WO2021128989A1 - Authentication method and device - Google Patents

Authentication method and device Download PDF

Info

Publication number
WO2021128989A1
WO2021128989A1 PCT/CN2020/116536 CN2020116536W WO2021128989A1 WO 2021128989 A1 WO2021128989 A1 WO 2021128989A1 CN 2020116536 W CN2020116536 W CN 2020116536W WO 2021128989 A1 WO2021128989 A1 WO 2021128989A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
private key
authentication
encrypted
key
Prior art date
Application number
PCT/CN2020/116536
Other languages
French (fr)
Chinese (zh)
Inventor
唐甜
乔立忠
张梦楠
曹斌
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Publication of WO2021128989A1 publication Critical patent/WO2021128989A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • This application relates to the field of secure communication technology, and in particular to an authentication method and device.
  • the method can be used to authenticate the device or the interface on the device when there is a need to open the device or the interface on the device.
  • the device is usually authenticated by a codebook to ensure the security of the device and the information on it. Specifically, multiple passwords are stored in the codebook, and one or more passwords are preset on the device.
  • designated personnel such as debuggers, operation and maintenance personnel, production Personnel, etc.
  • the matching is successful, the device is deemed to have passed the authentication, and the access rights corresponding to the successfully matched password on the device are opened, thus The corresponding important information can be accessed through the use permission that has been opened on the device.
  • the embodiments of the present application provide an authentication method and device.
  • the information sent by the device to be authenticated is encrypted by the authentication tool and decrypted by the device to be authenticated, so that the device to be authenticated is more Secure authentication.
  • an authentication method is provided, which is applied in a scenario that includes a first device and a second device, with the first device as the execution subject, the authentication method may include, for example, the first device receives a transmission from the second device After using the first private key to encrypt the first information, decrypt it according to the first public key to obtain the first information, where the first public key corresponds to the first private key; then, the first device can The information and the locally stored second information are matched and verified to obtain a verification result, and the use authority of the first device is determined according to the verification result. Specifically, when the verification result indicates that the verification is passed, the first device opens the corresponding use right, and when the verification result indicates that the verification fails, the first device does not open the corresponding use right.
  • the authentication of the first device to be authenticated is realized, which overcomes the current situation of protecting the security of the first device by means of codebooks or exposed pads corresponding to the interface.
  • the potential safety hazards ensure the safer and more reliable protection of the first device to be authenticated.
  • the first device may be any device to be authenticated, for example, it may refer to a network device or a single board, or for another example, it may also refer to a debugging interface or a service interface on the device.
  • the second device may refer to an authentication tool with an authentication function.
  • the authentication tool sends the first information encrypted by the first private key to the device where the debugging interface is located and decrypted by the first public key. After the verification is passed, the device where the debugging interface is located will open the The permission to use the debugging interface is for accessing and using the debugging interface.
  • the first private key and the first public key may be generated by the second device; or, the first private key and the first public key may also be configured by the authentication server for the second device.
  • the embodiments of the present application may further include: the first device receives the first public key encrypted by the second private key of the authentication server sent by the second device; the first device uses the locally stored first public key of the authentication server The second public key is used to decrypt the encrypted first public key to obtain the first public key.
  • the first device receives the first public key encrypted by the second private key of the authentication server sent by the second device; the first device uses the locally stored first public key of the authentication server The second public key is used to decrypt the encrypted first public key to obtain the first public key.
  • the second information includes the first random number
  • the embodiment of the present application may further include: the first device sends to the second device A challenge request message, the challenge request message carries the first random number; then, the first device receiving the first information encrypted by the first private key sent by the second device includes: the first device receiving the first information sent by the second device A response message, which carries the first information, and the first information includes a second random number; at this time, the first device performs matching verification on the first information and the locally stored second information, including: Perform matching verification on the first random number and the second random number.
  • the first random number can uniquely identify an authentication to the first device, and the random number is used for authentication to ensure that each authentication can be performed based on the random number generated this time, which can effectively prevent the information of the first device Is copied to prevent replay attacks.
  • the second information may also include first device identification information
  • the first information includes second device identification information
  • the first device identification information is used to uniquely identify the first device
  • the first device Performing matching verification on the first information and the locally stored second information may also include: performing matching verification on the first device identification information and the second device identification information.
  • the first device identification information is a first device ID
  • the second device identification information is a second device ID.
  • the first device has a response to the first information and the locally stored second information
  • Performing matching verification may also include: performing matching verification on the first device ID and the second device ID.
  • the first device identification information is the hash value of the first device ID
  • the second device identification information is the hash value of the second device ID.
  • Performing matching verification on the first information and the locally stored second information may also include: performing matching verification on the hash value of the first device ID and the hash value of the second device ID.
  • the first device ID is used to uniquely identify the first device.
  • the device ID in this embodiment of the application is a non-public ID that can uniquely identify the device.
  • the first device ID is a hardware unique key (English: Hardware Unique Key, which is defined when the first device leaves the factory).
  • HUK hardware unique key
  • the first device ID is obtained by processing the chip identification (English: die Identification, abbreviation: die ID) of the first device and the unique device identification (English: Unique Device Identification, abbreviation: UDI).
  • the decrypted second device ID or the hash value of the second device ID and other second device identification information The device identification information is verified, and the first device is guided to manage its use authority, so as to realize reliable and safe authentication of the first device.
  • the second information may also include target effective information
  • the first information includes actual usage information, where the actual usage information is used to characterize the authentication of the second device on the first device.
  • the first device to perform matching verification on the first information and the locally stored second information may also include: the first device verifies the actual usage information according to the target valid information to determine the first information Whether the second device can continue to be used to authenticate the first device.
  • the first device determines that the actual usage information has not reached the target effective information, it determines that the second device is valid for the first device and can continue to use the second device to authenticate the first device; otherwise, when the first device determines If the actual use information has reached the target effective information, it is determined that the second device is invalid for the first device, and the second device cannot be used to authenticate the first device.
  • the target effective information is the maximum number of times allowed to use the second device for authentication (for example: 5 times); or, the target effective information is the maximum time allowed to use the second device for authentication (for example: 20 hour). In this way, the actual use information carried in the first information is verified through the target effective information stored locally by the first device, guiding the first device to manage its use rights, and realizing reliable and safe authentication of the first device.
  • the first information may further include indication information, the indication information being used to indicate at least one of the following information: the time when the usage right is opened, the interface for opening the usage right, or the usage right is opened Operation.
  • the indication information may be sent by the first device to the second device in the challenge request message, or it may be corresponding indication information specified by the second device according to its own authentication range; it may also be the first device in the challenge request message.
  • the embodiments of the present application also provide a method for authenticating the use right of a first device.
  • This method is applied in a scenario that includes the first device and the second device, and the second device is the execution subject.
  • the right method may include, for example, the second device encrypts the first information by using a first private key stored locally, and sends the first information encrypted by the first private key to the first device, so as to The use authority of the first device is authenticated.
  • the authentication of the first device to be authenticated is realized, which overcomes the current situation of protecting the security of the first device by means of codebooks or exposed pads corresponding to the interface.
  • the potential safety hazards ensure the safer and more reliable protection of the first device to be authenticated.
  • the second device may refer to an authentication tool with an authentication function.
  • the first device may be any device to be authenticated, for example: it may refer to a network device or a single board, or for example: it may also refer to a debugging interface or a service interface on the device.
  • the authentication tool sends the first information encrypted by the first private key to the device where the debugging interface is located and decrypted by the first public key. After the verification is passed, the device where the debugging interface is located will open the The permission to use the debugging interface is for accessing and using the debugging interface.
  • the first private key and the first public key may be generated by the second device; or, the first private key and the first public key may also be configured by the authentication server for the second device.
  • the embodiment of the present application may further include: the second device receives the second public key of the authentication server sent by the authentication server, the first public key encrypted by the second private key, and the second public key encrypted by the second private key.
  • the first private key encrypted by the private key, the second private key corresponds to the second public key; then, the second device uses the second public key to encrypt the second private key
  • the first private key is decrypted to obtain the first private key;
  • the second device may also send the first public key encrypted by the second private key to the first device, so that The first device decrypts the first public key encrypted by the second private key based on the locally stored second public key to obtain the first public key.
  • the first information includes a first random number.
  • the embodiment of the present application may further include: the second device receives the challenge request message sent by the first device, The challenge request message carries the first random number; then, the second device sending the first information encrypted by the first private key to the first device may include: The first device sends a response message, and the response message carries the first random number encrypted by the first private key.
  • the first information may include first device identification information, and the first device identification information is used for identity verification by the first device.
  • the first device identification information is the first device identification ID or the hash value of the first device ID.
  • the embodiment of the present application may further include: the second device matches the first device ID with a locally stored second device ID corresponding to the first device verification.
  • the first information may also include the hash value of the first device ID.
  • the embodiment of the present application may further include: the hash value of the first device ID and the locally stored hash value of the first device ID. The hash value of the second device ID corresponding to a device is matched and verified.
  • the first device ID is a hardware unique key HUK defined when the first device leaves the factory, or the first device ID is processed according to the chip ID die ID of the first device and the unique device ID UDI owned.
  • the first information further includes target valid information, and the target valid information is used by the first device to determine whether the second device can continue to be used for authentication.
  • the embodiment of the present application may further include: The second device updates the actual usage information, and the actual usage information is used to characterize the current use of the second device authentication on the first device; then, the second device updates the information according to the target valid information. The subsequent actual use information is verified to determine whether the second device can continue to be used to authenticate the first device.
  • the target effective information is the maximum number of times that the second device is allowed to perform authentication, then the actual usage information is the actual number of times the first device uses the second device for authentication until the current time;
  • the target valid information is the maximum time allowed to use the second device for authentication, then the actual usage information is the actual usage time from the timing start time of the target valid information to the current moment.
  • the first information may further include indication information, the indication information being used to indicate at least one of the following information: the time when the usage right is opened, the interface for opening the usage right, or the usage right is opened Operation.
  • this application also provides a first device, including a transceiver unit and a processing unit.
  • the transceiving unit is used to perform the transceiving operations in the method provided in the above first aspect; the processing unit is used to perform other operations in addition to the transceiving operations in the above first aspect.
  • the transceiving unit is used to receive the first information encrypted by the first private key sent by the second device; the processing unit is used to The first public key is decrypted to obtain the first information.
  • the processing unit is also used to perform matching verification on the first information and the locally stored second information to obtain a verification result, and the processing unit is further used to obtain the verification result according to the verification result. , To determine the use permission of the first device.
  • an embodiment of the present application also provides a second device, and the second device includes a transceiver unit and a processing unit.
  • the transceiving unit is used to perform the transceiving operation in the method provided in the above second aspect; the processing unit is used to perform other operations in addition to the transceiving operation in the above second aspect.
  • the transceiving unit is configured to send the first information encrypted by the first private key to the first device; the processing unit It is used to encrypt the first information by using the first private key stored locally.
  • an embodiment of the present application also provides a first device, including a communication interface and a processor.
  • the communication interface is used to perform the transceiving operation in the method provided in the foregoing first aspect;
  • the processor is used to perform other operations except the transceiving operation in the method provided in the foregoing first aspect.
  • an embodiment of the present application also provides a second device, including a communication interface and a processor.
  • the communication interface is used to perform the transceiving operation in the method provided in the foregoing second aspect;
  • the processor is used to perform other operations in the method provided in the foregoing second aspect except for the transceiving operation.
  • an embodiment of the present application further provides a first device, and the first device includes a memory and a processor.
  • the memory is used to store program code; the processor is used to run instructions in the program code, so that the first device executes the method provided in the first aspect above.
  • an embodiment of the present application also provides a second device, the second device including a memory and a processor.
  • the memory is used to store program code; the processor is used to run instructions in the program code, so that the first device executes the method provided in the second aspect above.
  • the embodiments of the present application also provide a computer-readable storage medium that stores instructions in the computer-readable storage medium, which when run on a computer, causes the computer to execute the first aspect or the second aspect above.
  • the authentication method provided by the aspect is not limited to:
  • the embodiments of the present application also provide a computer program product, which when running on a computer, causes the computer to execute the authentication method provided in the first or second aspect.
  • an embodiment of the present application also provides a communication system, which includes the first device provided in the third, fifth, or seventh aspect and the fourth, sixth, or first device provided in the third, fifth, or seventh aspect.
  • the second device provided by the eighth aspect.
  • FIG. 1 is a schematic diagram of a network system framework involved in an application scenario in an embodiment of this application;
  • FIG. 2 is a schematic diagram of the authentication process of the device 12 in the scenario of FIG. 1 in an embodiment of the application;
  • FIG. 3 is a schematic flowchart of an authentication method 100 in an embodiment of this application.
  • FIG. 4 is a schematic flowchart of an authentication method 200 in the scenario of FIG. 1 in an embodiment of this application;
  • FIG. 5 is a schematic flowchart of an authentication method 300 in an embodiment of this application.
  • FIG. 6 is a schematic flowchart of a method 400 for authenticating the use right of a first device in an embodiment of this application;
  • FIG. 7 is a schematic structural diagram of a first device 700 in an embodiment of this application.
  • FIG. 8 is a schematic structural diagram of a second device 800 in an embodiment of this application.
  • FIG. 9 is a schematic structural diagram of a first device 900 in an embodiment of this application.
  • FIG. 10 is a schematic structural diagram of a second device 1000 in an embodiment of this application.
  • FIG. 11 is a schematic structural diagram of a first device 1100 in an embodiment of this application.
  • FIG. 12 is a schematic structural diagram of a second device 1200 in an embodiment of this application.
  • FIG. 13 is a schematic structural diagram of a communication system 1300 in an embodiment of this application.
  • Some important information (for example: hard disk data of the device) is generally stored on the device. This important information is critical to the safety of the device, and certain protective measures need to be taken to ensure the safety of this important information.
  • the device is usually authenticated by a codebook.
  • One or more passwords are preset on the device, and multiple passwords are stored in the codebook.
  • the debugging personnel, operation and maintenance Designated personnel such as personnel, production personnel, enter the password in the codebook into the device, and the device will match the entered password with the preset password.
  • the match is successful, it will be regarded as the authentication of the device passed, and the device will be opened.
  • the use authority corresponding to the successfully matched password so that the corresponding important information can be accessed through the open use authority.
  • the cipher book is controlled by a small number of designated personnel, which can ensure the security of important information stored on the device to a certain extent, the storage, transmission and matching of the cipher book are all in plain text, and the designated personnel with the authority of the cipher book It is more complicated, and it is very easy to leak the password in the codebook by manual management.
  • the method of using the codebook to authenticate the device has low security.
  • the hardware data of a Microsoft notebook is usually encrypted and protected by a two-level key, that is, encrypted by a full volume encryption key (English: Full Volume Encryption Key, abbreviated as: FVEK), and encrypted by a volume master key (English: Volume Master Key).
  • FVEK Full Volume Encryption Key
  • VMK volume master key
  • TPM Trusted Platform Module
  • the attacker It is easy to identify the LPC interface of the exposed TPM, and connect the interface to the logic analyzer through a jumper to directly obtain the VMK, thereby cracking the FVEK encrypted by the VMK, and then cracking the hard disk encrypted by the FVEK Data seriously endangers the safety of the laptop.
  • the embodiment of the present application provides an authentication method.
  • the first device needs to be authenticated.
  • the corresponding usage rights on the first device can be opened for the user to access the first device. Safely access or use the first device within the scope of the open use authority.
  • the first device to be authenticated locally stores the second information and the first public key.
  • the authentication process may specifically include: the first device to be authenticated sends the first device to a second device with authentication function such as an authentication tool.
  • Second information for the second device, the first information sent by the first device is received (the first information may be the same as the second information, or may be different from the second information), based on the first private key pair received
  • the information is encrypted, and the first information encrypted by the first private key is sent to the first device; the first device decrypts according to the first public key to obtain the first information, and the first information and the locally stored first information
  • the second information is matched and verified to obtain a verification result, and then the use authority of the first device is determined according to the verification result.
