WO2019129037A1 - 设备认证方法、空中写卡方法及设备认证装置 - Google Patents

设备认证方法、空中写卡方法及设备认证装置 Download PDF

Info

Publication number
WO2019129037A1
WO2019129037A1 PCT/CN2018/123831 CN2018123831W WO2019129037A1 WO 2019129037 A1 WO2019129037 A1 WO 2019129037A1 CN 2018123831 W CN2018123831 W CN 2018123831W WO 2019129037 A1 WO2019129037 A1 WO 2019129037A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
imsi
written
public key
platform
Prior art date
Application number
PCT/CN2018/123831
Other languages
English (en)
French (fr)
Inventor
袁勇
许蓓蓓
王姗姗
袁瑗
Original Assignee
中移(杭州)信息技术有限公司
中国移动通信集团有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中移(杭州)信息技术有限公司, 中国移动通信集团有限公司 filed Critical 中移(杭州)信息技术有限公司
Publication of WO2019129037A1 publication Critical patent/WO2019129037A1/zh

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Definitions

  • the present disclosure relates to the field of wireless communication technologies, and in particular, to a device authentication method, an air card writing method, and a device authentication device.
  • IoT devices such as electricity meters, water meters, smart home devices.
  • the wearable device is constantly appearing and is connected to the carrier network as a terminal.
  • IoT devices Different from terminals such as smartphones in mobile communication networks, in the Internet of Things, IoT devices are generally in an unattended environment, which is vulnerable to attack and destruction. IoT cards containing user identity information are also easily accessible. Deliberate destruction, or stealing for illegal device access, causing device security issues. Therefore, in order to prevent the use of the special card, it is necessary to verify the identity of the IoT device accessing the network and whether the machine card is separated.
  • the identity of the device is generally verified by setting a fixed password or combining the setting password with an authentication method such as an integrated circuit card or a fingerprint. If the password entered by the user matches the password stored in the authentication platform, it is considered to be a legitimate device. It can be seen that the security of the authentication method is low, and the separation of the card cannot be effectively detected, and the integrated circuit card, fingerprint, etc.
  • the combination of the methods of authentication requires the addition of corresponding identification modules or hardware on the IoT device, which increases the cost of authentication.
  • a device authentication method is needed to improve the security of the IoT device authentication and effectively detect the separation of the card.
  • the authentication platform receives the device authentication request sent by the service platform; the device authentication request includes an international mobile subscriber identity (IMSI) and authentication information of the device to be authenticated, and the authentication information is that the device to be authenticated is based on the device private key of the device. Generated;
  • IMSI international mobile subscriber identity
  • the device public key corresponding to each IMSI stored in the authentication platform is stored by the authentication platform after the device that is to be written successfully generates the IMSI.
  • the authentication platform successfully generates an IMSI for the device to be written, including:
  • the authentication platform receives a write card request sent by the device to be written, and the write card request includes a device identifier of the device to be written and a device public key;
  • the authentication platform generates an IMSI for the device to be written according to the device identifier, and sends the IMSI to the device to be written;
  • the authentication platform confirms that the IMSI successfully writes to the device to be written, the IMSI and the device public key are correspondingly stored.
  • the write request is sent by the device to be written by using the public key of the authentication platform to encrypt the device identifier and the device public key;
  • the device is configured to generate an IMSI for the device to be written according to the device identifier, and send the device to the device to be written, including:
  • the authentication platform generates the IMSI for the device to be authenticated according to the device identifier, and encrypts the IMSI by using the device public key, and then sends the IMSI to the device to be written.
  • the authentication platform before the generating, by the authentication platform, the personalized identifier, the device, the
  • the authentication platform confirms that the device to be authenticated has been successfully bound to the user account according to the device identifier.
  • an air card writing method including:
  • the device to be written to the card sends a write request to the authentication platform, where the write request includes the device identifier of the device to be written and the device public key;
  • the device to be written by the card receives the IMSI generated by the authentication platform according to the device identifier, and writes the IMSI to the device;
  • the device to be written to the card sends a write card confirmation request to the authentication platform, where the write card confirmation request includes an IMSI successfully written by the device to be written.
  • the device that writes the card sends a write request to the authentication platform, including:
  • the device to be written to the device encrypts the device identifier and the device public key by using the public key of the authentication platform, and then sends the device identifier to the authentication platform;
  • the device to be written by the device receives the IMSI generated by the authentication platform according to the device identifier, and writes the IMSI to the device, including:
  • the device to be written by the device uses the device private key to decrypt the IMSI encrypted by the authentication platform by using the device public key, and writes the decrypted IMSI to the device.
  • the present disclosure also provides a device authentication device, the device comprising:
  • a transceiver module configured to receive a device authentication request sent by the service platform, where the device authentication request includes an international mobile subscriber identity (IMSI) and authentication information of the device to be authenticated, where the authentication information is that the device to be authenticated according to the Generated by the device private key;
  • IMSI international mobile subscriber identity
  • An authentication module configured to determine, according to the IMSI and a device public key corresponding to each IMSI stored in the device authentication device, a device public key of the device to be authenticated, and verifying according to the device public key of the device to be authenticated Whether the authentication information is valid, and if valid, sending an authentication success message to the service platform.
  • the device public key corresponding to each IMSI stored in the device authentication device is stored by the device authentication device after the device that is to be written to successfully generate the IMSI.
  • the transceiver module is further configured to:
  • the device authentication device further includes a processing module, configured to:
  • the IMSI and the device public key are correspondingly stored.
  • the write request is sent by the device to be written by using the public key of the device authentication device to encrypt the device identifier and the device public key;
  • the processing module is specifically configured to:
  • processing module is further configured to:
  • the authentication platform confirms that the device to be written has been successfully bound to the user account according to the device identifier.
  • the present disclosure also provides an apparatus, the apparatus comprising:
  • a transceiver module configured to send a write card request to the authentication platform, where the write card request includes a device identifier of the device to be written and a device public key; and, configured to receive, by the authentication platform, the device identifier according to the device identifier IMSI;
  • a processing module configured to write the IMSI to the device
  • the transceiver module is further configured to send a write card confirmation request to the authentication platform, where the write card confirmation request includes an IMSI successfully written by the device to be written.
  • the processing module is further configured to: after the device identifier and the device public key are encrypted by using the public key of the authentication platform, sent to the authentication platform by using the transceiver module;
  • the IMSI of the authentication platform encrypted by the device public key is decrypted by using the device private key, and the decrypted IMSI is written to the device.
  • an authentication device including a memory and a processor, wherein the memory is configured to store program instructions, and the processor is configured to invoke program instructions stored in the memory according to the obtained program. Perform any of the above methods.
  • Another embodiment of the present disclosure provides a computer readable storage medium storing computer executable instructions for causing the computer to perform any of the methods described above.
  • FIG. 1 is a system architecture diagram of a device authentication method according to an embodiment of the present disclosure
  • FIG. 2 is a schematic flowchart of a device authentication method according to an embodiment of the present disclosure
  • FIG. 3 is a flow chart of interaction corresponding to user registration, account real name authentication, and account and device binding provided in the embodiment of the present disclosure
  • FIG. 4 is a flow chart of interaction when a device performs a card write and an activation operation according to an embodiment of the present disclosure
  • FIG. 5 is a flowchart of interaction between a card writing and an activation operation of the device by the authentication platform and the card writing platform according to an embodiment of the present disclosure
  • FIG. 6 is a flowchart of interaction when authenticating a device according to an embodiment of the present disclosure.
  • FIG. 7 is a schematic structural diagram of a device authentication apparatus according to an embodiment of the present disclosure.
  • FIG. 8 is a schematic structural diagram of a device according to an embodiment of the present disclosure.
  • FIG. 9 is a schematic structural diagram of an authentication device according to an embodiment of the present disclosure.
  • the device authentication method provided by the embodiment of the present disclosure is applied to device authentication in the Internet of Things.
  • 1 is a system architecture diagram of a device authentication method according to an embodiment of the present disclosure. As shown in FIG. 1 , the system includes an Internet of Things client, an Internet of Things authentication platform, an Internet of Things service platform, and an Internet of Things device. They are referred to as clients, authentication platforms, service platforms, and devices, respectively, and will not be described here.
  • the client can communicate with the authentication platform through a wired or wireless network, and the client can be an application installed on a user's mobile phone, tablet, laptop, and the like, and the disclosure does not do this. Specific restrictions.
  • the client component is provided with a camera component, and can collect device information set in various forms such as a QR code, a barcode, and a device label on the device.
  • the device may be a plurality of types of Internet of Things devices such as a smart water meter, an electric meter, and a parking management module, and the disclosure does not specifically limit this.
  • the device has an IoT card built in.
  • the IoT card can be embedded in the device in the form of hardware or software when the device leaves the factory, or it can be installed inside the device after the device leaves the factory. Specific restrictions.
  • the Internet of Things card in the device in the embodiment of the disclosure is embedded in the device and is not detachable. Therefore, one device has a one-to-one correspondence with the built-in IoT card, and the special card can be used to improve data transmission. Security.
  • the authentication platform may be a server deployed at a communication carrier or a device management organization.
  • the authentication platform may be composed of one physical or virtual server, or may have multiple physical or virtual servers, and multiple physical or virtual servers cooperate to complete the user involved. Management functions in many aspects such as equipment and business.
  • the service platform is specifically a service platform that matches the device type.
  • the service platform may be operated and managed by a communication carrier, and may be operated and managed by a third-party service provider, which is not specifically limited in this disclosure.
  • a person skilled in the art may deploy a corresponding service platform in the system according to the device-related service, and provide a service for providing a specified function to the user.
  • the client can be an application released by the State Grid Corporation.
  • the user can log in to the application to register the account, bind the device, and query the payment.
  • the authentication platform can be used by the server deployed by China Mobile. Supporting communication functions in smart meters and authenticating and managing devices; service platforms can be used by servers deployed by State Grid Corporation to provide users with various types of services such as registering accounts, binding devices, and inquiring fees. And communicate with the device to obtain the power consumption data collected by the device.
  • FIG. 2 is a schematic diagram of a process corresponding to the device authentication method provided by the embodiment of the present disclosure. As shown in FIG. 2, the method includes the following steps:
  • Step S201 The authentication platform receives the device authentication request sent by the service platform.
  • the device authentication request includes an international mobile subscriber identity (IMSI) and authentication information of the device to be authenticated, where the authentication information is that the device to be authenticated according to the Generated by the device private key;
  • IMSI international mobile subscriber identity
  • Step S202 The authentication platform determines the device public key of the device to be authenticated according to the IMSI and the device public key corresponding to each IMSI stored in the authentication platform, according to the device public key of the device to be authenticated. Verifying that the authentication information is valid, and if valid, sending an authentication success message to the service platform.
  • the embodiment of the present disclosure uses an asymmetric key mechanism to authenticate the device, which can effectively improve the security of the device authentication.
  • the authentication information is generated according to the device private key of the device to be authenticated, the device private key is uniquely bound to the device, and the storage is not publicized inside the device, and the authentication platform also stores the device public key corresponding to each IMSI. Therefore, the authentication platform cannot verify the authentication information successfully by using the device public key that matches the IMSI of the device to be authenticated.
  • the IMSI of the device to be authenticated does not match the device private key, that is, the IMSI of the device to be authenticated.
  • the devices to be authenticated do not match themselves, thus effectively detecting the separation of the cards.
