WO2020259397A1 - Smart lock, security platform and authentication method therefor - Google Patents


Publication number
WO2020259397A1
Authority
WO
WIPO (PCT)
Prior art keywords
platform
security
authentication
smart lock
random sequence
Application number
PCT/CN2020/097011
Inventor
彭小斌
Original Assignee
国民技术股份有限公司
Application filed by 国民技术股份有限公司
Publication of WO2020259397A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00 Individual registration on entry or exit
    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00 Individual registration on entry or exit
    • G07C9/00174 Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
    • G07C9/00309 Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks
    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00 Individual registration on entry or exit
    • G07C9/00174 Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
    • G07C9/00571 Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated by interacting with a central unit
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Definitions

  • The invention relates to the field of smart locks, and more specifically, to a smart lock, a security platform and an authentication method thereof.
  • The smart lock does not authenticate the security platform before data transmission, and the security platform does not authenticate the smart lock. In this way, the risk of data transmission between the smart lock and the security platform is very high.
  • The smart lock may send data to other security platforms, and the security platform may also send data to other smart locks, causing data leakage.
  • In some other smart locks and security platforms, before data transmission, the smart lock authenticates the security platform to determine whether it is the target security platform, or the security platform authenticates the smart lock to determine whether it is the target smart lock, but this authentication method is not highly secure and easily leads to data leakage.
  • The technical problem to be solved by the present invention is the high risk that arises when an existing smart lock and security platform perform no authentication before transmitting data, or only one end performs authentication. To address this technical problem, a smart lock and a security platform are provided.
  • a smart lock which includes:
  • the first security chip is used to generate a first random sequence, obtain a second random sequence from a security platform through the first communication unit, encrypt the device authentication plaintext using an authentication key pre-stored on the smart lock side to obtain the device authentication code, and then transmit the device authentication code to the security platform through the first communication unit, so that the security platform can authenticate the smart lock; the device authentication plaintext is obtained by combining the first random sequence and the second random sequence according to the first combination rule;
  • the first security chip is also used to transmit the first random sequence to the security platform through the first communication unit, receive through the first communication unit the platform authentication code generated by the security platform based on the first random sequence and the second random sequence, and then use the authentication key to decrypt the platform authentication code to obtain platform authentication plaintext;
  • the first security chip is further configured to combine the first random sequence and the second random sequence according to a second combination rule to obtain platform authentication plaintext, and compare the platform authentication plaintext with the platform authentication plaintext, and according to the
  • the first communication unit is used to implement data transmission between the first security chip and the security platform.
  • the first communication unit is configured to send the device authentication code and the first random sequence to the security platform together.
  • the first random sequence is a first random number
  • the second random sequence is a second random number
  • the device authentication plaintext is (first random number
  • the platform authentication plaintext is (second random number
  • the first security chip is further configured to perform encryption key-based data transmission with the security platform through the first communication unit after passing the authentication of the security platform.
  • the first security chip is further configured to generate a first process key based on the encryption key, the first random sequence, and the second random sequence, use the first process key to encrypt the first data to be sent to the security platform, and send the encrypted first data ciphertext to the security platform through the first communication unit; the first security chip is also used to generate a second process key based on the encryption key, the first random sequence and the second random sequence, and use the second process key to decrypt the second data ciphertext sent by the security platform and received through the first communication unit to obtain the second data.
  • the first process key is different from the second process key.
  • the present invention also provides a smart lock authentication method, which is applied to the above smart lock, the smart lock including a first security chip and a first communication unit communicatively connected with the first security chip; the method includes:
  • the first security chip generates a first random sequence, obtains a second random sequence from the security platform through the first communication unit, encrypts the device authentication plaintext using an authentication key pre-stored on the smart lock side to obtain the device authentication code, and then transmits the device authentication code to the security platform through the first communication unit; wherein the device authentication plaintext is obtained by combining the first random sequence and the second random sequence according to the first combination rule;
  • the first security chip transmits the first random sequence to the security platform through the first communication unit, receives through the first communication unit the platform authentication code generated by the security platform based on the first random sequence and the second random sequence, and then uses the authentication key to decrypt the platform authentication code to obtain the platform authentication plaintext;
  • the first security chip combines the first random sequence and the second random sequence according to the second combination rule to obtain platform authentication plaintext, compares the platform authentication plaintext obtained by combination with the platform authentication plaintext obtained by decryption, and determines according to the comparison result whether the authentication of the security platform is passed.
  • the present invention also provides a security platform, which includes:
  • the second security chip is used to generate a second random sequence and send the second random sequence to the smart lock through the second communication unit, obtain from the smart lock through the second communication unit the first random sequence and the device authentication code generated by the smart lock based on the first random sequence and the second random sequence, and then use an authentication key pre-stored on the security platform side to decrypt the device authentication code to obtain device authentication plaintext;
  • the second security chip is also used to combine the first random sequence and the second random sequence according to the first combination rule to obtain the device authentication plaintext, compare the device authentication plaintext obtained by combination with the device authentication plaintext obtained by decryption, and determine according to the comparison result whether the authentication of the smart lock is passed;
  • the second security chip is also used to encrypt the platform authentication plaintext with the authentication key to obtain the platform authentication code, and then to transmit the platform authentication code to the smart lock through the second communication unit for the smart lock to authenticate the security platform;
  • the platform authentication plaintext is combined by the first random sequence and the second random sequence according to a
  • the second communication unit is used to implement data transmission between the second security chip and the smart lock.
  • the second security chip is further configured to generate a first subkey based on the root key, and then generate an authentication key based on the first subkey and the unique identifier of the first security chip of the smart lock received through the second communication unit, store the authentication key, and send the authentication key to the smart lock through the second communication unit, so that the smart lock stores the authentication key.
  • the second security chip is further configured to generate a second subkey based on the root key, and then generate an encryption key based on the second subkey and the unique identifier of the first security chip of the smart lock received through the second communication unit, store the encryption key, and send the encryption key to the smart lock through the second communication unit, so that the smart lock stores the encryption key.
  • the second security chip is further configured to receive the public key sent by the smart lock through the second communication unit, use the public key to encrypt the encryption key to obtain the encryption key ciphertext, and send the encryption key ciphertext to the smart lock through the second communication unit, so that the smart lock uses the private key corresponding to the public key to decrypt the encryption key ciphertext to obtain the encryption key and store it.
  • the present invention also provides a security platform authentication method, which is applied to the aforementioned security platform, the security platform comprising a second security chip and a second communication unit communicatively connected with the second security chip; the method includes:
  • the second security chip generates a second random sequence and sends the second random sequence to the smart lock through the second communication unit, obtains from the smart lock through the second communication unit the first random sequence and the device authentication code generated by the smart lock based on the first random sequence and the second random sequence, and then uses an authentication key pre-stored on the security platform side to decrypt the device authentication code to obtain the device authentication plaintext;
  • the second security chip combines the first random sequence and the second random sequence according to the first combination rule to obtain the device authentication plaintext, compares the device authentication plaintext obtained by combination with the device authentication plaintext obtained by decryption, and determines according to the comparison result whether the authentication of the smart lock is passed; the second security chip also uses the authentication key to encrypt the platform authentication plaintext to obtain the platform authentication code, and then transmits the platform authentication code to the smart lock through the second communication unit for the smart lock to authenticate the security platform; wherein the platform authentication plaintext is obtained by combining the first random sequence and the second random sequence according to a second combination rule.
  • the present invention provides a smart lock, a security platform and an authentication method thereof, aimed at the high risk that arises when an existing smart lock and security platform perform no authentication before transmitting data, or only one end performs authentication.
  • the smart lock includes a first security chip and a first communication unit communicatively connected with the first security chip.
  • the security platform includes a second security chip and a second communication unit communicatively connected with the second security chip.
  • the first security chip sends the generated first random sequence to the security platform through the first communication unit, the second security chip sends the generated second random sequence to the smart lock through the second communication unit, and the first security chip generates the device authentication code based on the first random sequence and the second random sequence and sends it to the security platform for the security platform to authenticate the smart lock.
  • the second security chip generates the platform identification code based on the first random sequence and the second random sequence and sends it to the smart lock for the smart lock to authenticate the security platform. That is, in the present invention, before data transmission between the smart lock and the security platform, the smart lock authenticates the security platform based on the platform authentication code, and the security platform authenticates the smart lock based on the device authentication code, which improves the security of data transmission.
  • Figure 1 is a schematic structural diagram of a smart lock provided by a first embodiment of the present invention
  • FIG. 2 is a schematic diagram of the first structure of the smart lock provided by the first embodiment of the present invention
  • FIG. 3 is a schematic structural diagram of a security platform provided by the first embodiment of the present invention.
  • FIG. 4 is a schematic diagram of the first structure of the security platform provided by the first embodiment of the present invention.
  • FIG. 5 is a first schematic diagram of the security platform and smart lock authentication provided by the first embodiment of the present invention.
  • FIG. 6 is a schematic diagram of a second structure of the smart lock provided by the first embodiment of the present invention.
  • FIG. 7 is a schematic diagram of the authentication key generation provided by the first embodiment of the present invention.
  • FIG. 8 is a schematic diagram of a second structure of the security platform provided by the first embodiment of the present invention.
  • FIG. 9 is a second schematic diagram of the security platform and smart lock authentication provided by the first embodiment of the present invention.
  • FIG. 10 is a schematic diagram of encryption key generation provided by the first embodiment of the present invention.
  • FIG. 11 is a schematic diagram of interaction between the security platform and the smart lock provided by the second embodiment of the present invention.
  • this embodiment provides a smart lock and a security platform.
  • the smart lock includes a first security chip 101 and a first communication unit 102 communicatively connected with the first security chip 101.
  • the first security chip 101 and the first communication unit 102 may be directly connected, or, as shown in FIG. 2, the smart lock further includes a first processor 103, the first processor 103 is connected to the first security chip 101, the first processor 103 is connected to the first communication unit 102, and the first security chip 101 communicates with the first communication unit 102 through the first processor 103.
  • the first communication unit is used to implement data transmission between the first security chip and the security platform.
  • This embodiment also provides an authentication method corresponding to the smart lock, and the method includes:
  • the first security chip generates the first random sequence, obtains the second random sequence from the security platform through the first communication unit, uses the authentication key pre-stored on the smart lock side to encrypt the device authentication plaintext to obtain the device authentication code, and then transmits the device authentication code to the security platform through the first communication unit; wherein the device authentication plaintext is obtained by combining the first random sequence and the second random sequence according to the first combination rule;
  • the first security chip transmits the first random sequence to the security platform through the first communication unit, receives through the first communication unit the platform authentication code generated by the security platform based on the first random sequence and the second random sequence, and then uses the authentication key to decrypt the platform authentication code to obtain platform authentication plaintext;
  • the first security chip combines the first random sequence and the second random sequence according to the second combination rule to obtain platform authentication plaintext, compares the platform authentication plaintext obtained by combination with the platform authentication plaintext obtained by decryption, and determines whether the authentication of the security platform is passed according to the comparison result.
  • the security platform includes a second security chip 301 and a second communication unit 302 communicatively connected with the second security chip 301.
  • the second security chip 301 and the second communication unit 302 can be directly connected, or, as shown in FIG. 4, the security platform further includes a second processor 303, the second processor 303 is connected to the second security chip 301, the second processor 303 is connected to the second communication unit 302, and the second security chip 301 communicates with the second communication unit 302 through the second processor 303.
  • the second communication unit is used to realize data transmission between the second security chip and the smart lock.
  • This embodiment also provides a corresponding authentication method of the security platform, which includes:
  • the second security chip generates a second random sequence and sends the second random sequence to the smart lock through the second communication unit, obtains from the smart lock through the second communication unit the first random sequence and the device authentication code generated by the smart lock based on the first random sequence and the second random sequence, and then uses the authentication key pre-stored on the security platform side to decrypt the device authentication code to obtain the device authentication plaintext;
  • the second security chip combines the first random sequence and the second random sequence according to the first combination rule to obtain the device authentication plaintext, compares the device authentication plaintext obtained by combination with the device authentication plaintext obtained by decryption, and determines whether the smart lock is authenticated according to the comparison result; the second security chip also uses the authentication key to encrypt the platform authentication plaintext to obtain the platform authentication code, and then transmits the platform authentication code to the smart lock through the second communication unit for the smart lock to authenticate the security platform; wherein the platform authentication plaintext is obtained by combining the first random sequence and the second random sequence according to the second combination rule.
  • Before data transmission, the smart lock authenticates the security platform, and the security platform also authenticates the smart lock. The security platform may authenticate the smart lock after the smart lock successfully authenticates the security platform, or the smart lock may authenticate the security platform after the security platform successfully authenticates the smart lock. The following describes these two cases.
  • the security platform generates a second random sequence.
  • the second security chip generates a second random sequence, and the second random sequence is formed by a combination of at least one random number. After generating at least one random number, the second security chip may sort the generated random numbers to obtain the second random sequence. For example, after the second security chip generates random numbers 11, 13, and 18, these three random numbers can be combined into 111318, or 11-18-13. It should be understood that these are only two relatively common combinations, and the specific combination and the number of random numbers generated can be set by the developer based on experience.
  • the security platform sends the second random sequence to the smart lock.
  • the second security chip sends the second random sequence to the smart lock through the second communication unit.
  • S503 The smart lock generates a first random sequence.
  • the first security chip generates a first random sequence, where the first security chip may generate the first random sequence after receiving the second random sequence through the first communication unit, or may generate the first random sequence before receiving the second random sequence through the first communication unit.
  • the first random sequence is formed by a combination of at least one random number, and the first security chip may, after generating at least one random number, sort the generated random numbers to obtain the first random sequence. For details, please refer to the related description of the second random sequence.
  • the smart lock generates a device authentication code.
  • After receiving the second random sequence through the first communication unit, the first security chip combines the first random sequence and the second random sequence according to the first combination rule to obtain the device authentication plaintext, and uses the authentication key stored on the smart lock side to encrypt the device authentication plaintext to obtain the device authentication code.
  • the first combination rule may be to combine the first random sequence and the second random sequence in a unit of sequence, or to combine the first random sequence and the second random sequence in a unit of random number.
  • For example, if the first random sequence includes two random numbers 11 and 04 (the first random sequence is 1104) and the second random sequence includes a random number 68, the number after combining according to the first combination rule can be 110468, or it can be 116804.
  • the authentication key can be stored in the first security chip, or, as shown in FIG. 6, the smart lock further includes a first memory 104 connected to the first processor 103, and the authentication key can be stored in the first memory 104.
  • the authentication key generation process can be:
  • the smart lock sends the unique identifier of the first security chip to the security platform.
  • the first security chip sends its unique identification to the security platform through the first communication unit.
  • the security platform generates a first subkey based on the root key.
  • the root key may be the unique identifier of the second security chip or other keys stored in the second security chip.
  • After receiving the unique identifier of the first security chip sent by the smart lock through the second communication unit, the second security chip generates the first subkey based on the root key.
  • the security platform generates and stores an authentication key based on the first subkey and the root key.
  • the second security chip generates an authentication key based on the first subkey and the root key, where the authentication key can be stored in the second security chip, or, as shown in FIG. 8, the security platform further includes a second memory 304, the second memory 104 is connected to the first processor 303, and the authentication key can be stored in the second memory 304.
  • the security platform sends the authentication key to the smart lock.
  • the second security chip sends the authentication key to the smart lock through the second communication unit.
  • the smart lock stores the authentication key.
  • After the smart lock receives the authentication key through the first communication unit, the key can be stored in the first security chip or the first memory.
  • the first processor or the first security chip may generate a set of asymmetric keys. Regardless of whether the set of asymmetric keys is generated by the first processor or by the first security chip, it can be stored in the first memory or the first security chip.
  • the public key in the asymmetric key is sent to the security platform through the first communication unit.
  • the second security chip uses the public key to encrypt the authentication key to obtain the authentication key cipher text, and sends the authentication key cipher text to the smart lock through the second communication unit.
  • the first processor or the first security chip uses the private key corresponding to the public key to decrypt the authentication key ciphertext to obtain the authentication key and store it in the first memory or the first security chip.
  • the smart lock sends the device authentication code to the security platform.
  • the first security chip sends the device authentication code to the security platform through the first communication unit.
  • the smart lock sends the first random sequence to the security platform.
  • the first security chip sends the first random sequence to the security platform through the first communication unit.
  • the first security chip may send the first random sequence and the device authentication code to the security platform together through the first communication unit; the first security chip may also send the first random sequence to the security platform before sending the device authentication code to the security platform through the first communication unit, or send the first random sequence to the security platform through the first communication unit after the device authentication code is sent to the security platform.
  • the security platform generates the device authentication plaintext.
  • After receiving the device authentication code and the first random sequence through the second communication unit, the second security chip combines the first random sequence and the second random sequence according to the first combination rule to obtain the device authentication plaintext. It should be understood that the first combination rule here is the same as the first combination rule used when the first security chip generates the device authentication plaintext.
  • the security platform decrypts the device authentication code based on the authentication key to obtain the device authentication plaintext.
  • the second security chip uses the authentication key to decrypt the device authentication code to obtain the device authentication plaintext.
  • the authentication key here is the same as the authentication key on the smart lock side.
  • The timing relationship between S507 and S508 is not limited in this embodiment, that is, S508 may be implemented after S507 is implemented, or S507 may be implemented after S508 is implemented.
  • the security platform compares the device authentication plaintext obtained by combination with the device authentication plaintext obtained by decryption, and determines whether the smart lock is authenticated according to the comparison result.
  • the second security chip compares the device authentication plaintext obtained by combination with the device authentication plaintext obtained by decryption, and determines whether the smart lock is authenticated according to the comparison result.
  • After the security platform determines that the smart lock is authenticated, it generates a platform authentication code.
  • the second security chip combines the first random sequence and the second random sequence according to the second combination rule to obtain the platform authentication plaintext, and uses the authentication key stored on the security platform to encrypt the platform authentication plaintext to obtain the platform authentication code.
  • the second combination rule may be to combine the first random sequence and the second random sequence in units of sequence, or it may be to combine the first random sequence and the second random sequence in units of random numbers.
  • the second combination rule is different from the first combination rule. Therefore, the device authentication plaintext generated by the first security chip based on the first combination rule is different from the platform authentication plaintext generated by the second security chip based on the second combination rule.
  • the data certified by the security platform is different.
  • the security platform sends the platform authentication code to the smart lock.
  • the second security chip sends the platform authentication code to the smart lock through the second communication unit.
  • the smart lock decrypts the platform authentication code based on the authentication key to obtain the platform authentication plaintext.
  • after receiving the platform authentication code through the first communication unit, the first security chip decrypts the platform authentication code based on the authentication key to obtain the platform authentication plaintext.
  • the smart lock generates platform authentication plaintext based on the second combination rule.
  • the first security chip combines the first random sequence and the second random sequence according to the second combination rule to obtain platform authentication plaintext.
  • the second combination rule here is the same as the second combination rule used when the security platform generates platform authentication plaintext.
  • S512 may be implemented after S513, or S513 may be implemented after S512.
  • the smart lock compares the platform authentication plaintext it generated with the platform authentication plaintext obtained by decryption, and determines whether the authentication of the security platform is passed according to the comparison result.
  • the first security chip compares the platform authentication plaintext it generated with the platform authentication plaintext obtained by decryption, and determines whether the authentication of the security platform is passed according to the comparison result. When the two are the same, it determines that the authentication of the security platform has passed; when they are different, it determines that the authentication of the security platform has failed.
  • the smart lock generates a first random sequence.
  • the first security chip generates a first random sequence.
  • for the first random sequence, please refer to the foregoing description.
  • the smart lock sends the first random sequence to the security platform.
  • the first security chip sends the first random sequence to the security platform through the first communication unit.
  • the security platform generates a second random sequence.
  • the second security chip generates a second random sequence. The second security chip may generate the second random sequence after receiving the first random sequence through the second communication unit, or may generate it before receiving the first random sequence. For a detailed description of the second random sequence, please refer to the previous description.
  • the security platform generates a platform authentication code.
  • after receiving the first random sequence through the second communication unit, the second security chip combines the first random sequence and the second random sequence according to the second combination rule to obtain the platform authentication plaintext, and uses the authentication key to encrypt the platform authentication plaintext to obtain the platform authentication code.
  • the security platform sends the platform authentication code to the smart lock.
  • the second security chip sends the platform authentication code to the smart lock through the second communication unit.
  • the security platform sends the second random sequence to the smart lock.
  • the second security chip sends the second random sequence to the smart lock through the second communication unit.
  • the second security chip may send the second random sequence and the platform authentication code to the smart lock through the second communication unit.
  • the second security chip may also send the second random sequence to the smart lock before sending the platform authentication code to the smart lock through the second communication unit, or send the second random sequence to the smart lock through the second communication unit after the platform authentication code has been sent to the smart lock.
  • the smart lock generates platform authentication plaintext.
  • after receiving the platform authentication code and the first random sequence through the first communication unit, the first security chip combines the first random sequence and the second random sequence according to the second combination rule to obtain the platform authentication plaintext.
  • the smart lock decrypts the platform authentication code based on the authentication key to obtain platform authentication plaintext.
  • the first security chip uses the authentication key to decrypt the platform authentication code to obtain the platform authentication plaintext.
  • the timing relationship between S908 and S907 is not limited in this embodiment; that is, S908 may be implemented after S907, or S907 may be implemented after S908.
  • the smart lock compares the platform authentication plaintext it generated with the platform authentication plaintext obtained by decryption, and determines whether the authentication of the security platform is passed according to the comparison result.
  • the first security chip compares the platform authentication plaintext it generated with the platform authentication plaintext obtained by decryption, and determines whether the authentication of the security platform is passed according to the comparison result.
  • after the smart lock determines that the authentication of the security platform is passed, it generates a device authentication code.
  • the first security chip combines the first random sequence and the second random sequence according to the first combination rule to obtain the device authentication plaintext, and uses the authentication key to encrypt the device authentication plaintext to obtain the device authentication code.
  • the smart lock sends the device authentication code to the security platform.
  • the first security chip sends the device authentication code to the security platform through the first communication unit.
  • the security platform decrypts the device authentication code based on the authentication key to obtain the device authentication plaintext.
  • after receiving the device authentication code through the second communication unit, the second security chip decrypts the device authentication code based on the authentication key to obtain the device authentication plaintext.
  • the security platform generates a device authentication plaintext based on the first combination rule.
  • the second security chip combines the first random sequence and the second random sequence according to the first combination rule to obtain the device authentication plaintext.
  • S912 may be implemented after S913, or S913 may be implemented after S912.
  • the security platform compares the device authentication plaintext it generated with the device authentication plaintext obtained by decryption, and determines whether the smart lock is authenticated according to the comparison result.
  • the second security chip compares the device authentication plaintext it generated with the device authentication plaintext obtained by decryption. When the two are the same, it determines that the smart lock is authenticated; when they are different, it determines that the authentication of the smart lock has failed.
  • the first security chip is also used for data transmission with the security platform, based on the encryption key, through the first communication unit; that is, the first security chip encrypts the data sent to the security platform based on the encryption key, and decrypts, based on the encryption key, the data sent by the security platform and received through the first communication unit. Accordingly, the second security chip encrypts the data to be sent to the smart lock based on the encryption key, and decrypts, based on the encryption key, the data sent by the smart lock and received through the second communication unit.
  • the encryption key generation process can be:
  • the smart lock sends the unique identifier of the first security chip to the security platform.
  • the first security chip sends its unique identification to the security platform through the first communication unit.
  • the security platform generates a second subkey based on the root key.
  • the root key may be the unique identifier of the second security chip or other keys stored in the second security chip.
  • the second security chip generates a second subkey based on the root key.
  • the security platform generates and stores an encryption key based on the second subkey and the root key.
  • the second security chip generates an encryption key based on the second subkey and the root key, where the encryption key can be stored in the second security chip or in the second memory.
  • the security platform sends the encryption key to the smart lock.
  • the second security chip sends the encryption key to the smart lock through the second communication unit.
  • the smart lock stores the encryption key.
  • after the smart lock receives the encryption key through the first communication unit, the encryption key can be stored in the first memory or the first security chip.
  • the second security chip uses the public key to encrypt the encryption key to obtain the encryption key ciphertext, and sends the encryption key ciphertext to the smart lock through the second communication unit.
  • after the smart lock receives the encryption key ciphertext through the first communication unit, it uses the private key corresponding to the public key to decrypt the encryption key ciphertext to obtain the encryption key, and stores it in the first memory or the first security chip.
  • the first security chip may generate the first process key based on at least one of the first random sequence and the second random sequence and the encryption key, and use the first process key to be sent.
  • the second process key is generated by the encryption key, and the second process key is used to decrypt the second data ciphertext sent by the security platform and received through the first communication unit to obtain the second data; correspondingly, the second security chip is also used to generate a first process key based on the encryption key and at least one of the first random sequence and the second random sequence, and to use the first process key to decrypt the first data ciphertext sent by the smart lock and received through the second communication unit to obtain the first data; the second security chip can generate a second process key based on at least one of the first random sequence
  • the rules for the first security chip to generate the first process key are the same as the rules for the second security chip to generate the first process key; that is, the first process key generated by the first security chip is the same as the first process key generated by the second security chip;
  • the rule for generating the second process key by the first security chip is the same as the rule for generating the second process key by the second security chip; that is, the second process key generated by the first security chip is the same as the second process key generated by the second security chip.
  • the first process key and the second process key may be the same. In order to improve the security of data transmission, the first process key and the second process key may also be different.
  • the smart lock includes a first security chip and a first communication unit communicatively connected with the first security chip, and the security platform includes a second security chip and a second communication unit communicatively connected with the second security chip. Before data transmission, the smart lock authenticates the security platform based on the platform authentication code, and the security platform authenticates the smart lock based on the device authentication code. After both ends are authenticated, data transmission is performed. This solves the problem that the smart lock and the security platform either do not perform authentication before data transmission or are authenticated only by a single end, resulting in low security, and it improves the security of the smart lock and the security platform.
  • the smart lock in this embodiment includes a first security chip and a first communication unit communicatively connected with the first security chip.
  • the first communication unit is used to implement data transmission between the first security chip and the security platform.
  • the security platform in this embodiment includes a second security chip, and a second communication unit communicatively connected with the second security chip.
  • the second communication unit is used to realize data transmission between the second security chip and the smart lock.
  • the first security chip generates a set of asymmetric keys.
  • the first security chip sends the unique identifier of the first security chip and the public key in the asymmetric key to the security platform through the first communication unit.
  • the second security chip generates a first subkey and a second subkey based on the root key.
  • the second security chip generates an authentication key and an encryption key, and uses the public key to encrypt the authentication key and the encryption key to obtain a key ciphertext.
  • the second security chip generates an authentication key based on the first subkey and the unique identifier of the first security chip, and generates an encryption key based on the second subkey and the unique identifier of the first security chip.
  • the second security chip sends the key ciphertext to the smart lock through the second communication unit.
  • the first security chip uses the private key corresponding to the public key to decrypt the key ciphertext to obtain the authentication key and the encryption key, and store them in the first security chip.
  • the second security chip generates a second random number.
  • the second security chip sends the second random number to the smart lock through the second communication unit.
  • after receiving the second random number through the first communication unit, the first security chip generates a first random number.
  • the first random number and the second random number are both 8-byte random numbers.
  • the first security chip generates a device authentication code.
  • the first security chip combines the first random number and the second random number according to the first combination rule to obtain the device authentication plaintext, the device authentication plaintext is (first random number
  • the first security chip sends the device authentication code and the first random number to the security platform through the first communication unit.
  • the second security chip uses the authentication key to decrypt the device authentication code to obtain the device authentication plaintext, and also generates the device authentication plaintext itself.
  • the second security chip combines the first random number and the second random number according to the first combination rule to obtain the device authentication plaintext, where the first combination rule is the same as the first combination rule used when the first security chip generates the device authentication plaintext, so
  • the device authentication plaintext is (first random number
  • the second security chip compares the device authentication plaintext it generated with the device authentication plaintext obtained by decryption.
  • when the comparison result is consistent, the second security chip determines that the smart lock authentication is successful, and when the comparison result is inconsistent, it determines that the smart lock authentication fails.
  • after determining that the smart lock is successfully authenticated, the second security chip generates a platform authentication code.
  • after the second security chip determines that the smart lock is successfully authenticated, it combines the first random number and the second random number according to the second combination rule to obtain the platform authentication plaintext, and the platform authentication plaintext is (second random number
  • the second security chip sends the platform authentication code to the smart lock through the second communication unit.
  • the first security chip generates platform authentication plaintext, and uses the authentication key to decrypt the platform authentication code to obtain platform authentication plaintext.
  • the first security chip combines the first random number and the second random number according to the second combination rule to obtain the platform authentication plaintext, where the second combination rule is the same as the second combination rule used when the second security chip generates the platform authentication plaintext, so the platform authentication plaintext is (second random number
  • the first security chip compares the platform authentication plaintext it generated with the platform authentication plaintext obtained by decryption.
  • after determining that the authentication of the security platform is successful, the first security chip generates a first process key and a second process key.
  • the first security chip uses the encryption key, the first random number and the second random number to generate the first process key, and uses the encryption key, the first random number and the second random number to generate the second process key, where the rule for generating the first process key is different from the rule for generating the second process key, so the first process key is different from the second process key.
  • the second security chip generates a first process key and a second process key.
  • the rules for the second security chip to generate the first process key are the same as the rules for the first security chip to generate the first process key, and the rules for the second security chip to generate the second process key are the same as the rules for the first security chip to generate the second process key.
  • the first security chip uses the first process key to encrypt the first data to obtain the first data ciphertext.
  • the first security chip sends the first data ciphertext to the security platform through the first communication unit.
  • the second security chip uses the first process key to decrypt the ciphertext of the first data received through the second communication unit to obtain the first data.
  • the second security chip uses the second process key to encrypt the second data to obtain the second data ciphertext.
  • the second security chip sends the second data ciphertext to the smart lock through the second communication unit.
  • the first security chip uses the second process key to decrypt the ciphertext of the second data received through the first communication unit to obtain the second data.
  • the smart lock includes a first security chip and a first communication unit communicatively connected with the first security chip, and the security platform includes a second security chip and a second communication unit communicatively connected with the second security chip. Before data transmission, the security platform authenticates the smart lock based on the device authentication code, and the smart lock authenticates the security platform based on the platform authentication code. Data transmission is then performed, which solves the existing problem that smart locks and security platforms do not perform authentication before data transmission or are only authenticated by a single end, with low security, and improves the security of data transmission between smart locks and security platforms.
  • the first process key and the second process key are used to encrypt the data, which further improves the security of data transmission between the smart lock and the security platform.
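
The worked embodiment in the list above (per-lock keys derived from a root key and the chip's unique identifier, 8-byte random numbers, the two combination rules, and the two process keys) can be traced end to end in the following added example, which is not code from the patent. The page names no algorithms, so the HMAC-SHA256 derivations, the Feistel stand-in cipher, the key labels and every class and function name here are assumptions.

```python
import hashlib
import hmac
import secrets

def kdf(key: bytes, label: bytes) -> bytes:
    """Derivation step. HMAC-SHA256 is an assumption; the page names no function."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 16-byte block cipher (4-round Feistel over HMAC-SHA256), built only
    so the example runs on the standard library. Not a vetted cipher."""
    if len(block) != 16:
        raise ValueError("block must be 16 bytes")
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, kdf(key, bytes([i]) + right)[:8])
    return left + right

def decrypt(key: bytes, block: bytes) -> bytes:
    if len(block) != 16:
        raise ValueError("block must be 16 bytes")
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, kdf(key, bytes([i]) + left)[:8]), left
    return left + right

def rule1(r1: bytes, r2: bytes) -> bytes:
    return r1 + r2  # first combination rule: (first random number | second)

def rule2(r1: bytes, r2: bytes) -> bytes:
    return r2 + r1  # second rule differs, so one side's code cannot serve as the other's

def process_keys(enc_key: bytes, r1: bytes, r2: bytes):
    """First and second process keys from the encryption key and both random numbers.
    The two labels are the assumed 'different rules', giving one key per direction."""
    return (kdf(enc_key, b"lock->platform" + r1 + r2),
            kdf(enc_key, b"platform->lock" + r1 + r2))

class Platform:
    """Second security chip: derives the per-lock keys from its root key."""
    def __init__(self, root_key: bytes, chip_id: bytes):
        sub1, sub2 = kdf(root_key, b"subkey-1"), kdf(root_key, b"subkey-2")
        # (authentication key, encryption key), both bound to the lock's chip ID
        self.keys = (kdf(sub1, chip_id), kdf(sub2, chip_id))
        self.r2 = self.session = None

    def challenge(self) -> bytes:
        self.r2 = secrets.token_bytes(8)  # second random number
        return self.r2

    def verify_device(self, device_code: bytes, r1: bytes):
        """Return the platform authentication code, or None if the lock fails."""
        auth_key, enc_key = self.keys
        if not hmac.compare_digest(decrypt(auth_key, device_code), rule1(r1, self.r2)):
            return None
        self.session = process_keys(enc_key, r1, self.r2)
        return encrypt(auth_key, rule2(r1, self.r2))

class Lock:
    """First security chip: holds the keys delivered at provisioning."""
    def __init__(self, auth_key: bytes, enc_key: bytes):
        self.auth_key, self.enc_key = auth_key, enc_key
        self.r1 = self.r2 = self.session = None

    def respond(self, r2: bytes):
        self.r1, self.r2 = secrets.token_bytes(8), r2  # first random number
        return encrypt(self.auth_key, rule1(self.r1, r2)), self.r1

    def verify_platform(self, platform_code: bytes) -> bool:
        expected = rule2(self.r1, self.r2)
        ok = hmac.compare_digest(decrypt(self.auth_key, platform_code), expected)
        if ok:
            self.session = process_keys(self.enc_key, self.r1, self.r2)
        return ok

def run_session(lock: Lock, platform: Platform, corrupt: bool = False) -> bool:
    """One mutual-authentication run; True only if both ends accept."""
    lock.session = platform.session = None
    r2 = platform.challenge()
    device_code, r1 = lock.respond(r2)
    if corrupt:  # simulate a device authentication code altered in transit
        device_code = _xor(device_code, b"\x01" + bytes(15))
    platform_code = platform.verify_device(device_code, r1)
    return platform_code is not None and lock.verify_platform(platform_code)

if __name__ == "__main__":
    platform = Platform(secrets.token_bytes(32), b"CHIP-0001")  # constructed chip ID
    print("enrolled lock:", run_session(Lock(*platform.keys), platform))
    print("altered code:", run_session(Lock(*platform.keys), platform, corrupt=True))
```

Both comparisons use `hmac.compare_digest` so the check does not leak how many leading bytes matched, and neither side derives process keys until its own comparison has succeeded.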

Abstract

Disclosed in the present invention are a smart lock, a security platform and an authentication method therefor. The smart lock comprises a first security chip and a first communication unit communicatively connected to the first security chip, and before performing data transmission with a security platform, the smart lock performs bidirectional authentication with the security platform by means of the first security chip and the first communication unit, thereby solving the problem in the prior art of high risk caused by no authentication being performed or authentication being performed only at a single end before data transmission between a smart lock and a security platform, and improving the security of data transmission between the smart lock and the security platform. Also disclosed in the present invention is a security platform. The security platform comprises a second security chip and a second communication unit, and before data transmission with a smart lock, the security platform performs bidirectional verification with the smart lock by means of the second security chip and the second communication unit, thereby improving the security of data transmission between the security platform and the smart lock.

Description

Smart lock, security platform and authentication method therefor
Technical field
The present invention relates to the field of smart locks, and more specifically, to a smart lock, a security platform and an authentication method therefor.
Background art
With some existing smart locks and security platforms, the smart lock does not authenticate the security platform before data transmission, and the security platform does not authenticate the smart lock. Data transmission between the smart lock and the security platform therefore carries a high risk: the smart lock may send data to other security platforms, and the security platform may send data to other smart locks, causing data leakage. With some other smart locks and security platforms, before data transmission the smart lock authenticates the security platform to determine whether it is the target security platform, or the security platform authenticates the smart lock to determine whether it is the target smart lock, but this authentication method is not highly secure and easily leads to data leakage.
Summary of the invention
The technical problem to be solved by the present invention is the high risk that arises because existing smart locks and security platforms either perform no authentication before transmitting data or perform authentication at only a single end. To address this technical problem, a smart lock and a security platform are provided.
To solve the above technical problem, the present invention provides a smart lock, the smart lock comprising:
a first security chip and a first communication unit communicatively connected to the first security chip;
the first security chip is configured to generate a first random sequence and obtain a second random sequence from a security platform through the first communication unit, encrypt a device authentication plaintext using an authentication key pre-stored on the smart lock side to obtain a device authentication code, and then transmit the device authentication code to the security platform through the first communication unit so that the security platform can authenticate the smart lock; the device authentication plaintext is obtained by combining the first random sequence and the second random sequence according to a first combination rule; the first security chip is further configured to transmit the first random sequence to the security platform through the first communication unit, receive through the first communication unit a platform authentication code generated by the security platform based on the first random sequence and the second random sequence, and then decrypt the platform authentication code using the authentication key to obtain a platform authentication plaintext; the first security chip is further configured to combine the first random sequence and the second random sequence according to a second combination rule to obtain a platform verification plaintext, compare the platform verification plaintext with the platform authentication plaintext, and determine according to the comparison result whether the authentication of the security platform has passed;
the first communication unit is configured to implement data transmission between the first security chip and the security platform.
Optionally, the first communication unit is configured to send the device authentication code and the first random sequence to the security platform together.
Optionally, the first random sequence is a first random number, the second random sequence is a second random number, the device authentication plaintext is (first random number|second random number), and the platform verification plaintext is (second random number|first random number).
Optionally, the first security chip is further configured to, after the authentication of the security platform has passed, perform encryption-key-based data transmission with the security platform through the first communication unit.
Optionally, the first security chip is further configured to generate a first process key based on the encryption key, the first random sequence and the second random sequence, encrypt first data to be sent to the security platform using the first process key, and send the resulting first data ciphertext to the security platform through the first communication unit; the first security chip is further configured to generate a second process key based on the encryption key, the first random sequence and the second random sequence, and use the second process key to decrypt second data ciphertext sent by the security platform and received through the first communication unit to obtain second data.
Optionally, the first process key is different from the second process key.
Further, the present invention also provides a smart lock authentication method applied to the above smart lock, the smart lock comprising: a first security chip and a first communication unit communicatively connected to the first security chip; the method comprising:
the first security chip generates a first random sequence, obtains a second random sequence from the security platform through the first communication unit, encrypts a device authentication plaintext using an authentication key pre-stored on the smart lock side to obtain a device authentication code, and then transmits the device authentication code to the security platform through the first communication unit; wherein the device authentication plaintext is obtained by combining the first random sequence and the second random sequence according to a first combination rule;
the first security chip transmits the first random sequence to the security platform through the first communication unit, receives through the first communication unit a platform authentication code generated by the security platform based on the first random sequence and the second random sequence, and then decrypts the platform authentication code using the authentication key to obtain a platform authentication plaintext;
the first security chip combines the first random sequence and the second random sequence according to a second combination rule to obtain a platform verification plaintext, compares the platform verification plaintext with the platform authentication plaintext, and determines according to the comparison result whether the authentication of the security platform has passed.
Further, the present invention also provides a security platform, the security platform comprising:
a second security chip and a second communication unit communicatively connected to the second security chip;
the second security chip is configured to generate a second random sequence and send the second random sequence to a smart lock through the second communication unit, to obtain, through the second communication unit, a first random sequence from the smart lock and a device authentication code generated by the smart lock based on the first random sequence and the second random sequence, and then to decrypt the device authentication code with an authentication key pre-stored on the security platform side to obtain a device authentication plaintext; the second security chip is further configured to combine the first random sequence and the second random sequence according to a first combination rule to obtain a device verification plaintext, to compare the device verification plaintext with the device authentication plaintext, and to determine according to the comparison result whether authentication of the smart lock passes; the smart lock is further configured to encrypt a platform authentication plaintext with the authentication key to obtain a platform authentication code, and then to transmit the platform authentication code to the smart lock through the second communication unit, so that the smart lock can authenticate the security platform; the platform authentication plaintext is obtained by combining the first random sequence and the second random sequence according to a second combination rule;
the second communication unit is configured to implement data transmission between the second security chip and the smart lock.
Optionally, the second security chip is further configured to generate a first subkey based on a root key, then to generate an authentication key based on the first subkey and the unique identifier of the first security chip of the smart lock received through the second communication unit, to store the authentication key, and to send the authentication key to the smart lock through the second communication unit so that the smart lock stores the authentication key.
Optionally, the second security chip is further configured to generate a second subkey based on the root key, then to generate an encryption key based on the second subkey and the unique identifier of the first security chip of the smart lock received through the second communication unit, to store the encryption key, and to send the encryption key to the smart lock through the second communication unit so that the smart lock stores the encryption key.
Optionally, the second security chip is further configured to receive, through the second communication unit, a public key sent by the smart lock, to encrypt the encryption key with the public key to obtain an encryption key ciphertext, and to send the encryption key ciphertext to the smart lock through the second communication unit, so that the smart lock decrypts the encryption key ciphertext with the private key corresponding to the public key to obtain the encryption key and stores it.
Further, the present invention also provides a security platform authentication method applied to the above security platform, the security platform comprising a second security chip and a second communication unit communicatively connected to the second security chip; the method comprises:
the second security chip generates a second random sequence and sends the second random sequence to a smart lock through the second communication unit, obtains, through the second communication unit, a first random sequence from the smart lock and a device authentication code generated by the smart lock based on the first random sequence and the second random sequence, and then decrypts the device authentication code with an authentication key pre-stored on the security platform side to obtain a device authentication plaintext;
the second security chip combines the first random sequence and the second random sequence according to a first combination rule to obtain a device verification plaintext, compares the device verification plaintext with the device authentication plaintext, and determines according to the comparison result whether authentication of the smart lock passes; the smart lock further encrypts a platform authentication plaintext with the authentication key to obtain a platform authentication code, and then transmits the platform authentication code to the smart lock through the second communication unit, so that the smart lock can authenticate the security platform; wherein the platform authentication plaintext is obtained by combining the first random sequence and the second random sequence according to a second combination rule.
Beneficial effects
The present invention provides a smart lock, a security platform and an authentication method therefor, addressing the high risk that arises when an existing smart lock and security platform perform no authentication before transmitting data, or when only one end performs authentication. The smart lock includes a first security chip and a first communication unit communicatively connected to the first security chip; the security platform includes a second security chip and a second communication unit communicatively connected to the second security chip. Before data transmission, the first security chip sends the first random sequence it generated to the security platform through the first communication unit, and the second security chip sends the second random sequence it generated to the smart lock through the second communication unit. The first security chip generates a device authentication code based on the first random sequence and the second random sequence and sends it to the security platform, so that the security platform can authenticate the smart lock; the second security chip generates a platform authentication code based on the first random sequence and the second random sequence and sends it to the smart lock, so that the smart lock can authenticate the security platform.
That is, in the present invention, before data is transmitted between the smart lock and the security platform, the smart lock authenticates the security platform based on the platform authentication code, and the security platform authenticates the smart lock based on the device authentication code, which improves the security of data transmission.
Description of the drawings
The present invention is further described below with reference to the accompanying drawings and embodiments. In the drawings:
Figure 1 is a schematic structural diagram of the smart lock provided by the first embodiment of the present invention;
Figure 2 is a first schematic structural diagram of the smart lock provided by the first embodiment of the present invention;
Figure 3 is a schematic structural diagram of the security platform provided by the first embodiment of the present invention;
Figure 4 is a first schematic structural diagram of the security platform provided by the first embodiment of the present invention;
Figure 5 is a first schematic diagram of authentication between the security platform and the smart lock provided by the first embodiment of the present invention;
Figure 6 is a second schematic structural diagram of the smart lock provided by the first embodiment of the present invention;
Figure 7 is a schematic diagram of authentication key generation provided by the first embodiment of the present invention;
Figure 8 is a second schematic structural diagram of the security platform provided by the first embodiment of the present invention;
Figure 9 is a second schematic diagram of authentication between the security platform and the smart lock provided by the first embodiment of the present invention;
Figure 10 is a schematic diagram of encryption key generation provided by the first embodiment of the present invention;
Figure 11 is a schematic diagram of interaction between the security platform and the smart lock provided by the second embodiment of the present invention.
Detailed description
To make the content of the present invention easier to understand, the present invention is described in further detail below through specific embodiments in conjunction with the accompanying drawings. It should be understood that the specific embodiments described here are only used to explain the present invention and are not intended to limit it.
Embodiment 1:
To solve the problem of low security caused by no authentication, or only single-ended authentication, before data transmission between an existing smart lock and a security chip, this embodiment provides a smart lock and a security platform.
Referring to Figure 1, the smart lock includes a first security chip 101 and a first communication unit 102 communicatively connected to the first security chip 101.
The first security chip 101 and the first communication unit 102 may be directly connected; alternatively, referring to Figure 2, the smart lock further includes a first processor 103, the first processor 103 is connected to the first security chip 101, the first processor 103 is connected to the first communication unit 102, and the first security chip 101 communicates with the first communication unit 102 through the first processor 103.
The first communication unit is used to implement data transmission between the first security chip and the security platform.
This embodiment also provides a corresponding authentication method for the smart lock, the method comprising:
the first security chip generates a first random sequence, obtains a second random sequence from the security platform through the first communication unit, encrypts a device authentication plaintext with an authentication key pre-stored on the smart lock side to obtain a device authentication code, and then transmits the device authentication code to the security platform through the first communication unit; wherein the device authentication plaintext is obtained by combining the first random sequence and the second random sequence according to a first combination rule;
the first security chip transmits the first random sequence to the security platform through the first communication unit, receives through the first communication unit a platform authentication code generated by the security platform based on the first random sequence and the second random sequence, and then decrypts the platform authentication code with the authentication key to obtain a platform authentication plaintext;
the first security chip combines the first random sequence and the second random sequence according to a second combination rule to obtain a platform verification plaintext, compares the platform verification plaintext with the platform authentication plaintext, and determines according to the comparison result whether authentication of the security platform passes.
Referring to Figure 3, the security platform includes a second security chip 301 and a second communication unit 302 communicatively connected to the second security chip 301.
The second security chip 301 and the second communication unit 302 may be directly connected; alternatively, referring to Figure 4, the security platform further includes a second processor 303, the second processor 303 is connected to the second security chip 301, the second processor 303 is connected to the second communication unit 302, and the second security chip 301 communicates with the second communication unit 302 through the second processor 303.
The second communication unit is used to implement data transmission between the second security chip and the smart lock.
This embodiment also provides a corresponding authentication method for the security platform, the method comprising:
the second security chip generates a second random sequence and sends the second random sequence to the smart lock through the second communication unit, obtains, through the second communication unit, a first random sequence from the smart lock and a device authentication code generated by the smart lock based on the first random sequence and the second random sequence, and then decrypts the device authentication code with an authentication key pre-stored on the security platform side to obtain a device authentication plaintext;
the second security chip combines the first random sequence and the second random sequence according to the first combination rule to obtain a device verification plaintext, compares the device verification plaintext with the device authentication plaintext, and determines according to the comparison result whether authentication of the smart lock passes; the smart lock further encrypts the platform authentication plaintext with the authentication key to obtain a platform authentication code, and then transmits the platform authentication code to the smart lock through the second communication unit, so that the smart lock can authenticate the security platform; wherein the platform authentication plaintext is obtained by combining the first random sequence and the second random sequence according to the second combination rule.
Before data transmission, the smart lock authenticates the security platform, and the security platform also authenticates the smart lock. The security platform may authenticate the smart lock after the smart lock has successfully authenticated the security platform, or the smart lock may authenticate the security platform after the security platform has successfully authenticated the smart lock. These two cases are described below.
In the case where the smart lock authenticates the security platform after the security platform has successfully authenticated the smart lock, the detailed process is shown in Figure 5:
S501. The security platform generates a second random sequence.
The second security chip generates the second random sequence, which is formed by combining at least one random number. After generating at least one random number, the second security chip may arrange the generated random numbers in order to obtain the second random sequence. For example, after generating the random numbers 11, 13 and 18, the second security chip may combine these three random numbers into 111318 or 11-18-13. It should be understood that these are only two of the more common ways of combining; the specific way of combining and the number of random numbers generated can be set by the developer based on experience.
S502. The security platform sends the second random sequence to the smart lock.
The second security chip sends the second random sequence to the smart lock through the second communication unit.
S503. The smart lock generates a first random sequence.
The first security chip generates the first random sequence. It may do so after receiving the second random sequence through the first communication unit, or before receiving the second random sequence through the first communication unit. The first random sequence is formed by combining at least one random number; after generating at least one random number, the first security chip may arrange the generated random numbers in order to obtain the first random sequence. For details, refer to the description of the second random sequence.
S504. The smart lock generates a device authentication code.
After receiving the second random sequence through the first communication unit, the first security chip combines the first random sequence and the second random sequence according to the first combination rule to obtain the device authentication plaintext, and encrypts the device authentication plaintext with the authentication key stored on the smart lock side to obtain the device authentication code.
The first combination rule may combine the first random sequence and the second random sequence in units of sequences, or in units of random numbers. For example, when the first random sequence includes the two random numbers 11 and 04, so that the first random sequence is 1104, and the second random sequence includes the one random number 68, the number obtained by combining according to the first combination rule may be 110468 or 116804.
The authentication key may be stored in the first security chip; alternatively, referring to Figure 6, the smart lock further includes a first memory 104, the first memory 104 is connected to the first processor 103, and the authentication key may be stored in the first memory 104.
Referring to Figure 7, the authentication key may be generated as follows:
S701. The smart lock sends the unique identifier of the first security chip to the security platform.
The first security chip sends its unique identifier to the security platform through the first communication unit.
S702. The security platform generates a first subkey based on the root key.
The root key may be the unique identifier of the second security chip or another key stored in the second security chip.
After receiving, through the second communication unit, the unique identifier of the first security chip sent by the smart lock, the second security chip generates the first subkey based on the root key.
S703. The security platform generates an authentication key based on the first subkey and the root key and stores it.
The second security chip generates the authentication key based on the first subkey and the root key. The authentication key may be stored in the second security chip; alternatively, referring to Figure 8, the security platform further includes a second memory 304, the second memory 104 is connected to the first processor 303, and the authentication key may be stored in the second memory 304.
S704. The security platform sends the authentication key to the smart lock.
The second security chip sends the authentication key to the smart lock through the second communication unit.
S705. The smart lock stores the authentication key.
After receiving the authentication key through the first communication unit, the smart lock may store it in the first security chip or in the first memory.
To protect the authentication key in transit, the first processor or the first security chip may generate an asymmetric key pair. Whether the key pair is generated by the first processor or by the first security chip, it can be stored in the first memory or in the first security chip. After the asymmetric key pair is generated, its public key is sent to the security platform through the first communication unit. After receiving the public key through the second communication unit, the second security chip encrypts the authentication key with the public key to obtain an authentication key ciphertext and sends the authentication key ciphertext to the smart lock through the second communication unit. After receiving the authentication key ciphertext through the first communication unit, the first processor or the first security chip decrypts it with the private key corresponding to the public key to obtain the authentication key, and stores the authentication key in the first memory or the first security chip.
S505. The smart lock sends the device authentication code to the security platform.
The first security chip sends the device authentication code to the security platform through the first communication unit.
S506. The smart lock sends the first random sequence to the security platform.
The first security chip sends the first random sequence to the security platform through the first communication unit.
The first security chip may send the first random sequence together with the device authentication code to the security platform through the first communication unit; it may also send the first random sequence to the security platform through the first communication unit before sending the device authentication code, or after sending the device authentication code.
S507. The security platform generates a device verification plaintext.
After receiving the device authentication code and the first random sequence through the second communication unit, the second security chip combines the first random sequence and the second random sequence according to the first combination rule to obtain the device verification plaintext. It should be understood that the first combination rule here is the same as the first combination rule used by the first security chip when generating the device authentication plaintext.
S508. The security platform decrypts the device authentication code with the authentication key to obtain the device authentication plaintext.
The second security chip decrypts the device authentication code with the authentication key to obtain the device authentication plaintext. The authentication key here is the same as the authentication key on the smart lock side.
It should be understood that this embodiment does not limit the order of S507 and S508: S508 may be performed after S507, or S507 may be performed after S508.
S509. The security platform compares the device verification plaintext with the device authentication plaintext, and determines according to the comparison result whether authentication of the smart lock passes.
The second security chip compares the device verification plaintext with the device authentication plaintext, and determines according to the comparison result whether authentication of the smart lock passes.
When the device verification plaintext and the device authentication plaintext are the same, authentication of the smart lock is determined to have passed; when they differ, authentication of the smart lock is determined to have failed.
S510. After determining that authentication of the smart lock has passed, the security platform generates a platform authentication code.
The second security chip combines the first random sequence and the second random sequence according to the second combination rule to obtain the platform authentication plaintext, and encrypts the platform authentication plaintext with the authentication key stored on the security platform side to obtain the platform authentication code. It should be noted that the second combination rule may combine the first random sequence and the second random sequence in units of sequences, or in units of random numbers. To improve security, the second combination rule is different from the first combination rule; therefore the device authentication plaintext generated by the first security chip based on the first combination rule differs from the platform authentication plaintext generated by the second security chip based on the second combination rule, and the data authenticated by the smart lock and by the security platform are different.
S511. The security platform sends the platform authentication code to the smart lock.
The second security chip sends the platform authentication code to the smart lock through the second communication unit.
S512. The smart lock decrypts the platform authentication code with the authentication key to obtain the platform authentication plaintext.
After receiving the platform authentication code through the first communication unit, the first security chip decrypts the platform authentication code with the authentication key to obtain the platform authentication plaintext.
S513. The smart lock generates a platform verification plaintext based on the second combination rule.
The first security chip combines the first random sequence and the second random sequence according to the second combination rule to obtain the platform verification plaintext. It should be noted that the second combination rule here is the same as the second combination rule used by the security platform when generating the platform authentication plaintext.
This embodiment does not limit the order of S512 and S513: S512 may be performed after S513, or S513 may be performed after S512.
S514. The smart lock compares the platform verification plaintext with the platform authentication plaintext, and determines according to the comparison result whether authentication of the security platform passes.
The first security platform compares the platform verification plaintext with the platform authentication plaintext, and determines according to the comparison result whether authentication of the security platform passes. When the platform verification plaintext and the platform authentication plaintext are the same, authentication of the security platform is determined to have passed; when they differ, authentication of the security platform is determined to have failed.
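The Figure 5 exchange (S501 to S514) as an added Python sketch; it is not part of the patent text or the applicant's implementation. Assumptions: 16-byte random sequences, rule 1 = R1‖R2, rule 2 = R2‖R1, and a 4-round HMAC-SHA256 Feistel permutation standing in for the security chips' cipher, which the description does not name; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # assumption: fixed-length sequences, so a combination parses one way only


def rule_1(r1: bytes, r2: bytes) -> bytes:
    """First combination rule (assumed here): R1 || R2."""
    return r1 + r2


def rule_2(r1: bytes, r2: bytes) -> bytes:
    """Second combination rule (assumed here): R2 || R1, different from rule 1."""
    return r2 + r1


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the stand-in cipher: HMAC-SHA256 truncated to the half-block size.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:len(half)]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _check_block(data: bytes) -> int:
    if len(data) % 2 or not 2 <= len(data) <= 64:
        raise ValueError("block must be an even number of bytes, between 2 and 64")
    return len(data) // 2


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """4-round Feistel permutation; a stand-in for the chip's symmetric cipher."""
    h = _check_block(plaintext)
    left, right = plaintext[:h], plaintext[h:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def decrypt(key: bytes, code: bytes) -> bytes:
    """Inverse of encrypt(): undo the four rounds in reverse order."""
    h = _check_block(code)
    left, right = code[:h], code[h:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def verify(key: bytes, code: bytes, expected: bytes) -> bool:
    """Decrypt a received code and compare it with the locally combined plaintext."""
    if len(code) != len(expected):
        return False
    return hmac.compare_digest(decrypt(key, code), expected)  # constant-time compare


def mutual_auth(lock_key, platform_key, device_rule=rule_1, platform_rule=rule_2):
    """Run S501-S514 once; returns (lock_ok, platform_ok, device_code, platform_code)."""
    r2 = secrets.token_bytes(NONCE_LEN)                    # S501-S502: platform -> lock
    r1 = secrets.token_bytes(NONCE_LEN)                    # S503: generated by the lock
    device_code = encrypt(lock_key, device_rule(r1, r2))   # S504; sent with R1 (S505-S506)
    # S507-S509: platform recombines R1 and R2 itself and checks the decrypted code.
    lock_ok = verify(platform_key, device_code, device_rule(r1, r2))
    if not lock_ok:
        return False, None, device_code, None              # platform stops before S510
    platform_code = encrypt(platform_key, platform_rule(r1, r2))          # S510-S511
    platform_ok = verify(lock_key, platform_code, platform_rule(r1, r2))  # S512-S514
    return lock_ok, platform_ok, device_code, platform_code


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed sample key shared by both sides
    print("shared key:     ", mutual_auth(key, key)[:2])
    print("mismatched keys:", mutual_auth(key, secrets.token_bytes(32))[:2])
    same = mutual_auth(key, key, rule_1, rule_1)
    print("identical rules give identical codes:", same[2] == same[3])
```

With identical rules the platform authentication code is byte-for-byte the device authentication code the lock just sent, so receiving it would not show that the platform holds the key; the differing second combination rule in S510 removes that equality.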
After the smart lock has successfully authenticated the security platform, the security platform then authenticates the smart lock. The detailed process is shown in Figure 9:
S901. The smart lock generates a first random sequence.
The first security chip generates the first random sequence. For a detailed description of the first random sequence, see the foregoing description.
S902. The smart lock sends the first random sequence to the security platform.
The first security chip sends the first random sequence to the security platform through the first communication unit.
S903. The security platform generates a second random sequence.
The second security chip generates the second random sequence. It may do so after receiving the first random sequence through the second communication unit, or before receiving the first random sequence through the second communication unit. For a detailed description of the second random sequence, see the foregoing description.
S904. The security platform generates a platform authentication code.
After receiving the first random sequence through the second communication unit, the second security chip combines the first random sequence and the second random sequence according to the second combination rule to obtain the platform identification plaintext, and encrypts the platform identification plaintext with the authentication key to obtain the platform authentication code.
For a detailed description of the second combination rule and the authentication key, see the foregoing description.
S905. The security platform sends the platform authentication code to the smart lock.
The second security chip sends the platform authentication code to the smart lock through the second communication unit.
S906. The security platform sends the second random sequence to the smart lock.
The second security chip sends the second random sequence to the smart lock through the second communication unit.
The second security chip may send the second random sequence and the platform authentication code to the smart lock together through the second communication unit. It may also send the second random sequence to the smart lock through the second communication unit before sending the platform authentication code, or after sending the platform authentication code.
S907. The smart lock generates the platform authentication plaintext.
After receiving the platform authentication code and the first random sequence through the first communication unit, the first security chip combines the first random sequence and the second random sequence according to the second combination rule to obtain the platform authentication plaintext.
S908. The smart lock decrypts the platform authentication code based on the authentication key to obtain the platform identification plaintext.
The first security chip decrypts the platform authentication code with the authentication key to obtain the platform identification plaintext.
It should be understood that this embodiment does not limit the order of S907 and S908: S908 may be performed after S907, or S907 may be performed after S908.
S909. The smart lock compares the platform authentication plaintext with the platform identification plaintext and determines from the comparison result whether the authentication of the security platform has passed.
The first security chip compares the platform authentication plaintext with the platform identification plaintext and determines from the comparison result whether the authentication of the security platform has passed.
When the platform authentication plaintext and the platform identification plaintext are the same, the authentication of the security platform is determined to have passed; when they are different, the authentication of the security platform is determined to have failed.
S910. After determining that the authentication of the security platform has passed, the smart lock generates a device authentication code.
The first security chip combines the first random sequence and the second random sequence according to the first combination rule to obtain the device identification plaintext, and encrypts the device identification plaintext with the authentication key to obtain the device authentication code.
S911. The smart lock sends the device authentication code to the security platform.
The first security chip sends the device authentication code to the security platform through the first communication unit.
S912. The security platform decrypts the device authentication code based on the authentication key to obtain the device identification plaintext.
After receiving the device authentication code through the second communication unit, the second security chip decrypts the device authentication code based on the authentication key to obtain the device identification plaintext.
S913. The security platform generates the device authentication plaintext based on the first combination rule.
The second security chip combines the first random sequence and the second random sequence according to the first combination rule to obtain the device authentication plaintext.
This embodiment does not limit the order of S912 and S913: S912 may be performed after S913, or S913 may be performed after S912.
S914. The security platform compares the device authentication plaintext with the device identification plaintext and determines from the comparison result whether the authentication of the smart lock has passed.
The second security chip compares the device authentication plaintext with the device identification plaintext. When they are the same, the authentication of the smart lock is determined to have passed; when they are different, the authentication of the smart lock is determined not to have passed.
After the smart lock's authentication of the security platform has passed and the security platform's authentication of the smart lock has passed, the first security chip is further configured to perform encryption-key-based data transmission with the security platform through the first communication unit. That is, the first security chip encrypts data to be sent to the security platform based on the encryption key, and decrypts data sent by the security platform and received through the first communication unit based on the encryption key. Correspondingly, the second security chip encrypts data to be sent to the smart lock based on the encryption key, and decrypts data sent by the smart lock and received through the second communication unit based on the encryption key.
As shown in Figure 10, the encryption key may be generated as follows:
S1001. The smart lock sends the unique identifier of the first security chip to the security platform.
The first security chip sends its unique identifier to the security platform through the first communication unit.
S1002. The security platform generates a second subkey based on the root key.
The root key may be the unique identifier of the second security chip or another key stored in the second security chip.
The second security chip generates the second subkey based on the root key.
S1003. The security platform generates an encryption key based on the second subkey and the root key, and stores it.
The second security chip generates the encryption key based on the second subkey and the root key. The encryption key may be stored in the second security chip or in the second memory.
S1004. The security platform sends the encryption key to the smart lock.
The second security chip sends the encryption key to the smart lock through the second communication unit.
S1005. The smart lock stores the encryption key.
After receiving the encryption key through the first communication unit, the smart lock may store it in the first memory or in the first security chip.
To protect the encryption key during transmission, the second security chip encrypts the encryption key with a public key to obtain an encryption key ciphertext and sends the encryption key ciphertext to the smart lock through the second communication unit. After receiving the encryption key ciphertext through the first communication unit, the smart lock decrypts it with the private key corresponding to the public key to obtain the encryption key and stores it in the first memory or the first security chip.
Further, to improve the security of data transmission, the first security chip may generate a first process key based on the encryption key and at least one of the first random sequence and the second random sequence, encrypt first data to be sent to the security platform with the first process key, and send the resulting first data ciphertext to the security platform through the first communication unit. The first security chip is further configured to generate a second process key based on the encryption key and at least one of the first random sequence and the second random sequence, and to use the second process key to decrypt second data ciphertext sent by the security platform and received through the first communication unit, obtaining second data. Correspondingly, the second security chip is further configured to generate the first process key based on the encryption key and at least one of the first random sequence and the second random sequence, and to use the first process key to decrypt the first data ciphertext sent by the smart lock and received through the second communication unit, obtaining the first data. The second security chip may generate the second process key based on the encryption key and at least one of the first random sequence and the second random sequence, encrypt second data to be sent to the smart lock with the second process key, and send the resulting second data ciphertext to the smart lock through the second communication unit. It should be understood that the rule by which the first security chip generates the first process key is the same as the rule by which the second security chip generates the first process key; that is, the first process key generated by the first security chip is the same as the first process key generated by the second security chip. Likewise, the rule by which the first security chip generates the second process key is the same as the rule by which the second security chip generates the second process key; that is, the second process key generated by the first security chip is the same as the second process key generated by the second security chip. The first process key and the second process key may be the same; to improve the security of data transmission, they may also be different.
In this embodiment, the smart lock includes a first security chip and a first communication unit communicatively connected with the first security chip, and the security platform includes a second security chip and a second communication unit communicatively connected with the second security chip. Before data transmission, the smart lock authenticates the security platform based on the platform authentication code, and the security platform authenticates the smart lock based on the device authentication code. Data transmission takes place only after authentication has passed at both ends. This solves the low-security problem in the prior art, in which the smart lock and the security platform perform no authentication before data transmission or only one end performs authentication, and improves the security of the smart lock and the security platform.
Embodiment 2
The smart lock in this embodiment includes a first security chip and a first communication unit communicatively connected with the first security chip.
The first communication unit is used to implement data transmission between the first security chip and the security platform.
The security platform in this embodiment includes a second security chip and a second communication unit communicatively connected with the second security chip.
The second communication unit is used to implement data transmission between the second security chip and the smart lock.
The interaction process between the smart lock and the security chip is shown in Figure 11:
S1101. The first security chip generates a set of asymmetric keys.
S1102. The first security chip sends the unique identifier of the first security chip and the public key of the asymmetric keys to the security platform through the first communication unit.
S1103. The second security chip generates a first subkey and a second subkey based on the root key.
S1104. The second security chip generates an authentication key and an encryption key, and encrypts the authentication key and the encryption key with the public key to obtain a key ciphertext.
The second security chip generates the authentication key based on the first subkey and the unique identifier of the first security chip, and generates the encryption key based on the second subkey and the unique identifier of the first security chip.
S1105. The second security chip sends the key ciphertext to the smart lock through the second communication unit.
S1106. The first security chip decrypts the key ciphertext with the private key corresponding to the public key to obtain the authentication key and the encryption key, and stores them in the first security chip.
S1107. The second security chip generates a second random number.
S1108. The second security chip sends the second random number to the smart lock through the second communication unit.
S1109. After receiving the second random number through the first communication unit, the first security chip generates a first random number.
The first random number and the second random number are both 8-byte random numbers.
S1110. The first security chip generates a device authentication code.
The first security chip combines the first random number and the second random number according to the first combination rule to obtain the device identification plaintext, which is (first random number|second random number). The first security chip encrypts the device identification plaintext with the authentication key to obtain the device authentication code.
S1111. The first security chip sends the device authentication code and the first random number together to the security platform through the first communication unit.
S1112. The second security chip decrypts the device authentication code with the authentication key to obtain the device identification plaintext, and generates the device authentication plaintext.
The second security chip combines the first random number and the second random number according to the first combination rule to obtain the device authentication plaintext. This first combination rule is the same as the first combination rule the first security chip used to generate the device identification plaintext, so the device authentication plaintext is (first random number|second random number).
S1113. The second security chip compares the device authentication plaintext with the device identification plaintext.
When the comparison result is a match, the second security chip determines that authentication of the smart lock has succeeded; when the comparison result is a mismatch, it determines that authentication of the smart lock has failed.
S1114. After determining that authentication of the smart lock has succeeded, the second security chip generates a platform authentication code.
After determining that authentication of the smart lock has succeeded, the second security chip combines the first random number and the second random number according to the second combination rule to obtain the platform identification plaintext, which is (second random number|first random number), and encrypts the platform identification plaintext with the authentication key to obtain the platform authentication code.
S1115. The second security chip sends the platform authentication code to the smart lock through the second communication unit.
S1116. The first security chip generates the platform authentication plaintext, and decrypts the platform authentication code with the authentication key to obtain the platform identification plaintext.
The first security chip combines the first random number and the second random number according to the second combination rule to obtain the platform authentication plaintext. This second combination rule is the same as the second combination rule the second security chip used to generate the platform identification plaintext, so the platform authentication plaintext is (second random number|first random number).
S1117. The first security chip compares the platform authentication plaintext with the platform identification plaintext.
When the comparison result is a match, authentication of the security platform is determined to have succeeded; when the comparison result is a mismatch, authentication of the security platform is determined to have failed.
S1118. After determining that authentication of the security platform has succeeded, the first security chip generates a first process key and a second process key.
The first security chip generates the first process key from the encryption key, the first random number and the second random number, and generates the second process key from the encryption key, the first random number and the second random number. The rule for generating the first process key differs from the rule for generating the second process key, so the first process key differs from the second process key.
S1119. The second security chip generates the first process key and the second process key.
The rule by which the second security chip generates the first process key is the same as the rule by which the first security chip generates the first process key, and the rule by which the second security chip generates the second process key is the same as the rule by which the first security chip generates the second process key.
S1120. The first security chip encrypts first data with the first process key to obtain first data ciphertext.
S1121. The first security chip sends the first data ciphertext to the security platform through the first communication unit.
S1122. The second security chip uses the first process key to decrypt the first data ciphertext received through the second communication unit, obtaining the first data.
S1123. The second security chip encrypts second data with the second process key to obtain second data ciphertext.
S1124. The second security chip sends the second data ciphertext to the smart lock through the second transmission unit.
S1125. The first security chip uses the second process key to decrypt the second data ciphertext received through the first communication unit, obtaining the second data.
It should be understood that this embodiment is explained only with the example of performing S1120 first and then S1123. In other embodiments, S1123 may be performed first and then S1120.
In this embodiment, the smart lock includes a first security chip and a first communication unit communicatively connected with the first security chip, and the security platform includes a second security chip and a second communication unit communicatively connected with the second security chip. Before data transmission, the security platform authenticates the smart lock based on the device authentication code; after that authentication succeeds, the smart lock authenticates the security platform based on the platform authentication code; and data transmission takes place after authentication of the security platform succeeds. This solves the low-security problem in the prior art, in which the smart lock and the security platform perform no authentication before data transmission or only one end performs authentication, and improves the security of data transmission between the smart lock and the security platform. In addition, during data transmission the smart lock and the security platform encrypt data with the first process key and the second process key, which further improves the security of data transmission between the smart lock and the security platform.
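The Embodiment 2 exchange (S1103 to S1119) as an added Python example; it is not code from the patent. The patent names neither the cipher nor the key-derivation rules, so the 4-round Feistel stand-in cipher, the HMAC-SHA256 derivations with their labels, and all class and function names are assumptions, and the public-key wrapping of the keys (S1101, S1102, S1105, S1106) is left out.

```python
import hashlib
import hmac
import secrets


def kdf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Assumed derivation rule (the patent names none): HMAC-SHA256, 16-byte output."""
    msg = label + b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


def round_fn(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in 16-byte cipher (4-round Feistel network); an assumption, see lead-in."""
    if len(block) != 16:
        raise ValueError("plaintext must be two 8-byte random numbers")
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, xor(left, round_fn(key, i, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = xor(right, round_fn(key, i, left)), left
    return left + right


def process_keys(enc_key: bytes, r1: bytes, r2: bytes):
    """S1118/S1119: two different rules over the same inputs give two different keys."""
    return kdf(enc_key, b"process-1", r1, r2), kdf(enc_key, b"process-2", r1, r2)


class Platform:
    """Security platform side (second security chip)."""

    def __init__(self, root_key: bytes):
        self.root_key = root_key

    def keys_for(self, chip_id: bytes):
        # S1103-S1104: subkeys from the root key, then per-lock keys from the chip ID.
        sub1 = kdf(self.root_key, b"subkey-1")
        sub2 = kdf(self.root_key, b"subkey-2")
        return kdf(sub1, b"auth", chip_id), kdf(sub2, b"enc", chip_id)

    def challenge(self) -> bytes:
        self.r2 = secrets.token_bytes(8)  # S1107: second random number
        return self.r2

    def verify_device(self, chip_id: bytes, device_code: bytes, r1: bytes):
        # S1112-S1113: decrypt the device code, compare with rule 1 (R1|R2).
        if len(device_code) != 16 or len(r1) != 8:
            return None
        auth_key, enc_key = self.keys_for(chip_id)
        if not hmac.compare_digest(decrypt_block(auth_key, device_code), r1 + self.r2):
            return None
        self.session = process_keys(enc_key, r1, self.r2)  # used from S1119 on
        return encrypt_block(auth_key, self.r2 + r1)  # S1114: rule 2 (R2|R1)


class Lock:
    """Smart lock side (first security chip), already provisioned with both keys."""

    def __init__(self, chip_id: bytes, auth_key: bytes, enc_key: bytes):
        self.chip_id, self.auth_key, self.enc_key = chip_id, auth_key, enc_key

    def respond(self, r2: bytes):
        # S1109-S1111: first random number, device code over rule 1 (R1|R2).
        self.r1, self.r2 = secrets.token_bytes(8), r2
        return encrypt_block(self.auth_key, self.r1 + self.r2), self.r1

    def verify_platform(self, platform_code: bytes) -> bool:
        # S1116-S1117: decrypt the platform code, compare with rule 2 (R2|R1).
        if len(platform_code) != 16:
            return False
        expected = self.r2 + self.r1
        ok = hmac.compare_digest(decrypt_block(self.auth_key, platform_code), expected)
        if ok:
            self.session = process_keys(self.enc_key, self.r1, self.r2)  # S1118
        return ok


def provisioned_lock(platform: Platform, chip_id: bytes) -> Lock:
    return Lock(chip_id, *platform.keys_for(chip_id))


def handshake(lock: Lock, platform: Platform) -> str:
    r2 = platform.challenge()  # S1108: platform -> lock
    device_code, r1 = lock.respond(r2)  # S1111: lock -> platform
    platform_code = platform.verify_device(lock.chip_id, device_code, r1)
    if platform_code is None:
        return "platform rejected lock"
    if not lock.verify_platform(platform_code):  # S1115: platform -> lock
        return "lock rejected platform"
    same = lock.session == platform.session
    return "mutual authentication ok" if same else "process keys differ"
```

Because the two combination rules order the random numbers differently, a device authentication code presented where a platform authentication code is expected fails the comparison; `hmac.compare_digest` keeps that comparison constant-time.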
The embodiments of the present invention have been described above with reference to the accompanying drawings, but the present invention is not limited to the specific embodiments described above, which are illustrative rather than restrictive. Guided by the present invention, those of ordinary skill in the art can devise many other forms without departing from the purpose of the present invention and the scope protected by the claims, and all of these fall within the protection of the present invention.

Claims (12)

  1. A smart lock, characterized in that the smart lock comprises: a first security chip and a first communication unit communicatively connected with the first security chip;
    the first security chip is configured to generate a first random sequence and obtain a second random sequence from a security platform through the first communication unit, encrypt a device identification plaintext with an authentication key pre-stored on the smart lock side to obtain a device authentication code, and then transmit the device authentication code to the security platform through the first communication unit, so that the security platform can authenticate the smart lock;
    the device identification plaintext is obtained by combining the first random sequence and the second random sequence according to a first combination rule;
    the first security chip is further configured to transmit the first random sequence to the security platform through the first communication unit, receive through the first communication unit a platform authentication code generated by the security platform based on the first random sequence and the second random sequence, and then decrypt the platform authentication code with the authentication key to obtain a platform identification plaintext;
    the first security chip is further configured to combine the first random sequence and the second random sequence according to a second combination rule to obtain a platform authentication plaintext, compare the platform authentication plaintext with the platform identification plaintext, and determine from the comparison result whether the authentication of the security platform has passed;
    the first communication unit is used to implement data transmission between the first security chip and the security platform.
  2. The smart lock according to claim 1, characterized in that the first communication unit is used to send the device authentication code and the first random sequence together to the security platform.
  3. The smart lock according to claim 1, characterized in that the first random sequence is a first random number, the second random sequence is a second random number, the device identification plaintext is (first random number|second random number), and the platform authentication plaintext is (second random number|first random number).
  4. The smart lock according to any one of claims 1-3, characterized in that the first security chip is further configured to perform encryption-key-based data transmission with the security platform through the first communication unit after the authentication of the security platform has passed.
  5. The smart lock according to claim 4, characterized in that the first security chip is further configured to generate a first process key based on the encryption key, the first random sequence and the second random sequence, encrypt first data to be sent to the security platform with the first process key, and send the resulting first data ciphertext to the security platform through the first communication unit; the first security chip is further configured to generate a second process key based on the encryption key, the first random sequence and the second random sequence, and to use the second process key to decrypt second data ciphertext sent by the security platform and received through the first communication unit, obtaining second data.
  6. The smart lock according to claim 5, characterized in that the first process key is different from the second process key.
  7. A smart lock authentication method, characterized in that it is applied to the smart lock according to any one of claims 1-6, the smart lock comprising: a first security chip and a first communication unit communicatively connected with the first security chip; the method comprises:
    the first security chip generates a first random sequence, obtains a second random sequence from a security platform through the first communication unit, encrypts a device identification plaintext with an authentication key pre-stored on the smart lock side to obtain a device authentication code, and then transmits the device authentication code to the security platform through the first communication unit; wherein the device identification plaintext is obtained by combining the first random sequence and the second random sequence according to a first combination rule;
    the first security chip transmits the first random sequence to the security platform through the first communication unit, receives through the first communication unit a platform authentication code generated by the security platform based on the first random sequence and the second random sequence, and then decrypts the platform authentication code with the authentication key to obtain a platform identification plaintext;
    the first security chip combines the first random sequence and the second random sequence according to a second combination rule to obtain a platform authentication plaintext, compares the platform authentication plaintext with the platform identification plaintext, and determines from the comparison result whether the authentication of the security platform has passed.
  8. 一种安全平台,其特征在于,所述安全平台包括:第二安全芯片以及与所述第二安全芯片通信连接的第二通信单元;A security platform, wherein the security platform includes: a second security chip and a second communication unit communicatively connected with the second security chip;
    所述第二安全芯片用于生成第二随机序列并通过所述第二通信单元将所述第二随 机序列发送给智能锁,通过所述第二通信单元获取来自智能锁的第一随机序列以及所述智能锁基于所述第一随机序列和所述第二随机序列生成的设备鉴别码,然后采用预先存储在所述安全平台侧的认证密钥对所述设备鉴别码进行解密处理得到设备鉴别明文;The second security chip is used to generate a second random sequence and send the second random sequence to the smart lock through the second communication unit, obtain the first random sequence from the smart lock through the second communication unit, and The smart lock generates a device authentication code based on the first random sequence and the second random sequence, and then uses an authentication key pre-stored on the security platform to decrypt the device authentication code to obtain device authentication Plaintext
    The second security chip is further configured to combine the first random sequence and the second random sequence according to the first combination rule to obtain a device verification plaintext, to compare the device verification plaintext with the device authentication plaintext, and to determine from the comparison result whether authentication of the smart lock passes; the smart lock is further configured to encrypt a platform authentication plaintext with the authentication key to obtain a platform authentication code, and then to transmit the platform authentication code to the smart lock through the second communication unit, so that the smart lock can authenticate the security platform;
    The platform authentication plaintext is obtained by combining the first random sequence and the second random sequence according to a second combination rule;
    The second communication unit is configured to carry data between the second security chip and the smart lock.
  9. The security platform according to claim 8, characterized in that the second security chip is further configured to generate a first subkey based on a root key, then to generate an authentication key based on the first subkey and the unique identifier of the first security chip of the smart lock received through the second communication unit, to store the authentication key, and to send the authentication key to the smart lock through the second communication unit so that the smart lock can store the authentication key.
  10. The security platform according to claim 8 or 9, characterized in that the second security chip is further configured to generate a second subkey based on the root key, then to generate an encryption key based on the second subkey and the unique identifier of the first security chip of the smart lock received through the second communication unit, to store the encryption key, and to send the encryption key to the smart lock through the second communication unit so that the smart lock can store the encryption key.
  11. The security platform according to claim 10, characterized in that the second security chip is further configured to receive, through the second communication unit, a public key sent by the smart lock, to encrypt the encryption key with the public key to obtain an encryption key ciphertext, and to send the encryption key ciphertext to the smart lock through the second communication unit, so that the smart lock can decrypt the encryption key ciphertext with the private key corresponding to the public key to obtain and store the encryption key.
  12. A security platform authentication method, characterized in that it is applied to the security platform according to any one of claims 8-11, the security platform comprising: a second security chip and a second communication unit communicatively connected to the second security chip; the method comprises:
    The second security chip generates a second random sequence and sends the second random sequence to the smart lock through the second communication unit, obtains through the second communication unit the first random sequence from the smart lock and the device authentication code generated by the smart lock based on the first random sequence and the second random sequence, and then decrypts the device authentication code with the authentication key pre-stored on the security platform side to obtain a device authentication plaintext;
    The second security chip combines the first random sequence and the second random sequence according to the first combination rule to obtain a device verification plaintext, compares the device verification plaintext with the device authentication plaintext, and determines from the comparison result whether authentication of the smart lock passes; the smart lock further encrypts a platform authentication plaintext with the authentication key to obtain a platform authentication code, and then transmits the platform authentication code to the smart lock through the second communication unit, so that the smart lock can authenticate the security platform; wherein the platform authentication plaintext is obtained by combining the first random sequence and the second random sequence according to a second combination rule.
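The two-way exchange of claims 7 to 12, with the per-lock key derivation of claim 9, sketched as an added example that is not part of the patent text. The claims name no cipher, so HMAC-SHA256 stands in for it and each side recomputes and compares the code instead of decrypting it; the derivation labels, the 16-byte random sequences and both combination rules are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def prf(key: bytes, msg: bytes) -> bytes:
    # Assumption: HMAC-SHA256 replaces the claims' unspecified symmetric cipher.
    return hmac.new(key, msg, hashlib.sha256).digest()

def derive_auth_key(root_key: bytes, chip_id: bytes) -> bytes:
    # Claim 9: root key -> first subkey -> authentication key bound to the chip ID.
    sub_key_1 = prf(root_key, b"subkey-1")      # constructed label
    return prf(sub_key_1, chip_id)

def rule_1(r1: bytes, r2: bytes) -> bytes:      # hypothetical first combination rule
    return b"DEV" + r1 + r2

def rule_2(r1: bytes, r2: bytes) -> bytes:      # hypothetical second combination rule
    return b"PLT" + r2 + r1

class Party:
    """One side of the exchange: shared key plus its own fresh random sequence."""
    def __init__(self, auth_key: bytes):
        self.key = auth_key
        self.nonce = secrets.token_bytes(16)    # fixed length keeps concatenation unambiguous

def device_code(lock: Party, r2: bytes) -> bytes:
    return prf(lock.key, rule_1(lock.nonce, r2))

def platform_checks_device(plat: Party, r1: bytes, code: bytes) -> bool:
    expected = prf(plat.key, rule_1(r1, plat.nonce))
    return hmac.compare_digest(expected, code)  # constant-time comparison

def platform_code(plat: Party, r1: bytes) -> bytes:
    return prf(plat.key, rule_2(r1, plat.nonce))

def lock_checks_platform(lock: Party, r2: bytes, code: bytes) -> bool:
    expected = prf(lock.key, rule_2(lock.nonce, r2))
    return hmac.compare_digest(expected, code)

def mutual_auth(lock: Party, plat: Party) -> bool:
    r1, r2 = lock.nonce, plat.nonce             # random sequences travel in the clear
    if not platform_checks_device(plat, r1, device_code(lock, r2)):
        return False
    return lock_checks_platform(lock, r2, platform_code(plat, r1))
```

Because the two combination rules differ, a device authentication code is never a valid platform authentication code for the same pair of random sequences, and a code computed for one session fails once either side draws a new random sequence.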
PCT/CN2020/097011 2019-06-26 2020-06-19 Smart lock, security platform and authentication method therefor WO2020259397A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910563194.9 2019-06-26
CN201910563194.9A CN112152963B (en) 2019-06-26 2019-06-26 Intelligent lock, security platform and authentication method thereof

Publications (1)

Publication Number Publication Date
WO2020259397A1 (en) 2020-12-30

Family

ID=73870079

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/097011 WO2020259397A1 (en) 2019-06-26 2020-06-19 Smart lock, security platform and authentication method therefor

Country Status (3)

Country Link
CN (1) CN112152963B (en)
TW (1) TW202105222A (en)
WO (1) WO2020259397A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114640474A (en) * 2022-05-19 2022-06-17 润芯微科技(江苏)有限公司 Safety authentication and encryption method for automobile separated type cabin

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101072096A (en) * 2007-05-31 2007-11-14 北京威讯紫晶科技有限公司 Data safety transmission method for wireless sensor network
US20090256676A1 (en) * 2008-04-14 2009-10-15 The Eastern Company Smart lock system
CN106971441A (en) * 2017-04-28 2017-07-21 深圳星普森信息技术有限公司 A kind of method for unlocking, door lock, key and lockset
CN108171831A (en) * 2017-12-22 2018-06-15 武汉瑞纳捷电子技术有限公司 A kind of bidirectional safe authentication method based on NFC mobile phone and smart lock
CN109410406A (en) * 2018-11-14 2019-03-01 北京华大智宝电子系统有限公司 A kind of authorization method, device and system
CN109448197A (en) * 2018-12-18 2019-03-08 杭州高锦科技有限公司 A kind of cloud intelligent lock system and key management method based on multi-enciphering mode

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102800141B (en) * 2012-07-24 2015-10-28 东信和平科技股份有限公司 A kind of access control method based on two-way authentication and system
CN105184929B (en) * 2015-09-30 2018-09-14 深圳市章陈融通科技有限公司 Intelligent door lock control method and device
WO2018076365A1 (en) * 2016-10-31 2018-05-03 美的智慧家居科技有限公司 Key negotiation method and device
CN108683674A (en) * 2018-05-22 2018-10-19 深圳中泰智丰物联网科技有限公司 Verification method, device, terminal and the computer readable storage medium of door lock communication

Also Published As

Publication number Publication date
CN112152963B (en) 2024-04-09
CN112152963A (en) 2020-12-29
TW202105222A (en) 2021-02-01

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20832109

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20832109

Country of ref document: EP

Kind code of ref document: A1