  • the authentication of the first device to be authenticated is realized, which overcomes the current situation of protecting the security of the first device by means of codebooks or exposed pads corresponding to the interface.
  • the potential safety hazards ensure the safer and more reliable protection of the first device to be authenticated.
  • the network includes: an authentication tool 11 and a device 12.
  • the authentication tool 11 may be a physical entity designed by the manufacturer of the device 12 to authenticate the device 12 that it leaves the factory.
  • the authentication tool 11 stores the private key a locally, and uses the private key a as information. Encryption function.
  • the device 12 can be any device that needs to be authenticated.
  • the device 12 can be a network device such as a router or a switch, a terminal device such as a mobile phone, a laptop, etc., a mobile storage device such as a USB flash drive, or a debugging device. Interface, service interface or single board.
  • the scenario shown in FIG. 1 may also include a certificate authority (English: Certificate Authority, abbreviated as: CA) server 13 for allocating public and private keys to authentication tools to improve the security level of the authentication scenario.
  • CA Certificate Authority
  • the authentication tool 11 stores the private key a in the local secure storage area
  • the device 12 stores the public key A in the local secure storage area
  • the private key a corresponds to the public key A.
  • the authentication process for the device 12 is shown in Fig. 2, which may include: S11, the device 12 generates a random number 1; S12, the device 12 carries the random number 1 in the challenge request message and sends it to the authentication tool 11.
  • the authentication tool 11 uses the private key a to encrypt the received random number 2 (which can be consistent with the random number 1, or inconsistent with the random number 1) to obtain X; S14, the authentication tool 11 carries X in The response message is sent to the device 12; S15, the device 12 uses the public key A to decrypt X to obtain the random number 2; S16, the device 12 compares the random number 1 and the random number 2. If the two are the same, it means that the device 12’s The authentication passed this time, otherwise, it means that the authentication of the device 12 failed this time. In this way, more secure protection of the authentication device 12 is realized.
  • the above-mentioned public key A and private key a can be generated by the authentication tool 11 itself, or distributed by the CA server 13 for the authentication tool 11, which can be specifically determined according to the security requirements of the device 12.
  • the CA server 13 for the authentication tool 11, which can be specifically determined according to the security requirements of the device 12.
  • the CA server 13 may be an offline server relative to the authentication tool 11 and the device 12, requiring a user (for example, a manager of the device 12) to configure the authentication tool 11 and the device 12 through a secure production environment device as a medium;
  • the CA server 13 may also be an online server, which can directly pass the connection established between the CA server 13 and the authentication tool 11 and the connection established between the CA server 13 and the device 12 Connect to interact, no need to be transferred by the user.
  • the local secure storage area of the device in the embodiment of the present application refers to a storage area in the local storage area of the device that cannot be easily accessed or tampered with.
  • the secure storage area can be the one-time programmable memory of the device (English: One-Time Programmable, abbreviated as OTP), and for example: the secure storage area can also be the electrical fuse of the device (English: electrical FUSE, abbreviated as: eFUSE) ), because the content stored in the secure storage area such as OTP or eFUSE cannot be changed, the local secure storage area of the device can store important information reliably and securely.
  • the local secure storage area of the authentication tool 11 can be reliable and secure.
  • the local secure storage area of the device 12 can save the public key A reliably and securely.
  • FIG. 3 is a schematic flowchart of an authentication method 100 in an embodiment of this application.
  • the method 100 is applied to a network including a device 1 and a device 2, where the device 1 has a public key 1 stored in advance.
  • the method 100 can be executed first to authenticate the device 1.
  • the method 100 can be applied to the network shown in FIG. 1, the device 1 can be the device 12, and the device 2 can be the authentication tool 11.
  • the method 100 may include the following S101 to S106, for example:
  • S101 Device 2 receives information 1 sent by device 1.
  • device 2 refers to the physical entity used to authenticate the device 1 to be authenticated, also known as an authentication tool, used to authenticate the device to be authenticated, and determine whether to open the right to use the device to be authenticated .
  • the device 2 may include an authentication interface, which is used to establish a connection with the device 1 to be authenticated.
  • the authentication interface may be a wired interface, such as a universal serial bus (English: Universal Serial Bus, abbreviated as: USB) interface or Joint Test Action Group (English: Joint Test Action Group, JTAG for short) interface; or, the authentication interface may also be a wireless interface, such as Bluetooth.
  • Device 1 refers to the device to be authenticated.
  • the device to be authenticated can be a network device, such as a switch, a router, or a terminal device, such as a mobile phone, a laptop, or a mobile storage device.
  • a device, such as a USB flash drive can also be an interface, such as a debugging interface, a service interface, or a single board.
  • Information 1 may include: random number 2 received by device 2.
  • the device 1 When the device 1 needs to perform authentication, it can generate the random number 1 corresponding to the second authentication, and save the random number 2 in the local secure storage area of the device 1.
  • the random number 1 can uniquely identify an authentication to device 1, and use random numbers for authentication to ensure that each authentication can be performed based on the random number generated this time, which can effectively prevent the information of device 1 from being copied. Replay attack.
  • device 1 may send a challenge request message to device 2, and the challenge request message carries the random number 1.
  • S102 may specifically be: device 2 receives the challenge request message and obtains a random number from it. Number 2, it is understandable that if the challenge request message is correct in the transmission process, random number 2 and random number 1 are consistent, otherwise, random number 2 may also be inconsistent with random number 1.
  • the information 1 may also include: the device identification information 2 corresponding to the device 1 received by the device 2, and the device identification information 2 may be used to uniquely identify the device 1.
  • the device identification information 2 may be a device identification (English: Identification, abbreviation: ID) 2 or a hash value of the device ID2.
  • the device 1 stores the device ID1 or the hash value of the device ID1 of the device 1.
  • the device ID1 can be an identifier that can uniquely identify the device 1.
  • the hash value of the device ID1 is the hash obtained by the hash calculation of the device ID1 value.
  • the device ID1 may be a non-public identification of the device 1 to the outside.
  • the device ID1 can be the hardware unique key (English: Hardware Unique Key, abbreviated as HUK) defined when the device 1 leaves the factory; for another example: the device ID1 can also be a unique device identification based on the device 1 (English: Unique Device) Identification (abbreviation: UDI) and the identification obtained by the chip identification (English: die Identification, abbreviation: die ID) in the device 1.
  • UDI Unique Device Identification
  • die ID chip identification
  • the use of device ID1 or the hash value of device ID1 for authentication can effectively control the authentication authority of device 2. That is, after an attacker or user obtains the public key, they can only attack or use device 1, but cannot use this
  • the public key authenticates other devices and develops corresponding usage rights, minimizing security risks and improving the security protection of devices.
  • the information 1 may also include target valid information, which is used by the device 1 to determine whether the device 2 can continue to be used for authentication.
  • the target validity information may specifically be the maximum number of times allowed to use device 2 for authentication (for example: 5 times), or the maximum time allowed to use device 2 for authentication (for example: 1 day), so as to refer to the validity of the target
  • the information limits the effective use times or duration of the device 2 so that the device 2 is controlled to be used within a safe range.
  • the information 1 may also include indication information, which is used to indicate at least one of the following information: the time when the use authority is opened (for example: the time when the use authority is opened It can be accessed within 2 hours), interfaces with open access rights (for example: open 3 debugging interfaces on device 1, or open debug interface 1 and debugging interface 2 on device 1) or open access operations (for example : Allow read operation on device 1, or allow write operation on device 1).
  • indication information is used to indicate at least one of the following information: the time when the use authority is opened (for example: the time when the use authority is opened It can be accessed within 2 hours), interfaces with open access rights (for example: open 3 debugging interfaces on device 1, or open debug interface 1 and debugging interface 2 on device 1) or open access operations (for example : Allow read operation on device 1, or allow write operation on device 1).
  • device 1 may not specify the authentication scope, that is, the indication information is not included in information 1, and the authentication scope is configured by device 2, or no configuration is performed. After the authentication is
  • the private key 1 is pre-stored in the local secure storage space of the device 2, and the device 2 establishes a connection with the device 1 through its authentication interface.
  • device 1 may send a challenge request message to device 2, and the challenge request message received by device 2 carries information 1.
  • the challenge request message may only include the content of the challenge request message itself.
  • the challenge request message includes: challenge type, key type, key number, and challenge field length
  • information 1 only includes: challenge type , Key type, key number, and challenge field length.
  • the challenge type is predefined by device 1 and device 2 and used to indicate the role of the challenge request message. For example, when the value of the challenge type field is 0x5AAA555A, it means that the challenge request message is used to indicate the authentication of device 1 .
  • the key classification is used to indicate the type of the key pair currently used. For example, when the value of the key classification field is 0x07, it means that the authentication key pair is currently used.
  • the key classification field is 0x09, which means that the remote attestation key pair is currently being used.
  • the key number is used to indicate the specific key pair currently in use, that is, the key pair corresponding to the public key 1 stored locally.
  • the authentication key pair can include 16 key pairs, which are allocated to different products. Or when different interfaces are used to prevent a certain key pair from being leaked, another key pair can be allowed to be used, and the impact range will not be too large.
  • the length of the challenge field can be used for signal verification to prevent problems such as loss of information sent during the transmission of the challenge request message.
  • the challenge request message can also add a field to carry at least one of the random number 1, the device ID1, and the hash value of the device ID1.
  • the Information 1 not only includes the content of the challenge request message itself, but also includes at least one of the random number 2, the device ID2, and the hash value of the device ID2.
  • device 1 sends the challenge request message to device 2 and device 2 receives the challenge request message, no error occurs, then random number 2 is consistent with random number 1, device ID2 is consistent with device ID1, and device ID2
  • the hash value of is the same as the hash value of device ID1.
  • the information 1 not only includes the content of the challenge request message itself, It also includes indication information or target valid information; or, on this basis, information 1 may also include: at least one of a random number 2, a device ID2, and a hash value of the device ID2.
  • device 1 sends a challenge request message to device 2 to instruct device 2 to perform authentication for device 1.
  • device 2 After receiving the challenge request message, device 2 obtains information 1 by parsing the challenge request message, which provides a data basis for device 1 authentication.
  • the device 2 encrypts the information 1 according to the private key 1.
  • the private key 1 is a private key stored in the local secure storage space of the device 2 and is used to encrypt the information 1 received by the device 2 when the device 1 is authenticated.
  • the device 2 can use the public and private key generated by itself to authenticate the device 1. Then, the private key 1 can be generated by the device 2 based on an internal algorithm and stored locally. In this example, the device 2 also needs to send the public key 1 corresponding to the private key 1 to the device 1 before performing the following S105, so that the device 1 saves the public key 1 in the local secure storage space.
  • information 1 when information 1 includes the content of the challenge request message itself and random number 2, information 1 may specifically include: the challenge type encrypted by the private key 1, the random number encrypted by the private key 1, the key type encrypted by the private key 1, The key number encrypted by private key 1 and the length of the challenge field encrypted by private key 1.
  • device 2 in order to improve the security level, can also apply for a public-private key pair from device 3 to authenticate device 1. Then, the private key 1 can be assigned by device 3 to device 2. Private key.
  • the device 3 may be, for example, an authentication server with a high security level such as a CA server.
  • the process of sending a public-private key pair from device 3 to device 2 may include, for example: S21, device 2 sends a request message to device 3 for requesting device 3 to send a public-private key pair for authenticating device 1; S22: In response to the request message, device 3 determines the private key 1 and corresponding public key 1 to be sent to device 2, and, in order to further improve security, device 3 uses its own private key 2 to combine private key 1 and public key 1 is encrypted; S23, device 2 receives the private key 2 sent by device 3, and the corresponding public key 2; S24, device 2 receives the private key 2 sent by device 3, encrypted private key 1 and private key 2 encrypted public key 1; S25 , The device 2 uses the public key 2 to decrypt the private key 1 encrypted by the private key 2 to obtain the private key 1, and save the private
  • the device 1 locally pre-stores the public key 2 corresponding to the private key 2 on the device 3, so that during subsequent authentication, the device 2 sends the public key 1 encrypted by the private key 2 to the device 1, and the device 1 uses the locally stored public key 2
  • the public key 2 decrypts the public key 1 encrypted by the private key 2, and saves the public key 1 obtained after decryption locally to provide a data basis for authentication.
  • device 3 can send public key 2, private key 1 encrypted by private key 2, and public key 1 encrypted by private key 2 to
  • the mode of the device 2 can be determined according to whether the device 3 is an offline server or an online server.
  • the user can copy public key 2 from device 3 through a secure production environment device, and configure public key 2 to device 1 through the secure production environment device; 3
  • the device 3 can directly send the public key 2 to the device 1 through the connection established between the two.
  • the device 3 is offline relative to the device 2, the user can submit the above request message on the device 3.
  • the user copies the public key 2 and the private key encrypted by the private key 2 from the device 3 through a secure production environment device
  • public key 1 encrypted by 1 and private key 2 configure public key 2, private key 1 encrypted by private key 2 and public key 1 encrypted by private key 2 to device 2 through a secure production environment device; when device 3 is opposite When the device 2 is online, the device 3 can directly send the public key 2, the private key 1 encrypted by the private key 2 and the public key 1 encrypted by the private key 2 to the device 2 through the connection established between the two.
  • the device 3 can carry the public key 2, the private key 1 encrypted by the private key 2, and the public key 1 encrypted by the private key 2, in a message, and feed it back to the device 2.
  • the device 3 can carry the public key 2 in one message, carry the private key 1 encrypted by the private key 2 and the public key 1 encrypted by the private key 2 in another message, and feed them back to Equipment 2.
  • the device 2 can also store locally a list of device identification information responsible for authentication, and all the devices identified in the list can be the objects of the device 2 authentication. After device 2 receives information 1, it can first perform matching verification on the device identification information 2 with the locally saved device identification information list, if it matches, execute S102, otherwise, it is determined that device 1 is not the target of device 2 authentication , Suspend this authentication.
  • S102 may include the device ID2 or the device ID2.
  • the information 1 with the hash value of is encrypted and sent to the device 1, so that different devices 1 can determine whether to authenticate themselves based on the device ID or the hash value of the device ID in the received encrypted information 1; or , S102 can also remove the device ID2 or the hash value of the device ID2 in the information 1, and then encrypt the remaining information 1 and send it to the device 1. That is, the information 1 does not include the device ID 2 or the device encrypted by the private key 1 The hash value of ID2.
  • the device 2 can also store actual effective information locally, and the actual effective information is used to characterize the current use of the device 2 to authenticate the device 1. After device 2 receives information 1, it can update the actual use information first, and then perform matching verification on the target effective information and the updated actual use information. If they match (that is, the actual use information of device 2 does not reach the target effective information), S102 is executed, otherwise, it is determined that the device 2 is invalid and the device 1 cannot be authenticated. After the device 2 fails, the manufacturer of the device 1 can reset the actual valid information of the device 2 to restore the authentication function of the device 2 to the device 1.
  • the target effective information is the maximum number of times that device 2 is allowed to perform authentication (for example: 5 times)
  • the actual use information is the actual number of times that device 1 has used device 2 to perform authentication (for example: 3). Times)
  • device 2 receives information 1 again it can add one to the actual number of uses, and determine whether the new actual number of uses is less than or equal to the target effective information, if so, execute S102, otherwise, stop using device 2 Device 1 authenticates and prompts that device 2 is invalid.
  • the target valid information is the longest time allowed to use the device 2 for authentication (for example: 24 hours)
  • the actual usage information is from the timing start time of the target valid information to the current time
  • the actual use time for example: 10 hours
  • the device 2 receives information 1 it can update the actual use time to the time elapsed from the timing start time of the target effective information to the current time (for example, : 12 hours), and judge whether the new actual use time reaches the target effective information, if not, execute S102, if yes, stop using the device 2 to authenticate the device 1 and prompt the device 2 to be invalid.
  • S102 may encrypt the message 1 including the target valid information and send it to the device 1; or, in S102, after removing the target valid information in the message 1, the The remaining information 1 is encrypted and sent to the device 1, that is, the information 1 does not include the target effective information encrypted by the public key 1.