  • the device authentication method provided in the embodiment of the present disclosure is applied to the process of communicating and transmitting service data with the service platform after the device is successfully registered and activated.
  • the method before performing the foregoing step S201 to step S202 to perform device authentication, the method further includes: performing user registration, account real name authentication, account and device binding, device writing and activation, and the like through the authentication platform.
  • step S101 includes the client communicating with the authentication platform to perform user registration, account real name authentication, account and device binding, and the like.
  • Step S102 includes the device communicating with the authentication platform to perform card writing and activation operations of the device, step S103.
  • the operation includes the device performing communication with the service platform to process related services and interacting with the service data.
  • Step S104 includes the operation of the service platform to communicate with the authentication platform to authenticate the identity of the device.
  • FIG. 3 exemplarily shows an interaction flowchart when performing user registration, account real name authentication, and account and device binding in the embodiment of the present disclosure.
  • the client Take the client as the application installed in the user's smartphone.
  • the process includes:
  • Step S301 The user accesses the authentication platform through the application, and sends an account registration request to the authentication platform.
  • the account registration request carries the user information input by the user through the application, and requests the authentication platform to register a new account.
  • the user information includes at least the user name and the set password that the user desires.
  • the user may also include other user information required for registering the account in the authentication platform, such as an email address, a home address, a contact number, and the like, in the account registration request to be sent to the authentication platform, and the disclosure does not specifically limit this.
  • Step S302 The authentication platform allocates an account to the user according to the user information in the account registration request, and returns a registration success message to the user after the assignment is successful.
  • Step S303 After successfully registering the account on the authentication platform, the user logs in the authentication platform through the account to upload the identity information for real-name authentication.
  • the identity information uploaded by the user includes the user's ID number, ID card photo, user face photo obtained by using the client's application interface, and the like.
  • the identity information may further include related information or photos such as a user's mobile phone number, a bank card, a driver's license, a diploma, and the like.
  • Step S304 After receiving the identity information uploaded by the user, the authentication platform checks the validity of the identity information, and if valid, binds the identity information to the account of the user.
  • the authentication platform can verify the validity of the user identity information in a variety of ways. For example, check whether the photo uploaded by the user is clear, whether the information in the photo of the ID card can be accurately obtained, whether the ID number uploaded by the user meets the naming regulations of the valid ID number, and whether the name and ID number uploaded by the user are uploaded.
  • the name and ID number in the photo of the ID card are the same. Whether the name and ID number uploaded by the user match the name and ID number in the public security system, whether the photo uploaded by the user is clear, whether it is in the photo of the ID card.
  • the photos are the same person and so on.
  • the authentication platform can also verify the validity of the identity in a similar manner, and details are not described herein again.
  • Step S305 If the identity information of the user is verified, the real name authentication success message is sent to the user.
  • the user may continue to perform the following steps: the client binds the account to the device held by the user, so that the user can access the device held by the client through the client. Relevant data and operate and manage the device.
  • Step S306 The user acquires device information set on the device shell through the client, and sends the device information to the authentication platform.
  • the device information may include an International Mobile Equipment Identity (IMEI), a Message Authentication Code (MAC), a Serial Number (SN), a device name, a device type, and a device. Information such as the factory batch of the equipment.
  • IMEI International Mobile Equipment Identity
  • MAC Message Authentication Code
  • SN Serial Number
  • device name a device name
  • device type a device type
  • device a device.
  • Information such as the factory batch of the equipment.
  • These device information can be placed on the outer casing of the device in various forms such as a QR code, a barcode, or a device tag.
  • the client can access the camera component in the smart terminal through its application interface, scan the QR code, the barcode or the device label, and parse the device information.
  • the client may also collect a photo of the device containing the device information, and then obtain the device information included in the photo by means of image recognition.
  • Step S307 After obtaining the device information, the authentication platform verifies the validity of the device information. If each device information is authentic and valid device information, and multiple device information matches, the device information and the user's account are compared. Bind.
  • Step S308 After the device information is successfully bound to the user account, the device binding success message is fed back to the user.
  • the device is a smart meter
  • the user can log in to the authentication platform through his account to inquire about the electricity bill, pay the electricity fee, and the like.
  • the device is a smart air conditioner, an intelligent robot, a smart rice cooker, etc.
  • the user can also send a control command to the device to remotely control the device.
  • the device can be bound to any of the registered accounts.
  • only the device information may be bound to an account that has been authenticated by a real name, that is, the user may only hold the account whose registration is registered after real name authentication.
  • the device is tied to the account.
  • an IoT card is built in the device, and the device performs wireless communication with the authentication platform through the IoT card.
  • the device is a white card device, after the user successfully binds its user account to the device, the device cannot directly communicate with the authentication platform, but also activates the internal IoT card, and the device and the Internet of Things are stuck. The only binding on the authentication platform.
  • the so-called white card device specifically means that although the device has an IoT card built in, the communication carrier has not set personalized data required for communication for the IoT card, and the personalized data includes an international mobile subscriber identity (International Mobile). Subscriber Identification Number (IMSI), and various authentication keys such as operator variant algorithm configuration field (opc).
  • IMSI international mobile subscriber identity
  • opc operator variant algorithm configuration field
  • FIG. 4 exemplarily shows a flow chart of interaction when the device performs a card writing and activation operation in the embodiment of the present disclosure.
  • the method includes the following steps:
  • Step S401 The device to be written to the card sends a write request to the authentication platform.
  • the write request includes the device identifier of the device to be written and the device public key, and the device to be written by the device encrypts the device identifier and the device public key by using the public key of the authentication platform.
  • the device identifier may be an IMEI code of the device, and the disclosure does not specifically limit this.
  • the device to be written can check the status of the IoT card in the device when the device is powered on. If it is confirmed that the IoT card is not activated, the device is triggered to perform step S401 and access authentication through the air interface. The platform sends a write request after successful access.
  • the public key and the preset private key of the authentication platform are pre-stored in the device to be written, and the device to be written by the device can sign the write request sent to the authentication platform by the preset private key to enhance the device and the authentication.
  • a preset setting of the preset private key may be performed by a person skilled in the art, and multiple devices may share the same preset private key for management.
  • the same preset private key may be set for the same factory batch device, or the preset private key may be set in other manners, which is not specifically limited in this disclosure.
  • each device also has a pair of device public key and device private key
  • the device public key is a device public key that is sent by the device to the authentication platform in the write card request, and is used to authenticate the platform to interact with the device.
  • the encryption is performed, and the private key of the device is externally secreted, and is used to decrypt the information sent by the authentication platform by using the device public key of the device.
  • the asymmetric key encryption mechanism is used to encrypt the information exchanged between the device and the authentication platform, which can effectively improve the protection of key sensitive data during the card writing process.
  • the device public key and the device private key are generated by the device itself after the device is started up, and before the sending of the card write request to the authentication platform is performed in step S401.
  • the embodiment of the present disclosure does not specifically limit the key generation algorithm for generating the device public key/private key.
  • the key generation algorithm ensures that the public/private key generated by the device is unique, or a device The ratio of generating the same public/private key with other devices is as small as possible.
  • Step S402 The authentication platform receives the write request, decrypts the write request according to the private key of the user, obtains the device identifier and the device public key, and verifies the validity of the write request according to the obtained device identifier.
  • the validity of the authentication platform to verify the write request of the device includes: verifying whether the device identifier meets the naming convention of the device identifier of the device type, whether the device identifier is the device identifier of the device that is actually present, and whether the device identifier is successful. Bind the device ID of the user account.
  • the device since the device only confirms that the Internet of Things card is not activated every time the device is powered on, it sends a write request to the authentication platform.
  • the authentication platform In order to avoid the situation that the technicians will successfully activate the IoT card when the device is tested before the device leaves the factory, the authentication platform only confirms that the card-writing request sent by the device that has been successfully bound to the user's account is valid. Write request. In this way, it is possible to effectively avoid the false activation operation of the equipment that is not in the factory test and the equipment that has been shipped but not put into use, and save the communication operator's number resource.
  • Step S403 If the authentication platform verifies that the write card request is valid, the device generates an IMSI code for the device to be written, and stores the device identifier of the device and the IMSI code.
  • the IMSI code generated for the device to be written can be used as the identifier when the IoT card interacts with the authentication platform. Therefore, the IMSI generated by the authentication platform for each device is unique, and the IMSI code of the different device. Different from each other.
  • the authentication platform generates an IMSI code for the device to be written, and may also generate other personalized data for the device to be written, including but not limited to an authentication key such as opc, and the personalized data.
  • the business interaction process between the device and the authentication platform will play an important role, which is a necessary condition for the device to work normally.
  • Step S404 The authentication platform encrypts the generated IMSI by using the device public key, and sends the generated IMSI to the device.
  • the device public key is the device public key that is sent in the write card request by the device to be written in step S401.
  • Step S405 The device to be written by the card decrypts the IMSI encrypted by the authentication platform by using the device private key of the device, and successfully writes the IMSI to the set storage area of the device, and then encrypts the successfully written IMSI by using the public key of the authentication platform. And carried in the write card confirmation request sent to the authentication platform.
  • Step S406 The authentication platform uses its own private key to decrypt the write card confirmation request sent by the device to be written, and obtains the IMSI in which the device to be written is successfully written. If it is determined that the device successfully writes the IMSI and the device is previously If the generated IMSI is consistent, the device is successfully written.
  • Step S407 The authentication platform sends a write success message to the device, and in the write success message, the device is instructed to modify the state of its IoT card to be activated.
  • each interaction between the device and the authentication platform may also carry a signature signed by using its own private key. To further improve the security of data during the card writing process.
  • the authentication platform may be responsible for processing all the tasks such as verifying the device to be written and generating personalized data for the device to be written; or, as another implementation manner, the authentication platform will only be responsible for The device to be written to interact, verify the write request sent by the device to be written, and send personalized data to the device to be written, and the write card platform deployed by the communication carrier is responsible for generating personalized data. Operation, the card writing platform only interacts directly with the authentication platform. In this way, the function separation between the authentication operation and the card writing operation can be realized, and the burden on the authentication platform can be effectively reduced.
  • a specific embodiment of the card writing and activation operation of the device by the authentication platform in the embodiment of the present disclosure is provided.
  • the authentication platform cooperates with the card writing platform to complete the card writing and activation operations of the device, and the device and the device Each interaction between the authentication platforms carries a signature signed with its own private key.
  • FIG. 5 exemplarily shows a flow chart of interaction between a device, an authentication platform, and a writing card platform in a specific embodiment provided by the present disclosure, as shown in FIG. 5, including the following steps:
  • Step S501 The device to be written to the card sends a write request to the authentication platform.
