数值。由于所述第一加密结果是由所述第一数字证书的公钥加密得到,而所述第二加密结果是由所述 第二数字证书的公钥加密得到,公钥不同,因此所述第二加密结果与所述第一加密结果不相同,即使在所述第二目标值与所述第一目标值相同的情况下,所述第二加密结果与所述第一加密结果也不相同。The second target value may be the same as the first target value, or may be different. When the sending unit 102 is not in the process of transmitting the first encryption result and the second digital certificate, When the attack is performed, the second target value is the same as the first target value, otherwise the second target value obtained by the application terminal decryption is different from the first target value. Since the first encryption result is obtained by encrypting a public key of the first digital certificate, and the second encryption result is by the The public key of the second digital certificate is encrypted, and the public key is different, so the second encryption result is different from the first encryption result, even if the second target value is the same as the first target value. The second encryption result is also different from the first encryption result.
解密单元103,用于获取所述申请终端发送的所述第二加密结果,并对所述第二加密结果进行解密得到第三目标值,并在所述第三目标值与所述第一目标值相同时通过对所述申请终端的认证。The decrypting unit 103 is configured to acquire the second encryption result sent by the application terminal, and decrypt the second encryption result to obtain a third target value, and the third target value and the first target The authentication of the application terminal is made when the values are the same.
具体实现中,所述解密单元103获取所述申请终端发送的所述第二加密结果,并对所述第二加密结果进行解密得到第三目标值,并在所述第三目标值与所述第一目标值相同时通过对所述申请终端的认证。In a specific implementation, the decryption unit 103 acquires the second encryption result sent by the application terminal, and decrypts the second encryption result to obtain a third target value, and the third target value and the The authentication of the application terminal is performed when the first target value is the same.
请参见图7,为图5所示实施例提供的解密单元的结构示意图;所述解密单元103可包括获取单元1031、第一解密单元1032和认证单元1033。Referring to FIG. 7, a schematic structural diagram of a decryption unit provided in the embodiment shown in FIG. 5; the decryption unit 103 may include an obtaining unit 1031, a first decryption unit 1032, and an authentication unit 1033.
获取单元1031,用于获取所述申请终端发送的第二加密结果。The obtaining unit 1031 is configured to obtain a second encryption result sent by the application terminal.
具体实现中,所述申请终端将采用所述第二数字证书的公钥加密的所述第二加密结果发送至所述管理终端,所述获取单元1031获取所述中请终端发送的第二加密结果。In a specific implementation, the application terminal sends the second encryption result encrypted by using the public key of the second digital certificate to the management terminal, and the obtaining unit 1031 acquires the second encryption sent by the middle requesting terminal. result.
第一解密单元1032,用于读取所述第二数字证书的私钥,并采用所述第二数字证书的私钥对所述第二加密结果进行解密得到第三目标值。The first decryption unit 1032 is configured to read a private key of the second digital certificate, and decrypt the second encryption result by using a private key of the second digital certificate to obtain a third target value.
具体实现中,针对采用某个数字证书公钥加密的结果只能用该数字证书的私钥才能解密,因此所述第一解密单元1032读取所述第二数字证书的私钥,并采用所述第二数字证书的私钥对所述第二加密结果进行结果得到第三目标值。例如,所述第一解密单元1032对所述第二加密结果e2进行解密得到所述第三目标值为r3In a specific implementation, the result of encrypting with a digital certificate public key can only be decrypted by using the private key of the digital certificate, so the first decryption unit 1032 reads the private key of the second digital certificate, and adopts the The private key of the second digital certificate results in the second encryption result to obtain a third target value. For example, the first decryption unit 1032 decrypts the second encryption result e 2 to obtain the third target value r 3 .
其中,所述第三目标值与所述第二目标值可能相同,可能不相同,当所述申请终端在发送所述第二加密结果的过程中没有受到外界攻击时,所述第三目标值与所述第二目标值相同,否则所述第一解密单元1032解密得到的所述第三目标值与所述第二目标值不相同。因此,当所述管理终端与所述申请终端之间的无线信道没有收到外界攻击时,所述第一目标值与所述第三目标值相同。The third target value may be the same as the second target value, and may be different. When the application terminal is not attacked by the outside world in sending the second encryption result, the third target value Same as the second target value, otherwise the third target value obtained by the first decryption unit 1032 is not the same as the second target value. Therefore, when the wireless channel between the management terminal and the application terminal does not receive an external attack, the first target value is the same as the third target value.
认证单元1033,用于当所述第三目标值与所述第一目标值相同时通过对所述申请终端的认证。 The authentication unit 1033 is configured to authenticate the application terminal when the third target value is the same as the first target value.