  • the information 1 can also carry the updated actual usage information in the information 1 and send it to the device 1, so that the device 1 can reconfirm whether the device 2 is valid based on the actual usage information and the target valid information stored locally.
  • device 2 can encrypt information 1 including instruction information and send it to device 1; or, if information 1 includes instruction information, device 2 can also store its responsible counterpart locally. Device 1 performs the authentication range of authentication. Then, after device 2 receives information 1, it can first match and verify the indication information with the authentication range of device 1 stored locally, and then correspond to the matched authentication range The instruction information is encrypted based on the private key 1 and then sent to the device 1 as part of the information 1.
  • the device 2 locally stores the authentication scope that it is responsible for authenticating the device 1, Then, after device 2 receives information 1, it can encrypt the indication information corresponding to the authentication scope stored locally based on private key 1 and then send it to device 1 as a part of information 1; or, if information 1 does not include indication information , And device 2 does not store the authentication scope responsible for authenticating device 1 locally, then S102 can be executed directly, and the instruction information is not included in message 1, and device 1 can open device 1’s default settings according to its default settings. Use permissions.
  • S103 The device 2 sends the information 1 encrypted by the private key 1 to the device 1.
  • S104 The device 1 receives the information 1 encrypted by the private key 1 sent by the device 2.
  • device 2 may carry information 1 in a response message corresponding to the challenge request message and send it to device 1.
  • the device 2 may use the public key 1 encrypted by the private key 2 and the encrypted content of the information 1 as the information 1 at the same time, and send it to the device 1 in a response message.
  • information 1 encrypted by private key 1 may specifically include: public key encrypted by private key 2, challenge type encrypted by private key 1, and encryption by private key 1.
  • the random number 2 the key type encrypted by private key 1, the key number encrypted by private key 1, and the length of the challenge field encrypted by private key 1.
  • the device 2 may also separately send the public key 1 encrypted by the private key 2 to the device 1, and carry the information 1 in the response message and send it to the device 1.
  • the information 1 encrypted by the private key 1 may specifically include: the challenge type encrypted by the private key 1, the device ID encrypted by the private key 1, and the secret encrypted by the private key 1.
  • the device 2 sends the public key 1 encrypted by the private key 2 to the device 1 through a message other than the message of the transmission information 1.
  • the information 1 encrypted by the private key 1 in the response message may specifically include: the challenge type encrypted by the private key 1, the key type encrypted by the private key 1, and the private key 1 encrypted The length of the challenge field encrypted by the key number and private key 1.
  • the information 1 encrypted by the private key 1 in the response message may specifically include: the challenge type encrypted by the private key 1, the random number encrypted by the private key 1, 2, the private key 1Encrypted key type, private key 1 encrypted key number, and private key 1 encrypted challenge field length.
  • the information 1 encrypted by private key 1 in the response message may specifically include: encrypted by private key 1 Challenge type, identification information 2 encrypted by private key 1 (for example: device ID 2 encrypted by private key 1 or hash value of device ID 2 encrypted by private key 1), key type encrypted by private key 1, and secret encrypted by private key 1.
  • the information 1 encrypted by the private key 1 in the response message may specifically include: the challenge type encrypted by the private key 1, the instruction information encrypted by the private key 1, and the private key 1 encryption The key type, the key number encrypted by private key 1, and the length of the challenge field encrypted by private key 1.
  • information 1 may also include one or more of random number 2, device identification information 2, and indication information.
  • indication information, random number 2 and device identification information 2 the information 1 encrypted by private key 1 in the response message may specifically include: challenge type encrypted by private key 1, private key 1 encrypted random number 2, private key 1 encrypted device identification information 2, private key 1 encrypted instruction information, private key 1 encrypted key type, private key 1 encrypted key number, and private key 1 encrypted challenge field length.
  • device 2 sends a response message to device 1.
  • device 1 parses the response message to obtain information 1 encrypted by device 2 with its private key 1, which provides data for authenticating device 1 basis.
  • S105 Device 1 performs decryption according to public key 1 to obtain information 1.
  • the device 1 compares the information 1 with the locally stored information 2 to obtain a verification result, and determines the use right of the device 1 according to the verification result.
  • the decrypted information 1 by the device 1 may include: challenge type, key type, key number, and challenge field length.
  • S106 may specifically be: if the device 1 locally stores the content of the challenge request message itself, then the decrypted content of the challenge request message itself can be compared with the content of the challenge request message itself stored locally.
  • S105 to S106 may specifically be: as long as the public key 1 is used By decrypting to obtain information 1, it can be determined that the authentication of the device 1 is passed and the use right of the device 1 is opened; otherwise, it is determined that the authentication of the device 1 has failed.
  • information 1 includes the content of the challenge request message itself and random number 2
  • the information 1 decrypted by device 1 may include: challenge type, random number 2, key type, key number, and challenge field length .
  • device 1 judges whether the random number 1 stored locally and the random number 2 in the information 1 are consistent, if they are consistent, it determines that the use authority of device 1 is opened; otherwise, it determines that device 1 authenticates. Right to fail.
  • information 1 includes the content of the challenge request message itself and device identification information 2
  • the information 1 decrypted by device 1 may include: challenge type, device identification information 2, key type, key number, and challenge The length of the field.
  • it can specifically be: Device 1 determines whether the locally stored device identification information 1 and the device identification information 2 in the information 1 are consistent, if they are consistent, then the use authority of the device 1 is opened, otherwise, the device is determined 1Authentication failed.
  • the information 1 decrypted by the device 1 may include: challenge type, indication information, key type, key number, and challenge field length.
  • the instruction information obtained after decryption can be compared with the instruction information stored locally, and if they are consistent, the device 1’s information is opened according to the instruction information. Use permission, otherwise, it is determined that the authentication of device 1 has failed; or, if device 1 does not store the indication information locally, the indication information can be regarded as the authentication range configured by device 2 for device 1.
  • S105 to S106 may specifically be: As long as the public key 1 is used to decrypt the information 1, it can be determined that the authentication of the device 1 is passed, and the use authority of the device 1 is opened according to the instruction information; otherwise, it is determined that the authentication of the device 1 has failed.
  • the information 1 may also include one or more of the random number 2, the device identification information 2, and the indication information.
  • the information 1 includes the content of the challenge request message itself, the instruction information, the random number 2 and the identification information 2, for S106, it can be specifically: the device 1 judges the random number 1 stored locally and the random number in the information 1 2 Whether they are consistent, if they are inconsistent, it is determined that the authentication of device 1 has failed; if they are consistent, continue to determine whether the locally stored device identification information 1 and the device identification information 2 in the information 1 are consistent, if they are inconsistent, determine the device 1 Authentication failed; if they are consistent, take the indication information carried in the challenged request message stored locally in device 1 as an example, continue to compare whether the indication information obtained after decryption is consistent with the indication information stored locally, if they are inconsistent, determine the device 1 The authentication fails; if they are consistent, the use authority of the device 1 is opened according to the instruction information and the device identification information
  • Device 1 can be a network device or a single board. Taking Device 1 as a network device as an example, as an example, when the results of the comparison processes in S106 are consistent, the network device opens the use rights of all interfaces on it; or, when When the results of the comparison processes in S106 are inconsistent, the network device does not open the use right of any interface on it. As another example, the information 1 also carries indication information, such as a debugging interface ID.
  • the network device can open the corresponding usage rights according to the indication information, for example: Open the use right of the debugging interface corresponding to the debugging interface ID; or, when the results of the comparison processes in S106 are inconsistent, the network device does not open the use right of any interface on it.
  • Device 1 can also refer to a debugging interface or service interface on a certain device.
  • the device can open the corresponding debugging interface or service interface on it.
  • the device may not open the use right of the debugging interface or the service interface.
  • device 3 for the scenario where device 3 configures a public-private key pair for device 2 with a higher security level, device 3, as an absolutely secure device, also has the ability to update device 3’s own public and private keys and revoke the allocation for device 2
  • the ability of public and private keys makes it more flexible and controllable to use device 2 as an authentication tool to authenticate device 1.
  • the device 3 determines that its public key 2 and private key 2 are not sufficiently secure, and there may be a certain security risk, it is determined that the public key 2 and the private key 2 are invalid.
  • the embodiment of the present application may further include: S31, the device 3 Enable private key 4 and corresponding public key 4; S32, device 3 uses private key 4 to encrypt public key 1 and private key 1 respectively; S33, device 3 uses public key 4 and private key 4 to respectively encrypt public key 1 And using private key 4 to configure private key 1 to device 2; S34, device 2 uses public key 4 to decrypt private key 1 using private key 4 to obtain private key 1 and save it in the local secure storage space of device 2 In; S35, device 1 sends a challenge request message to device 2; S36, device 2 sends a response message 1 to device 1, the response message 1 at least includes: challenge type, public key 4, key type, key number and challenge The field length.
  • the device 3 determines that the public key 1 and the private key 1 allocated to the device 2 are not secure enough and there may be a certain security risk, it is determined that the public key 1 and the private key 1 are invalid.
  • the embodiment of the application may also Including: S41, device 3 redistributes private key 3 and corresponding public key 3 for device 2; S42, device 3 uses private key 2 to encrypt public key 3 and private key 3 respectively; S43, device 3 encrypts public key 2, Use private key 2 to separately configure public key 3 and private key 2 to private key 3 to device 2; S44, device 2 uses public key 2 to decrypt private key 3 using private key 2 to obtain private key 3 and Save it in the local secure storage space of device 2. In this way, the device 3 realizes the revocation and update of the public key and the private key used for authentication on the device 2, so that the device 2 can authenticate the device 1 more securely and reliably.
  • device 3 determines that its public key 2 and private key 2 are not secure enough, and the public key 1 and private key 1 allocated by device 3 to device 2 are also not secure enough, there may be a certain security risk, determine the The public key 2, the private key 2, the public key 1, and the private key 1 are all invalid.
  • the embodiment of this application may also include: S51, the device 3 activates the user private key 4 and the corresponding public key 4, and redistributes the private key for the device 2 3 and the corresponding public key 3; S52, device 3 uses private key 4 to encrypt public key 3 and private key 3 respectively; S53, device 3 uses public key 4 and private key 4 to public key 3 and private key respectively 4 Configure the private key 3 to the device 2 respectively; S54, the device 2 uses the public key 4 to decrypt the private key 3 with the private key 4 to obtain the private key 3 and save it in the local secure storage space of the device 2; S55, Device 1 sends a challenge request message to device 2; S56, device 2 sends a response message 2 to device 1, and the response message 2 includes at least: challenge type, public key 4, key type, key number, and challenge field length.
  • the value of the challenge type field in response message 2 is used to instruct device 1 to update the public key corresponding to device 3 saved on it; S57, device 1 deletes public key 2 or sets public key 2 as a prohibited public key, and Corresponding to save the public key 4.
  • device 3 can update the public key saved on device 1, and revoke and update the public and private keys used for authentication on device 2, so that device 2 can perform more secure and reliable operations on device 1. Authentication.
  • the device 1 to be authenticated sends information 2 to the device 2 with authentication function such as an authentication tool; the device 2 performs the authentication on the received information 1 based on the private key 1. Encrypt and send the information 1 encrypted with the private key 1 to the device 1. The device 1 decrypts the information according to the public key 1 to obtain the information 1. By comparing the information 1 and the locally stored information 2, the use authority of the device 1 is determined. In this way, through the encryption and decryption technology and the device 2 dedicated to authenticating the device 1, the device 2 can authenticate the device 1 to be authenticated, which overcomes the current protection of the device through the codebook or the exposed pad of the interface. 1 The hidden safety hazards that exist during security ensure that the protection of the device 1 to be authenticated is safer and more reliable.
  • the authentication process of the method 200 in this embodiment may include, for example:
  • S201 The user 14 submits a request message on the CA server 13, and the request message is used to request the CA server 13 to allocate a public and private key to the authentication tool 11.
  • the user 14 may also be a safe production line automation equipment that automatically performs all operations performed by the user 14.
  • the CA server 13 generates a private key b and a corresponding public key B for the authentication tool 11.
  • the CA server 13 uses its own private key d to encrypt the private key b and the public key B respectively.
  • the CA server 13 configures the public key D corresponding to the private key d to the switch through the user 14.
  • the CA server 13 configures the public key D, the private key b encrypted by the private key d, and the public key B encrypted by the private key d to the authentication tool 11 through the user 14.
  • the authentication tool 11 uses the public key D to decrypt the private key b encrypted by the private key d, and obtains and saves the private key b.
  • the switch sends a challenge request message 1 to the authentication tool 11.
  • the challenge request message 1 carries a random number X1.
  • the authentication tool 11 uses the locally stored private key b to encrypt the information in the challenge request message 1, and generates a response message 1 including X2 encrypted by the private key b, where X2 is the random number received by the authentication tool 11 .
  • the authentication tool 11 sends the public key B encrypted with the private key d to the switch.
  • S212 The switch uses the public key D stored locally to decrypt the public key B encrypted with the private key d, and obtains and saves the public key B.
  • S213 The switch uses the public key B to decrypt the information in the response message 1 to obtain X2, which is obtained by the public key B decrypting X2 encrypted with the private key b.
  • S214 The switch compares whether X2 and the locally stored random number X1 are consistent, if they are consistent, execute S215, otherwise, execute S216.
  • S216 The switch determines to suspend the authentication process, and reports an authentication error to the CA server 13.
  • the authentication tool is implemented through the interaction between the encryption and decryption technology, the CA server 13, a server with a higher security level, and the authentication tool 11 that is specifically used to authenticate the switch, and the switch. 11
  • the management of the use authority of the debugging interface 12 on the switch realizes more secure protection of the key interface on the switch.
  • FIG. 5 shows a schematic flowchart of an authentication method 300 in an embodiment of the present application.
  • the method 300 is applied in a scenario that includes a first device and a second device, and the first device is the execution subject.
  • the authentication method 300 For example, it can include:
  • S301 Receive the first information encrypted by the first private key and sent by the second device.
  • S302 Decrypt according to the first public key to obtain the first information, where the first public key corresponds to the first private key;
  • S304 Determine the use right of the first device according to the verification result.
  • the first device can be device 1 in method 100, then the second device is device 2 in method 100, the first private key is private key 1 in method 100, and the first public key is public key in method 100.
  • Key 1 the first information is information 1 in method 100, and the second information is information 2 in method 100.
  • the first device may also be the debugging interface 12 of the switch in the method 200, then the second device is the authentication tool 11 in the method 200, the first private key is the private key b in the method 200, and the first public key
  • the first information includes the random number X2 encrypted by the private key b in the method 100
  • the second information includes the random number X1 in the method 100.
  • the first device opens the corresponding use right, and when the verification result indicates that the verification fails, the first device does not open the corresponding use right.
  • the encryption and decryption technology and the second device with authentication function the authentication of the first device to be authenticated is realized, which overcomes the current situation of protecting the security of the first device by means of codebooks or exposed pads corresponding to the interface.
  • the potential safety hazards ensure the safer and more reliable protection of the first device to be authenticated.
  • the first device may be any device to be authenticated, for example, it may refer to a network device or a single board, or for another example, it may also refer to a debugging interface or a service interface on the device.
  • the second device may refer to an authentication tool with an authentication function.
  • the authentication tool sends the first information encrypted by the first private key to the device where the debugging interface is located and decrypted by the first public key. After the verification is passed, the device where the debugging interface is located will open the The permission to use the debugging interface is for accessing and using the debugging interface.
  • the first private key and the first public key may be generated by the second device; or, the first private key and the first public key may also be configured by the authentication server for the second device.
  • the method 300 may further include: the first device receives the first public key encrypted by the second private key of the authentication server sent by the second device; and the first device uses the second public key of the authentication server stored locally. Key to decrypt the encrypted first public key to obtain the first public key. In this way, encrypting the first public key by a server with a higher security level, which is the authentication server, is more secure and reliable than storing the first public key directly on the first device.