  • the device to be written first generates its own device public key and device private key, and then encrypts the device IMEI, the device public key, and the timestamp by using the public key of the authentication platform stored in the device, and then uses the device's The preset private key signs the encrypted device IMEI, the device public key, and the timestamp, and carries it in the write request to the authentication platform.
  • Step S502 The authentication platform receives the write request, and verifies the validity of the signature in the write request. If valid, decrypts the write request according to the private key of the authentication platform, obtains the device IMEI and the device public key, and obtains according to the obtained The device IMEI verifies the validity of the write request, and if valid, stores the device IMEI and the device public key.
  • the authentication platform verifies the validity of the signature in the write request using the preset public key that matches the preset private key of the device to be written to.
  • the preset public key corresponding to the preset private key of each device is pre-stored in the authentication platform. Since multiple devices can share one preset private key, the total number of preset private keys is limited. Therefore, the authentication platform can traverse the stored preset public keys one by one to determine a preset public key that matches the preset private key of the device to be written. Alternatively, the authentication platform may obtain the preset public key according to the batch information of the device to be written, and the disclosure does not specifically limit this.
  • the authentication platform will also verify the validity of the write request by:
  • Step S503 If the authentication platform confirms that the write request is valid, send a data generation request to the write card platform to request the write card platform to generate an IMSI and other personalized data, such as an authentication key opc, for the device to be written.
  • Step S504 The card writing platform receives the data generation request, and after generating the IMSI and the personalized data for the device to be written, sends the generated IMSI and the personalized data to the authentication platform.
  • Step S505 The authentication platform stores the IMSI and the personalized data generated by the device to be written, corresponding to the IMEI and the device public key of the device to be written, and the IMSI and the personalized data generated by the device public key encryption. After signing with the private key of the authentication platform, it is sent to the device to be written.
  • Step S506 The device to be written first uses the public key of the authentication platform to verify the validity of the signature. If it is valid, the IMSI and the personalized data sent by the authentication platform are decrypted by using the device private key and written to the device.
  • Step S507 The device to be written to the card successfully encrypts the IMSI and the timestamp, which are encrypted by the public key of the authentication platform, and then signed by the device private key, and then carried in the write card confirmation request and sent to the authentication platform.
  • Step S508 The authentication platform first uses the device public key to verify the validity of the signature in the write confirmation request. If valid, the private key of the authentication platform is used to decrypt the write confirmation request, and the IMSI in which the device to be written is successfully written is obtained. If it is determined that the IMSI successfully written by the device is consistent with the IMSI generated for the device to be written in step S505, it is confirmed that the device writes the card successfully.
  • Step S509 The authentication platform sends a write card success message to the card writing platform to notify the card writing platform to successfully complete the card writing operation of the device to be written.
  • Step S510 The authentication platform sends the status of the device to be written and the IMSI to the device to be written in the card success message by using the private key of the authentication platform to modify the state of the IoT card.
  • each message interaction between the authentication platform and the writing card platform may be used as a message.
  • the encryption processing may also be performed without clearing the plaintext transmission, and the disclosure does not specifically limit this.
  • step S103 after the authentication platform successfully writes and activates the device, the user can utilize the normal use device.
  • the service platform can also verify the identity of the device through the authentication platform.
  • the identity authentication process includes the above steps S201 to S202.
  • FIG. 6 is a flowchart of interaction when authenticating a device according to an embodiment of the present disclosure. As shown in FIG. 6, the method includes the following steps:
  • Step S601 The device to be authenticated sends its corresponding IMSI code, authentication information, and service data to the service platform.
  • the authentication information of the device is generated by the device to be authenticated according to the private key of the device.
  • the authentication information may be a signature issued by the device to be authenticated by using the device private key, or may be other forms of authentication. Information, the disclosure does not limit this.
  • Step S602 After receiving the IMSI, the authentication information, and the service data of the device to be authenticated, the service platform sends a device authentication request to the authentication platform, where the device authentication request includes the IMSI and the authentication information of the device to be authenticated.
  • Step S603 In the same step S201, the authentication platform receives the device authentication request sent by the service platform.
  • Step S604 In the same step S202, the authentication platform searches for the device public key of the device to be authenticated from the device public key corresponding to each IMSI stored in the authentication platform according to the IMSI of the device to be authenticated in the device authentication request. The authentication platform verifies the validity of the authentication information in the device authentication request according to the device public key of the device to be authenticated. If valid, the service platform sends an authentication success message.
  • the authentication platform can verify the validity of the signature by using the device public key of the device to be authenticated.
  • Step S605 After receiving the authentication success message sent by the authentication platform, the service platform processes the service data sent by the device to be authenticated in step S601, and returns a processing result to the device to be authenticated.
  • the device authentication process may also send a device authentication request to the service platform by the device to be authenticated.
  • the device authentication request includes only the IMSI and authentication information of the device, and does not include the device service.
  • the service platform After the service platform receives the device authentication request, the service platform forwards the device authentication request to the authentication platform to trigger the authentication platform to perform the authentication operation.
  • the message interaction between the device, the service platform, and the authentication platform in the device authentication process may also be encrypted by using an agreed key, which is not specifically limited in this disclosure.
  • the embodiment of the present disclosure provides a device authentication method and an air card writing method.
  • the embodiment of the present disclosure further provides an account registration in an Internet of Things system, real-name authentication of an account, and an account and device of the user.
  • FIG. 7 is a schematic structural diagram of a device authentication device according to an embodiment of the present disclosure. As shown in FIG. 7, the device authentication device 700 includes:
  • the transceiver module 701 is configured to receive a device authentication request sent by the service platform, where the device authentication request includes an international mobile subscriber identity (IMSI) and authentication information of the device to be authenticated, where the authentication information is that the device to be authenticated according to the Generated by the device private key;
  • IMSI international mobile subscriber identity
  • the authentication module 702 is configured to determine, according to the IMSI and a device public key corresponding to each IMSI stored in the device authentication device, a device public key of the device to be authenticated, according to the device public key of the device to be authenticated. Verifying that the authentication information is valid, and if valid, sending an authentication success message to the service platform.
  • the device public key corresponding to each IMSI stored in the device authentication device is stored by the device authentication device after the device that is to be written to successfully generate the IMSI.
  • the transceiver module 701 is further configured to:
  • the device authentication device further includes a processing module 703, configured to:
  • the IMSI and the device public key are correspondingly stored.
  • the write request is sent by the device to be written by using the public key of the device authentication apparatus 700 to encrypt the device identifier and the device public key;
  • the processing module 703 is specifically configured to:
  • processing module 703 is further configured to:
  • the authentication platform confirms that the device to be written has been successfully bound to the user account according to the device identifier.
  • FIG. 8 is a schematic structural diagram of a device according to an embodiment of the present disclosure. As shown in FIG. 8, the device 800 includes:
  • the transceiver module 801 is configured to send a write card request to the authentication platform, where the write card request includes a device identifier of the device to be written and a device public key, and is configured to receive the authentication platform according to the device identifier.
  • Generated IMSI
  • a processing module 802 configured to write the IMSI to the device
  • the transceiver module 801 is further configured to send a write card confirmation request to the authentication platform, where the write card confirmation request includes an IMSI successfully written by the device to be written.
  • the processing module 802 is further configured to: after the device identifier and the device public key are encrypted by using the public key of the authentication platform, send to the authentication platform by using the transceiver module;
  • the IMSI of the authentication platform encrypted by the device public key is decrypted by using the device private key, and the decrypted IMSI is written to the device.
  • the embodiment of the present disclosure further provides another authentication device, which may specifically be a desktop computer, a portable computer, a smart phone, a tablet computer, a personal digital assistant (PDA), or the like.
  • the authentication device 900 may include a central processing unit (CPU) 901, a memory 902, an input/output device 903, a bus system 904, and the like.
  • the input device may include a keyboard, a mouse, a touch screen, etc.
  • the output device may include a display device such as a liquid crystal display (LCD), a cathode ray tube (CRT), or the like.
  • LCD liquid crystal display
  • CRT cathode ray tube
  • the memory may include a Read-Only Memory (ROM) and a Random Access Memory (RAM), and provides program instructions and data stored in the memory to the processor.
  • ROM Read-Only Memory
  • RAM Random Access Memory
  • the memory may be used to store the program of the above device authentication method.
  • the processor is configured to execute the device authentication method according to the obtained program instruction by calling a program instruction stored in the memory.
  • an embodiment of the present disclosure provides a computer storage medium for storing computer program instructions for use in detecting the terminal, including a program for executing the device authentication method.
  • the computer storage medium may be any available media or data storage device accessible by the computer, including but not limited to magnetic storage (eg, floppy disk, hard disk, magnetic tape, magnetic disk (MO), etc.), optical memory (for example, CD (Compact Disc), DVD (Digital Video Disc), BD (Blu-ray Disc), HVD (High-definition Versatile Disc), and the like, and semiconductor memory (for example, ROM, EPROM (Erasable Programmable Read-Only Memory), EEPROM (Electrically Erasable Programmable read only memory), non-volatile memory (NAND FLASH), Solid State Disk (SSD), and the like.
  • magnetic storage eg, floppy disk, hard disk, magnetic tape, magnetic disk (MO), etc.
  • optical memory for example, CD (Compact Disc), DVD (Digital Video Disc), BD (Blu-ray Disc), HVD (High-definition Versatile Disc), and the like
  • semiconductor memory for example, ROM, EPROM
  • An embodiment of the present disclosure provides a device authentication method, including: an authentication platform receiving a device authentication request sent by a service platform, where the device authentication request includes an IMSI and an authentication information of the device to be authenticated; and an IMSI and an authentication platform according to the device to be authenticated
  • the device public key corresponding to each IMSI stored in the device determines the device public key of the device to be authenticated, and verifies whether the authentication information is valid according to the device public key of the device to be authenticated. If valid, sends an authentication success message to the service platform.
  • the embodiment of the present disclosure uses the asymmetric key mechanism to authenticate the device, which can effectively improve the security of the device authentication, and the authentication information is generated according to the device private key of the device to be authenticated, and is stored in the authentication platform.
  • the authentication platform There is a device public key corresponding to each IMSI. Therefore, the authentication platform cannot verify the authentication information by using the device public key that matches the IMSI of the device to be authenticated, and the IMSI of the device to be authenticated does not match the device private key. Thereby the separation of the machine card is effectively detected.
  • embodiments of the present disclosure can be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment, or a combination of software and hardware aspects. Moreover, the present disclosure may be implemented on one or more computer usable storage media (including but not limited to disk storage, CD-ROM (Compact Disc Read-Only Memory), optical storage, etc.) in which computer usable program code is included. The form of a computer program product.
  • the computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising the instruction device.
  • the apparatus implements the functions specified in one flow of the flowchart or in more than two flows and/or block diagrams in one or more blocks.
  • These computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on a computer or other programmable device to produce computer-implemented processing for execution on a computer or other programmable device.
  • the instructions provide steps for implementing the functions specified in one flow or more than two or more of the flow diagrams and/or one or more blocks of the block diagram.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Power Engineering (AREA)
  • Telephonic Communication Services (AREA)
  • Telephone Function (AREA)