具体实现中,当所述第三目标值与所述第一目标值相同时,可以理解的是所述管理终端与所述申请终端之间的无线信道没有受到外界的攻击,所述认证单元1033通过对所述申请终端的认证,将所述申请终端加入所述群组,并通知所述申请终端申请成功,可以参与所述群组之间的通信。In a specific implementation, when the third target value is the same as the first target value, it can be understood that the wireless channel between the management terminal and the application terminal is not attacked by the outside world, and the authentication unit 1033 The application terminal is added to the group by the authentication of the application terminal, and the application terminal is notified that the application is successful, and the communication between the groups may be participated.
在本发明实施例中,通过在管理终端接收到申请终端发送的携带有第一数字证书的申请加入群组消息时,管理终端根据第一数字证书对第一目标值进行加密得到第一加密结果,然后管理终端将第一加密结果和管理终端的第二数字证书发送至申请终端,申请终端对第一加密结果进行解密得到第二目标值并根据第二数字证书对第二目标值进行加密得到第二加密结果,申请终端将第二加密结果发送至管理终端,管理终端对第二加密结果进行解密得到第三目标值,当第三目标值与第一目标值相同时通过对申请终端的认证,实现管理终端根据加密解密结果完成对申请终端的认证过程,提高认证过程的安全性。In the embodiment of the present invention, when the management terminal receives the application that carries the first digital certificate and sends the group message, the management terminal encrypts the first target value according to the first digital certificate to obtain the first encryption result. And then the management terminal sends the first encryption result and the second digital certificate of the management terminal to the application terminal, and the application terminal decrypts the first encryption result to obtain a second target value, and encrypts the second target value according to the second digital certificate. The second encryption result is that the application terminal sends the second encryption result to the management terminal, the management terminal decrypts the second encryption result to obtain a third target value, and the third terminal value is the same as the first target value, and the authentication is performed on the application terminal. The management terminal completes the authentication process of the application terminal according to the encryption and decryption result, and improves the security of the authentication process.
下面将结合附图8和附图9对本发明实施例提供的申请终端进行详细介绍。需要说明的是,附图8和附图9所示的申请终端,用于执行本发明图3和图4所示实施例的方法,为了便于说明,仅示出了与本发明实施例相关的部分,具体技术细节未揭示的,请参照本发明图3和图4所示的实施例。The application terminal provided by the embodiment of the present invention will be described in detail below with reference to FIG. 8 and FIG. It should be noted that the application terminals shown in FIG. 8 and FIG. 9 are used to perform the method of the embodiment shown in FIG. 3 and FIG. 4 of the present invention. For the convenience of description, only the embodiments related to the embodiments of the present invention are shown. In part, specific technical details are not disclosed, please refer to the embodiment shown in FIG. 3 and FIG. 4 of the present invention.
请参见图8,为本发明提供的一种申请终端的结构示意图;该申请终端20可包括:消息发送单元201、解密加密单元202和结果发送单元203。FIG. 8 is a schematic structural diagram of an application terminal according to the present invention. The application terminal 20 may include: a message sending unit 201, a decryption and encrypting unit 202, and a result sending unit 203.
消息发送单元201,用于发送携带本端的第一数字证书的申请加入群组消息至管理终端,以使所述管理终端根据所述第一数字证书对第一目标值进行加密得到第一加密结果。The message sending unit 201 is configured to send an application that joins the first digital certificate of the local end to the management terminal, so that the management terminal encrypts the first target value according to the first digital certificate to obtain a first encryption result. .
具体实现中,所述申请终端20想要加入管理终端所创建的群组,需所述消息发送单元201向所述管理终端10发送申请加入群组消息,并将本端的第一数字证书一同发送至所述管理终端10。所述管理终端10在接收到所述申请加入群组消息时,先检验所述第一数字证书的数字签名是否正确,当所述第一数字证书的数字签名正确时,所述管理终端获取所述第一数字证书的公钥,并采用所述第一数字证书的公钥对第一目标值进行加密得到第一加密结果。其中,所述第一目标值由所述管理终端任意选择的一个值。例如,所述第一目标 值为r1,所述第一数字证书的公钥为pk1,所述管理终端加密得到的所述第一加密结果为e1In a specific implementation, the application terminal 20 wants to join the group created by the management terminal, and the message sending unit 201 sends an application to join the group message to the management terminal 10, and sends the first digital certificate of the local end together. To the management terminal 10. When receiving the application to join the group message, the management terminal 10 first checks whether the digital signature of the first digital certificate is correct. When the digital signature of the first digital certificate is correct, the management terminal acquires Decoding a public key of the first digital certificate, and encrypting the first target value by using a public key of the first digital certificate to obtain a first encryption result. The first target value is a value arbitrarily selected by the management terminal. For example, the first target value is r 1 , the public key of the first digital certificate is pk 1 , and the first encryption result obtained by the management terminal is e 1 .