  • the second information may include the first random number.
  • the method 300 may further include: sending a challenge request message to the second device, where the challenge request message carries the first random number; then, S301 may specifically Including: the first device receives a response message sent by the second device, the response message carries the first information, and the first information includes a second random number; in this case, S303 may specifically include: A random number and the second random number are matched and verified.
  • the first random number can uniquely identify an authentication to the first device, and the random number is used for authentication to ensure that each authentication can be performed based on the random number generated this time, which can effectively prevent the information of the first device Is copied to prevent replay attacks.
  • the second information may further include first device identification information, the first information includes second device identification information, and the first device identification information is used to uniquely identify the first device, then, S303 Specifically, it may further include: performing matching verification on the first device identification information and the second device identification information.
  • the first device identification information is a first device ID
  • the second device identification information is a second device ID.
  • S303 may specifically include: comparing the first device ID and the second device ID Perform matching verification.
  • the first device identification information is the hash value of the first device ID
  • the second device identification information is the hash value of the second device ID.
  • S303 may specifically include: The hash value of one device ID and the hash value of the second device ID are matched and verified.
  • the device ID in this embodiment of the application is a non-public ID that can uniquely identify the device, for example: the first device ID is the hardware unique key HUK defined when the first device leaves the factory, another example is: The device ID is obtained by processing the die ID of the first device and the unique device identifier UDI. In this way, the first device ID or the hash value of the first device ID stored locally by the first device is used to verify the second device ID or the hash value of the second device ID obtained after decryption, so as to realize the reliability of the first device And secure authentication.
  • the second information may also include target valid information, and the first information includes actual usage information, where the actual usage information is used to characterize that the second device authentication is currently used on the first device.
  • S303 may specifically include: the first device verifies the actual usage information according to the target valid information to determine whether the second device can continue to be used to authenticate the first device.
  • the first device determines that the actual usage information has not reached the target effective information, it determines that the second device is valid for the first device and can continue to use the second device to authenticate the first device; otherwise, when the first device determines If the actual use information has reached the target effective information, it is determined that the second device is invalid for the first device, and the second device cannot be used to authenticate the first device.
  • the target effective information is the maximum number of times allowed to use the second device for authentication (for example: 5 times); or, the target effective information is the maximum time allowed to use the second device for authentication (for example: 20 hour). In this way, the actual use information carried in the first information is verified through the target effective information stored locally in the first device, so that reliable and safe authentication of the first device is realized.
  • the first information may further include indication information, the indication information being used to indicate at least one of the following information: the time when the use permission is opened, the interface for opening the use permission, or the use Permission operation.
  • the indication information may be sent by the first device to the second device in the challenge request message, or it may be corresponding indication information specified by the second device according to its own authentication range; it may also be the first device in the challenge request message.
  • FIG. 6 shows a schematic flowchart of a method 400 for authenticating the use right of a first device in an embodiment of the present application.
  • the method 400 is applied in a scenario that includes a first device and a second device.
  • the method 400 may include, for example:
  • S401 Encrypt the first information by using a first private key stored locally
  • S402 Send the first information encrypted by the first private key to a first device, so as to authenticate the use right of the first device.
  • the second device can be device 2 in method 100, then the first device is device 1 in method 100, the first private key is private key 1 in method 100, and the first public key is public key in method 100.
  • Key 1 the first information is information 1 in method 100.
  • the second device may be the authentication tool 11 in the method 200.
  • the first device is the debugging interface 12 of the switch in the method 200, the first private key is the private key b in the method 200, and the first public key is In the public key B in the method 200, the first information includes the random number X2 encrypted by the private key b in the method 100.
  • the authentication of the first device to be authenticated is realized, which overcomes the current situation of protecting the security of the first device by means of codebooks or exposed pads corresponding to the interface.
  • the potential safety hazards ensure the safer and more reliable protection of the first device to be authenticated.
  • the second device may refer to an authentication tool with an authentication function.
  • the first device may be any device to be authenticated, for example: it may refer to a network device or a single board, or for example: it may also refer to a debugging interface or a service interface on the device.
  • the authentication tool sends the first information encrypted by the first private key to the device where the debugging interface is located and decrypted by the first public key. After the verification is passed, the device where the debugging interface is located will open the The permission to use the debugging interface is for accessing and using the debugging interface.
  • the first private key and the first public key may be generated by the second device; or, the first private key and the first public key may also be configured by the authentication server for the second device.
  • the method 400 may further include: the second device receiving the second public key of the authentication server sent by the authentication server, the first public key encrypted by the second private key, and the second private key The encrypted first private key, the second private key corresponds to the second public key; then, the second device uses the second public key to encrypt the second private key The first private key is decrypted to obtain the first private key; the second device may also send the first public key encrypted by the second private key to the first device, so that the second device A device decrypts the first public key encrypted by the second private key based on the locally stored second public key to obtain the first public key.
  • the first information includes the first random number.
  • the method 400 may specifically further include: the second device receives a challenge request message sent by the first device, where the challenge request message Carrying the first random number;
  • S402 may specifically include: the second device sends a response message to the first device, where the response message carries the first random number encrypted by the first private key.
  • the second information may also include the first information and first device identification information.
  • the first device identification information is used by the first device for identity verification. For example, it may be the first device ID or the first device ID. A hash value of the device ID.
  • the method 400 may further include: the second device performs matching verification on the first device ID and a locally stored second device ID corresponding to the first device; or, the second device performs a matching verification on the first device ID.
  • the Greek value is matched and verified with the locally stored hash value of the second device ID corresponding to the first device.
  • the first device ID is a hardware unique key HUK defined when the first device leaves the factory, or the first device ID is processed according to the chip ID die ID of the first device and the unique device ID UDI owned.
  • the first information may also include target valid information, which is used by the first device to determine whether the second device can continue to be used for authentication.
  • the method 400 may further include: the second device updates the actual usage information, the actual usage information is used to characterize the current use of the second device authentication on the first device; then, the second device according to The target effective information verifies the updated actual usage information to determine whether the second device can continue to be used to authenticate the first device.
  • the target effective information is the maximum number of times that the second device is allowed to perform authentication, then the actual usage information is the actual number of times the first device uses the second device for authentication until the current time;
  • the target valid information is the maximum time allowed to use the second device for authentication, then the actual usage information is the actual usage time from the timing start time of the target valid information to the current moment.
  • the first information may further include indication information, the indication information being used to indicate at least one of the following information: the time when the use permission is opened, the interface for opening the use permission, or the use Permission operation.
  • the first device 700 includes a transceiver unit 701 and a processing unit 702.
  • the transceiving unit 701 is configured to perform the transceiving operation performed by the device 1 in the embodiment shown in FIG. 3, or the transceiving operation performed by the debugging interface 12 of the switch in the embodiment shown in FIG. 4, or the method embodiment shown in FIG. Transceiving operations performed by the first device;
  • the processing unit 702 is configured to perform operations other than the transceiving operations performed by the device 1 in the embodiment shown in FIG. 3, or other operations performed by the debugging interface 12 of the switch in the embodiment shown in FIG.
  • the first device 700 is the device 1 in the method 100, then the transceiving unit 701 is used to receive the information 1 encrypted with the private key 1 sent by the device 2; the processing unit 702 is used to decrypt according to the public key 1 to obtain Information 1, the processing unit 702 is also used to compare the information 1 and the locally stored information 2 to determine the use right of the device 1.
  • an embodiment of the present application also provides a second device 800, as shown in FIG. 8.
  • the second device 800 includes a transceiver unit 801 and a processing unit 802.
  • the transceiving unit 801 is configured to perform the transceiving operation performed by the device 2 in the embodiment shown in FIG. 3, or the transceiving operation performed by the authentication tool 11 in the embodiment shown in FIG. 4, or the method embodiment shown in FIG. Transceiving operations performed by the second device in the second device;
  • the processing unit 802 is configured to perform operations other than the transceiving operations performed by the device 2 in the embodiment shown in FIG. 3, or other operations performed by the authentication tool 11 in the embodiment shown in FIG.
  • the first device 800 is the device 2 in the method 100, then the transceiver unit 801 is used to send the information 1 encrypted by the private key 1 to the device 1; the processing unit 802 is used to pair the private key 1 according to the locally stored private key. Information 1 is encrypted.
  • an embodiment of the present application also provides a first device 900, as shown in FIG. 9.
  • the first device 900 includes a communication interface 901 and a processor 902 connected to the communication interface 901.
  • the communication interface 901 is used to perform the transceiving operation performed by the device 1 in the embodiment shown in FIG. 3, or the transceiving operation performed by the debugging interface 12 of the switch in the embodiment shown in FIG. 4, or the method shown in FIG. 5 is implemented
  • the transceiving operation performed by the first device in the example; the processor 902 is configured to perform other operations other than the transceiving operation performed by the device 1 in the embodiment shown in FIG. 3, or the debugging interface 12 of the switch in the embodiment shown in FIG.
  • the first device 900 is the device 1 in the method 100, then the communication interface 901 is used to receive the information 1 encrypted with the private key 1 sent by the device 2; the processor 902 is used to decrypt according to the public key 1 to obtain Information 1; The processor 902 is also used to compare the information 1 and the locally stored information 2 to determine the use authority of the device 1.
  • an embodiment of the present application also provides a second device 1000, as shown in FIG. 10.
  • the second device 1000 includes a communication interface 1001 and a processor 1002 connected to the communication interface 1001.
  • the communication interface 1001 is used to perform the transceiving operation performed by the device 2 in the embodiment shown in FIG. 3, or the transceiving operation performed by the authentication tool 11 in the embodiment shown in FIG. 4, or the first method in the method embodiment shown in FIG. 2.
  • Transceiving operations performed by the device; the processor 1002 is configured to perform other operations other than the transceiving operations performed by the device 2 in the embodiment shown in FIG. 3, or the authentication tool 11 in the embodiment shown in FIG. 4 other than transceiving operations Operations other than those performed by the second device in the method embodiment shown in FIG.
  • the second device 1000 is the device 2 in the method 100, then the communication interface 1001 is used to send the information 1 encrypted by the private key 1 to the device 1; the processor 1002 is used to pair the private key 1 according to the locally stored private key. Information 1 is encrypted.
  • an embodiment of the present application also provides a first device 1100, as shown in FIG. 11.
  • the first device 1100 includes a memory 1101 and a processor 1102.
  • the memory 1101 is used to store program code; the processor 1102 is used to run instructions in the program code, so that the first device 1100 executes the method executed by the device 1 in the embodiment shown in FIG. 3, or as shown in FIG. 4
  • an embodiment of the present application also provides a second device 1200, as shown in FIG. 12.
  • the second device 1200 includes a memory 1201 and a processor 1202.
  • the memory 1201 is used to store program code; the processor 1202 is used to run instructions in the program code, so that the second device 1200 executes the method performed by the device 2 in the embodiment shown in FIG. 3, or as shown in FIG. 4
  • the processor may be a central processing unit (English: central processing unit, abbreviation: CPU), a network processor (English: network processor, abbreviation: NP), or a combination of CPU and NP.
  • the processor may also be an application-specific integrated circuit (English: application-specific integrated circuit, abbreviation: ASIC), a programmable logic device (English: programmable logic device, abbreviation: PLD) or a combination thereof.
  • the above-mentioned PLD can be a complex programmable logic device (English: complex programmable logic device, abbreviation: CPLD), field programmable logic gate array (English: field-programmable gate array, abbreviation: FPGA), general array logic (English: generic array) logic, abbreviation: GAL) or any combination thereof.
  • the processor may refer to one processor or may include multiple processors.
  • the memory may include volatile memory (English: volatile memory), such as random access memory (English: random-access memory, abbreviation: RAM); the memory may also include non-volatile memory (English: non-volatile memory), For example, read-only memory (English: read-only memory, abbreviation: ROM), flash memory (English: flash memory), hard disk (English: hard disk drive, abbreviation: HDD) or solid state drive (English: solid-state drive, Abbreviation: SSD); the memory can also include a combination of the above-mentioned types of memory.
  • the memory may refer to one memory, or may include multiple memories.
  • computer-readable instructions are stored in the memory, and the computer-readable instructions include multiple software modules, such as a sending module, a processing module, and a receiving module. After executing each software module, the processor can perform corresponding operations according to the instructions of each software module. In this embodiment, an operation performed by a software module actually refers to an operation performed by the processor according to an instruction of the software module. After the processor executes the computer-readable instructions in the memory, it can execute all operations that can be executed by the first device or the second device according to the instructions of the computer-readable instructions.
  • the communication interface 901 of the first device 900 can be specifically used as the transceiver unit 701 in the first device 700 to implement data communication between the first device and the second device.
  • the communication interface 1001 of the second device 1000 can be specifically used as the transceiver unit 801 in the second device 800 to implement data communication between the first device and the second device.
  • an embodiment of the present application also provides a communication system 1300, as shown in FIG. 13.
  • the communication system 1300 includes a first device 1301 and a second device 1302.
  • the first device 1301 may specifically be the above-mentioned first device 700, the first device 900 or the first device 1100, and the second device 1402 may specifically be the above-mentioned second device.
  • embodiments of the present application also provide a computer-readable storage medium that stores instructions in the computer-readable storage medium, which when run on a computer, causes the computer to execute the implementation shown in Figures 3 to 6 above.
  • the authentication method in the example is not limited to.
  • the embodiment of the present application also provides a computer program product, which when it runs on a computer, causes the computer to execute the authentication method in the aforementioned embodiment shown in FIG. 3 to FIG. 6.

Abstract

Disclosed are an authentication method and device. An authentication tool (i.e. a second device) sends first information encrypted by means of a first private key to a first device to be authenticated, and the first device can perform decryption according to a first public key to obtain the first information, wherein the first public key corresponds to the first private key. Therefore, the first device can perform matching verification on the first information and locally stored second information to obtain a verification result, and determine a use permission of the first device according to the verification result. In this way, by means of encryption and decryption techniques and an authentication device with an authentication function, authentication of a first device to be authenticated is realized, security risks when the first device is currently secured by means of, for example, a codebook or an interface being exposed from a pad, are avoided; and safer and more reliable protection of the first device to be authenticated is ensured.

Description

鉴权方法及设备Authentication method and equipment
本申请要求于2019年12月26日提交中国国家知识产权局、申请号为201911368436.5、申请名称为“鉴权方法及设备”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims the priority of a Chinese patent application filed with the State Intellectual Property Office of China, the application number is 201911368436.5, and the application name is "Authentication Method and Equipment" on December 26, 2019. The entire content is incorporated into this application by reference. .
技术领域Technical field
本申请涉及安全通信技术领域,特别是涉及一种鉴权方法和设备,该方法可以用于有开通设备或设备上接口的使用权限的需求时,对该设备或设备上接口的鉴权。This application relates to the field of secure communication technology, and in particular to an authentication method and device. The method can be used to authenticate the device or the interface on the device when there is a need to open the device or the interface on the device.
背景技术Background technique
设备上会存储很多信息,有的信息对于设备的生产商或者使用者非常重要。目前,通常采用密码本的方式对设备进行鉴权,以确保设备以及其上信息的安全。具体而言,密码本上保存着多个密码,在设备上预置一个或多个密码,当有开放该设备的使用权限的需求时,由指定人员(如:调试人员、运维人员、生产人员等)将密码本中的密码输入到设备中,和设备中预置的密码进行匹配,匹配成功时,视作该设备鉴权通过,该设备上匹配成功的密码对应的使用权限开放,从而可以通过设备上已开放的使用权限访问对应的重要信息。A lot of information is stored on the device, and some information is very important to the manufacturer or user of the device. At present, the device is usually authenticated by a codebook to ensure the security of the device and the information on it. Specifically, multiple passwords are stored in the codebook, and one or more passwords are preset on the device. When there is a need to open the use rights of the device, designated personnel (such as debuggers, operation and maintenance personnel, production Personnel, etc.) input the password in the password book into the device and match it with the password preset in the device. When the matching is successful, the device is deemed to have passed the authentication, and the access rights corresponding to the successfully matched password on the device are opened, thus The corresponding important information can be accessed through the use permission that has been opened on the device.