Abstract

一种设备认证方法、空中写卡方法及设备认证装置,所述设备认证方法包括:认证平台接收业务平台发送的设备认证请求,设备认证请求中包括待认证设备的IMSI和认证信息(S201);根据设备的IMSI以及认证平台存储的各IMSI对应的设备公钥,确定设备的设备公钥,根据设备的设备公钥若验证认证信息有效,则发送认证成功消息(S202)。

Description

设备认证方法、空中写卡方法及设备认证装置
相关申请的交叉引用
本申请主张在2017年12月29日在中国提交的中国专利申请号No.201711481127.X的优先权,其全部内容通过引用包含于此。
技术领域
本公开涉及无线通信技术领域,尤其涉及一种设备认证方法、空中写卡方法及设备认证装置。
背景技术
随着物联网和移动互联网的发展,更多的物联网业务(远程抄表、智能家居等)被引入人们的生活,从而使得更多的物联网设备类型(如电表、水表、智能家居设备、可穿戴设备)不断出现,并作为终端接入到运营商网络中。
与移动通信网络中用户的智能手机等终端不同,在物联网中,物联网设备一般处于无人值守的环境中,容易受到攻击、破坏,设备内包含用户身份信息的物联网卡也容易被人蓄意破坏,或窃取后用于非法设备接入,从而引发设备的安全问题。因此,为了防止专卡它用,有必要将接入网络的物联网设备的身份,以及机卡是否分离进行验证。
相关技术中,一般采用设置固定密码或将设置密码与集成电路卡、指纹等认证方式结合的方式验证设备身份。如果用户输入的密码与认证平台中存储的密码匹配就认为是合法设备,可见,这种认证方式认证的安全性较低,而且并不能有效地检测机卡分离,而与集成电路卡、指纹等方式相结合的认证方式又需要在物联网设备上增加相应的识别模块或硬件,提高了认证成本。
因此,亟需要一种设备认证方法,用以提高物联网设备认证的安全性,有效地检测机卡分离。
发明内容
本公开实施例提供的一种设备认证方法,包括:
认证平台接收业务平台发送的设备认证请求;所述设备认证请求中包括待认证的设备的国际移动用户识别码IMSI和认证信息,所述认证信息是所述待认证的设备根据自身的设备私钥生成的;
所述认证平台根据所述IMSI以及所述认证平台中存储的各IMSI对应的设备公钥,确定所述待认证的设备的设备公钥,根据所述待认证的设备的设备公钥验证所述认证信息是否有效,若有效,则向所述业务平台发送认证成功消息。
可选地,所述认证平台中存储的各IMSI对应的设备公钥是所述认证平台为待写卡的设备成功生成IMSI后存储的。
可选地,所述认证平台为待写卡的设备成功生成IMSI,包括:
所述认证平台接收所述待写卡的设备发送的写卡请求,所述写卡请求中包括所述待写卡的设备的设备标识和设备公钥;
所述认证平台根据所述设备标识为所述待写卡的设备生成IMSI并发送给所述待写卡的设备;
所述认证平台若确认所述IMSI成功写入所述待写卡的设备,则对应存储所述IMSI和所述设备公钥。
可选地,所述写卡请求是所述待写卡的设备利用所述认证平台的公钥对所述设备标识和所述设备公钥进行加密后发送的;
所述认证平台根据所述设备标识为所述待写卡的设备生成IMSI,并发送给所述待写卡的设备,包括:
所述认证平台利用自身的公钥解密所述写卡请求,得到所述设备标识和所述设备公钥;
所述认证平台根据所述设备标识为所述待认证设备生成所述IMSI,并将所述IMSI利用所述设备公钥加密后发送给所述待写卡的设备。
可选地,所述认证平台根据所述设备标识为所述待写卡的设备生成个性化数据之前,还包括:
所述认证平台根据所述设备标识,确认所述待认证设备已与用户账户成功绑定。
基于同样的公开构思,本公开还提供一种空中写卡方法,包括:
待写卡的设备向认证平台发送写卡请求,所述写卡请求中包括所述待写卡的设备的设备标识和设备公钥;
所述待写卡的设备接收所述认证平台根据所述设备标识生成的IMSI,并将所述IMSI写入设备;
所述待写卡的设备向所述认证平台发送写卡确认请求,所述写卡确认请求中包括所述待写卡的设备成功写入的IMSI。
可选地,所述待写卡的设备向认证平台发送写卡请求,包括:
所述待写卡的设备将所述设备标识和设备公钥利用所述认证平台的公钥加密后发送给所述认证平台;
所述待写卡的设备接收所述认证平台根据所述设备标识生成的IMSI,并将所述IMSI写入设备,包括:
所述待写卡的设备利用设备私钥对所述认证平台利用所述设备公钥加密的IMSI进行解密,将解密得到的IMSI写入设备。
基于同样的公开构思,本公开还提供一种设备认证装置,所述装置包括:
收发模块,用于接收业务平台发送的设备认证请求;所述设备认证请求中包括待认证的设备的国际移动用户识别码IMSI和认证信息,所述认证信息是所述待认证的设备根据自身的设备私钥生成的;
认证模块,用于根据所述IMSI以及所述设备认证装置中存储的各IMSI对应的设备公钥,确定所述待认证的设备的设备公钥,根据所述待认证的设备的设备公钥验证所述认证信息是否有效,若有效,则向所述业务平台发送认证成功消息。
可选地,所述设备认证装置中存储的各IMSI对应的设备公钥是所述设备认证装置为待写卡的设备成功生成IMSI后存储的。
可选地,所述收发模块还用于:
接收所述待写卡的设备发送的写卡请求,所述写卡请求中包括所述待写卡的设备的设备标识和设备公钥;
所述设备认证装置中还包括处理模块,用于:
根据所述设备标识为所述待写卡的设备生成IMSI并发送给所述待写卡 的设备;以及,
若确认所述IMSI成功写入所述待写卡的设备,则对应存储所述IMSI和所述设备公钥。
可选地,所述写卡请求是所述待写卡的设备利用所述设备认证装置的公钥对所述设备标识和所述设备公钥进行加密后发送的;
所述处理模块具体用于:
利用自身的公钥解密所述写卡请求,得到所述设备标识和所述设备公钥;
根据所述设备标识为所述待写卡的设备生成所述IMSI,并将所述IMSI利用所述设备公钥加密后发送给所述待写卡的设备。
可选地,所述处理模块还用于:
所述认证平台根据所述设备标识,确认所述待写卡的设备已与用户账户成功绑定。
基于同样的公开构思,本公开还提供一种设备,所述设备包括:
收发模块,用于向认证平台发送写卡请求,所述写卡请求中包括所述待写卡的设备的设备标识和设备公钥;以及,用于接收所述认证平台根据所述设备标识生成的IMSI;
处理模块,用于将所述IMSI写入设备;
所述收发模块,还用于向所述认证平台发送写卡确认请求,所述写卡确认请求中包括所述待写卡的设备成功写入的IMSI。
可选地,所述处理模块还用于将所述设备标识和设备公钥利用所述认证平台的公钥加密后,通过所述收发模块发送给所述认证平台;以及,
利用设备私钥对所述认证平台利用所述设备公钥加密的IMSI进行解密,将解密得到的IMSI写入设备。
本公开另一实施例提供了一种认证设备,其包括存储器和处理器,其中,所述存储器用于存储程序指令,所述处理器用于调用所述存储器中存储的程序指令,按照获得的程序执行上述任一种方法。
本公开另一实施例提供了一种计算机可读存储介质,所述计算机可读存储介质存储有计算机可执行指令,所述计算机可执行指令用于使所述计算机执行上述任一种方法。
附图说明
为了更清楚地说明本公开实施例中的技术方案,下面将对实施例描述中所需要使用的附图作简要介绍,显而易见地,下面描述中的附图仅仅是本公开的一些实施例,对于本领域的普通技术人员来讲,在不付出创造性劳动性的前提下,还可以根据这些附图获得其他的附图。
图1为本公开实施例中设备认证方法适用的系统架构图;
图2为本公开实施例中提供的一种设备认证方法所对应的流程示意图;
图3为本公开实施例中提供的用户注册、账户实名认证、账户与设备绑定时对应的交互流程图;
图4为本公开实施例中提供的对设备进行写卡与激活操作时的交互流程图;
图5为本公开实施例中提供的由认证平台和写卡平台协作完成设备的写卡与激活操作时的交互流程图;
图6为本公开实施例中提供的对设备进行认证时的交互流程图;
图7为本公开实施例提供的一种设备认证装置的结构示意图;
图8为本公开实施例提供的一种设备的结构示意图;
图9为本公开实施例提供的一种认证设备的结构示意图。
具体实施方式
为了使本公开的目的、技术方案和特点更加清楚,下面将结合附图对本公开作进一步地详细描述,显然,所描述的实施例,仅仅是本公开一部分实施例,而不是全部的实施例。基于本公开中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其它实施例,都属于本公开保护的范围。
下面结合说明书附图对本公开实施例做进一步详细描述。
本公开实施例提供的设备认证方法,应用于物联网中的设备认证。图1为本公开实施例中的设备认证方法适用的系统架构图,如图1所示,所述系统中包括物联网客户端、物联网认证平台、物联网业务平台以及物联网设备, 下文将分别简称为客户端、认证平台、业务平台及设备,此后不再赘述。
其中,客户端可通过有线或无线网络与认证平台进行通信,该客户端可以为安装在用户的手机、平板电脑、笔记本电脑等多种类型的智能终端上的应用程序,本公开对此不做具体限制。可选的,该客户端中设置有摄像头组件,能够采集设备上以二维码、条形码、设备标签等多种形式设置的设备信息。
设备可以为如智能水表、电表、停车管理模块等多种类型的物联网设备,本公开对此不做具体限制。该设备中内置有物联网卡,该物联网卡可以是设备出厂时就以硬件或软件的形式嵌入在设备中的,也可以是设备出厂后才安装到设备内部的,本公开对此不做具体限制。可选的,本公开实施例中的设备中的物联网卡内嵌在设备内部,且不可拆卸,如此,一台设备与其内置的物联网卡一一对应,可实现专卡专用,提高数据传输的安全性。
认证平台可为部署在通信运营商或设备管理机构处的服务器,该认证平台可由一台物理或虚拟服务器构成,也可以有多台物理或虚拟服务器构成,多台物理或虚拟服务器协同完成涉及用户、设备及业务等多方面的管理功能。
由于设备的类型的不同,相关的物联网业务也不同,业务平台具体为与设备类型相匹配的业务平台。本公开实施例中,该业务平台可以由通信运营商来运营和管理,可以由第三方的业务提供方来运营和管理,本公开对此不做具体限制。本领域技术人员可根据设备相关的业务,在系统中部署相应的业务平台,用于为用户提供指定功能的服务。
例如,若设备为智能电表,则客户端可以为国家电网公司发布的应用,用户可登陆该应用进行注册账户、绑定设备、查询缴费等操作;认证平台可以为中国移动公司部署的服务器,用于为智能电表中的通信功能提供支持,并对设备进行认证和管理;业务平台可以为国家电网公司部署的服务器用于为用户提供如注册账户、绑定设备、查询缴费等多种类型的服务,并与设备通信获取设备采集的用电数据等。
图2中示例性地给出了本公开实施例提供的设备认证方法所对应的流程示意图,如图2所示,该方法包括如下步骤:
步骤S201:认证平台接收业务平台发送的设备认证请求;所述设备认证 请求中包括待认证的设备的国际移动用户识别码IMSI和认证信息,所述认证信息是所述待认证的设备根据自身的设备私钥生成的;
步骤S202:所述认证平台根据所述IMSI以及所述认证平台中存储的各IMSI对应的设备公钥,确定所述待认证的设备的设备公钥,根据所述待认证的设备的设备公钥验证所述认证信息是否有效,若有效,则向所述业务平台发送认证成功消息。
可见,本公开实施例采用不对称密钥机制对设备进行认证,可有效提高设备认证的安全性。此外,由于认证信息是根据待认证的设备自身的设备私钥生成的,设备私钥与设备唯一绑定,存储在设备内部不公开,而认证平台中又存储有各个IMSI对应的设备公钥,因此,认证平台利用其存储的与待认证的设备的IMSI匹配的设备公钥,无法成功验证认证信息,则说明待认证的设备的IMSI与其设备私钥不匹配,即待认证的设备的IMSI与待认证设备自身并不匹配,从而有效地检测到机卡分离。