解密加密单元202,用于接收所述管理终端发送的所述第一加密结果和所述管理终端的第二数字证书,并对所述第一加密结果进行解密得到第二目标值以及根据所述第二数字证书对所述第二目标值进行加密得到第二加密结果。The decryption encryption unit 202 is configured to receive the first encryption result sent by the management terminal and the second digital certificate of the management terminal, and decrypt the first encryption result to obtain a second target value and according to the The second digital certificate encrypts the second target value to obtain a second encrypted result.
具体实现中,所述解密加密单元202接收所述管理终端发送的所述第一加密结果和所述管理终端的第二数字证书,并对所述第一加密结果进行解密得到第二目标值以及根据所述第二数字证书对所述第二目标值进行加密得到第二加密结果。In a specific implementation, the decryption and encryption unit 202 receives the first encryption result sent by the management terminal and the second digital certificate of the management terminal, and decrypts the first encryption result to obtain a second target value and Encrypting the second target value according to the second digital certificate to obtain a second encryption result.
其中,所述第二目标值可能与所述第一目标值相同,也可能不相同,当所述管理终端10在发送所述第一加密结果和所述第二数字证书的过程中没有受到外界攻击时,所述第二目标值与所述第一目标值相同,否则所述解密加密单元202解密得到的所述第二目标值与所述第一目标值为不同的数值。由于所述第一加密结果是由所述第一数字证书的公钥加密得到,而所述第二加密结果是由所述第二数字证书的公钥加密得到,公钥不同,因此所述第二加密结果与所述第一加密结果不相同,即使在所述第二目标值与所述第一目标值相同的情况下,所述第二加密结果与所述第一加密结果也不相同。The second target value may be the same as the first target value, or may be different. When the management terminal 10 sends the first encryption result and the second digital certificate, the external terminal is not received by the outside world. When attacking, the second target value is the same as the first target value, otherwise the decrypted encryption unit 202 decrypts the obtained second target value and the first target value is a different value. Since the first encryption result is obtained by encrypting the public key of the first digital certificate, and the second encryption result is obtained by encrypting the public key of the second digital certificate, the public key is different, so the first The second encryption result is different from the first encryption result, and the second encryption result is different from the first encryption result even if the second target value is the same as the first target value.
请参见图9,为图8所示实施例提供的解密加密单元的结构示意图;所述解密加密单元202可包括接收单元2021、第二解密单元2022和第二加密单元2023。Referring to FIG. 9, a schematic structural diagram of a decryption encryption unit provided in the embodiment shown in FIG. 8; the decryption encryption unit 202 may include a receiving unit 2021, a second decryption unit 2022, and a second encryption unit 2023.
接收单元2021,用于接收所述管理终端发送的所述第一加密结果和所述管理终端的第二数字证书。The receiving unit 2021 is configured to receive the first encryption result sent by the management terminal and the second digital certificate of the management terminal.
具体实现中,所述接收单元2021接收所述管理终端发送的所述第一加密结果和所述管理终端的第二数字证书。In a specific implementation, the receiving unit 2021 receives the first encryption result sent by the management terminal and the second digital certificate of the management terminal.
第二解密单元2022,用于读取所述第一数字证书的私钥,并采用所述第一数字证书的私钥对所述第一加密结果进行解密得到所述第二目标值。The second decryption unit 2022 is configured to read a private key of the first digital certificate, and decrypt the first encryption result by using a private key of the first digital certificate to obtain the second target value.
具体实现中,所述第二解密单元2022读取所述第一数字证书的私钥,并采用所述第一数字证书的私钥对所述第一加密结果进行解密得到所述第二目标值。例如,所述第一加密结果为e1,所述第二解密单元2022解密得到的所 述第二目标值为r2In a specific implementation, the second decryption unit 2022 reads the private key of the first digital certificate, and decrypts the first encryption result by using the private key of the first digital certificate to obtain the second target value. . For example, the first encryption result is e 1 , and the second target value decrypted by the second decryption unit 2022 is r 2 .
第二加密单元2023,用于获取所述第二数字证书的公钥,并采用所述第二数字证书的公钥对所述第二目标值进行加密得到第二加密结果。The second encryption unit 2023 is configured to obtain a public key of the second digital certificate, and encrypt the second target value by using a public key of the second digital certificate to obtain a second encryption result.
具体实现中,所述第二加密单元2023获取所述第二数字证书的公钥,并采用所述第二数字证书的公钥对所述第二目标值进行加密得到第二加密结果。由于所述第一加密结果是由所述第一数字证书的公钥加密得到,而所述第二加密结果是由所述第二数字证书的公钥加密得到,公钥不同,因此所述第二加密结果与所述第一加密结果不相同,即使在所述第二目标值与所述第一目标值相同的情况下,所述第二加密结果与所述第一加密结果也不相同。In a specific implementation, the second encryption unit 2023 obtains the public key of the second digital certificate, and encrypts the second target value by using the public key of the second digital certificate to obtain a second encryption result. Since the first encryption result is obtained by encrypting the public key of the first digital certificate, and the second encryption result is obtained by encrypting the public key of the second digital certificate, the public key is different, so the first The second encryption result is different from the first encryption result, and the second encryption result is different from the first encryption result even if the second target value is the same as the first target value.