但是,由于密码本的存储、传输和匹配均采用的是明文,而且,人为管理密码本非常容易泄露密码本中的密码,可见,采用该密码本对设备进行鉴权,安全性较低。基于此,亟待提供一种安全等级更高的鉴权方式,确保设备在安全的情况下被开放使用权限,从而保障其上信息的安全。However, since the storage, transmission, and matching of the cipher book are all in plain text, and the manual management of the cipher book is very easy to reveal the password in the cipher book, it can be seen that using the cipher book to authenticate the device has low security. Based on this, it is urgent to provide an authentication method with a higher security level to ensure that the device is open to use permissions under safe conditions, so as to ensure the security of the information on it.
发明内容Summary of the invention
基于此,本申请实施例提供了一种鉴权方法和设备,通过鉴权工具对待鉴权设备发送来的信息进行加密,并由待鉴权设备进行解密的方式,实现对待鉴权设备更为安全的鉴权。Based on this, the embodiments of the present application provide an authentication method and device. The information sent by the device to be authenticated is encrypted by the authentication tool and decrypted by the device to be authenticated, so that the device to be authenticated is more Secure authentication.
第一方面,提供了一种鉴权方法,应用在包括第一设备和第二设备的场景中,以第一设备为执行主体,该鉴权方法例如可以包括:第一设备接收第二设备发送的采用第一私钥加密的第一信息后,根据第一公钥进行解密,获得该第一信息,其中,第一公钥与第一私钥对应;那么,第一设备即可对第一信息和本地存储的第二信息进行匹配验证,获得验证结果,并根据该验证结果,确定第一设备的使用权限。具体而言,当验证结果表示验证通过,则第一设备开放对应的使用权限,当验证结果表示验证未通过,则第一设备不开放对应的使用权限。这样,通过加解密技术以及具有鉴权功能的第二设备,实现对待鉴权的第一设备的鉴权,克服了目前通过密码本或者接口对应焊盘裸露的等方式保护第一设备安全时存在的安全隐患,确保了对待鉴权的第一设备更加安全和可靠的保护。In the first aspect, an authentication method is provided, which is applied in a scenario that includes a first device and a second device, with the first device as the execution subject, the authentication method may include, for example, the first device receives a transmission from the second device After using the first private key to encrypt the first information, decrypt it according to the first public key to obtain the first information, where the first public key corresponds to the first private key; then, the first device can The information and the locally stored second information are matched and verified to obtain a verification result, and the use authority of the first device is determined according to the verification result. Specifically, when the verification result indicates that the verification is passed, the first device opens the corresponding use right, and when the verification result indicates that the verification fails, the first device does not open the corresponding use right. In this way, through the encryption and decryption technology and the second device with authentication function, the authentication of the first device to be authenticated is realized, which overcomes the current situation of protecting the security of the first device by means of codebooks or exposed pads corresponding to the interface. The potential safety hazards ensure the safer and more reliable protection of the first device to be authenticated.
其中,第一设备可以是待鉴权的任何设备,例如:可以指网络设备或单板,又例如:也可以指设备上的调试接口或业务接口。第二设备可以是指具有鉴权功能的鉴权工具。当第一设备指调试接口时,鉴权工具将第一私钥加密的第一信息下发到调试接口所在设备并 由第一公钥进行解密,通过验证通过后,该调试接口所在设备开放该调试接口的使用权限,供访问和使用该调试接口。Wherein, the first device may be any device to be authenticated, for example, it may refer to a network device or a single board, or for another example, it may also refer to a debugging interface or a service interface on the device. The second device may refer to an authentication tool with an authentication function. When the first device refers to the debugging interface, the authentication tool sends the first information encrypted by the first private key to the device where the debugging interface is located and decrypted by the first public key. After the verification is passed, the device where the debugging interface is located will open the The permission to use the debugging interface is for accessing and using the debugging interface.
可选的,第一私钥和第一公钥可以是第二设备生成的;或者,第一私钥和第一公钥也可以是鉴权服务器为第二设备配置的。Optionally, the first private key and the first public key may be generated by the second device; or, the first private key and the first public key may also be configured by the authentication server for the second device.
为了更加安全,本申请实施例中还可以包括:第一设备接收第二设备发送的经过鉴权服务器的第二私钥加密的第一公钥;第一设备使用本地存储的鉴权服务器的第二公钥,对加密的第一公钥进行解密,获得所述第一公钥。这样,通过鉴权服务器这一安全等级较高的服务器对第一公钥进行加密,相比在第一设备上直接保存第一公钥,更加安全和可靠。For more security, the embodiments of the present application may further include: the first device receives the first public key encrypted by the second private key of the authentication server sent by the second device; the first device uses the locally stored first public key of the authentication server The second public key is used to decrypt the encrypted first public key to obtain the first public key. In this way, encrypting the first public key by a server with a higher security level, which is the authentication server, is more secure and reliable than storing the first public key directly on the first device.
可选地,第二信息包括第一随机数,在所述接收第二设备发送的采用第一私钥加密的第一信息之前,本申请实施例还可以包括:第一设备向第二设备发送挑战请求消息,该挑战请求消息中携带第一随机数;那么,第一设备接收第二设备发送的采用第一私钥加密的第一信息,包括:第一设备接收所述第二设备发送的响应消息,该响应消息中携带所述第一信息,所述第一信息包括第二随机数;此时,第一设备对所述第一信息和本地存储的第二信息进行匹配验证,包括:对所述第一随机数和所述第二随机数进行匹配验证。其中,第一随机数可以唯一标识对第一设备的一次鉴权,使用随机数进行鉴权,确保每次鉴权中都可以基于本次生成的随机数进行,能够有效防止第一设备的信息被复制,防止重放攻击。Optionally, the second information includes the first random number, and before the first information encrypted by the first private key sent by the second device is received, the embodiment of the present application may further include: the first device sends to the second device A challenge request message, the challenge request message carries the first random number; then, the first device receiving the first information encrypted by the first private key sent by the second device includes: the first device receiving the first information sent by the second device A response message, which carries the first information, and the first information includes a second random number; at this time, the first device performs matching verification on the first information and the locally stored second information, including: Perform matching verification on the first random number and the second random number. Among them, the first random number can uniquely identify an authentication to the first device, and the random number is used for authentication to ensure that each authentication can be performed based on the random number generated this time, which can effectively prevent the information of the first device Is copied to prevent replay attacks.
可选地,该第二信息还可以包括第一设备标识信息,第一信息中包括第二设备标识信息,其中,第一设备标识信息用于唯一标识所述第一设备,那么,第一设备对所述第一信息和本地存储的第二信息进行匹配验证,还可以包括:对所述第一设备标识信息和所述第二设备标识信息进行匹配验证。作为一个示例,所述第一设备标识信息为第一设备ID,所述第二设备标识信息为第二设备ID,那么,所述第一设备对所述第一信息和本地存储的第二信息进行匹配验证,还可以包括:对所述第一设备ID和所述第二设备ID进行匹配验证。作为另一个示例,为了更加安全,所述第一设备标识信息为第一设备ID的哈希值,所述第二设备标识信息为第二设备ID的哈希值,那么,第一设备对所述第一信息和本地存储的第二信息进行匹配验证,还可以包括:对所述第一设备ID的哈希值和第二设备ID的哈希值进行匹配验证。其中,所述第一设备ID用于唯一标识所述第一设备。为了鉴权的安全进行,本申请实施例中设备ID为非公开的能够唯一标识设备的ID,例如:第一设备ID为第一设备出厂时定义的硬件唯一密钥(英文:Hardware Unique Key,简称:HUK),又例如:第一设备ID为根据第一设备的晶片标识(英文:die Identification,简称:die ID)和唯一设备标识(英文:Unique Device Identification,简称:UDI)处理得到的。这样,通过第一设备本地存储的第一设备ID或第一设备ID的哈希值等第一设备标识信息,对解密后获得的第二设备ID或第二设备ID的哈希值等第二设备标识信息进行验证,指导第一设备对其使用权限的管理,实现对第一设备可靠和安全的鉴权。Optionally, the second information may also include first device identification information, and the first information includes second device identification information, where the first device identification information is used to uniquely identify the first device, then the first device Performing matching verification on the first information and the locally stored second information may also include: performing matching verification on the first device identification information and the second device identification information. As an example, the first device identification information is a first device ID, and the second device identification information is a second device ID. Then, the first device has a response to the first information and the locally stored second information Performing matching verification may also include: performing matching verification on the first device ID and the second device ID. As another example, for more security, the first device identification information is the hash value of the first device ID, and the second device identification information is the hash value of the second device ID. Performing matching verification on the first information and the locally stored second information may also include: performing matching verification on the hash value of the first device ID and the hash value of the second device ID. Wherein, the first device ID is used to uniquely identify the first device. For safe authentication, the device ID in this embodiment of the application is a non-public ID that can uniquely identify the device. For example, the first device ID is a hardware unique key (English: Hardware Unique Key, which is defined when the first device leaves the factory). Abbreviation: HUK), another example: the first device ID is obtained by processing the chip identification (English: die Identification, abbreviation: die ID) of the first device and the unique device identification (English: Unique Device Identification, abbreviation: UDI). In this way, through the first device identification information such as the first device ID or the hash value of the first device ID stored locally by the first device, the decrypted second device ID or the hash value of the second device ID and other second device identification information The device identification information is verified, and the first device is guided to manage its use authority, so as to realize reliable and safe authentication of the first device.
可选的,该第二信息还可以包括目标有效信息,所述第一信息中包括实际使用信息,其中,实际使用信息用于表征所述第一设备上当前使用所述第二设备鉴权的情况。那么,第一设备对所述第一信息和本地存储的第二信息进行匹配验证,还可以包括:第一设备根据所述目标有效信息,对所述实际使用信息进行验证,以确定所述第二设备能否继续用于 对所述第一设备进行鉴权。当第一设备确定实际使用信息还未达到目标有效信息,则,确定第二设备对于第一设备而言有效,可以继续使用第二设备对第一设备进行鉴权;否则,当第一设备确定实际使用信息已经达到目标有效信息,则,确定第二设备对于第一设备而言已经失效,不能继续使用第二设备对第一设备进行鉴权。其中,目标有效信息为允许使用所述第二设备进行鉴权的最多次数(例如:5次);或者,目标有效信息为允许使用所述第二设备进行鉴权的最长时间(例如:20小时)。这样,通过第一设备本地存储的目标有效信息,对第一信息中携带的实际使用信息进行验证,指导第一设备对其使用权限的管理,实现对第一设备可靠和安全的鉴权。Optionally, the second information may also include target effective information, and the first information includes actual usage information, where the actual usage information is used to characterize the authentication of the second device on the first device. Happening. Then, the first device to perform matching verification on the first information and the locally stored second information may also include: the first device verifies the actual usage information according to the target valid information to determine the first information Whether the second device can continue to be used to authenticate the first device. When the first device determines that the actual usage information has not reached the target effective information, it determines that the second device is valid for the first device and can continue to use the second device to authenticate the first device; otherwise, when the first device determines If the actual use information has reached the target effective information, it is determined that the second device is invalid for the first device, and the second device cannot be used to authenticate the first device. Wherein, the target effective information is the maximum number of times allowed to use the second device for authentication (for example: 5 times); or, the target effective information is the maximum time allowed to use the second device for authentication (for example: 20 hour). In this way, the actual use information carried in the first information is verified through the target effective information stored locally by the first device, guiding the first device to manage its use rights, and realizing reliable and safe authentication of the first device.
可选地,该第一信息还可以包括指示信息,所述指示信息用于指示下述信息中的至少一个:开放所述使用权限的时间、开放所述使用权限的接口或开放所述使用权限的操作。其中,该指示信息可以是第一设备在挑战请求消息中发送给第二设备的,也可以是第二设备根据自身的鉴权范围指定的对应的指示信息;还可以是第一设备在挑战请求消息中发送给第二设备的,并由第二设备根据自身的鉴权范围确定出的对应的指示信息。这样,通过第一设备接收并解密后获得的指示信息,指导第一设备对其上具体的使用权限的管理,实现对第一设备可靠和安全的鉴权。Optionally, the first information may further include indication information, the indication information being used to indicate at least one of the following information: the time when the usage right is opened, the interface for opening the usage right, or the usage right is opened Operation. Wherein, the indication information may be sent by the first device to the second device in the challenge request message, or it may be corresponding indication information specified by the second device according to its own authentication range; it may also be the first device in the challenge request message. The corresponding indication information sent to the second device in the message and determined by the second device according to its own authentication range. In this way, the instruction information obtained after being received and decrypted by the first device guides the first device to manage the specific usage rights on it, thereby realizing reliable and safe authentication of the first device.
第二方面,本申请实施例还提供了一种对第一设备的使用权限进行鉴权的方法,应用在包括第一设备和第二设备的场景中,以第二设备为执行主体,该鉴权方法例如可以包括:第二设备采用本地存储的第一私钥对所述第一信息进行加密,并向第一设备发送经过所述第一私钥加密的所述第一信息,以对所述第一设备的使用权限进行鉴权。这样,通过加解密技术以及具有鉴权功能的第二设备,实现对待鉴权的第一设备的鉴权,克服了目前通过密码本或者接口对应焊盘裸露的等方式保护第一设备安全时存在的安全隐患,确保了对待鉴权的第一设备更加安全和可靠的保护。In the second aspect, the embodiments of the present application also provide a method for authenticating the use right of a first device. This method is applied in a scenario that includes the first device and the second device, and the second device is the execution subject. The right method may include, for example, the second device encrypts the first information by using a first private key stored locally, and sends the first information encrypted by the first private key to the first device, so as to The use authority of the first device is authenticated. In this way, through the encryption and decryption technology and the second device with authentication function, the authentication of the first device to be authenticated is realized, which overcomes the current situation of protecting the security of the first device by means of codebooks or exposed pads corresponding to the interface. The potential safety hazards ensure the safer and more reliable protection of the first device to be authenticated.
其中,第二设备可以是指具有鉴权功能的鉴权工具。第一设备可以是待鉴权的任何设备,例如:可以指网络设备或单板,又例如:也可以指设备上的调试接口或业务接口。当第一设备指调试接口时,鉴权工具将第一私钥加密的第一信息下发到调试接口所在设备并由第一公钥进行解密,通过验证通过后,该调试接口所在设备开放该调试接口的使用权限,供访问和使用该调试接口。Among them, the second device may refer to an authentication tool with an authentication function. The first device may be any device to be authenticated, for example: it may refer to a network device or a single board, or for example: it may also refer to a debugging interface or a service interface on the device. When the first device refers to the debugging interface, the authentication tool sends the first information encrypted by the first private key to the device where the debugging interface is located and decrypted by the first public key. After the verification is passed, the device where the debugging interface is located will open the The permission to use the debugging interface is for accessing and using the debugging interface.
可选的,第一私钥和第一公钥可以是第二设备生成的;或者,第一私钥和第一公钥也可以是鉴权服务器为第二设备配置的。Optionally, the first private key and the first public key may be generated by the second device; or, the first private key and the first public key may also be configured by the authentication server for the second device.
可选地,本申请实施例中还可以包括:第二设备接收鉴权服务器发送的鉴权服务器的第二公钥、经过第二私钥加密的所述第一公钥和经过所述第二私钥加密的所述第一私钥,所述第二私钥和所述第二公钥对应;接着,第二设备利用所述第二公钥对所述经过所述第二私钥加密的所述第一私钥进行解密,获得所述第一私钥;第二设备也可以将所述经过所述第二私钥加密的所述第一公钥发送至所述第一设备,以便所述第一设备基于本地存储的所述第二公钥,对所述经过所述第二私钥加密的所述第一公钥进行解密,获得所述第一公钥。Optionally, the embodiment of the present application may further include: the second device receives the second public key of the authentication server sent by the authentication server, the first public key encrypted by the second private key, and the second public key encrypted by the second private key. The first private key encrypted by the private key, the second private key corresponds to the second public key; then, the second device uses the second public key to encrypt the second private key The first private key is decrypted to obtain the first private key; the second device may also send the first public key encrypted by the second private key to the first device, so that The first device decrypts the first public key encrypted by the second private key based on the locally stored second public key to obtain the first public key.