需要说明的是,本公开实施例中提供的设备认证方法应用于设备成功注册和激活后,与业务平台进行通信、传输业务数据的过程中。本公开实施例中,在执行上述步骤S201至步骤S202进行设备认证之前,还包括通过认证平台进行用户注册、账户实名认证、账户与设备绑定、设备写卡与激活等操作。
如图1所示,步骤S101包括客户端与认证平台通信进行用户注册、账户实名认证、账户与设备绑定等操作,步骤S102包括设备与认证平台通信进行设备的写卡与激活操作,步骤S103包括设备与业务平台进行通信处理相关业务、交互业务数据的操作,步骤S104包括业务平台与认证平台进行通信,对设备的身份进行认证的操作。
对应步骤S101,图3示例性给出了本公开实施例中进行用户注册、账户实名认证、账户与设备绑定时的交互流程图。以客户端为用户智能手机中安装的应用为例,如图3所示,该过程具体包括:
步骤S301:用户通过该应用访问认证平台,向认证平台发送账户注册请求。其中,该账户注册请求中携带有用户通过应用输入的自身的用户信息,向认证平台请求注册一个新的账户。
在此步骤中,用户信息至少包括用户期望的用户名和设置的密码。此外,用户还可将认证平台中注册账户所需的其他用户信息如电子邮箱、家庭住址、联系电话等包含在账户注册请求中发送给认证平台,本公开对此不做具体限制。
步骤S302:认证平台根据账户注册请求中的用户信息为用户分配账户,并在分配成功后向用户返回注册成功消息。
步骤S303:用户在认证平台上成功注册账户后,通过该账户登陆认证平台上传身份信息进行实名认证。
在此步骤中,用户上传的身份信息包括用户的身份证号、身份证照片、利用客户端的应用程序接口获取的用户脸部照片等等。可选的,身份信息还可进一步包括例如用户的手机号码、银行卡、驾驶证、学历证书等相关的信息或照片。
步骤S304:认证平台接收到用户上传的身份信息后,校验身份信息的有效性,若有效,则将身份信息与用户的账户绑定。
在此步骤中,认证平台可通过多种方式校验用户身份信息的有效性。例如,检查用户上传的身份证照片是否清晰、是否可准确获取身份证照片中的信息,用户上传的身份证号是否符合有效身份证号的命名规定,用户上传的姓名、身份证号是否与上传的身份证照片中的姓名、身份证号一致,用户上传的姓名、身份证号是否与公安系统中的姓名、身份证号相匹配,用户上传的脸部照片是否清晰、是否与身份证照片中的照片为同一人等等。
若身份信息中进一步包括手机号码、银行卡、驾驶证、学历证书等信息,则认证平台也可通过相似的方式来校验身份的有效性,此处不再赘述。
步骤S305:若用户的身份信息校验通过,则向用户发送实名认证成功消息。
进一步地,用户经过账户注册和实名认证的步骤之后,还可继续执行如下步骤,通过客户端将账户与用户持有的设备绑定,如此,用户便可通过客户端访问其所持有的设备相关的数据,并对该设备进行操作和管理。
步骤S306:用户通过客户端获取设备外壳上设置的设备信息,并发送给认证平台。
此步骤中,设备信息可包括设备的国际移动设备身份码(International Mobile Equipment Identity,IMEI)、消息认证码(Message Authentication Code,MAC)和序列号(Serial Number,SN)、设备名称、设备类型、设备的出厂批次等信息。
这些设备信息可以二维码、条形码或设备标签等多种形式设置在设备的外壳上。可选的,客户端可通过其应用程序接口访问智能终端中的摄像头组件,扫描二维码、条形码或设备标签,并解析得到设备信息。或者,客户端也可先采集包含设备信息的设备照片,再通过图像识别的方式,获取照片中包含的设备信息。
步骤S307:认证平台获取到设备信息后,校验设备信息的有效性,若各项设备信息均是真实有效的设备信息,且多项设备信息之间相匹配,则将设备信息与用户的账户绑定。
步骤S308:成功将设备信息与用户账户绑定后,向用户反馈设备绑定成功消息。
举例来说,若设备为智能电表,则将设备与用户账户绑定后,用户可通过其账户登录认证平台查询电费账单、缴存电费等等。若设备为智能空调、智能机器人、智能电饭煲等家居设备,用户通过其账户登录认证平台后,还可向设备发送控制指令对设备进行远程控制。
本公开实施例中,可将设备与已注册的任一账户绑定。可选的,为了提高设备的安全性,可仅将设备信息与已进行过实名认证的账户绑定,也就是说,用户只有将其注册的账户进行实名认证后,才可将其持有的设备与账户绑定。
本公开实施例中,设备中内置有物联网卡,设备通过该物联网卡与认证平台进行无线通信。但是由于设备为白卡设备,用户将其用户账户与设备成功绑定后,设备并不能直接与认证平台进行通信,还要对其内部的物联网卡进行激活操作,将设备与物联网卡在认证平台上唯一绑定。所谓白卡设备具体是指,虽然该设备内置有物联网卡,但是通信运营商还未给该物联网卡设置通信所需的个性化数据,这些个性化数据包括国际移动用户识别码(International Mobile Subscriber Identification Number,IMSI),以及运营商鉴 权密钥(operator variant algorithm configuration field,opc)等各类鉴权密钥。
对应步骤S102,图4示例性给出了本公开实施例中对设备进行写卡与激活操作时的交互流程图,如图4所示,包括如下步骤:
步骤S401:待写卡的设备向认证平台发送写卡请求。
在此步骤中,写卡请求中包括待写卡的设备的设备标识以及设备公钥,并且待写卡的设备利用认证平台的公钥对上述设备标识和设备公钥进行了加密。该设备标识可为设备的IMEI码,本公开对此不做具体限制。
本公开实施例中,待写卡的设备可在开机启动时,检查该设备中的物联网卡的状态,若确认该物联网卡没有激活,则触发设备执行步骤S401,通过空中接口接入认证平台,并在成功接入后发送写卡请求。
待写卡的设备中预先存储有认证平台的公钥和预置私钥,待写卡的设备可通过该预置私钥对其发送给认证平台的写卡请求进行签名,以增强设备与认证平台之间交互的安全性。本公开实施例中,本领域技术人员可对上述预置私钥进行具体的设置,且为了便于管理,多台设备可共用同一预置私钥。例如,可为同一出厂批次的设备设置相同的预置私钥,或者也可以采用其他方式设置预置私钥,本公开对此不做具体限制。
此外,每台设备还具有一对设备公钥和设备私钥,该设备公钥即是设备携带在写卡请求中发送给认证平台的设备公钥,用于认证平台对后续与设备交互的信息进行加密,该设备私钥对外保密,用于解密认证平台利用设备的设备公钥发送的信息。本公开实施例中,采用不对称密钥加密机制对设备与认证平台之间交互的信息进行加密可有效提高写卡过程中关键敏感数据的保护。
具体的,该设备公钥和设备私钥是设备开机启动之后,执行步骤S401向认证平台发送写卡请求之前,设备自己生成的。本公开实施例对生成设备公钥/私钥的密钥生成算法不做具体限制,可选的,该密钥生成算法可确保为设备生成的公钥/私钥具有唯一性,或者某一设备与其他设备生成相同公钥/私钥的比率尽量小。
步骤S402:认证平台接收写卡请求,根据自身的私钥解密写卡请求,获取其中的设备标识和设备公钥,并根据获取到的设备标识,验证写卡请求的 有效性。
在此步骤中,认证平台验证写卡请求的有效性具体包括:验证设备标识是否符合该设备类型的设备标识的命名规定、设备标识是否为真实存在的设备的设备标识、设备标识是否为已经成功绑定用户账户的设备标识。
本公开实施例中,由于设备每次开机启动时只要确认物联网卡未被激活,就会向认证平台发送写卡请求。为了避免在设备出厂前,相关技术人员对设备测试时为设备上电也会成功激活物联网卡的情况,认证平台仅将已与用户的账户成功绑定的设备发送的写卡请求确认为有效的写卡请求。如此,可有效避免对未出厂处于测试中的设备,以及已出厂但未投入使用的设备的误激活操作,节省通信运营商的号码资源。
步骤S403:认证平台若验证写卡请求有效,则为该待写卡的设备生成IMSI码,并将该设备的设备标识和IMSI码对应存储。
在此步骤中,为待写卡的设备生成的IMSI码可作为其物联网卡与认证平台交互时的标识,因而,认证平台为每台设备生成的IMSI都是唯一的,不同设备的IMSI码互不相同。
本公开实施例中,认证平台为待写卡的设备生成IMSI码的同时,还可为该待写卡的设备生成其他个性化数据,包括但是不限于opc等鉴权密钥,这些个性化数据在设备与认证平台的业务交互过程将起到重要作用,是设备可正常工作的必要条件。
步骤S404:认证平台利用设备公钥对生成的IMSI进行加密,并发送给设备。
在此步骤中,设备公钥即是步骤S401中待写卡的设备携带在写卡请求中发送的设备公钥。
步骤S405:待写卡的设备利用自身的设备私钥解密认证平台加密发送的IMSI,并将该IMSI成功写入设备的设定存储区后,利用认证平台的公钥加密成功写入的IMSI,并携带在写卡确认请求中发送给认证平台。
步骤S406:认证平台利用自身的私钥解密待写卡的设备发送的写卡确认请求,获取其中该待写卡的设备成功写入的IMSI,若确定设备成功写入的IMSI与之前为该设备生成的IMSI一致,则确认该设备写卡成功。
步骤S407:认证平台发送写卡成功消息给设备,并在写卡成功消息中指示该设备将其物联网卡的状态修改为已激活。
需要说明的是,由于设备以及认证平台均具有自身的一对公/私钥,因此,在上述写卡过程中,设备与认证平台的每次交互中还可携带有利用自身私钥签发的签名,进一步提高写卡过程中数据的安全性。
此外,在上述步骤S102中,认证平台可以负责处理对待写卡的设备进行验证、为待写卡的设备生成个性化数据等全部任务;或者,作为另外一种实现方式,认证平台将仅负责与待写卡的设备进行交互,验证待写卡的设备发送的写卡请求、为待写卡的设备发送个性化数据等操作,而由通信运营商布署的写卡平台负责生成个性化数据的操作,该写卡平台仅与认证平台直接交互。如此,可实现认证操作与写卡操作的功能分离,有效减轻认证平台的负担。
下面给出本公开实施例中认证平台对设备进行写卡和激活操作的一个具体实施例,在该具体实施例中,认证平台与写卡平台协作完成设备的写卡与激活操作,而且设备与认证平台的之间的每次交互时均携带有利用自身私钥签发的签名。
图5示例性示出了本公开提供的具体实施例中设备、认证平台与写卡平台进行写卡与激活操作时的交互流程图,如图5中所示,包括如下步骤:
步骤S501:待写卡的设备向认证平台发送写卡请求。
在此步骤中,待写卡的设备首先生成自身的设备公钥和设备私钥,随后利用设备中存储的认证平台的公钥对设备IMEI、设备公钥和时间戳进行加密,接着用设备的预置私钥对加密后的设备IMEI、设备公钥和时间戳签名,并携带在写卡请求中发送给认证平台。
步骤S502:认证平台接收写卡请求,验证写卡请求中签名的有效性,若有效,则根据认证平台的私钥解密写卡请求,获取其中的设备IMEI和设备公钥,并根据获取到的设备IMEI,验证写卡请求的有效性,若有效,则对应存储该设备IMEI和设备公钥。
在此步骤中,认证平台利用与待写卡的设备的预置私钥相匹配的预置公钥验证写卡请求中签名的有效性。本公开实施例中,认证平台中预先存储有 各个设备的预置私钥所对应的预置公钥,由于多台设备可共用一个预置私钥,预置私钥的总数量是有限的,因此,认证平台可对其存储的预置公钥逐一遍历从而确定出与待写卡的设备的预置私钥相匹配的预置公钥。或者,认证平台还可根据待写卡的设备的批次信息获取预置公钥,本公开对此不做具体限制。
若验证签名有效,认证平台还将通过如下方式验证写卡请求的有效性:
验证设备IMEI是否符合该设备类型的设备IMEI的命名规定、设备IMEI是否为真实存在的设备的设备标识、设备IMEI是否已经成功绑定用户账户。
步骤S503:若认证平台确认写卡请求有效,则向写卡平台发送数据生成请求,以请求写卡平台为待写卡的设备生成IMSI和其他个性化数据,如鉴权密钥opc等等。
步骤S504:写卡平台接收数据生成请求,为待写卡设备生成IMSI和个性化数据后,将生成的IMSI和个性化数据发送给认证平台。
步骤S505:认证平台将为该待写卡的设备生成的IMSI和个性化数据,与该待写卡的设备的IMEI、设备公钥对应存储,通过设备公钥加密生成的IMSI和个性化数据,利用认证平台的私钥签名后发送给待写卡的设备。
步骤S506:待写卡的设备首先利用认证平台的公钥验证签名的有效性,若有效,则利用自身的设备私钥解密认证平台发送的IMSI和个性化数据,并将其写入设备。
步骤S507:待写卡的设备将成功写入的IMSI、时间戳利用认证平台的公钥加密,再利用设备私钥签名后,携带在写卡确认请求中发送给认证平台。
步骤S508:认证平台首先利用设备公钥验证写卡确认请求中签名的有效性,若有效,则利用认证平台的私钥解密写卡确认请求,获取其中待写卡的设备成功写入的IMSI。若确定设备成功写入的IMSI与在步骤S505中为该待写卡的设备生成的IMSI一致,则确认该设备写卡成功。
步骤S509:认证平台向写卡平台发送写卡成功消息,以告知写卡平台成功完成对待写卡的设备的写卡操作。
步骤S510:认证平台将该待写卡的设备的状态和IMSI利用认证平台的私钥签名后携带在写卡成功消息中发送给待写卡的设备,以修改该物联网卡 的状态。
需要说明的是,作为一种可选的实现方式,在认证平台与写卡平台协作完成设备的写卡与激活操作的场景中,认证平台与写卡平台之间的每次消息交互可进行消息的加密处理,也可明文传输不进行加密处理,本公开对此不做具体限制。
对应步骤S103,当认证平台成功对设备进行写卡和激活后,用户便可利用正常使用设备。设备使用过程中,与业务平台的通信过程中,业务平台还可通过认证平台对设备的身份进行验证。该身份认证过程即包括上述步骤S201至步骤S202。
图6为本公开实施例中提供的对设备进行认证时的交互流程图,如图6所示,包括如下步骤:
步骤S601:待认证的设备将其对应的IMSI码、认证信息和业务数据发送给业务平台。
在此步骤中,设备的认证信息是待认证的设备根据自身的设备私钥生成的,该认证信息可以为待认证的设备利用自身的设备私钥签发的签名,或者也可以为其他形式的认证信息,本公开对此不做限制。
步骤S602:业务平台接收到待认证的设备的IMSI、认证信息和业务数据后,向认证平台发送设备认证请求,该设备认证请求中包括待认证的设备的IMSI和认证信息。
步骤S603:同步骤S201,认证平台接收业务平台发送的设备认证请求。
步骤S604:同步骤S202,认证平台根据设备认证请求中待认证的设备的IMSI,从认证平台中存储的各IMSI对应的设备公钥中,查找出待认证的设备的设备公钥。认证平台根据待认证的设备的设备公钥验证设备认证请求中认证信息的有效性,若有效,则业务平台发送认证成功消息。
在此步骤中,若认证信息为待认证的设备利用设备私钥签发的签名,则认证平台可用待认证的设备的设备公钥验证签名的有效性。
步骤S605:业务平台接收认证平台发送的认证成功消息后,对待认证的设备在步骤S601中发送的业务数据进行处理,并向待认证的设备返回处理结果。
需要说明的是,设备认证的过程也可以由待认证的设备主动向业务平台发送设备认证请求,在这一场景下,设备认证请求中仅包括设备的IMSI、认证信息,并不包括设备的业务数据,业务平台接收到该设备认证请求后,将设备认证请求转发到认证平台,以触发认证平台执行认证操作。
本公开实施例,设备认证过程中设备、业务平台、认证平台之间的消息交互也可以采用约定的密钥进行加密处理,本公开对此不做具体限制。
如此,本公开实施例提供了一种设备认证方法、空中写卡方法,结合上述方法,本公开实施例还提供了在物联网系统中注册账户、对账户进行实名认证、将用户的账户与设备绑定、对设备写卡激活、验证设备身份的完整的智能化流程,从而为物联网设备的广泛部署提供便利。
基于同样的公开构思,本公开实施例还提供一种设备认证装置,图7为本公开实施例中提供的一种设备认证装置的结构示意图,如图7所示,该设备认证装置700包括:
收发模块701,用于接收业务平台发送的设备认证请求;所述设备认证请求中包括待认证的设备的国际移动用户识别码IMSI和认证信息,所述认证信息是所述待认证的设备根据自身的设备私钥生成的;
认证模块702,用于根据所述IMSI以及所述设备认证装置中存储的各IMSI对应的设备公钥,确定所述待认证的设备的设备公钥,根据所述待认证的设备的设备公钥验证所述认证信息是否有效,若有效,则向所述业务平台发送认证成功消息。
可选地,所述设备认证装置中存储的各IMSI对应的设备公钥是所述设备认证装置为待写卡的设备成功生成IMSI后存储的。
可选地,所述收发模块701还用于:
接收所述待写卡的设备发送的写卡请求,所述写卡请求中包括所述待写卡的设备的设备标识和设备公钥;
所述设备认证装置中还包括处理模块703,用于:
根据所述设备标识为所述待写卡的设备生成IMSI并发送给所述待写卡的设备;以及,
若确认所述IMSI成功写入所述待写卡的设备,则对应存储所述IMSI和 所述设备公钥。
可选地,所述写卡请求是所述待写卡的设备利用所述设备认证装置700的公钥对所述设备标识和所述设备公钥进行加密后发送的;
所述处理模块703具体用于:
利用自身的公钥解密所述写卡请求,得到所述设备标识和所述设备公钥;
根据所述设备标识为所述待写卡的设备生成所述IMSI,并将所述IMSI利用所述设备公钥加密后发送给所述待写卡的设备。
可选地,所述处理模块703还用于:
所述认证平台根据所述设备标识,确认所述待写卡的设备已与用户账户成功绑定。
本公开实施例还提供一种设备,图8为本公开实施例中提供的一种设备结构示意图,如图8所示,该设备800包括:
收发模块801,用于向认证平台发送写卡请求,所述写卡请求中包括所述待写卡的设备的设备标识和设备公钥;以及,用于接收所述认证平台根据所述设备标识生成的IMSI;
处理模块802,用于将所述IMSI写入设备;
所述收发模块801,还用于向所述认证平台发送写卡确认请求,所述写卡确认请求中包括所述待写卡的设备成功写入的IMSI。
可选地,所述处理模块802还用于将所述设备标识和设备公钥利用所述认证平台的公钥加密后,通过所述收发模块发送给所述认证平台;以及,
利用设备私钥对所述认证平台利用所述设备公钥加密的IMSI进行解密,将解密得到的IMSI写入设备。
基于同样的公开构思,本公开实施例还提供另一种认证设备,该认证设备具体可以为桌面计算机、便携式计算机、智能手机、平板电脑、个人数字助理(Personal Digital Assistant,PDA)等。如图9所示,该认证设备900可以包括中央处理器(Center Processing Unit,CPU)901、存储器902、输入/输出设备903及总线系统904等。其中,输入设备可以包括键盘、鼠标、触摸屏等,输出设备可以包括显示设备,如液晶显示器(Liquid Crystal Display,LCD)、阴极射线管(Cathode Ray Tube,CRT)等。
存储器可以包括只读存储器(Read-Only Memory,ROM)和随机存取存储器(Random Access Memory,RAM),并向处理器提供存储器中存储的程序指令和数据。在本公开实施例中,存储器可以用于存储上述设备认证方法的程序。
处理器通过调用存储器存储的程序指令,处理器用于按照获得的程序指令执行上述设备认证方法。
基于同样的公开构思,本公开实施例提供了一种计算机存储介质,用于储存为上述检测终端所用的计算机程序指令,其包含用于执行上述设备认证方法的程序。
所述计算机存储介质可以是计算机能够存取的任何可用介质或数据存储设备,包括但不限于磁性存储器(例如软盘、硬盘、磁带、磁光盘(Magneto-optical Disk,MO)等)、光学存储器(例如CD(Compact Disc)、DVD(Digital Video Disc)、BD(Blu-ray Disc)、HVD(High-definition Versatile Disc)等)、以及半导体存储器(例如ROM、EPROM(Erasable Programmable Read-Only Memory)、EEPROM(Electrically Erasable Programmable read only memory)、非易失性存储器(NAND FLASH)、固态硬盘(Solid State Disk,SSD))等。
由上述内容可以看出:
本公开实施例提供了一种设备认证方法,包括:认证平台接收业务平台发送的设备认证请求,该设备认证请求中包括待认证设备的IMSI和认证信息;根据待认证的设备的IMSI以及认证平台中存储的各IMSI对应的设备公钥,确定待认证的设备的设备公钥,根据待认证的设备的设备公钥验证认证信息是否有效,若有效,则向所述业务平台发送认证成功消息。可见,本公开实施例采用不对称密钥机制对设备进行认证,可有效提高设备认证的安全性,而且由于认证信息是根据待认证的设备自身的设备私钥生成的,而认证平台中又存储有各个IMSI对应的设备公钥,因此,认证平台利用其存储的与待认证的设备的IMSI匹配的设备公钥无法成功验证认证信息,则说明待认证的设备的IMSI与其设备私钥不匹配,从而有效地检测到机卡分离。
本领域内的技术人员应明白,本公开的实施例可提供为方法、系统、或 计算机程序产品。因此,本公开可采用完全硬件实施例、完全软件实施例、或结合软件和硬件方面的实施例的形式。而且,本公开可采用在一个或两个以上其中包含有计算机可用程序代码的计算机可用存储介质(包括但不限于磁盘存储器、CD-ROM(Compact Disc Read-Only Memory)、光学存储器等)上实施的计算机程序产品的形式。
本公开是参照根据本公开实施例的方法、设备(系统)、和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/或方框、以及流程图和/或方框图中的流程和/或方框的结合。可提供这些计算机程序指令到通用计算机、专用计算机、嵌入式处理机或其他可编程数据处理设备的处理器以产生一个机器,使得通过计算机或其他可编程数据处理设备的处理器执行的指令产生用于实现在流程图一个流程或两个以上流程和/或方框图一个方框或两个以上方框中指定的功能的装置。
这些计算机程序指令也可存储在能引导计算机或其他可编程数据处理设备以特定方式工作的计算机可读存储器中,使得存储在该计算机可读存储器中的指令产生包括指令装置的制造品,该指令装置实现在流程图一个流程或两个以上流程和/或方框图一个方框或两个以上方框中指定的功能。
这些计算机程序指令也可装载到计算机或其他可编程数据处理设备上,使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或两个以上流程和/或方框图一个方框或两个以上方框中指定的功能的步骤。
尽管已描述了本公开的可选实施例,但本领域内的技术人员一旦得知了基本创造性概念,则可对这些实施例作出另外的变更和修改。所以,所附权利要求意欲解释为包括可选实施例以及落入本公开范围的所有变更和修改。
显然,本领域的技术人员可以对本公开进行各种改动和变型而不脱离本公开的精神和范围。这样,倘若本公开的这些修改和变型属于本公开权利要求及其等同技术的范围之内,则本公开也意图包含这些改动和变型在内。