结果发送单元203,用于将所述第二加密结果发送至所述管理终端,以使所述管理终端对所述第二加密结果进行解密得到第三目标值,并在所述第三目标值与所述第一目标值相同时通过对本端的认证。a result sending unit 203, configured to send the second encryption result to the management terminal, so that the management terminal decrypts the second encryption result to obtain a third target value, and at the third target value The authentication of the local end is performed when the first target value is the same.
具体实现中,所述结果发送单元203将所述第二加密结果发送至所述管理终端,所述管理终端10在接收到所述第二加密结果时便会采用所述第二数字证书的私钥对所述第二加密结果进行解密得到第三目标值,并判断所述第三目标值与所述第一目标值是否相同,在所述第三目标值与所述第一目标值相同时通过对所述申请终端20的认证。其中,所述第三目标值与所述第二目标值可能相同,可能不相同,当所述结果发送单元203在发送所述第二加密结果的过程中没有受到外界攻击时,所述第三目标值与所述第二目标值相同,否则所述管理终端10解密得到的所述第三目标值与所述第二目标值不相同。因此,当所述管理终端10与所述申请终端20之间的无线信道没有收到外界攻击时,所述第一目标值与所述第三目标值相同。In a specific implementation, the result sending unit 203 sends the second encryption result to the management terminal, and the management terminal 10 adopts the private of the second digital certificate when receiving the second encryption result. Decrypting the second encryption result to obtain a third target value, and determining whether the third target value is the same as the first target value, when the third target value is the same as the first target value By the authentication of the application terminal 20. The third target value may be the same as the second target value, and may be different. When the result sending unit 203 is not attacked by the outside world in the process of sending the second encryption result, the third The target value is the same as the second target value, otherwise the third target value obtained by the management terminal 10 is not the same as the second target value. Therefore, when the wireless channel between the management terminal 10 and the application terminal 20 does not receive an external attack, the first target value is the same as the third target value.
在本发明实施例中,申请终端通过发送携带本端的第一数字证书的申请加入群组消息至管理终端,管理终端根据第一数字证书对第一目标值进行加密得到第一加密结果,申请终端接收管理终端发送的第一加密结果和管理终端的第二数字证书,并对第一加密结果进行解密得到第二目标值以及根据第二数字证书对第二目标值进行加密得到第二加密结果,申请终端将第二加密结果发送至管理终端,管理终端对第二加密结果进行解密得到第三目标值,并在第三目标值与第一目标值相同时通过对申请终端的认证,实现管理终端对申请终端的认 证过程,并提高认证过程的安全性。In the embodiment of the present invention, the application terminal joins the group message to the management terminal by sending an application for carrying the first digital certificate of the local end, and the management terminal encrypts the first target value according to the first digital certificate to obtain the first encryption result, and applies for the terminal. Receiving a first encryption result sent by the management terminal and a second digital certificate of the management terminal, decrypting the first encryption result to obtain a second target value, and encrypting the second target value according to the second digital certificate to obtain a second encryption result, The application terminal sends the second encryption result to the management terminal, and the management terminal decrypts the second encryption result to obtain a third target value, and implements the management terminal by authenticating the application terminal when the third target value is the same as the first target value. Recognition of the application terminal Certification process and improve the security of the certification process.
本领域普通技术人员可以理解实现上述实施例方法中的全部或部分流程,是可以通过计算机程序来指令相关的硬件来完成,所述的程序可存储于一计算机可读取存储介质中,该程序在执行时,可包括如上述各方法的实施例的流程。其中,所述的存储介质可为磁碟、光盘、只读存储记忆体(Read-Only Memory,ROM)或随机存储记忆体(Random Access Memory,RAM)等。One of ordinary skill in the art can understand that all or part of the process of implementing the foregoing embodiments can be completed by a computer program to instruct related hardware, and the program can be stored in a computer readable storage medium. When executed, the flow of an embodiment of the methods as described above may be included. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), or a random access memory (RAM).
以上所揭露的仅为本发明较佳实施例而已,当然不能以此来限定本发明之权利范围,因此依本发明权利要求所作的等同变化,仍属本发明所涵盖的范围。 The above is only the preferred embodiment of the present invention, and the scope of the present invention is not limited thereto, and thus equivalent changes made in the claims of the present invention are still within the scope of the present invention.