可选地,该第一信息包括第一随机数,那么,在对所述第一信息进行加密以前,本申 请实施例还可以包括:第二设备接收所述第一设备发送的挑战请求消息,所述挑战请求消息中携带所述第一随机数;那么,该第二设备向所述第一设备发送经过所述第一私钥加密的所述第一信息,可以包括:第二设备向所述第一设备发送响应消息,所述响应消息中携带经过所述第一私钥加密的所述第一随机数。Optionally, the first information includes a first random number. Then, before encrypting the first information, the embodiment of the present application may further include: the second device receives the challenge request message sent by the first device, The challenge request message carries the first random number; then, the second device sending the first information encrypted by the first private key to the first device may include: The first device sends a response message, and the response message carries the first random number encrypted by the first private key.
可选地,该第一信息可以包括第一设备标识信息,该第一设备标识信息被所述第一设备用于身份验证。其中,第一设备标识信息为所述第一设备标识ID或所述第一设备ID的哈希值。作为一个示例,当第一信息包括第一设备ID,本申请实施例还可以包括:第二设备对所述第一设备ID和本地存储的与所述第一设备对应的第二设备ID进行匹配验证。作为另一个示例,该第一信息还可以包括第一设备ID的哈希值,那么,本申请实施例还可以包括:对所述第一设备ID的哈希值和本地存储的与所述第一设备对应的第二设备ID的哈希值进行匹配验证。其中,所述第一设备ID为所述第一设备出厂时定义的硬件唯一密钥HUK,或者,所述第一设备ID为根据所述第一设备的晶片标识die ID和唯一设备标识UDI处理得到的。Optionally, the first information may include first device identification information, and the first device identification information is used for identity verification by the first device. Wherein, the first device identification information is the first device identification ID or the hash value of the first device ID. As an example, when the first information includes the first device ID, the embodiment of the present application may further include: the second device matches the first device ID with a locally stored second device ID corresponding to the first device verification. As another example, the first information may also include the hash value of the first device ID. Then, the embodiment of the present application may further include: the hash value of the first device ID and the locally stored hash value of the first device ID. The hash value of the second device ID corresponding to a device is matched and verified. Wherein, the first device ID is a hardware unique key HUK defined when the first device leaves the factory, or the first device ID is processed according to the chip ID die ID of the first device and the unique device ID UDI owned.
可选地,该第一信息还包括目标有效信息,该目标有效信息被所述第一设备用于确定能否继续使用所述第二设备进行鉴权,那么,本申请实施例还可以包括:第二设备更新所述实际使用信息,所述实际使用信息用于表征所述第一设备上当前使用所述第二设备鉴权的情况;接着,第二设备根据所述目标有效信息,对更新后的所述实际使用信息进行验证,以确定所述第二设备能否继续用于对所述第一设备进行鉴权。其中,该目标有效信息为允许使用所述第二设备进行鉴权的最多次数,则,所述实际使用信息为所述第一设备截止当前使用所述第二设备进行鉴权的实际使用次数;或者,该目标有效信息为允许使用所述第二设备进行鉴权的最长时间,则,所述实际使用信息为从所述目标有效信息的计时起始时刻到当前时刻的实际使用时间。Optionally, the first information further includes target valid information, and the target valid information is used by the first device to determine whether the second device can continue to be used for authentication. Then, the embodiment of the present application may further include: The second device updates the actual usage information, and the actual usage information is used to characterize the current use of the second device authentication on the first device; then, the second device updates the information according to the target valid information. The subsequent actual use information is verified to determine whether the second device can continue to be used to authenticate the first device. Wherein, the target effective information is the maximum number of times that the second device is allowed to perform authentication, then the actual usage information is the actual number of times the first device uses the second device for authentication until the current time; Alternatively, the target valid information is the maximum time allowed to use the second device for authentication, then the actual usage information is the actual usage time from the timing start time of the target valid information to the current moment.
可选地,该第一信息还可以包括指示信息,所述指示信息用于指示下述信息中的至少一个:开放所述使用权限的时间、开放所述使用权限的接口或开放所述使用权限的操作。Optionally, the first information may further include indication information, the indication information being used to indicate at least one of the following information: the time when the usage right is opened, the interface for opening the usage right, or the usage right is opened Operation.
第二方面提供的方法的各种可能的实现方式以及达到的技术效果,可以参照前述第一方面提供的方法的介绍,此处不再赘述。For the various possible implementation manners and technical effects achieved by the method provided in the second aspect, reference may be made to the introduction of the method provided in the first aspect, which will not be repeated here.
第三方面,本申请还提供了第一设备,包括收发单元和处理单元。其中,收发单元用于执行上述第一方面提供的方法中的收发操作;处理单元用于执行上述第一方面中除了收发操作以外的其他操作。例如:当所述第一设备执行所述第一方面所述的方法时,所述收发单元用于接收第二设备发送的采用第一私钥加密的第一信息;所述处理单元用于根据第一公钥进行解密,获得该第一信息,所述处理单元还用于对第一信息和本地存储的第二信息进行匹配验证,获得验证结果,所述处理单元还用于根据该验证结果,确定第一设备的使用权限。In the third aspect, this application also provides a first device, including a transceiver unit and a processing unit. Wherein, the transceiving unit is used to perform the transceiving operations in the method provided in the above first aspect; the processing unit is used to perform other operations in addition to the transceiving operations in the above first aspect. For example: when the first device executes the method described in the first aspect, the transceiving unit is used to receive the first information encrypted by the first private key sent by the second device; the processing unit is used to The first public key is decrypted to obtain the first information. The processing unit is also used to perform matching verification on the first information and the locally stored second information to obtain a verification result, and the processing unit is further used to obtain the verification result according to the verification result. , To determine the use permission of the first device.
第四方面,本申请实施例还提供了第二设备,该第二设备包括收发单元和处理单元。其中,收发单元用于执行上述第二方面提供的方法中的收发操作;处理单元用于执行上述第二方面中除了收发操作以外的其他操作。例如:当所述第二设备执行所述第二方面所述的方法时,所述收发单元用于向第一设备发送经过所述第一私钥加密的所述第一信息;所 述处理单元用于采用本地存储的第一私钥对所述第一信息进行加密。In a fourth aspect, an embodiment of the present application also provides a second device, and the second device includes a transceiver unit and a processing unit. Wherein, the transceiving unit is used to perform the transceiving operation in the method provided in the above second aspect; the processing unit is used to perform other operations in addition to the transceiving operation in the above second aspect. For example: when the second device executes the method described in the second aspect, the transceiving unit is configured to send the first information encrypted by the first private key to the first device; the processing unit It is used to encrypt the first information by using the first private key stored locally.
第五方面,本申请实施例还提供了一种第一设备,包括通信接口和处理器。其中,通信接口用于执行前述第一方面提供的方法中的收发操作;处理器,用于执行前述第一方面提供的方法中除所述收发操作以外的其他操作。In a fifth aspect, an embodiment of the present application also provides a first device, including a communication interface and a processor. Wherein, the communication interface is used to perform the transceiving operation in the method provided in the foregoing first aspect; the processor is used to perform other operations except the transceiving operation in the method provided in the foregoing first aspect.
第六方面,本申请实施例还提供了一种第二设备,包括通信接口和处理器。其中,通信接口用于执行前述第二方面提供的方法中的收发操作;处理器,用于执行前述第二方面提供的方法中除所述收发操作以外的其他操作。In a sixth aspect, an embodiment of the present application also provides a second device, including a communication interface and a processor. Wherein, the communication interface is used to perform the transceiving operation in the method provided in the foregoing second aspect; the processor is used to perform other operations in the method provided in the foregoing second aspect except for the transceiving operation.
第七方面,本申请实施例还提供了一种第一设备,该第一设备包括存储器和处理器。其中,存储器用于存储程序代码;处理器用于运行所述程序代码中的指令,使得该第一设备执行以上第一方面提供的方法。In a seventh aspect, an embodiment of the present application further provides a first device, and the first device includes a memory and a processor. Wherein, the memory is used to store program code; the processor is used to run instructions in the program code, so that the first device executes the method provided in the first aspect above.
第八方面,本申请实施例还提供了一种第二设备,该第二设备包括存储器和处理器。其中,存储器用于存储程序代码;处理器用于运行所述程序代码中的指令,使得该第一设备执行以上第二方面提供的方法。In an eighth aspect, an embodiment of the present application also provides a second device, the second device including a memory and a processor. Wherein, the memory is used to store program code; the processor is used to run instructions in the program code, so that the first device executes the method provided in the second aspect above.
第九方面,本申请实施例还提供了一种计算机可读存储介质,该计算机可读存储介质中存储有指令,当其在计算机上运行时,使得所述计算机执行以上第一方面或第二方面提供的所述的鉴权方法。In a ninth aspect, the embodiments of the present application also provide a computer-readable storage medium that stores instructions in the computer-readable storage medium, which when run on a computer, causes the computer to execute the first aspect or the second aspect above. The authentication method provided by the aspect.
第十方面,本申请实施例还提供了计算机程序产品,当其在计算机上运行时,使得计算机执行前述第一方面或第二方面提供的所述的鉴权方法。In a tenth aspect, the embodiments of the present application also provide a computer program product, which when running on a computer, causes the computer to execute the authentication method provided in the first or second aspect.
第十一方面,本申请实施例还提供了一种通信系统,该通信系统包括第三方面、第五方面或第七方面提供的所述的第一设备以及第四方面、第六方面或第八方面提供的第二设备。In an eleventh aspect, an embodiment of the present application also provides a communication system, which includes the first device provided in the third, fifth, or seventh aspect and the fourth, sixth, or first device provided in the third, fifth, or seventh aspect. The second device provided by the eighth aspect.
附图说明Description of the drawings
图1为本申请实施例中一应用场景所涉及的网络系统框架示意图;FIG. 1 is a schematic diagram of a network system framework involved in an application scenario in an embodiment of this application;
图2为本申请实施例中在图1场景下对设备12鉴权的流程示意图;FIG. 2 is a schematic diagram of the authentication process of the device 12 in the scenario of FIG. 1 in an embodiment of the application;
图3为本申请实施例中一种鉴权方法100的流程示意图;FIG. 3 is a schematic flowchart of an authentication method 100 in an embodiment of this application;
图4为本申请实施例中在图1场景下一种鉴权方法200的流程示意图;FIG. 4 is a schematic flowchart of an authentication method 200 in the scenario of FIG. 1 in an embodiment of this application;
图5为本申请实施例中一种鉴权方法300的流程示意图;FIG. 5 is a schematic flowchart of an authentication method 300 in an embodiment of this application;
图6为本申请实施例中一种对第一设备的使用权限进行鉴权的方法400的流程示意图;FIG. 6 is a schematic flowchart of a method 400 for authenticating the use right of a first device in an embodiment of this application;
图7为本申请实施例中一种第一设备700的结构示意图;FIG. 7 is a schematic structural diagram of a first device 700 in an embodiment of this application;
图8为本申请实施例中一种第二设备800的结构示意图;FIG. 8 is a schematic structural diagram of a second device 800 in an embodiment of this application;
图9为本申请实施例中一种第一设备900的结构示意图;FIG. 9 is a schematic structural diagram of a first device 900 in an embodiment of this application;
图10为本申请实施例中一种第二设备1000的结构示意图;FIG. 10 is a schematic structural diagram of a second device 1000 in an embodiment of this application;
图11为本申请实施例中一种第一设备1100的结构示意图;FIG. 11 is a schematic structural diagram of a first device 1100 in an embodiment of this application;
图12为本申请实施例中一种第二设备1200的结构示意图;FIG. 12 is a schematic structural diagram of a second device 1200 in an embodiment of this application;
图13为本申请实施例中一种通信系统1300的结构示意图。FIG. 13 is a schematic structural diagram of a communication system 1300 in an embodiment of this application.
具体实施方式Detailed ways
设备上一般会存储一些重要信息(例如:设备的硬盘数据),这些重要信息对设备安全十分关键,需要采取一定的保护措施确保这些重要信息的安全。Some important information (for example: hard disk data of the device) is generally stored on the device. This important information is critical to the safety of the device, and certain protective measures need to be taken to ensure the safety of this important information.
目前,通常采用密码本的方式对设备进行鉴权,在设备上预置一个或多个密码,密码本上保存着多个密码,当需要开放该设备的使用权限时,由调试人员、运维人员、生产人员等指定人员将密码本中的密码输入到设备中,设备将该输入的密码和其中预置的密码进行匹配,匹配成功时,视作该设备的鉴权通过,该设备开放上匹配成功的密码对应的使用权限,从而可以通过开放的使用权限访问对应的重要信息。虽然密码本由少数的指定人员掌握,一定程度上可以保证设备上存储的重要信息的安全,但是,由于密码本的存储、传输和匹配均采用的是明文,而且,具有密码本权限的指定人员较杂,人为管理密码本非常容易泄露密码本中的密码,该采用该密码本对设备进行鉴权的方式,安全性较低。At present, the device is usually authenticated by a codebook. One or more passwords are preset on the device, and multiple passwords are stored in the codebook. When the permission to use the device needs to be opened, the debugging personnel, operation and maintenance Designated personnel, such as personnel, production personnel, enter the password in the codebook into the device, and the device will match the entered password with the preset password. When the match is successful, it will be regarded as the authentication of the device passed, and the device will be opened. The use authority corresponding to the successfully matched password, so that the corresponding important information can be accessed through the open use authority. Although the cipher book is controlled by a small number of designated personnel, which can ensure the security of important information stored on the device to a certain extent, the storage, transmission and matching of the cipher book are all in plain text, and the designated personnel with the authority of the cipher book It is more complicated, and it is very easy to leak the password in the codebook by manual management. The method of using the codebook to authenticate the device has low security.
此外,由于访问设备上的重要信息,通常通过设备上的关键接口(如:调试接口或业务接口)实现,那么,很多设备厂商在设备出厂时,将这些关键接口的连接器去掉(即,关键接口对应的焊盘裸露),以确保设备上重要信息的安全。但是,攻击者可以通过观察以及万用表等仪器识别出这些关键接口对应的焊盘,并通过跳线将该关键接口接入分析仪,从而直接获取这些重要信息,十分不安全。例如:微软笔记本的硬件数据通常采用两级密钥进行加密保护,即,通过全卷加密密钥(英文:Full Volume Encryption Key,简称:FVEK)加密,通过卷主密钥(英文:Volume Master Key,简称:VMK)(也称为原始密钥)加密FVEK;该VMK保存在可信平台模块(英文:Trusted Platform Module,简称:TPM)中。微软在生产该笔记本电脑时,增加TPM的LPC(英文:Low Pin Count)接口以测试该笔记本电脑的性能,但是在发货时,将该接口从连接器对应的焊盘裸露,那么,攻击者很容易就可以识别出了该裸露的TPM的LPC接口,并通过跳线将该接口接入逻辑分析仪,直接获取到VMK,从而破解出由VMK加密的FVEK,进而破解出由FVEK加密的硬盘数据,严重危及该笔记本电脑的安全。In addition, because access to important information on the device is usually achieved through key interfaces on the device (such as a debugging interface or a business interface), many equipment manufacturers remove the connectors of these key interfaces when the device leaves the factory (that is, the key The corresponding pads of the interface are exposed) to ensure the safety of important information on the device. However, an attacker can identify the pads corresponding to these key interfaces through observations and instruments such as multimeters, and connect the key interfaces to the analyzer through jumpers to directly obtain these important information, which is very insecure. For example, the hardware data of a Microsoft notebook is usually encrypted and protected by a two-level key, that is, encrypted by a full volume encryption key (English: Full Volume Encryption Key, abbreviated as: FVEK), and encrypted by a volume master key (English: Volume Master Key). , Referred to as VMK) (also referred to as the original key) encrypts FVEK; the VMK is stored in a trusted platform module (English: Trusted Platform Module, referred to as TPM). When Microsoft produced the laptop, it added the LPC (English: Low Pin Count) interface of the TPM to test the performance of the laptop. However, when the laptop was shipped, the interface was exposed from the corresponding pad of the connector. Then, the attacker It is easy to identify the LPC interface of the exposed TPM, and connect the interface to the logic analyzer through a jumper to directly obtain the VMK, thereby cracking the FVEK encrypted by the VMK, and then cracking the hard disk encrypted by the FVEK Data seriously endangers the safety of the laptop.