Claims (11)

  1. 一种设备认证方法,应用于物联网中的设备认证,所述方法包括:
    认证平台接收业务平台发送的设备认证请求;所述设备认证请求中包括待认证的设备的国际移动用户识别码IMSI和认证信息,所述认证信息是所述待认证的设备根据自身的设备私钥生成的;
    所述认证平台根据所述IMSI以及所述认证平台中存储的各IMSI对应的设备公钥,确定所述待认证的设备的设备公钥,根据所述待认证的设备的设备公钥验证所述认证信息是否有效,若有效,则向所述业务平台发送认证成功消息。
  2. 根据权利要求1所述的方法,其中,所述认证平台中存储的各IMSI对应的设备公钥是所述认证平台为待写卡的设备成功生成IMSI后存储的。
  3. 根据权利要求2所述的方法,其中,所述认证平台为待写卡的设备成功生成IMSI,包括:
    所述认证平台接收所述待写卡的设备发送的写卡请求,所述写卡请求中包括所述待写卡的设备的设备标识和设备公钥;
    所述认证平台根据所述设备标识为所述待写卡的设备生成IMSI并发送给所述待写卡的设备;
    所述认证平台若确认所述IMSI成功写入所述待写卡的设备,则对应存储所述IMSI和所述设备公钥。
  4. 根据权利要求3所述的方法,其中,所述写卡请求是所述待写卡的设备利用所述认证平台的公钥对所述设备标识和所述设备公钥进行加密后发送的;
    所述认证平台根据所述设备标识为所述待写卡的设备生成IMSI,并发送给所述待写卡的设备,包括:
    所述认证平台利用自身的公钥解密所述写卡请求,得到所述设备标识和所述设备公钥;
    所述认证平台根据所述设备标识为所述待写卡的设备生成所述IMSI,并将所述IMSI利用所述设备公钥加密后发送给所述待写卡的设备。
  5. 根据权利要求4所述的方法,所述认证平台根据所述设备标识为所述待写卡的设备生成所述IMSI之前,所述方法还包括:
    所述认证平台根据所述设备标识,确认所述待写卡的设备已与用户账户成功绑定。
  6. 一种空中写卡方法,应用于物联网中的设备写卡,所述方法包括:
    待写卡的设备向认证平台发送写卡请求,所述写卡请求中包括所述待写卡的设备的设备标识和设备公钥;
    所述待写卡的设备接收所述认证平台根据所述设备标识生成的IMSI,并将所述IMSI写入设备;
    所述待写卡的设备向所述认证平台发送写卡确认请求,所述写卡确认请求中包括所述待写卡的设备成功写入的IMSI。
  7. 根据权利要求6所述的方法,其中,所述待写卡的设备向认证平台发送写卡请求,包括:
    所述待写卡的设备将所述设备标识和设备公钥利用所述认证平台的公钥加密后发送给所述认证平台;
    所述待写卡的设备接收所述认证平台根据所述设备标识生成的IMSI,并将所述IMSI写入设备,包括:
    所述待写卡的设备利用设备私钥对所述认证平台利用所述设备公钥加密的IMSI进行解密,将解密得到的IMSI写入设备。
  8. 一种设备认证装置,包括:
    收发模块,用于接收业务平台发送的设备认证请求;所述设备认证请求中包括待认证的设备的国际移动用户识别码IMSI和认证信息,所述认证信息是所述待认证的设备根据自身的设备私钥生成的;
    认证模块,用于根据所述IMSI以及所述认证平台中存储的各IMSI对应的设备公钥,确定所述待认证的设备的设备公钥,根据所述待认证的设备的设备公钥验证所述认证信息是否有效,若有效,则向所述业务平台发送认证成功消息。
  9. 一种设备,包括:
    收发模块,用于向认证平台发送写卡请求,所述写卡请求中包括所述待 写卡的设备的设备标识和设备公钥;
    处理模块,用于接收所述认证平台根据所述设备标识生成的IMSI,并将所述IMSI写入设备;
    所述收发模块,还用于向所述认证平台发送写卡确认请求,所述写卡确认请求中包括所述待写卡的设备成功写入的IMSI。
  10. 一种认证设备,包括:
    存储器,用于存储程序指令;
    处理器,用于调用所述存储器中存储的程序指令,按照获得的程序执行如权利要求1至7中任一项所述的方法。
  11. 一种计算机可读存储介质,存储有计算机可执行指令,所述计算机可执行指令用于使所述计算机执行如权利要求1至7中任一项所述的方法。
PCT/CN2018/123831 2017-12-29 2018-12-26 设备认证方法、空中写卡方法及设备认证装置 WO2019129037A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201711481127.XA CN109992949B (zh) 2017-12-29 2017-12-29 一种设备认证方法、空中写卡方法及设备认证装置
CN201711481127.X 2017-12-29