Claims (12)

  1. 一种终端认证方法,其特征在于,包括:A terminal authentication method, comprising:
    当管理终端接收到申请终端发送的携带有第一数字证书的申请加入群组消息时,所述管理终端根据所述第一数字证书对第一目标值进行加密得到第一加密结果;When the management terminal receives the application that is sent by the application terminal and carries the first digital certificate to join the group message, the management terminal encrypts the first target value according to the first digital certificate to obtain the first encryption result;
    所述管理终端将所述第一加密结果和本端的第二数字证书发送至所述申请终端,以使所述申请终端对所述第一加密结果进行解密得到第二目标值,并根据所述第二数字证书对所述第二目标值进行加密得到第二加密结果;The management terminal sends the first encryption result and the second digital certificate of the local end to the application terminal, so that the application terminal decrypts the first encryption result to obtain a second target value, and according to the The second digital certificate encrypts the second target value to obtain a second encryption result;
    所述管理终端获取所述申请终端发送的所述第二加密结果,并对所述第二加密结果进行解密得到第三目标值,并在所述第三目标值与所述第一目标值相同时通过对所述申请终端的认证。The management terminal acquires the second encryption result sent by the application terminal, and decrypts the second encryption result to obtain a third target value, and the third target value is compared with the first target value. At the same time, the authentication of the application terminal is passed.
  2. 根据权利要求1所述的方法,其特征在于,所述当管理终端接收到申请终端发送的携带有第一数字证书的申请加入群组消息时,所述管理终端根据所述第一数字证书对第一目标值进行加密得到第一加密结果,包括:The method according to claim 1, wherein the management terminal receives the group message carrying the first digital certificate sent by the application terminal, and the management terminal according to the first digital certificate pair The first target value is encrypted to obtain the first encrypted result, including:
    当管理终端接收到申请终端发送的携带有第一数字证书的申请加入群组消息时,所述管理终端检验所述第一数字证书的数字签名是否正确;When the management terminal receives the application that is sent by the application terminal and carries the first digital certificate to join the group message, the management terminal checks whether the digital signature of the first digital certificate is correct;
    当所述第一数字证书的数字签名正确时,所述管理终端获取所述第一数字证书的公钥,并采用所述第一数字证书的公钥对第一目标值进行加密得到第一加密结果。When the digital signature of the first digital certificate is correct, the management terminal acquires the public key of the first digital certificate, and encrypts the first target value by using the public key of the first digital certificate to obtain the first encryption. result.
  3. 根据权利要求2所述的方法,其特征在于,所述管理终端将所述第一加密结果和本端的第二数字证书发送至所述申请终端,以使所述申请终端对所述第一加密结果进行解密得到第二目标值,并根据所述第二数字证书对所述第二目标值进行加密得到第二加密结果,具体包括:The method according to claim 2, wherein the management terminal sends the first encryption result and the second digital certificate of the local end to the application terminal, so that the application terminal encrypts the first The result is decrypted to obtain a second target value, and the second target value is encrypted according to the second digital certificate to obtain a second encryption result, which specifically includes:
    所述管理终端读取本端的第二数字证书,并将所述第一加密结果和所述第二数字证书发送至所述申请终端,以使所述申请终端采用所述第一数字证书的私钥对所述第一加密结果进行解密得到第二目标值,并采用所述第二数字证书 的公钥对所述第二目标值进行加密得到第二加密结果。The management terminal reads the second digital certificate of the local end, and sends the first encryption result and the second digital certificate to the application terminal, so that the application terminal adopts the private of the first digital certificate. Decrypting the first encryption result to obtain a second target value, and using the second digital certificate The public key encrypts the second target value to obtain a second encrypted result.
  4. 根据权利要求3所述的方法,其特征在于,所述管理终端获取所述申请终端发送的所述第二加密结果,并对所述第二加密结果进行解密得到第三目标值,并在所述第三目标值与所述第一目标值相同时通过对所述申请终端的认证,包括:The method according to claim 3, wherein the management terminal acquires the second encryption result sent by the application terminal, and decrypts the second encryption result to obtain a third target value, and The authentication of the application terminal when the third target value is the same as the first target value includes:
    所述管理终端获取所述申请终端发送的第二加密结果;The management terminal acquires a second encryption result sent by the application terminal;
    所述管理终端读取所述第二数字证书的私钥,并采用所述第二数字证书的私钥对所述第二加密结果进行解密得到第三目标值;The management terminal reads the private key of the second digital certificate, and decrypts the second encryption result by using the private key of the second digital certificate to obtain a third target value;