可见,无论通过密码本的保护方式还是上述在出厂时去掉设备的关键接口的连接器的方式,均不能很好的确保设备的安全以及设备上重要信息的安全。It can be seen that neither the cipher key protection method nor the above-mentioned method of removing the connector of the key interface of the device at the factory can not well ensure the security of the device and the security of important information on the device.
基于此,本申请实施例提供一种鉴权方法,在用户需要访问第一设备时,第一设备需要进行鉴权,鉴权通过后才可以开放第一设备上对应的使用权限,供用户在开放的使用权限范围内安全的访问或者使用该第一设备。待鉴权的第一设备本地存储有第二信息以及第一公钥,鉴权的过程具体可以包括:由待鉴权的第一设备向鉴权工具等具有鉴权功能的第二设备发送第二信息;对于第二设备,接收到第一设备发送的第一信息(该第一信息可能与第二信息相同,也可能与第二信息不同),基于第一私钥对接收到的第一信息进行加密,并将该经过第一私钥加密的第一信息发送给第一设备;第一设备根据第一公钥进行解密,获得第一信息,并对该第一信息和本地存储的第二信息进行匹配验证,获得验证结果,再根据该验证结果,确定第一设备的使用权限。这样,通过加解密技术以及具有鉴权功能的第二设备,实现对待鉴权的第一设备的鉴权,克服了目前通过密码本或者接口对应焊盘裸露的等方式保护第一设备安全时存在的安全隐患,确保了对待鉴权的第一设备更加 安全和可靠的保护。Based on this, the embodiment of the present application provides an authentication method. When the user needs to access the first device, the first device needs to be authenticated. After the authentication is passed, the corresponding usage rights on the first device can be opened for the user to access the first device. Safely access or use the first device within the scope of the open use authority. The first device to be authenticated locally stores the second information and the first public key. The authentication process may specifically include: the first device to be authenticated sends the first device to a second device with authentication function such as an authentication tool. Second information; for the second device, the first information sent by the first device is received (the first information may be the same as the second information, or may be different from the second information), based on the first private key pair received The information is encrypted, and the first information encrypted by the first private key is sent to the first device; the first device decrypts according to the first public key to obtain the first information, and the first information and the locally stored first information The second information is matched and verified to obtain a verification result, and then the use authority of the first device is determined according to the verification result. In this way, through the encryption and decryption technology and the second device with authentication function, the authentication of the first device to be authenticated is realized, which overcomes the current situation of protecting the security of the first device by means of codebooks or exposed pads corresponding to the interface. The potential safety hazards ensure the safer and more reliable protection of the first device to be authenticated.
举例来说,本申请实施例的场景之一,可以是应用到如图1所示的网络中。参见图1,该网络中包括:鉴权工具11和设备12。其中,鉴权工具11可以是设备12的制造商设计的、用于对其出厂的设备12进行鉴权的物理实体,该鉴权工具11本地保存有私钥a,具有利用私钥a为信息进行加密的功能。设备12可以是任何需要进行鉴权的设备,例如:设备12可以是路由器、交换机等网络设备,也可以是手机、笔记本电脑等终端设备,还可以是U盘等移动存储设备,也可以是调试接口、业务接口或者单板。其中,图1所示的场景中还可以包括证书颁发机构(英文:Certificate Authority,简称:CA)服务器13,用于为鉴权工具分配公私钥,以提高该鉴权场景的安全等级。For example, one of the scenarios of the embodiment of the present application may be applied to the network as shown in FIG. 1. Referring to Figure 1, the network includes: an authentication tool 11 and a device 12. Wherein, the authentication tool 11 may be a physical entity designed by the manufacturer of the device 12 to authenticate the device 12 that it leaves the factory. The authentication tool 11 stores the private key a locally, and uses the private key a as information. Encryption function. The device 12 can be any device that needs to be authenticated. For example, the device 12 can be a network device such as a router or a switch, a terminal device such as a mobile phone, a laptop, etc., a mobile storage device such as a USB flash drive, or a debugging device. Interface, service interface or single board. The scenario shown in FIG. 1 may also include a certificate authority (English: Certificate Authority, abbreviated as: CA) server 13 for allocating public and private keys to authentication tools to improve the security level of the authentication scenario.
具体实现时,鉴权工具11在本地的安全存储区域中保存有私钥a,设备12在本地的安全存储区域中保存有公钥A,该私钥a和公钥A对应。当需要访问设备12时,对设备12的鉴权过程参见图2,可以包括:S11,设备12产生随机数1;S12,设备12将随机数1携带在挑战请求消息中发送给鉴权工具11;S13,鉴权工具11用私钥a对接收到的随机数2(可以和随机数1一致,也可以和随机数1不一致)进行加密,得到X;S14,鉴权工具11将X携带在响应消息中,发送给设备12;S15,设备12利用公钥A对X进行解密,获得随机数2;S16,设备12比较随机数1和随机数2,若两者相同,则表示设备12的该次鉴权通过,反之,表示设备12的该次鉴权失败。这样,实现了对待鉴权设备12更加安全的保护。In specific implementation, the authentication tool 11 stores the private key a in the local secure storage area, and the device 12 stores the public key A in the local secure storage area, and the private key a corresponds to the public key A. When the device 12 needs to be accessed, the authentication process for the device 12 is shown in Fig. 2, which may include: S11, the device 12 generates a random number 1; S12, the device 12 carries the random number 1 in the challenge request message and sends it to the authentication tool 11. S13, the authentication tool 11 uses the private key a to encrypt the received random number 2 (which can be consistent with the random number 1, or inconsistent with the random number 1) to obtain X; S14, the authentication tool 11 carries X in The response message is sent to the device 12; S15, the device 12 uses the public key A to decrypt X to obtain the random number 2; S16, the device 12 compares the random number 1 and the random number 2. If the two are the same, it means that the device 12’s The authentication passed this time, otherwise, it means that the authentication of the device 12 failed this time. In this way, more secure protection of the authentication device 12 is realized.
需要说明的是,上述公钥A和私钥a可以是鉴权工具11自己生成的,也可以是CA服务器13为鉴权工具11分配的,具体可以根据设备12的安全要求确定,在本申请实施例中不作具体限定。其中,CA服务器13相对于鉴权工具11以及设备12来说,可以是离线服务器,需要用户(例如:设备12的管理人员)通过安全的生产环境设备作为媒介配置鉴权工具11和设备12;或者,CA服务器13相对于鉴权工具11以及设备12来说,也可以是在线服务器,可以直接通过CA服务器13和鉴权工具11之间建立的连接以及CA服务器13和设备12之间建立的连接进行交互,无需再由用户进行中转。It should be noted that the above-mentioned public key A and private key a can be generated by the authentication tool 11 itself, or distributed by the CA server 13 for the authentication tool 11, which can be specifically determined according to the security requirements of the device 12. In this application There is no specific limitation in the embodiment. Wherein, the CA server 13 may be an offline server relative to the authentication tool 11 and the device 12, requiring a user (for example, a manager of the device 12) to configure the authentication tool 11 and the device 12 through a secure production environment device as a medium; Alternatively, compared to the authentication tool 11 and the device 12, the CA server 13 may also be an online server, which can directly pass the connection established between the CA server 13 and the authentication tool 11 and the connection established between the CA server 13 and the device 12 Connect to interact, no need to be transferred by the user.
需要说明的是,本申请实施例中设备本地的安全存储区域,是指设备本地的存储区域中,不能被轻易访问和篡改的存储区域。例如:安全存储区域可以是设备的一次性可编程存储器(英文:One-Time Programmable,简称:OTP),又例如:安全存储区域也可以是设备的电熔丝(英文:electrical FUSE,简称:eFUSE),由于OTP或eFUSE等安全存储区域上存储的内容不可更改,所以,设备本地的安全存储区域可以可靠和安全的保存重要信息,例如:鉴权工具11本地的安全存储区域可以可靠和安全的保存私钥a,设备12本地的安全存储区域可以可靠和安全的保存公钥A。It should be noted that the local secure storage area of the device in the embodiment of the present application refers to a storage area in the local storage area of the device that cannot be easily accessed or tampered with. For example, the secure storage area can be the one-time programmable memory of the device (English: One-Time Programmable, abbreviated as OTP), and for example: the secure storage area can also be the electrical fuse of the device (English: electrical FUSE, abbreviated as: eFUSE) ), because the content stored in the secure storage area such as OTP or eFUSE cannot be changed, the local secure storage area of the device can store important information reliably and securely. For example, the local secure storage area of the authentication tool 11 can be reliable and secure. To save the private key a, the local secure storage area of the device 12 can save the public key A reliably and securely.
可以理解的是,上述场景仅是本申请实施例提供的一个场景示例,本申请实施例并不限于此场景。It is understandable that the foregoing scenario is only an example of a scenario provided in an embodiment of the present application, and the embodiment of the present application is not limited to this scenario.
下面结合附图,通过实施例来详细说明本申请实施例中鉴权方法的具体实现方式。The specific implementation of the authentication method in the embodiment of the present application will be described in detail below with reference to the accompanying drawings and embodiments.
图3为本申请实施例中的一种鉴权方法100的流程示意图。参见图3,该方法100应 用于包括设备1和设备2的网络中,其中,设备1预先保存有公钥1。在需要对设备1进行访问时,可以先执行该方法100对设备1进行鉴权。例如:该方法100可以应用在图1所示的网络中,设备1可以是设备12,设备2可以是鉴权工具11。该方法100例如可以包括下述S101~S106:FIG. 3 is a schematic flowchart of an authentication method 100 in an embodiment of this application. Referring to Fig. 3, the method 100 is applied to a network including a device 1 and a device 2, where the device 1 has a public key 1 stored in advance. When the device 1 needs to be accessed, the method 100 can be executed first to authenticate the device 1. For example, the method 100 can be applied to the network shown in FIG. 1, the device 1 can be the device 12, and the device 2 can be the authentication tool 11. The method 100 may include the following S101 to S106, for example:
S101,设备2接收设备1发送的信息1。S101: Device 2 receives information 1 sent by device 1.
其中,设备2是指用于对待鉴权的设备1进行鉴权的物理实体,也称为鉴权工具,用于对待鉴权的设备进行鉴权,确定是否开放待鉴权的设备的使用权限。设备2上可以包括鉴权接口,用于与待鉴权的设备1之间建立连接该鉴权接口可以是有线接口,例如:通用串行总线(英文:Universal Serial Bus,简称:USB)接口或联合测试工作组(英文:Joint Test Action Group,简称:JTAG)接口;或者,该鉴权接口也可以是无线接口,例如:蓝牙。Among them, device 2 refers to the physical entity used to authenticate the device 1 to be authenticated, also known as an authentication tool, used to authenticate the device to be authenticated, and determine whether to open the right to use the device to be authenticated . The device 2 may include an authentication interface, which is used to establish a connection with the device 1 to be authenticated. The authentication interface may be a wired interface, such as a universal serial bus (English: Universal Serial Bus, abbreviated as: USB) interface or Joint Test Action Group (English: Joint Test Action Group, JTAG for short) interface; or, the authentication interface may also be a wireless interface, such as Bluetooth.
设备1是指待鉴权的设备,本申请实施例中,待鉴权的设备可以是网络设备,例如:交换机、路由器,也可以是终端设备,例如:手机、笔记本电脑,还可以是移动存储设备,例如:U盘,也可以是接口,例如:调试接口、业务接口,还可以是单板。Device 1 refers to the device to be authenticated. In the embodiment of the application, the device to be authenticated can be a network device, such as a switch, a router, or a terminal device, such as a mobile phone, a laptop, or a mobile storage device. A device, such as a USB flash drive, can also be an interface, such as a debugging interface, a service interface, or a single board.
信息1可以包括:设备2接收到的随机数2。设备1在需要进行鉴权时,可以产生该次鉴权对应的随机数1,并将该随机数2保存在设备1本地安全存储区域中。该随机数1可以唯一标识对设备1的一次鉴权,使用随机数进行鉴权,确保每次鉴权中都可以基于本次生成的随机数进行,能够有效防止设备1的信息被复制,防止重放攻击。Information 1 may include: random number 2 received by device 2. When the device 1 needs to perform authentication, it can generate the random number 1 corresponding to the second authentication, and save the random number 2 in the local secure storage area of the device 1. The random number 1 can uniquely identify an authentication to device 1, and use random numbers for authentication to ensure that each authentication can be performed based on the random number generated this time, which can effectively prevent the information of device 1 from being copied. Replay attack.
具体实现时,在S101之前,设备1可以向设备2发送挑战请求消息,该挑战请求消息中携带该随机数1;那么,S102具体可以是:设备2接收到该挑战请求消息,并从中获得随机数2,可以理解的是,若挑战请求消息在传输过程中无误,随机数2和随机数1是一致的,否则,随机数2也可能和随机数1不一致。In specific implementation, before S101, device 1 may send a challenge request message to device 2, and the challenge request message carries the random number 1. Then, S102 may specifically be: device 2 receives the challenge request message and obtains a random number from it. Number 2, it is understandable that if the challenge request message is correct in the transmission process, random number 2 and random number 1 are consistent, otherwise, random number 2 may also be inconsistent with random number 1.
此外,信息1还可以包括:设备2接收到的设备1对应的设备标识信息2,设备标识信息2可以用于唯一标识设备1。具体而言,设备标识信息2可以是设备标识(英文:Identification,简称:ID)2或设备ID2的哈希值。设备1上保存有设备1的设备ID1或设备ID1的哈希值,该设备ID1可以是能够唯一标识该设备1的标识,设备ID1的哈希值即对设备ID1进行哈希计算得到的哈希值。为了更加安全,该设备ID1可以是设备1对外非公开的标识。例如:该设备ID1可以是设备1出厂时定义的硬件唯一密钥(英文:Hardware Unique Key,简称:HUK);又例如:该设备ID1也可以是根据设备1的唯一设备标识(英文:Unique Device Identification,简称:UDI)和该设备1中的晶片标识(英文:die Identification,简称:die ID)获得的标识。可见,使用设备ID1或设备ID1的哈希值进行鉴权,能够有效管控设备2的鉴权权限,即,攻击者或使用者获取到公钥后,只能攻击或使用设备1,无法利用该公钥对别的设备进行鉴权并开发对应的使用权限,使得安全风险降到最低,提高了对设备的安全保护。In addition, the information 1 may also include: the device identification information 2 corresponding to the device 1 received by the device 2, and the device identification information 2 may be used to uniquely identify the device 1. Specifically, the device identification information 2 may be a device identification (English: Identification, abbreviation: ID) 2 or a hash value of the device ID2. The device 1 stores the device ID1 or the hash value of the device ID1 of the device 1. The device ID1 can be an identifier that can uniquely identify the device 1. The hash value of the device ID1 is the hash obtained by the hash calculation of the device ID1 value. For more security, the device ID1 may be a non-public identification of the device 1 to the outside. For example: the device ID1 can be the hardware unique key (English: Hardware Unique Key, abbreviated as HUK) defined when the device 1 leaves the factory; for another example: the device ID1 can also be a unique device identification based on the device 1 (English: Unique Device) Identification (abbreviation: UDI) and the identification obtained by the chip identification (English: die Identification, abbreviation: die ID) in the device 1. It can be seen that the use of device ID1 or the hash value of device ID1 for authentication can effectively control the authentication authority of device 2. That is, after an attacker or user obtains the public key, they can only attack or use device 1, but cannot use this The public key authenticates other devices and develops corresponding usage rights, minimizing security risks and improving the security protection of devices.