Publications (1)

Publication Number Publication Date
WO2019129037A1 true WO2019129037A1 (zh) 2019-07-04

Family

ID=67066619

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/123831 WO2019129037A1 (zh) 2017-12-29 2018-12-26 设备认证方法、空中写卡方法及设备认证装置

Country Status (2)

Country Link
CN (1) CN109992949B (zh)
WO (1) WO2019129037A1 (zh)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110830251A (zh) * 2019-11-22 2020-02-21 国网四川省电力公司经济技术研究院 泛在电力物联网环境下的用电信息安全传输步骤与方法
CN112437427A (zh) * 2019-08-26 2021-03-02 中国移动通信有限公司研究院 写卡方法、装置、设备及计算机可读存储介质
CN113469676A (zh) * 2021-06-11 2021-10-01 深圳市雪球科技有限公司 一种同步空中个人化指令执行状态的方法、装置和服务器
CN116015959A (zh) * 2023-01-03 2023-04-25 重庆长安汽车股份有限公司 实名认证方法、装置、电子设备及存储介质
CN118282673A (zh) * 2024-06-04 2024-07-02 杭州宇泛智能科技股份有限公司 多源异构设备数据一致性处理方法

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110535858A (zh) * 2019-08-29 2019-12-03 广东电网有限责任公司 一种智能电表认证系统及方法
CN111787044A (zh) * 2019-12-23 2020-10-16 北京沃东天骏信息技术有限公司 物联网终端平台
CN111356124B (zh) * 2020-02-17 2021-03-05 深圳杰睿联科技有限公司 eSIM激活方法、系统以及计算机可读存储介质
CN113852957A (zh) * 2020-06-09 2021-12-28 中国移动通信有限公司研究院 安全服务器、sp服务器、终端、安全授权方法及系统
CN112351421B (zh) * 2020-09-14 2024-02-06 深圳Tcl新技术有限公司 数据传输的控制方法、控制设备以及计算机存储介质
CN114615652B (zh) * 2020-12-04 2024-06-07 中国移动通信有限公司研究院 物联网空中写卡方法、辅助方法、装置及通信设备
CN112887409B (zh) * 2021-01-27 2022-05-17 珠海格力电器股份有限公司 一种数据处理系统、方法、装置、设备和存储介质
CN117955740B (zh) * 2024-03-26 2024-07-19 长城信息股份有限公司 一种设备安全认证方法及系统

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101547437A (zh) * 2009-04-30 2009-09-30 东信和平智能卡股份有限公司 电信智能卡、空中写卡系统及空中写卡方法
CN104185176A (zh) * 2014-08-28 2014-12-03 中国联合网络通信集团有限公司 一种物联网虚拟用户识别模块卡远程初始化方法及系统
CN104244227A (zh) * 2013-06-09 2014-12-24 中国移动通信集团公司 一种物联网系统中终端接入认证的方法及装置
CN105101194A (zh) * 2014-04-28 2015-11-25 华为技术有限公司 终端安全认证方法、装置及系统
CN106131768A (zh) * 2016-06-28 2016-11-16 广州二六三移动通信有限公司 一种漫游号码空中写卡的方法、系统及平台
CN106302354A (zh) * 2015-06-05 2017-01-04 北京壹人壹本信息科技有限公司 一种身份认证方法和装置

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101771680B (zh) * 2008-12-29 2013-03-13 中国移动通信集团公司 一种向智能卡写入数据的方法、系统以及远程写卡终端
CN102457374A (zh) * 2010-10-18 2012-05-16 卓望数码技术(深圳)有限公司 一种移动终端的安全认证方法及系统
CN102523578B (zh) * 2011-12-09 2015-02-25 北京握奇数据系统有限公司 空中写卡方法、装置及系统
US20130311330A1 (en) * 2012-05-15 2013-11-21 Jonathan E. Ramaci Systems, methods, and computer program products for the receipt of transaction offers
US9762590B2 (en) * 2014-04-17 2017-09-12 Duo Security, Inc. System and method for an integrity focused authentication service
CN106302544A (zh) * 2016-10-18 2017-01-04 深圳市金立通信设备有限公司 一种安全验证方法和系统
CN107071762A (zh) * 2017-06-16 2017-08-18 苏州蜗牛数字科技股份有限公司 智能终端现场写卡方法及系统

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101547437A (zh) * 2009-04-30 2009-09-30 东信和平智能卡股份有限公司 电信智能卡、空中写卡系统及空中写卡方法
CN104244227A (zh) * 2013-06-09 2014-12-24 中国移动通信集团公司 一种物联网系统中终端接入认证的方法及装置
CN105101194A (zh) * 2014-04-28 2015-11-25 华为技术有限公司 终端安全认证方法、装置及系统
CN104185176A (zh) * 2014-08-28 2014-12-03 中国联合网络通信集团有限公司 一种物联网虚拟用户识别模块卡远程初始化方法及系统
CN106302354A (zh) * 2015-06-05 2017-01-04 北京壹人壹本信息科技有限公司 一种身份认证方法和装置
CN106131768A (zh) * 2016-06-28 2016-11-16 广州二六三移动通信有限公司 一种漫游号码空中写卡的方法、系统及平台

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112437427A (zh) * 2019-08-26 2021-03-02 中国移动通信有限公司研究院 写卡方法、装置、设备及计算机可读存储介质
CN112437427B (zh) * 2019-08-26 2023-03-31 中国移动通信有限公司研究院 写卡方法、装置、设备及计算机可读存储介质
CN110830251A (zh) * 2019-11-22 2020-02-21 国网四川省电力公司经济技术研究院 泛在电力物联网环境下的用电信息安全传输步骤与方法
CN110830251B (zh) * 2019-11-22 2023-04-21 国网四川省电力公司经济技术研究院 一种泛在电力物联网环境下用电信息安全传输的方法
CN113469676A (zh) * 2021-06-11 2021-10-01 深圳市雪球科技有限公司 一种同步空中个人化指令执行状态的方法、装置和服务器
CN113469676B (zh) * 2021-06-11 2024-02-02 深圳市雪球科技有限公司 一种同步空中个人化指令执行状态的方法、装置和服务器
CN116015959A (zh) * 2023-01-03 2023-04-25 重庆长安汽车股份有限公司 实名认证方法、装置、电子设备及存储介质
CN116015959B (zh) * 2023-01-03 2024-06-11 重庆长安汽车股份有限公司 实名认证方法、装置、电子设备及存储介质
CN118282673A (zh) * 2024-06-04 2024-07-02 杭州宇泛智能科技股份有限公司 多源异构设备数据一致性处理方法

Also Published As

Publication number Publication date
CN109992949A (zh) 2019-07-09
CN109992949B (zh) 2021-04-16

Similar Documents

Publication Publication Date Title
WO2019129037A1 (zh) 设备认证方法、空中写卡方法及设备认证装置
JP7043701B2 (ja) ソフトウェアアプリケーションの信頼を最初に確立し、かつ定期的に確認するシステム及び方法
US10021113B2 (en) System and method for an integrity focused authentication service
CN110417797B (zh) 认证用户的方法及装置
CN110324276B (zh) 一种登录应用的方法、系统、终端和电子设备
CN109150548B (zh) 一种数字证书签名、验签方法及系统、数字证书系统
KR101418799B1 (ko) 모바일용 오티피 서비스 제공 시스템
US9762567B2 (en) Wireless communication of a user identifier and encrypted time-sensitive data
JP2014529964A (ja) モバイル機器経由の安全なトランザクション処理のシステムおよび方法
JP2018532301A (ja) 本人認証方法及び装置
CN109600223A (zh) 验证方法、激活方法、装置、设备及存储介质
WO2015160711A1 (en) Service authorization using auxiliary device
CN110073387A (zh) 证实通信设备与用户之间的关联
US11373762B2 (en) Information communication device, authentication program for information communication device, and authentication method
CN103051451A (zh) 安全托管执行环境的加密认证
KR101210260B1 (ko) 통합센터를 이용한 유심칩기반 모바일 오티피 인증장치 및 인증방법
CN108200078A (zh) 签名认证工具的下载安装方法及终端设备
CA3135088A1 (en) System and method for providing secure data access
JP5781678B1 (ja) 電子データ利用システム、携帯端末装置、及び電子データ利用システムにおける方法
CN117857071A (zh) 使用钱包卡的密码验证
US20230116566A1 (en) Method and apparatus for managing application
US10313132B2 (en) Method and system for importing and exporting configurations
KR20200089562A (ko) 공유된 키를 등록하기 위한 방법 및 장치
KR101628615B1 (ko) 보안운영체제를 이용한 안심서명 제공 방법
EP3373182B1 (en) Method and system for importing and exporting configurations

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18895563

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18895563

Country of ref document: EP

Kind code of ref document: A1