    当所述第三目标值与所述第一目标值相同时通过对所述申请终端的认证。The authentication of the application terminal is performed when the third target value is the same as the first target value.
  5. 一种终端认证方法,其特征在于,包括:A terminal authentication method, comprising:
    申请终端发送携带本端的第一数字证书的申请加入群组消息至管理终端,以使所述管理终端根据所述第一数字证书对第一目标值进行加密得到第一加密结果;The application terminal sends an application for carrying the first digital certificate of the local end to join the group message to the management terminal, so that the management terminal encrypts the first target value according to the first digital certificate to obtain a first encryption result;
    所述申请终端接收所述管理终端发送的所述第一加密结果和所述管理终端的第二数字证书,并对所述第一加密结果进行解密得到第二目标值以及根据所述第二数字证书对所述第二目标值进行加密得到第二加密结果;Receiving, by the application terminal, the first encryption result sent by the management terminal and the second digital certificate of the management terminal, and decrypting the first encryption result to obtain a second target value and according to the second number The certificate encrypts the second target value to obtain a second encryption result;
    所述申请终端将所述第二加密结果发送至所述管理终端,以使所述管理终端对所述第二加密结果进行解密得到第三目标值,并在所述第三目标值与所述第一目标值相同时通过对本端的认证。Transmitting, by the application terminal, the second encryption result to the management terminal, so that the management terminal decrypts the second encryption result to obtain a third target value, and the third target value and the When the first target value is the same, the authentication of the local end is passed.
  6. 根据权利要求5所述的方法,其特征在于,所述申请终端接收所述管理终端发送的所述第一加密结果和所述管理终端的第二数字证书,并对所述第一加密结果进行解密得到第二目标值以及根据所述第二数字证书对所述第二目标值进行加密得到第二加密结果,包括:The method according to claim 5, wherein the application terminal receives the first encryption result sent by the management terminal and the second digital certificate of the management terminal, and performs the first encryption result Decrypting to obtain a second target value and encrypting the second target value according to the second digital certificate to obtain a second encryption result, including:
    所述申请终端接收所述管理终端发送的所述第一加密结果和所述管理终端的第二数字证书;The application terminal receives the first encryption result sent by the management terminal and a second digital certificate of the management terminal;
    所述申请终端读取所述第一数字证书的私钥,并采用所述第一数字证书的 私钥对所述第一加密结果进行解密得到所述第二目标值;The application terminal reads a private key of the first digital certificate, and adopts the first digital certificate Decrypting the first encryption result by the private key to obtain the second target value;
    所述申请终端获取所述第二数字证书的公钥,并采用所述第二数字证书的公钥对所述第二目标值进行加密得到第二加密结果。The application terminal acquires the public key of the second digital certificate, and encrypts the second target value by using the public key of the second digital certificate to obtain a second encryption result.
  7. 一种管理终端,其特征在于,包括:A management terminal, comprising:
    加密单元,用于当管理终端接收到申请终端发送的携带有第一数字证书的申请加入群组消息时,根据所述第一数字证书对第一目标值进行加密得到第一加密结果;An encryption unit, configured to: when the management terminal receives the application that is sent by the application terminal and carries the first digital certificate, join the group message, and encrypt the first target value according to the first digital certificate to obtain the first encryption result;
    发送单元,用于将所述第一加密结果和本端的第二数字证书发送至所述申请终端,以使所述申请终端对所述第一加密结果进行解密得到第二目标值,并根据所述第二数字证书对所述第二目标值进行加密得到第二加密结果;a sending unit, configured to send the first encryption result and the second digital certificate of the local end to the application terminal, so that the application terminal decrypts the first encryption result to obtain a second target value, and according to the The second digital certificate encrypts the second target value to obtain a second encryption result;
    解密单元,用于获取所述申请终端发送的所述第二加密结果,并对所述第二加密结果进行解密得到第三目标值,并在所述第三目标值与所述第一目标值相同时通过对所述申请终端的认证。a decrypting unit, configured to acquire the second encryption result sent by the application terminal, and decrypt the second encryption result to obtain a third target value, and the third target value and the first target value The same is true for the authentication of the application terminal.
  8. 根据权利要求7所述的管理终端,其特征在于,所述加密单元包括:The management terminal according to claim 7, wherein the encryption unit comprises:
    检验单元,用于当管理终端接收到申请终端发送的携带有第一数字证书的申请加入群组消息时,检验所述第一数字证书的数字签名是否正确;The checking unit is configured to: when the management terminal receives the application that is sent by the application terminal and carries the first digital certificate to join the group message, check whether the digital signature of the first digital certificate is correct;
