WO2020172887A1 - Data processing method and apparatus, smart card, terminal device and server - Google Patents

Data processing method and apparatus, smart card, terminal device and server

Info

Publication number
WO2020172887A1
WO2020172887A1 PCT/CN2019/076583 CN2019076583W WO2020172887A1 WO 2020172887 A1 WO2020172887 A1 WO 2020172887A1 CN 2019076583 W CN2019076583 W CN 2019076583W WO 2020172887 A1 WO2020172887 A1 WO 2020172887A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
authentication
private key
server
terminal device
Prior art date
Application number
PCT/CN2019/076583
Other languages
English (en)
Chinese (zh)
Inventor
何永德
谢翔
傅志敬
孙立林
Original Assignee
云图有限公司
Priority date
Filing date
Publication date
Application filed by 云图有限公司 filed Critical 云图有限公司
Priority to PCT/CN2019/076583 priority Critical patent/WO2020172887A1/fr
Publication of WO2020172887A1 publication Critical patent/WO2020172887A1/fr

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Definitions

  • the embodiments of this specification relate to the field of computer technology, and in particular to a data processing method, device, smart card, terminal device, and server.
  • a mobile communication system may include a smart card, a network server, and terminal equipment.
  • the smart card can be assigned a user identification code IMSI and a secret key ki when signing a contract (registration).
  • the smart card can store the user identification code IMSI and the key ki.
  • the network server can obtain the user identification code IMSI and the key ki; can generate a random number RAND; can generate a response SRESa according to the key ki and the random number RAND; and can store the user identification code IMSI in correspondence with the random number RAND and the response SRESa respectively.
  • the smart card may be installed in the terminal device.
  • the terminal device can send a network access request to the network server.
  • the network access request may carry the user identification code IMSI.
  • the network server can receive the network access request; can read the pre-stored random number RAND according to the user identification code IMSI; and can send an authentication request to the terminal device.
  • the random number RAND may be carried in the authentication request.
  • the terminal device may receive the authentication request; may send the authentication request to the smart card.
  • the smart card can receive the authentication request; can generate a response SRESb according to the random number RAND and the key ki; and can send the generated response SRESb to the terminal device.
  • the terminal device may receive the response SRESb; may send the response SRESb to the network server.
  • the network server can receive the response SRESb; can read the pre-stored response SRESa according to the user identification code IMSI; can compare the response SRESb with the response SRESa; if the two are the same, it determines that the authentication result of the terminal device is a success; if the two are not the same, it determines that the authentication result of the terminal device is a failure.
  • the network side can authenticate the terminal device, but the terminal device cannot authenticate the network side. Since only one-way authentication can be performed in the above-mentioned related technologies, it is possible for mobile users to access illegal networks (for example, pseudo base stations) and thus have their private information stolen.
  • the purpose of the embodiments of this specification is to provide a data processing method, device, smart card, terminal equipment, and server to realize two-way authentication between the network side and the terminal equipment.
  • a data processing method including: a terminal device sends a first device identifier to a server; the server receives the first device identifier; generates a device private key according to the first device identifier; generates an authentication key according to the device private key, the card private key of the smart card, and its own server private key; uses the card public key of the smart card to encrypt the device private key and the authentication key respectively to obtain the device private key ciphertext and the authentication key ciphertext; sends the device private key ciphertext and the authentication key ciphertext to the terminal device; the terminal device receives the device private key ciphertext and the authentication key ciphertext and sends them to the smart card; the smart card receives the device private key ciphertext and the authentication key ciphertext; uses the card private key to decrypt the device private key ciphertext and the authentication key ciphertext respectively to obtain the device private key
  • a data processing method is provided, which is applied to a terminal device, including: sending a device identification to a server; receiving a device private key ciphertext and an authentication key ciphertext sent by the server; the device private key ciphertext is obtained by encrypting the device private key; the authentication key ciphertext is obtained by encrypting the authentication key; the device private key and the authentication key are both calculated based on the device identification; sending the device private key ciphertext and the authentication key ciphertext to the smart card; receiving the device private key and the authentication key sent by the smart card; storing the device private key and the authentication key.
  • a data processing device which is applied to a terminal device, and includes: a first sending unit for sending a device identifier to a server; a first receiving unit for receiving the device private key ciphertext and the authentication key ciphertext sent by the server; the device private key ciphertext is obtained by encrypting the device private key; the authentication key ciphertext is obtained by encrypting the authentication key; the device private key and the authentication key are both calculated according to the device identification; a second sending unit for sending the device private key ciphertext and the authentication key ciphertext to the smart card; a second receiving unit for receiving the device private key and the authentication key sent by the smart card; and a storage unit for storing the device private key and the authentication key.
  • a terminal device including: a memory, configured to store computer instructions; and a processor, configured to execute the computer instructions to implement the method steps described in the second aspect.
  • a data processing method applied to a server including: receiving a first device identifier sent by a terminal device; generating a device private key according to the first device identifier; generating an authentication key according to the device private key, the card private key of the smart card and its own server private key; using the card public key of the smart card to encrypt the device private key and the authentication key respectively to obtain the device private key ciphertext and the authentication key ciphertext; sending the device private key ciphertext and the authentication key ciphertext to the terminal device.
  • a data processing apparatus applied to a server, including: a receiving unit for receiving a first device identifier sent by a terminal device; a first generating unit for generating the device private key according to the first device identification; a second generating unit for generating the authentication key according to the device private key, the card private key of the smart card and its own server private key; an encryption unit for using the card public key of the smart card to encrypt the device private key and the authentication key respectively to obtain the device private key ciphertext and the authentication key ciphertext; and a sending unit for sending the device private key ciphertext and the authentication key ciphertext to the terminal device.
  • a server including: a memory, configured to store computer instructions; a processor, configured to execute the computer instructions to implement the method steps according to the fifth aspect.
  • a data processing method applied to a smart card including: receiving a device private key ciphertext and an authentication key ciphertext sent by a terminal device; the device private key ciphertext is obtained by encrypting the device private key; the authentication key ciphertext is obtained by encrypting the authentication key; using its own card private key to decrypt the device private key ciphertext and the authentication key ciphertext respectively to obtain the device private key and the authentication key; storing the authentication key; and sending the device private key and the authentication key to a terminal device.
  • a data processing device applied to a smart card including: a receiving unit for receiving a device private key ciphertext and an authentication key ciphertext sent by a terminal device, where the device private key ciphertext is obtained by encrypting the device private key and the authentication key ciphertext is obtained by encrypting the authentication key; a decryption unit for using its own card private key to decrypt the device private key ciphertext and the authentication key ciphertext respectively to obtain the device private key and the authentication key; a storage unit for storing the authentication key; and a sending unit for sending the device private key and the authentication key to the terminal device.
  • a smart card including: a memory, configured to store computer instructions; a processor, configured to execute the computer instructions to implement the method steps according to the eighth aspect.
  • a data processing method which includes: a server based on a held server private key, a terminal device based on the held device private key, and a smart card based on the held card private key jointly perform secure multi-party computation to obtain an authentication key; the server authenticates the terminal device based on the authentication key; the terminal device authenticates the server based on the authentication key.
  • a data processing method including: a server based on a held server private key, and a terminal device based on the held device private key and the card private key of the smart card, jointly perform secure multi-party computation to obtain an authentication key; the server authenticates the terminal device based on the authentication key; the terminal device authenticates the server based on the authentication key.
  • a data processing method applied to a server including: performing secure multi-party computation based on the server's private key to obtain an authentication key; and authenticating the terminal device based on the authentication key.
  • a data processing device applied to a server including: a computing unit for performing secure multi-party computation based on the server's private key to obtain an authentication key; and an authentication unit configured to authenticate the terminal device based on the authentication key.
  • a server including: a memory, configured to store computer instructions; and a processor, configured to execute the computer instructions to implement the method steps described in the thirteenth aspect.
  • a data processing method is provided, which is applied to a terminal device, including: performing secure multi-party computation based on the device private key to obtain an authentication key; and authenticating the server based on the authentication key.
  • a data processing device applied to a terminal device including: a computing unit, configured to perform secure multi-party computation based on the device private key to obtain an authentication key; and an authentication unit configured to authenticate the server based on the authentication key.
  • a terminal device including: a memory, configured to store computer instructions; and a processor, configured to execute the computer instructions to implement the method steps described in the sixteenth aspect.
  • both the terminal device and the server can obtain the authentication key.
  • the server may authenticate the terminal device based on the authentication key.
  • the terminal device may authenticate the server based on the authentication key. In this way, mutual authentication between the terminal device and the server can be realized.
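The related-art exchange described above (IMSI, RAND, SRESa, SRESb, ki) beside a two-way check keyed by a shared authentication key, as an added example that is not taken from the patent. Assumptions: HMAC-SHA256 truncated to 32 bits stands in for A3, the nonce-and-proof exchange in `mutual_authenticate` is only one possible form of "authenticating based on the authentication key", and every class name, function name and sample value is constructed.

```python
import hashlib
import hmac
import secrets


def a3_stand_in(ki: bytes, rand: bytes) -> bytes:
    # Assumption: HMAC-SHA256 truncated to 32 bits stands in for the A3 algorithm.
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]


class SmartCard:
    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki

    def respond(self, rand: bytes) -> bytes:
        # SRESb. The card answers whatever RAND it is handed: the one-way flow
        # carries nothing the card could use to check who issued the challenge.
        return a3_stand_in(self._ki, rand)


class NetworkServer:
    def __init__(self):
        self._records = {}  # IMSI -> (RAND, SRESa), stored at registration

    def register(self, imsi: str, ki: bytes) -> None:
        rand = secrets.token_bytes(16)
        self._records[imsi] = (rand, a3_stand_in(ki, rand))

    def challenge(self, imsi: str) -> bytes:
        # Reads back the pre-stored RAND for this IMSI, as the related art does.
        return self._records[imsi][0]

    def verify(self, imsi: str, sres_b: bytes) -> bool:
        # Constant-time comparison of SRESb with the pre-stored SRESa.
        return hmac.compare_digest(self._records[imsi][1], sres_b)


def one_way_authenticate(server: NetworkServer, card: SmartCard) -> bool:
    """Related-art flow: only the network learns anything about the peer."""
    rand = server.challenge(card.imsi)      # authentication request
    sres_b = card.respond(rand)             # terminal relays card's response
    return server.verify(card.imsi, sres_b)


def _proof(auth_key: bytes, role: bytes, n_term: bytes, n_srv: bytes) -> bytes:
    # The role label keeps one side's proof from being replayed as the other's.
    return hmac.new(auth_key, role + n_term + n_srv, hashlib.sha256).digest()


def mutual_authenticate(terminal_key: bytes, server_key: bytes) -> tuple:
    """Two-way check; returns (terminal accepted server, server accepted terminal)."""
    n_term = secrets.token_bytes(16)        # terminal -> server: fresh nonce
    n_srv = secrets.token_bytes(16)         # server -> terminal: nonce plus proof
    srv_proof = _proof(server_key, b"server", n_term, n_srv)
    expected = _proof(terminal_key, b"server", n_term, n_srv)
    if not hmac.compare_digest(srv_proof, expected):
        return (False, False)               # terminal stops; no response is sent
    term_proof = _proof(terminal_key, b"terminal", n_term, n_srv)
    server_ok = hmac.compare_digest(
        term_proof, _proof(server_key, b"terminal", n_term, n_srv))
    return (True, server_ok)


if __name__ == "__main__":
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample
    card = SmartCard("001010123456789", ki)                 # constructed IMSI
    server = NetworkServer()
    server.register(card.imsi, ki)
    print("one-way, genuine card:", one_way_authenticate(server, card))
    # A party that never held ki still gets an SRES back from the card.
    print("card answers unknown challenger:",
          card.respond(secrets.token_bytes(16)).hex())
    shared = secrets.token_bytes(32)
    print("two-way, same key:", mutual_authenticate(shared, shared))
    print("two-way, server lacks key:",
          mutual_authenticate(shared, secrets.token_bytes(32)))
```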
  • Figure 1 is an authentication flow chart in related technologies
  • FIG. 2 is a schematic diagram of the functional structure of a mobile communication system according to an embodiment of the specification
  • FIG. 3 is a flowchart of a data processing method according to an embodiment of the specification.
  • Fig. 5 is a flowchart of a data processing method according to an embodiment of the specification.
  • Fig. 6 is a flowchart of a data processing method according to an embodiment of the specification.
  • FIG. 7 is a flowchart of a data processing method according to an embodiment of this specification.
  • FIG. 8 is a flowchart of a data processing method according to an embodiment of the specification.
  • Fig. 9 is a flowchart of a data processing method according to an embodiment of the specification.
  • FIG. 10 is a flowchart of a data processing method according to an embodiment of this specification.
  • FIG. 11 is a schematic diagram of the functional structure of a data processing device according to an embodiment of the specification.
  • FIG. 12 is a schematic diagram of the functional structure of a terminal device according to an embodiment of the specification.
  • FIG. 13 is a schematic diagram of the functional structure of a data processing device according to an embodiment of the specification.
  • FIG. 14 is a schematic diagram of the functional structure of a server according to an embodiment of the specification.
  • FIG. 15 is a schematic diagram of the functional structure of a data processing device according to an embodiment of the specification.
  • FIG. 16 is a schematic diagram of the functional structure of a smart card according to an embodiment of the specification.
  • FIG. 17 is a schematic diagram of the functional structure of a data processing device according to an embodiment of the specification.
  • FIG. 18 is a schematic diagram of the functional structure of a data processing device according to an embodiment of the specification.
  • the key ki is only stored on the smart card. As a result, there is a risk of the smart card being copied and misused.
  • the embodiment of this specification provides a mobile communication system.
  • the mobile communication system may include a smart card, terminal equipment, network server and base station server.
  • the smart card may be an integrated circuit card with data processing functions and storage functions, such as a SIM card (Subscriber Identity Module, user identification card), USIM card (Universal Subscriber Identity Module, global user identification card), UIM card (User Identity Module) and so on.
  • the terminal device may be a device capable of providing users with voice and/or data connectivity, such as a mobile phone (also referred to as a "cellular phone"), a cordless phone, a handheld device, a vehicle-mounted device, a wearable device, and so on.
  • the network server may be used to provide communication services, and may specifically include one or more functional units.
  • the network server may be a network and switching subsystem (Network Switching Subsystem, NSS) server, and may specifically include one or more of a mobile service switching center (Mobile Service Switching Center, MSC), a visitor location register (Visitor Location Register, VLR), a home location register (Home Location Register, HLR) and an authentication center (Authentication Center, AUC).
  • the base station server may be used to provide data transmission service between the terminal device and the network server.
  • the base station server may be a base station system (Base Station System, BSS) server.
  • the smart card may be installed on the terminal device.
  • the terminal device can perform wireless communication with the network server.
  • the terminal device may perform wireless communication with the network server through the transparent transmission of the base station server.
  • the wireless communication can use any of a variety of communication standards, protocols and technologies, including but not limited to Global System for Mobile Communications (GSM), Wideband Code Division Multiple Access (W-CDMA), Code Division Multiple Access (CDMA), Time Division Multiple Access (TDMA) and so on.
  • the smart card may be assigned a user identification code (International Mobile Subscriber Identity, IMSI) and a public-private key pair when signing a contract (registration).
  • the user identification code can be used to distinguish mobile users.
  • the public-private key pair of the smart card may include a card public key and a card private key. In this way, the smart card can store the user identification code, the card private key, and the card public key.
  • the card private key may be expressed as sk1
  • the card public key may be expressed as pk1.
  • the network server can obtain the user identification code, the card private key, and the card public key; and can generate a public-private key pair of the terminal device and its own public-private key pair.
  • the public-private key pair of the terminal device may include a device public key and a device private key.
  • the public-private key pair of the server may include a server public key and a server private key.
  • the network server can associate the user identification code with the card public key, the card private key, the device public key, the device private key, the server public key, and the server private key.
  • the server private key may be expressed as sk2
  • the server public key may be expressed as pk2
  • the device private key may be expressed as sk3
  • the device public key may be expressed as pk3.
  • the network server may generate a random number as an authentication random number (RAND); may store the user identification code and the authentication random number correspondingly; may generate authentication response data (SRES) according to the authentication random number; and may store the user identification code and the authentication response data correspondingly.
  • the network server may use the A3 algorithm (an encryption algorithm) to generate the authentication response data according to the card private key and the authentication random number.
  • This specification provides an embodiment of the data processing method. This embodiment can be applied to a smart card activation scenario, and can include the following steps.
  • Step S11 The terminal device sends the first device identifier to the server.
  • Step S12 The server receives the first device identification; and generates a device private key according to the first device identification.
  • the first device identifier may be used to identify the terminal device, for example, may be the serial number (International Mobile Equipment Identity, IMEI) of the terminal device.
  • the server may be used to provide communication services, for example, may be the network server described above.
  • a smart card may be installed in the terminal device.
  • the terminal device can send a network access request to the server.
  • the user identification code may be carried in the network access request.
  • the terminal device may send a network access request to the server after being turned on.
  • the server can correspondingly store the user identification code and the authentication random number.
  • the server can receive the network access request; can read the pre-stored authentication random number according to the user identification code; and can send the authentication random number to the terminal device.
  • the terminal device can receive the authentication random number; can send the authentication random number to the smart card.
  • the smart card can receive the authentication random number; can generate authentication response data according to the authentication random number; and can send the authentication response data to a terminal device.
  • the smart card may use the A3 algorithm to generate the authentication response data according to its own card private key and the authentication random number.
  • the terminal device may receive the authentication response data; may send the authentication response data and the first device identifier to the server.
  • the server can correspondingly store the user identification code and the authentication response data.
  • the server can receive the authentication response data and the first device identification; can read the pre-stored authentication response data according to the user identification code; can compare the received authentication response data with the read authentication response data; if they are the same, the device private key can be generated according to the first device identifier; if they are not the same, the network access request can be ignored.
  • the server may generate the public-private key pair of the terminal device according to the first device identifier.
  • the public-private key pair of the terminal device may include a device private key and a device public key.
  • the device private key generated by the server may be expressed as sk3'
  • the device public key generated by the server may be expressed as pk3'.
  • the server can detect whether the user identification code meets a preset condition.
  • the preset condition may include: the user identification code is not bound to a device identification; the user identification code is bound to a second device identification, and the second device identification is different from the first device identification. If the preset condition is met, the server may generate a device private key according to the first device identification. If the preset conditions are not met, the server considers that the smart card is already in the activated state; the steps related to the activation scenario can be ended.
  • when it is detected that the user identification code is not bound to a device identification, the server considers the smart card to be used for the first time; it can also bind the user identification code and the first device identification. In this way, the binding of the smart card and the terminal device can be realized, and the smart card can be prevented from being stolen and used on other terminal devices.
  • when it is detected that the user identification code is bound to the second device identification, the server considers that the terminal device used with the smart card has been replaced; it can also cancel the binding relationship between the user identification code and the second device identification, and bind the user identification code and the first device identification. In this way, terminal equipment can be replaced.
  • the server may also send an identification key acquisition request to the terminal device.
  • the terminal device can receive the identity recognition key acquisition request; can send the identity recognition key to the server.
  • the identification key may be, for example, a PIN (Personal Identification Number) code.
  • the identity recognition key may also be a password that can be input by the user, such as a login password.
  • the server may receive the identification key; may verify the identification key; if the verification is passed, may bind the user identification code and the first device identification, or may cancel the binding relationship between the user identification code and the second device identification and bind the user identification code and the first device identification.
  • the server can store the user identification code corresponding to the device public key and the device private key respectively.
  • the stored device private key can be expressed as sk3, and the stored device public key can be expressed as pk3.
  • the server can also use the device public key generated in step S12 to update the pre-stored device public key; and can use the device private key generated in step S12 to update the pre-stored device private key.
  • the device private key generated in step S12 can be expressed as sk3'
  • the device public key generated in step S12 can be expressed as pk3'.
  • the server can use the device private key sk3' to update the device private key sk3, and can use the device public key pk3' to update the device public key pk3.
  • Step S13 The server generates an authentication key according to the device private key, the card private key of the smart card, and its own server private key.
  • the server can store the user identification code corresponding to the card private key and the server private key respectively.
  • the server can read the pre-stored card private key and server private key according to the user identification code; it can generate an authentication key according to the generated device private key, the read card private key, and the read server private key.
  • the server may generate a specific private key according to the device private key, the card private key, and the server private key; and may generate the specific public key as the authentication key according to the specific private key.
  • the read card private key can be represented as sk1
  • the read server private key can be represented as sk2
  • the generated device private key can be represented as sk3'.
  • the server may calculate the specific public key pk as the authentication key according to the specific private key sk.
  • Step S14 The server encrypts the device private key and the authentication key to obtain the device private key ciphertext and the authentication key ciphertext.
  • the server can store the user identification code and the card public key correspondingly through the signing process. In this way, the server can read the pre-stored card public key according to the user identification code; the read card public key can be used to encrypt the device private key and the authentication key respectively to obtain the device private key ciphertext and the authentication key ciphertext.
  • Step S15 The server sends the device private key ciphertext and the authentication key ciphertext to the terminal device.
  • Step S16 The terminal device receives and sends the device private key ciphertext and the authentication key ciphertext to the smart card.
  • Step S17 The smart card receives the device private key ciphertext and the authentication key ciphertext; decrypts the device private key ciphertext and the authentication key ciphertext to obtain the device private key and the authentication key.
  • the smart card can obtain the card private key through the signing process.
  • the smart card can receive the device private key ciphertext and the authentication key ciphertext; the card private key can be used to decrypt the device private key ciphertext and the authentication key ciphertext respectively to obtain the device private key and the authentication key.
  • Step S18 The smart card stores the authentication key, and sends the device private key and the authentication key to the terminal device.
  • Step S19 The terminal device receives and stores the device private key and the authentication key.
  • the terminal device may store the device private key and the authentication key in a Trusted Execution Environment (TEE).
  • the terminal device can obtain the device private key and the authentication key, the smart card can obtain the card private key and the authentication key, and the server can obtain the server private key and the authentication key, which facilitates the subsequent authentication process.
  • this embodiment can store the device private key, the card private key, and the server private key on three different media respectively, thereby reducing the risk of the smart card being copied and misused.
  • This specification provides another embodiment of the data processing method.
  • This embodiment takes the terminal device in the embodiment described in FIG. 3 as the main body, and may include the following steps.
  • Step S21 Send the device identification to the server.
  • Step S22 Receive the device private key ciphertext and the authentication key ciphertext sent by the server.
  • the device private key ciphertext is obtained by encrypting the device private key.
  • the authentication key ciphertext is obtained by encrypting the authentication key. Both the device private key and the authentication key are calculated according to the device identifier.
  • Step S23 Send the device private key ciphertext and the authentication key ciphertext to the smart card.
  • Step S24 Receive the device private key and authentication key sent by the smart card.
  • Step S25 Store the device private key and the authentication key.
  • This specification provides another embodiment of the data processing method.
  • This embodiment takes the server in the embodiment described in FIG. 3 as the main body, and may include the following steps.
  • Step S31 Receive the first device identifier sent by the terminal device.
  • Step S32 Generate a device private key according to the first device identification.
  • Step S33 Generate an authentication key according to the device private key, the card private key of the smart card, and the server private key of itself.
  • Step S34 Use the card public key of the smart card to respectively encrypt the device private key and the authentication key to obtain the device private key ciphertext and the authentication key ciphertext.
  • Step S35 Send the device private key ciphertext and the authentication key ciphertext to the terminal device.
  • This specification provides another embodiment of the data processing method.
  • This embodiment takes the smart card in the embodiment described in FIG. 3 as the main body, and may include the following steps.
  • Step S41 Receive the device private key ciphertext and the authentication key ciphertext sent by the terminal device.
  • the device private key ciphertext is obtained by encrypting the device private key.
  • the authentication key ciphertext is obtained by encrypting the authentication key.
  • Step S42 Use its own card private key to decrypt the device private key cipher text and the authentication key cipher text respectively to obtain the device private key and the authentication key.
  • Step S43 Store the authentication key.
  • Step S44 Send the device private key and the authentication key to the terminal device.
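The activation exchange in the three step lists above (terminal S22-S25, server S31-S35, smart card S41-S44), simulated end to end as an added example that is not code from the patent. The HMAC-SHA256 derivations, the toy hashed-ElGamal stand-in for encryption under the card public key, and all class names, function names and sample values are assumptions.

```python
"""Activation exchange (server S31-S35, terminal S22-S25, smart card S41-S44) in one process.
ASSUMPTIONS, not from the patent: HMAC-SHA256 key derivation, a toy hashed-ElGamal
public-key scheme, and every name and sample value below (all constructed)."""
import hashlib
import hmac
import secrets

P = 2**521 - 1  # toy modulus (a Mersenne prime); not a vetted group, demo only
G = 3


def keypair():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)


def _keystream(shared: int, n: int) -> bytes:
    return hashlib.shake_256(shared.to_bytes(66, "big")).digest(n)


def pk_encrypt(pub: int, msg: bytes):
    """Encrypt msg so that only the holder of the matching private key can open it."""
    r, eph = keypair()
    ks = _keystream(pow(pub, r, P), len(msg) + 32)
    body = bytes(a ^ b for a, b in zip(msg, ks))
    tag = hmac.new(ks[len(msg):], body, hashlib.sha256).digest()
    return eph, body, tag


def pk_decrypt(sk: int, ct) -> bytes:
    eph, body, tag = ct
    ks = _keystream(pow(eph, sk, P), len(body) + 32)
    expected = hmac.new(ks[len(body):], body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext rejected: wrong card key or modified in transit")
    return bytes(a ^ b for a, b in zip(body, ks))


class SmartCard:
    def __init__(self):
        self.card_sk, self.card_pk = keypair()
        self.auth_key = None

    def unwrap(self, dev_ct, auth_ct):
        device_sk = pk_decrypt(self.card_sk, dev_ct)   # S42
        auth_key = pk_decrypt(self.card_sk, auth_ct)   # S42
        self.auth_key = auth_key                       # S43
        return device_sk, auth_key                     # S44


class Server:
    def __init__(self, card_sk: int, card_pk: int):
        self.server_sk = secrets.token_bytes(32)
        self.card_sk, self.card_pk = card_sk, card_pk  # S33 and S34 need both
        self.auth_keys = {}                            # kept for later authentication

    def activate(self, device_id: bytes):
        # S32: device private key derived from the device identifier (derivation assumed)
        device_sk = hmac.new(self.server_sk, b"device|" + device_id, hashlib.sha256).digest()
        # S33: authentication key from device, card and server private keys (assumed)
        material = device_sk + self.card_sk.to_bytes(66, "big")
        auth_key = hmac.new(self.server_sk, b"auth|" + material, hashlib.sha256).digest()
        self.auth_keys[device_id] = auth_key
        # S34/S35: both values leave the server only as ciphertext under the card public key
        return pk_encrypt(self.card_pk, device_sk), pk_encrypt(self.card_pk, auth_key)


class Terminal:
    def __init__(self, device_id: bytes, card: SmartCard):
        self.device_id, self.card = device_id, card
        self.device_sk = self.auth_key = None

    def activate(self, server: Server, tamper: bool = False):
        dev_ct, auth_ct = server.activate(self.device_id)                  # S22
        if tamper:  # simulate corruption between server and card
            eph, body, tag = auth_ct
            auth_ct = (eph, bytes([body[0] ^ 1]) + body[1:], tag)
        self.device_sk, self.auth_key = self.card.unwrap(dev_ct, auth_ct)  # S23, S24, S25


def run_activation(tamper: bool = False, swap_card: bool = False) -> str:
    card = SmartCard()
    server = Server(card.card_sk, card.card_pk)
    # constructed device identifier; swap_card inserts a card the server did not encrypt for
    terminal = Terminal(b"IMEI-000000000000000", SmartCard() if swap_card else card)
    try:
        terminal.activate(server, tamper)
    except ValueError:
        return "rejected"
    same = terminal.auth_key == card.auth_key == server.auth_keys[terminal.device_id]
    return "activated" if same else "mismatch"


if __name__ == "__main__":
    print(run_activation(), run_activation(tamper=True), run_activation(swap_card=True))
```

A modified ciphertext and a card other than the one the server encrypted for are both rejected at step S42. After step S44 the terminal device holds the device private key and the authentication key in the clear.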
  • Step S51 The server, based on the server private key it holds, the terminal device, based on the device private key it holds, and the smart card, based on the card private key it holds, jointly perform multi-party security calculations to obtain an authentication key.
  • Secure Multi-Party Computation is an algorithm to protect data privacy.
  • Multiple participants can use secure multi-party computing technology to perform collaborative calculations and obtain calculation results without leaking their own data.
  • $n \geq 2$; $x_1, \ldots, x_n$ are the data of the participants $P_1, \ldots, P_n$ respectively; $y$ is the calculation result.
  • the participants $P_1, \ldots, P_n$ can all obtain the calculation result $y$.
  • the server can obtain the server private key, the terminal device can obtain the device private key, and the smart card can obtain the card private key.
  • the server may use the server private key as an input parameter
  • the terminal device may use the device private key as an input parameter
  • the smart card may use the card private key as an input parameter to jointly perform multi-party security calculations.
  • the server, the terminal device and the smart card can all obtain the calculation result.
  • the calculation result may specifically include a signature key.
  • the server may be used to provide communication services, for example, may be the previous web server.
  • a smart card may be installed in the terminal device.
  • the terminal device may send a service processing request to the server.
  • the service processing request may be, for example, a voice call request or a data connection request.
  • the server may receive the service processing request; may send an authentication request to the terminal device.
  • the terminal device can receive the authentication request; can send the authentication request to the smart card.
  • the server may use the server private key as an input parameter
  • the terminal device may use the device private key as an input parameter
  • the smart card may use the card private key as an input parameter to jointly perform multi-party security calculations.
  • after receiving the service processing request, the server may calculate the time interval between the current time and the time when the last authentication passed; if the time interval reaches a preset time interval, it can send an authentication request to the terminal device.
  • Step S52 The server authenticates the terminal device based on the authentication key.
  • the server may obtain the authentication key in advance through the activation process. In this way, the server can compare the calculated authentication key with the preset authentication key; if they are the same, it can determine that the authentication result of the terminal device is successful, so as to allow the terminal device to access; if they are not the same, it can determine that the authentication result of the terminal device is a failure, so as to deny the access of the terminal device.
  • Step S53 The terminal device authenticates the server based on the authentication key.
  • the terminal device can obtain the authentication key in advance through the activation process. In this way, the terminal device can compare the calculated authentication key with the preset authentication key; if they are the same, the server is considered to be a legitimate server and the communication network corresponding to the server is considered secure, so the authentication result of the server can be determined to be successful; if they are not the same, the server is considered to be an illegal server and the communication network corresponding to the server is considered insecure, so the authentication result of the server can be determined to be a failure.
  • the smart card may authenticate the terminal device based on the authentication key. Specifically, as mentioned above, the smart card can obtain the authentication key in advance through the activation process. In this way, the smart card can compare the calculated authentication key with the preset authentication key; if they are the same, determine that the authentication result of the terminal device is successful; if not, determine the authentication of the terminal device The result is failure.
  • both the terminal device and the server can obtain the authentication key.
  • the server may authenticate the terminal device based on the authentication key.
  • the terminal device may authenticate the server based on the authentication key. In this way, mutual authentication between the terminal device and the server can be realized.
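Steps S51 to S53 as an added example, not taken from the patent: three parties jointly compute an authentication key and each side compares it with the key stored at activation. The function f (sum of the private keys modulo a prime, then SHA-256), the additive secret sharing used to compute it, and all names and values are assumptions.

```python
"""Steps S51-S53 with a toy three-party computation.
ASSUMPTIONS, not from the patent: f(x1, x2, x3) = SHA-256((x1 + x2 + x3) mod Q), computed
with additive secret sharing among semi-honest parties; all names and values are constructed."""
import hashlib
import hmac
import secrets

Q = 2**255 - 19  # prime modulus for the shares


def share(secret: int, n: int):
    """Split secret into n random-looking shares that add up to it mod Q."""
    parts = [secrets.randbelow(Q) for _ in range(n - 1)]
    return parts + [(secret - sum(parts)) % Q]


def derive(total: int) -> bytes:
    return hashlib.sha256(total.to_bytes(32, "big")).digest()


class Party:
    def __init__(self, name: str, private_key: int):
        self.name, self.private_key = name, private_key
        self.preset_auth_key = None  # stored during activation
        self.inbox = []              # shares received in the current run

    def deal(self, n: int):
        return share(self.private_key, n)

    def partial_sum(self) -> int:
        # Only this value is broadcast; it mixes one share from every participant.
        return sum(self.inbox) % Q

    def authenticate_peer(self, computed: bytes) -> bool:
        # S52 / S53: constant-time comparison with the key stored at activation
        return hmac.compare_digest(computed, self.preset_auth_key)


def joint_auth_key(parties) -> bytes:
    """S51: every party contributes its private key; none sends the key itself."""
    for p in parties:
        p.inbox = []
    for dealer in parties:
        for receiver, s in zip(parties, dealer.deal(len(parties))):
            receiver.inbox.append(s)
    total = sum(p.partial_sum() for p in parties) % Q
    # Opening the total lets each party learn the sum of the other inputs, not each input.
    return derive(total)


def run_authentication(wrong_party=None):
    server_sk, device_sk, card_sk = (secrets.randbelow(Q) for _ in range(3))
    parties = {
        "server": Party("server", server_sk),
        "terminal": Party("terminal", device_sk),
        "card": Party("card", card_sk),
    }
    preset = derive((server_sk + device_sk + card_sk) % Q)  # stands in for activation
    for p in parties.values():
        p.preset_auth_key = preset
    if wrong_party is not None:  # this participant does not hold the activated key
        parties[wrong_party].private_key = secrets.randbelow(Q)
    computed = joint_auth_key(list(parties.values()))
    return {
        "server_accepts_terminal": parties["server"].authenticate_peer(computed),    # S52
        "terminal_accepts_server": parties["terminal"].authenticate_peer(computed),  # S53
        "card_accepts_terminal": parties["card"].authenticate_peer(computed),
    }


if __name__ == "__main__":
    print(run_authentication())
    print(run_authentication("terminal"))
    print(run_authentication("server"))
```

With this sum-based f, a run between only two participants would let each side recover the other side's combined input from the result, so the choice of f matters for the two-party variant in step S61.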
  • Step S61 The server, based on the server private key it holds, and the terminal device, based on the device private key it holds and the card private key of the smart card, jointly perform multi-party security calculations to obtain an authentication key.
  • the server may be used to provide communication services, for example, may be the previous web server.
  • a smart card may be installed in the terminal device.
  • the terminal device may send a service processing request to the server.
  • the service processing request may be, for example, a voice call request or a data connection request.
  • the server may receive the service processing request; may send an authentication request to the terminal device.
  • the terminal device may receive the authentication request.
  • the server can obtain the server private key
  • the terminal device can obtain the device private key
  • the smart card can obtain the card private key.
  • the terminal device may send a key acquisition request to the smart card.
  • the smart card can receive the key acquisition request; can send the card private key to the terminal device.
  • the terminal device can receive the card private key.
  • the terminal device may use the device private key and the card private key as input parameters, and the server may use the server private key as input parameters to jointly perform multi-party security calculations. Both the server and the terminal device can obtain the calculation result.
  • the calculation result may specifically include a signature key.
  • Step S62 The server authenticates the terminal device based on the authentication key.
  • Step S63 The terminal device authenticates the server based on the authentication key.
  • the terminal device and the server can obtain the authentication key respectively.
  • the server may authenticate the terminal device based on the authentication key.
  • the terminal device can authenticate the server based on the authentication key. In this way, mutual authentication between the terminal device and the server can be realized.
  • in view of the weak computing power of the smart card, and in order to improve the efficiency of multi-party secure computing, the terminal device can obtain the card private key of the smart card, so that the terminal device and the server carry out the multi-party secure computing and the smart card does not have to participate in it directly.
  • This specification provides another embodiment of the data processing method. This embodiment can be applied to authentication scenarios. This embodiment takes the server as the execution subject, and may include the following steps.
  • Step S71 Perform multi-party security calculation based on the server private key to obtain an authentication key.
  • the input parameters of the multi-party secure calculation include the server private key of the server, the device private key of the terminal device, and the card private key of the smart card.
  • the multi-party secure calculation may be jointly executed by the server, terminal device and smart card.
  • the server can obtain the server private key
  • the terminal device can obtain the device private key
  • the smart card can obtain the card private key.
  • the server may use the server private key as an input parameter
  • the terminal device may use the device private key as an input parameter
  • the smart card may use the card private key as an input parameter to jointly perform multi-party security calculations.
  • the server, the terminal device and the smart card can all obtain the calculation result.
  • the calculation result may specifically include a signature key.
  • the multi-party secure computing may be performed jointly by the server and the terminal device.
  • the terminal device may send a key acquisition request to the smart card.
  • the smart card can receive the key acquisition request; can send the card private key to the terminal device.
  • the terminal device can receive the card private key.
  • the terminal device may use the device private key and the card private key as input parameters, and the server may use the server private key as input parameters to jointly perform multi-party security calculations. Both the server and the terminal device can obtain the calculation result.
  • the calculation result may specifically include a signature key.
  • Step S72 Perform authentication on the terminal device based on the authentication key.
  • This specification provides another embodiment of the data processing method. This embodiment can be applied to authentication scenarios. This embodiment takes the terminal device as the execution subject, and may include the following steps.
  • Step S81 Perform multi-party security calculation based on the device private key to obtain an authentication key.
  • the input parameters of the multi-party secure calculation include the server private key of the server, the device private key of the terminal device, and the card private key of the smart card.
  • the multi-party secure calculation may be jointly executed by the server, terminal device and smart card.
  • the server can obtain the server private key
  • the terminal device can obtain the device private key
  • the smart card can obtain the card private key.
  • the server may use the server private key as an input parameter
  • the terminal device may use the device private key as an input parameter
  • the smart card may use the card private key as an input parameter to jointly perform multi-party security calculations.
  • the server, the terminal device and the smart card can all obtain the calculation result.
  • the calculation result may specifically include a signature key.
  • the multi-party secure computing may be performed jointly by the server and the terminal device.
  • the terminal device may send a key acquisition request to the smart card.
  • the smart card can receive the key acquisition request; can send the card private key to the terminal device.
  • the terminal device can receive the card private key.
  • the terminal device may use the device private key and the card private key as input parameters, and the server may use the server private key as input parameters to jointly perform multi-party security calculations. Both the server and the terminal device can obtain the calculation result.
  • the calculation result may specifically include a signature key.
  • Step S82 Authenticate the server based on the authentication key.
  • the embodiment of this specification provides a data processing device applied to terminal equipment, including:
  • the first sending unit 91 is configured to send a device identifier to the server
  • the first receiving unit 92 is configured to receive the device private key ciphertext and the authentication key ciphertext sent by the server; the device private key ciphertext is obtained by encrypting the device private key; the authentication key ciphertext is obtained by encrypting the authentication key; the device private key and the authentication key are both calculated according to the device identification;
  • the second sending unit 93 is configured to send the device private key ciphertext and the authentication key ciphertext to the smart card;
  • the second receiving unit 94 is configured to receive the device private key and authentication key sent by the smart card;
  • the storage unit 95 is used to store the device private key and the authentication key.
  • the embodiment of this specification provides a terminal device.
  • the terminal device may include a memory and a processor.
  • the memory can be implemented in any suitable way.
  • the memory may be a read-only memory, a mechanical hard disk, a solid state hard disk, or a U disk.
  • the memory can be used to store computer instructions.
  • the processor can be implemented in any suitable way.
  • the processor may take the form of a microprocessor or a processor and a computer-readable medium, logic gates, switches, an application specific integrated circuit (ASIC), a programmable logic controller, an embedded microcontroller, etc.
  • the processor may execute the computer instructions to implement the following steps: send the device identification to the server; receive the device private key ciphertext and the authentication key ciphertext sent by the server, where the device private key ciphertext is obtained by encrypting the device private key, the authentication key ciphertext is obtained by encrypting the authentication key, and the device private key and the authentication key are both calculated based on the device identification; send the device private key ciphertext and the authentication key ciphertext to the smart card; receive the device private key and the authentication key sent by the smart card; and store the device private key and the authentication key.
  • the embodiment of this specification provides a data processing device applied to a server, including:
  • the receiving unit 101 is configured to receive a first device identifier sent by a terminal device
  • the first generating unit 102 is configured to generate a device private key according to the first device identification
  • the second generating unit 103 is configured to generate an authentication key according to the device private key, the card private key of the smart card, and its own server private key;
  • the encryption unit 104 is configured to use the card public key of the smart card to respectively encrypt the device private key and the authentication key to obtain the device private key ciphertext and the authentication key ciphertext;
  • the sending unit 105 is configured to send the device private key ciphertext and the authentication key ciphertext to the terminal device.
  • the embodiment of this specification provides a server.
  • the server may include a memory and a processor.
  • the memory can be implemented in any suitable way.
  • the memory may be a read-only memory, a mechanical hard disk, a solid state hard disk, or a U disk.
  • the memory can be used to store computer instructions.
  • the processor can be implemented in any suitable way.
  • the processor may take the form of a microprocessor or a processor and a computer-readable medium, logic gates, switches, an application specific integrated circuit (ASIC), a programmable logic controller, an embedded microcontroller, etc.
  • the processor may execute the computer instructions to implement the following steps: receiving a first device identification sent by a terminal device; generating a device private key according to the first device identification; generating an authentication key according to the device private key, the card private key of the smart card, and the server private key; using the card public key of the smart card to encrypt the device private key and the authentication key respectively to obtain the device private key ciphertext and the authentication key ciphertext; and sending the device private key ciphertext and the authentication key ciphertext to the terminal device.
  • the embodiment of this specification provides a data processing device applied to a smart card, including:
  • the receiving unit 111 is configured to receive the device private key ciphertext and the authentication key ciphertext sent by the terminal device; the device private key ciphertext is obtained by encrypting the device private key; the authentication key ciphertext is obtained by encrypting the authentication key;
  • the decryption unit 112 is configured to use its card private key to decrypt the device private key ciphertext and the authentication key ciphertext respectively to obtain the device private key and the authentication key;
  • the storage unit 113 is configured to store the authentication key
  • the sending unit 114 is configured to send the device private key and the authentication key to the terminal device.
  • the embodiment of this specification provides a smart card.
  • the smart card may include a memory and a processor.
  • the memory can be implemented in any suitable way.
  • the memory may be a read-only memory, a mechanical hard disk, a solid state hard disk, or a U disk.
  • the memory can be used to store computer instructions.
  • the processor can be implemented in any suitable way.
  • the processor may take the form of a microprocessor or a processor and a computer-readable medium, logic gates, switches, an application specific integrated circuit (ASIC), a programmable logic controller, an embedded microcontroller, etc.
  • the processor may execute the computer instructions to implement the following steps: receive the device private key ciphertext and the authentication key ciphertext sent by the terminal device, where the device private key ciphertext is obtained by encrypting the device private key and the authentication key ciphertext is obtained by encrypting the authentication key; use its own card private key to decrypt the device private key ciphertext and the authentication key ciphertext respectively to obtain the device private key and the authentication key; store the authentication key; and send the device private key and the authentication key to a terminal device.
  • the embodiment of this specification provides a data processing device applied to a server, including:
  • the calculation unit 121 is configured to perform multi-party security calculations based on the server private key to obtain an authentication key
  • the authentication unit 122 is configured to authenticate the terminal device based on the authentication key.
  • the embodiment of this specification provides a server.
  • the server may include a memory and a processor.
  • the memory can be implemented in any suitable way.
  • the memory may be a read-only memory, a mechanical hard disk, a solid state hard disk, or a U disk.
  • the memory can be used to store computer instructions.
  • the processor can be implemented in any suitable way.
  • the processor may take the form of a microprocessor or a processor and a computer-readable medium that stores computer-readable program code (such as software or firmware) executable by the (micro)processor, logic gates, switches, an application specific integrated circuit (ASIC), a programmable logic controller, an embedded microcontroller, etc.
  • the processor may execute the computer instructions to implement the following steps: perform multi-party secure calculation based on the server private key to obtain an authentication key; and based on the authentication key, authenticate the terminal device.
  • the embodiment of this specification provides a data processing device applied to terminal equipment, including:
  • the calculation unit 131 is configured to perform multi-party security calculations based on the device private key to obtain an authentication key
  • the authentication unit 132 is configured to authenticate the server based on the authentication key.
  • the embodiment of this specification provides a terminal device.
  • the terminal device may include a memory and a processor.
  • the memory can be implemented in any suitable way.
  • the memory may be a read-only memory, a mechanical hard disk, a solid state hard disk, or a U disk.
  • the memory can be used to store computer instructions.
  • the processor can be implemented in any suitable way.
  • the processor may take the form of a microprocessor or a processor and a computer-readable medium, logic gates, switches, an application specific integrated circuit (ASIC), a programmable logic controller, an embedded microcontroller, etc.
  • the processor may execute the computer instructions to implement the following steps: perform multi-party secure calculation based on the private key of the device to obtain an authentication key; and authenticate the server based on the authentication key.
  • a programmable logic device (PLD)
  • a field programmable gate array (FPGA)
  • a hardware description language (HDL)
  • a typical implementation device is a computer.
  • the computer may be, for example, a personal computer, a laptop computer, a cell phone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or any combination of these devices.
  • This specification can be used in many general or special computer system environments or configurations.
  • program modules include routines, programs, objects, components, data structures, etc. that perform specific tasks or implement specific abstract data types.
  • This specification can also be practiced in distributed computing environments, in which tasks are performed by remote processing devices connected through a communication network.
  • program modules can be located in local and remote computer storage media including storage devices.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention relates to a data processing method and apparatus, a smart card, a terminal device and a server. In the method: a server, based on a private key it holds, a terminal device, based on a device private key it holds, and a smart card, based on a private key it holds, jointly perform a secure multi-party computation to obtain an authentication key; based on the authentication key, the server authenticates the terminal device; based on the authentication key, the terminal device authenticates the server.
PCT/CN2019/076583 2019-02-28 2019-02-28 Data processing method and apparatus, smart card, terminal device and server WO2020172887A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2019/076583 WO2020172887A1 (fr) 2019-02-28 2019-02-28 Data processing method and apparatus, smart card, terminal device and server

Publications (1)

Publication Number Publication Date
WO2020172887A1 (fr) 2020-09-03

Family

ID=72238744

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/076583 WO2020172887A1 (fr) 2019-02-28 2019-02-28 Data processing method and apparatus, smart card, terminal device and server

Country Status (1)

Country Link
WO (1) WO2020172887A1 (fr)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19916607

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19916607

Country of ref document: EP

Kind code of ref document: A1