    第一加密单元,用于当所述第一数字证书的数字签名正确时,获取所述第一数字证书的公钥,并采用所述第一数字证书的公钥对第一目标值进行加密得到第一加密结果。a first encryption unit, configured to acquire a public key of the first digital certificate when the digital signature of the first digital certificate is correct, and encrypt the first target value by using a public key of the first digital certificate The first encryption result.
  9. 根据权利要求8所述的管理终端,其特征在于,所述发送单元具体用于读取本端的第二数字证书,并将所述第一加密结果和所述第二数字证书发送至所述申请终端,以使所述申请终端采用所述第一数字证书的私钥对所述第一加密结果进行解密得到第二目标值,并采用所述第二数字证书的公钥对所述第二目标值进行加密得到第二加密结果。The management terminal according to claim 8, wherein the sending unit is configured to read a second digital certificate of the local end, and send the first encryption result and the second digital certificate to the application a terminal, so that the application terminal decrypts the first encryption result by using a private key of the first digital certificate to obtain a second target value, and uses the public key of the second digital certificate to the second target The value is encrypted to obtain the second encrypted result.
  10. 根据权利要求9所述的管理终端,其特征在于,所述解密单元包括: The management terminal according to claim 9, wherein the decryption unit comprises:
    获取单元,用于获取所述申请终端发送的第二加密结果;An obtaining unit, configured to acquire a second encryption result sent by the application terminal;
    第一解密单元,用于读取所述第二数字证书的私钥,并采用所述第二数字证书的私钥对所述第二加密结果进行解密得到第三目标值;a first decryption unit, configured to read a private key of the second digital certificate, and decrypt the second encryption result by using a private key of the second digital certificate to obtain a third target value;
    认证单元,用于当所述第三目标值与所述第一目标值相同时通过对所述申请终端的认证。And an authentication unit, configured to authenticate the application terminal when the third target value is the same as the first target value.
  11. 一种申请终端,其特征在于,包括:An application terminal, comprising:
    消息发送单元,用于发送携带本端的第一数字证书的申请加入群组消息至管理终端,以使所述管理终端根据所述第一数字证书对第一目标值进行加密得到第一加密结果;a message sending unit, configured to send an application that joins the first digital certificate of the local end to the management terminal, so that the management terminal encrypts the first target value according to the first digital certificate to obtain a first encryption result;
    解密加密单元,用于接收所述管理终端发送的所述第一加密结果和所述管理终端的第二数字证书,并对所述第一加密结果进行解密得到第二目标值以及根据所述第二数字证书对所述第二目标值进行加密得到第二加密结果;a decryption encryption unit, configured to receive the first encryption result sent by the management terminal and the second digital certificate of the management terminal, and decrypt the first encryption result to obtain a second target value and according to the first The second digital certificate encrypts the second target value to obtain a second encryption result;
    结果发送单元,用于将所述第二加密结果发送至所述管理终端,以使所述管理终端对所述第二加密结果进行解密得到第三目标值,并在所述第三目标值与所述第一目标值相同时通过对本端的认证。a result sending unit, configured to send the second encryption result to the management terminal, so that the management terminal decrypts the second encryption result to obtain a third target value, and at the third target value When the first target value is the same, the authentication of the local end is performed.
  12. 根据权利要求11所述的申请终端,其特征在于,所述解密加密单元包括:The application terminal according to claim 11, wherein the decryption encryption unit comprises:
    接收单元,用于接收所述管理终端发送的所述第一加密结果和所述管理终端的第二数字证书;a receiving unit, configured to receive the first encryption result sent by the management terminal and a second digital certificate of the management terminal;
    第二解密单元,用于读取所述第一数字证书的私钥,并采用所述第一数字证书的私钥对所述第一加密结果进行解密得到所述第二目标值;a second decryption unit, configured to read a private key of the first digital certificate, and decrypt the first encryption result by using a private key of the first digital certificate to obtain the second target value;
    第二加密单元,用于获取所述第二数字证书的公钥,并采用所述第二数字证书的公钥对所述第二目标值进行加密得到第二加密结果。 And a second encryption unit, configured to acquire a public key of the second digital certificate, and encrypt the second target value by using a public key of the second digital certificate to obtain a second encryption result.
PCT/CN2015/082896 2015-05-06 2015-06-30 Terminal authentication method, management terminal and application terminal WO2016176902A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510226966.1A CN105578457B (en) 2015-05-06 2015-05-06 A kind of terminal authentication method, management terminal and application terminal
CN201510226966.1 2015-05-06

Publications (1)

Publication Number Publication Date
WO2016176902A1 true WO2016176902A1 (en) 2016-11-10

Family

ID=55888014

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/082896 WO2016176902A1 (en) 2015-05-06 2015-06-30 Terminal authentication method, management terminal and application terminal

Country Status (2)

Country Link
CN (1) CN105578457B (en)
WO (1) WO2016176902A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106332000B (en) * 2016-08-15 2020-01-10 宇龙计算机通信科技(深圳)有限公司 Terminal position information acquisition method and device
CN110071911A (en) * 2019-03-20 2019-07-30 北京龙鼎源科技股份有限公司 The method and device of information transferring method and device, certificate update

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101090316A (en) * 2006-06-16 2007-12-19 普天信息技术研究院 Identify authorization method between storage card and terminal equipment at off-line state
CN101571979A (en) * 2009-06-15 2009-11-04 北京握奇数据系统有限公司 Smart card, outlets device, system and using method
EP2663051A1 (en) * 2012-05-07 2013-11-13 Industrial Technology Research Institute Authentication system for device-to-device communication and authentication method therefore
CN103905209A (en) * 2014-04-30 2014-07-02 殷爱菡 Mutual authentication method based on NTRUSign passive optical network access

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101192927B (en) * 2006-11-28 2012-07-11 中兴通讯股份有限公司 Authorization based on identity confidentiality and multiple authentication method
CN101442411A (en) * 2008-12-23 2009-05-27 中国科学院计算技术研究所 Identification authentication method between peer-to-peer user nodes in P2P network
CN101562519B (en) * 2009-05-27 2011-11-30 广州杰赛科技股份有限公司 Digital certificate management method of user packet communication network and user terminal for accessing into user packet communication network
CN102036235A (en) * 2009-09-28 2011-04-27 西门子(中国)有限公司 Device and method for identity authentication
CN102480713B (en) * 2010-11-25 2014-05-28 中国移动通信集团河南有限公司 Method, system and device for communication between sink node and mobile communication network
CN102111411A (en) * 2011-01-21 2011-06-29 南京信息工程大学 Method for switching encryption safety data among peer-to-peer user nodes in P2P network
CN102404347A (en) * 2011-12-28 2012-04-04 南京邮电大学 Mobile internet access authentication method based on public key infrastructure
CN103354637B (en) * 2013-07-22 2016-03-02 全渝娟 A kind of internet-of-things terminal M2M communication encrypting method

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101090316A (en) * 2006-06-16 2007-12-19 普天信息技术研究院 Identify authorization method between storage card and terminal equipment at off-line state
CN101571979A (en) * 2009-06-15 2009-11-04 北京握奇数据系统有限公司 Smart card, outlets device, system and using method
EP2663051A1 (en) * 2012-05-07 2013-11-13 Industrial Technology Research Institute Authentication system for device-to-device communication and authentication method therefore
CN103905209A (en) * 2014-04-30 2014-07-02 殷爱菡 Mutual authentication method based on NTRUSign passive optical network access

Also Published As

Publication number Publication date
CN105578457B (en) 2019-04-12
CN105578457A (en) 2016-05-11

Similar Documents

Publication Publication Date Title
US10812969B2 (en) System and method for configuring a wireless device for wireless network access
US10638321B2 (en) Wireless network connection method and apparatus, and storage medium
US10841784B2 (en) Authentication and key agreement in communication network
US10003966B2 (en) Key configuration method and apparatus
KR101350538B1 (en) Enhanced security for direct link communications
US8831224B2 (en) Method and apparatus for secure pairing of mobile devices with vehicles using telematics system
US10567165B2 (en) Secure key transmission protocol without certificates or pre-shared symmetrical keys
KR101490214B1 (en) Systems and methods for encoding exchanges with a set of shared ephemeral key data
WO2017114123A1 (en) Key configuration method and key management center, and network element
US9344455B2 (en) Apparatus and method for sharing a hardware security module interface in a collaborative network
WO2019041802A1 (en) Discovery method and apparatus based on service-oriented architecture
WO2019034014A1 (en) Method and apparatus for access authentication
TW201345217A (en) Identity management with local functionality
CN112640385B (en) non-SI device and SI device for use in SI system and corresponding methods
CN103795966B (en) A kind of security video call implementing method and system based on digital certificate
WO2021120924A1 (en) Method and device for certificate application
CN113556227A (en) Network connection management method and device, computer readable medium and electronic equipment
CN108353279A (en) A kind of authentication method and Verification System
WO2016176902A1 (en) Terminal authentication method, management terminal and application terminal
WO2016003310A1 (en) Bootstrapping a device to a wireless network
CN113543131A (en) Network connection management method and device, computer readable medium and electronic equipment
TWI641271B (en) Access authentication method, UE and access equipment
TW202215813A (en) Electronic device and method for encrypted communication

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15891154

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 11/04/2018)

122 Ep: pct application non-entry in european phase

Ref document number: 15891154

Country of ref document: EP

Kind code of ref document: A1