此外,信息1还可以包括目标有效信息,该目标有效信息被设备1用于确定能否继续使用设备2进行鉴权。该目标有效信息具体可以是允许使用设备2进行鉴权的最多次数(例如:5次),或者,是允许使用设备2进行鉴权的最长时间(例如:1天),以便参考该目 标有效信息限制该设备2的有效使用次数或时长,使得控制该设备2在安全的范围内使用。In addition, the information 1 may also include target valid information, which is used by the device 1 to determine whether the device 2 can continue to be used for authentication. The target validity information may specifically be the maximum number of times allowed to use device 2 for authentication (for example: 5 times), or the maximum time allowed to use device 2 for authentication (for example: 1 day), so as to refer to the validity of the target The information limits the effective use times or duration of the device 2 so that the device 2 is controlled to be used within a safe range.
若设备1需要自身配置鉴权范围,那么,该信息1中还可以包括指示信息,该指示信息用于指示下述信息中的至少一个:开放使用权限的时间(例如:开放使用权限的时刻起2小时内均可以进行访问)、开放使用权限的接口(例如:开放设备1上的3个调试接口,或者,开放设备1上的调试接口1和调试接口2)或开放使用权限的操作(例如:允许在设备1上进行读操作,或允许在设备1上进行写操作)。需要说明的是,根据鉴权需求,设备1也可以不指定鉴权范围,即,在信息1中不包括该指示信息,而由设备2配置该鉴权范围,或者,均不进行配置,一次鉴权通过后遵循设置的默认鉴权范围开放设备1的使用权限。If the device 1 needs to configure its own authentication range, then the information 1 may also include indication information, which is used to indicate at least one of the following information: the time when the use authority is opened (for example: the time when the use authority is opened It can be accessed within 2 hours), interfaces with open access rights (for example: open 3 debugging interfaces on device 1, or open debug interface 1 and debugging interface 2 on device 1) or open access operations (for example : Allow read operation on device 1, or allow write operation on device 1). It should be noted that, according to the authentication requirements, device 1 may not specify the authentication scope, that is, the indication information is not included in information 1, and the authentication scope is configured by device 2, or no configuration is performed. After the authentication is passed, the use authority of the device 1 is opened according to the set default authentication scope.
在使用设备2对设备1进行鉴权之前,设备2本地的安全存储空间中至少预先保存有私钥1,且设备2通过其鉴权接口与设备1建立连接。Before using the device 2 to authenticate the device 1, at least the private key 1 is pre-stored in the local secure storage space of the device 2, and the device 2 establishes a connection with the device 1 through its authentication interface.
具体实现时,当对设备1有访问需求,需要对设备1进行鉴权时,设备1可以向设备2发送挑战请求消息,设备2接收到的该挑战请求消息中携带信息1。In specific implementation, when there is an access requirement for device 1 and device 1 needs to be authenticated, device 1 may send a challenge request message to device 2, and the challenge request message received by device 2 carries information 1.
作为一个示例,该挑战请求消息中可以仅包括挑战请求消息本身的内容,例如:该挑战请求消息包括:挑战类型、密钥类型、密钥号和挑战字段长度,则信息1仅包括:挑战类型、密钥类型、密钥号和挑战字段长度。其中,挑战类型是设备1和设备2预先定义的、用于指示该挑战请求消息作用的,例如:当该挑战类型字段的值为0x5AAA555A时,表示该挑战请求消息用于指示对设备1鉴权。密钥分类用于表示表示当前使用的密钥对的类型,例如:当密钥分类字段的值为0x07,表示当前使用的是鉴权密钥对,又例如:当密钥分类字段的值为0x09,表示当前使用的是远程证明密钥对。密钥号用于指示当前使用的具体密钥对,即,指示本地保存的公钥1对应的密钥对,例如:鉴权密钥对可以包括16个密钥对,分别分配给不同的产品或者不同的接口使用,以防止某一个密钥对被泄露时,还可以允许使用另外的密钥对,产生的影响范围不会太大。挑战字段长度可以用于做信号校验,防止挑战请求消息在传输过程中发送信息丢失等问题。As an example, the challenge request message may only include the content of the challenge request message itself. For example, the challenge request message includes: challenge type, key type, key number, and challenge field length, then information 1 only includes: challenge type , Key type, key number, and challenge field length. Among them, the challenge type is predefined by device 1 and device 2 and used to indicate the role of the challenge request message. For example, when the value of the challenge type field is 0x5AAA555A, it means that the challenge request message is used to indicate the authentication of device 1 . The key classification is used to indicate the type of the key pair currently used. For example, when the value of the key classification field is 0x07, it means that the authentication key pair is currently used. For example, when the value of the key classification field is 0x09, which means that the remote attestation key pair is currently being used. The key number is used to indicate the specific key pair currently in use, that is, the key pair corresponding to the public key 1 stored locally. For example, the authentication key pair can include 16 key pairs, which are allocated to different products. Or when different interfaces are used to prevent a certain key pair from being leaked, another key pair can be allowed to be used, and the impact range will not be too large. The length of the challenge field can be used for signal verification to prevent problems such as loss of information sent during the transmission of the challenge request message.
作为另一个示例,为了增加对设备1鉴权的安全等级,该挑战请求消息中还可以添加字段,用于携带随机数1、设备ID1和设备ID1的哈希值中的至少一个,那么,该信息1不仅包括挑战请求消息本身的内容,还包括:随机数2、设备ID2和设备ID2的哈希值中的至少一个。其中,若设备1向设备2发送该挑战请求消息以及设备2接收该挑战请求消息的过程中,没有发生任何错误,则,随机数2和随机数1一致,设备ID2和设备ID1一致,设备ID2的哈希值和设备ID1的哈希值一致。As another example, in order to increase the security level for device 1 authentication, the challenge request message can also add a field to carry at least one of the random number 1, the device ID1, and the hash value of the device ID1. Then, the Information 1 not only includes the content of the challenge request message itself, but also includes at least one of the random number 2, the device ID2, and the hash value of the device ID2. Among them, if device 1 sends the challenge request message to device 2 and device 2 receives the challenge request message, no error occurs, then random number 2 is consistent with random number 1, device ID2 is consistent with device ID1, and device ID2 The hash value of is the same as the hash value of device ID1.
作为再一个示例,根据对设备1的鉴权需要,还可以在该挑战请求消息中添加其他字段,用于携带指示信息或目标有效信息,那么,该信息1不仅包括挑战请求消息本身的内容,还包括指示信息或目标有效信息;或者,在此基础上,信息1还可以包括:随机数2、设备ID2和设备ID2的哈希值中的至少一个。As another example, according to the authentication needs of the device 1, other fields can be added to the challenge request message to carry indication information or target validity information. Then, the information 1 not only includes the content of the challenge request message itself, It also includes indication information or target valid information; or, on this basis, information 1 may also include: at least one of a random number 2, a device ID2, and a hash value of the device ID2.
这样,设备1通过向设备2发送挑战请求消息,指示设备2为设备1进行鉴权。设备2接收到该挑战请求消息后,通过解析该挑战请求消息,获得信息1,为对设备1的鉴权提 供了数据基础。In this way, device 1 sends a challenge request message to device 2 to instruct device 2 to perform authentication for device 1. After receiving the challenge request message, device 2 obtains information 1 by parsing the challenge request message, which provides a data basis for device 1 authentication.
S102,设备2根据私钥1对信息1进行加密。S102, the device 2 encrypts the information 1 according to the private key 1.
私钥1为设备2本地的安全存储空间中保存的私钥,用于对设备1进行鉴权时,对设备2接收到的信息1进行加密处理。The private key 1 is a private key stored in the local secure storage space of the device 2 and is used to encrypt the information 1 received by the device 2 when the device 1 is authenticated.
在一些可能的实现方式中,设备2可以采用自身生成的公私钥对设备1进行鉴权,那么,该私钥1可以是设备2基于内部算法生成并保存在本地的。该示例中,设备2还需要在执行在下述S105之前,将私钥1对应的公钥1发送给设备1,以便设备1将该公钥1保存在本地的安全存储空间中。In some possible implementation manners, the device 2 can use the public and private key generated by itself to authenticate the device 1. Then, the private key 1 can be generated by the device 2 based on an internal algorithm and stored locally. In this example, the device 2 also needs to send the public key 1 corresponding to the private key 1 to the device 1 before performing the following S105, so that the device 1 saves the public key 1 in the local secure storage space.
例如:当信息1包括挑战请求消息本身的内容和随机数2时,信息1具体可以包括:私钥1加密的挑战类型、私钥1加密的随机数2、私钥1加密的密钥类型、私钥1加密的密钥号和私钥1加密的挑战字段长度。For example: when information 1 includes the content of the challenge request message itself and random number 2, information 1 may specifically include: the challenge type encrypted by the private key 1, the random number encrypted by the private key 1, the key type encrypted by the private key 1, The key number encrypted by private key 1 and the length of the challenge field encrypted by private key 1.
在另一些可能的实现方式中,为了提高安全等级,设备2也可以从设备3申请公私钥对,用于对设备1的鉴权,那么,该私钥1可以是设备3为设备2分配的私钥。其中,设备3例如可以是CA服务器等安全等级高的鉴权服务器。In other possible implementations, in order to improve the security level, device 2 can also apply for a public-private key pair from device 3 to authenticate device 1. Then, the private key 1 can be assigned by device 3 to device 2. Private key. Among them, the device 3 may be, for example, an authentication server with a high security level such as a CA server.
无论公钥1和私钥1是设备2自己生成的,还是设备3为其分配的,都可以通过设备3上的私钥2加密后发送给设备2,以提高安全性。具体实现时,设备3向设备2发送公私钥对的过程,例如可以包括:S21,设备2向设备3发送请求消息,用于请求设备3发送用于对设备1进行鉴权的公私钥对;S22,设备3响应于该请求消息,确定即将发送给设备2的私钥1和对应的公钥1,并且,为了进一步提高安全性,设备3利用自身的私钥2将私钥1和公钥1进行加密;S23,设备2接收设备3发送的私钥2对应的公钥2;S24,设备2接收设备3发送的私钥2加密的私钥1和私钥2加密的公钥1;S25,设备2利用公钥2对私钥2加密的私钥1进行解密,获得私钥1,并将该私钥1保存在本地的安全存储空间中。该示例中,设备1本地预先保存有设备3上私钥2对应的公钥2,以便后续鉴权时,设备2将该私钥2加密的公钥1发送给设备1,设备1利用本地保存的公钥2对该私钥2加密的公钥1进行解密,并将解密后获得的公钥1进行本地保存,为鉴权提供数据基础。Regardless of whether the public key 1 and the private key 1 are generated by the device 2 itself or assigned by the device 3, they can be encrypted by the private key 2 on the device 3 and sent to the device 2 to improve security. In specific implementation, the process of sending a public-private key pair from device 3 to device 2 may include, for example: S21, device 2 sends a request message to device 3 for requesting device 3 to send a public-private key pair for authenticating device 1; S22: In response to the request message, device 3 determines the private key 1 and corresponding public key 1 to be sent to device 2, and, in order to further improve security, device 3 uses its own private key 2 to combine private key 1 and public key 1 is encrypted; S23, device 2 receives the private key 2 sent by device 3, and the corresponding public key 2; S24, device 2 receives the private key 2 sent by device 3, encrypted private key 1 and private key 2 encrypted public key 1; S25 , The device 2 uses the public key 2 to decrypt the private key 1 encrypted by the private key 2 to obtain the private key 1, and save the private key 1 in the local secure storage space. In this example, the device 1 locally pre-stores the public key 2 corresponding to the private key 2 on the device 3, so that during subsequent authentication, the device 2 sends the public key 1 encrypted by the private key 2 to the device 1, and the device 1 uses the locally stored public key 2 The public key 2 decrypts the public key 1 encrypted by the private key 2, and saves the public key 1 obtained after decryption locally to provide a data basis for authentication.
需要说明的是,设备3下发公钥2给设备1的方式,以及S23和S24中设备3可以将公钥2、私钥2加密的私钥1和私钥2加密的公钥1发送给设备2的方式,均可以根据设备3是离线服务器还是在线服务器确定。当设备3相对设备1是离线状态时,可以由该用户通过安全的生产环境设备从设备3上拷贝公钥2,并通过该安全的生产环境设备将公钥2配置到设备1上;当设备3相对设备1是在线状态时,设备3可以直接通过两者建立的连接将公钥2发送给设备1。同理,当设备3相对设备2是离线状态时,可以通过用户在设备3上提交上述请求消息,该用户通过安全的生产环境设备从设备3上拷贝公钥2、私钥2加密的私钥1和私钥2加密的公钥1后,通过安全的生产环境设备将公钥2、私钥2加密的私钥1和私钥2加密的公钥1配置到设备2上;当设备3相对设备2是在线状态时,设备3可以直接通过两者建立的连接将公钥2、私钥2加密的私钥1和私钥2加密的公钥1发送给设备2。It should be noted that the way in which device 3 sends public key 2 to device 1, and in S23 and S24, device 3 can send public key 2, private key 1 encrypted by private key 2, and public key 1 encrypted by private key 2 to The mode of the device 2 can be determined according to whether the device 3 is an offline server or an online server. When device 3 is offline relative to device 1, the user can copy public key 2 from device 3 through a secure production environment device, and configure public key 2 to device 1 through the secure production environment device; 3 When the device 1 is online, the device 3 can directly send the public key 2 to the device 1 through the connection established between the two. Similarly, when the device 3 is offline relative to the device 2, the user can submit the above request message on the device 3. The user copies the public key 2 and the private key encrypted by the private key 2 from the device 3 through a secure production environment device After public key 1 encrypted by 1 and private key 2, configure public key 2, private key 1 encrypted by private key 2 and public key 1 encrypted by private key 2 to device 2 through a secure production environment device; when device 3 is opposite When the device 2 is online, the device 3 can directly send the public key 2, the private key 1 encrypted by the private key 2 and the public key 1 encrypted by the private key 2 to the device 2 through the connection established between the two.
对于S23和S24,作为一个示例,设备3可以将公钥2、私钥2加密的私钥1和私钥2 加密的公钥1携带在一条消息中,反馈给设备2。作为另一个示例,为了更加安全,设备3可以将公钥2携带在一条消息中,将私钥2加密的私钥1和私钥2加密的公钥1携带在另一条消息中,分别反馈给设备2。For S23 and S24, as an example, the device 3 can carry the public key 2, the private key 1 encrypted by the private key 2, and the public key 1 encrypted by the private key 2, in a message, and feed it back to the device 2. As another example, for more security, the device 3 can carry the public key 2 in one message, carry the private key 1 encrypted by the private key 2 and the public key 1 encrypted by the private key 2 in another message, and feed them back to Equipment 2.
对于S102,若信息1中包括设备标识信息2,则,设备2本地还可以保存其负责鉴权的设备标识信息列表,该列表中标识的设备均可以作为该设备2鉴权的对象。设备2在接收到信息1后,可以先将该设备标识信息2,与本地保存的设备标识信息列表进行匹配验证,若匹配,则执行S102,否则,确定该设备1不是设备2鉴权的对象,中止该次鉴权。For S102, if the information 1 includes the device identification information 2, the device 2 can also store locally a list of device identification information responsible for authentication, and all the devices identified in the list can be the objects of the device 2 authentication. After device 2 receives information 1, it can first perform matching verification on the device identification information 2 with the locally saved device identification information list, if it matches, execute S102, otherwise, it is determined that device 1 is not the target of device 2 authentication , Suspend this authentication.
需要说明的是,当信息1中包括的设备标识信息2为设备ID2或设备ID2的哈希值时,为了区别都使用设备2进行鉴权的不同设备1,S102可以将包括设备ID2或设备ID2的哈希值的信息1进行加密后发送给设备1,以便不同的设备1基于所接收到的加密后的信息1中设备ID或设备ID的哈希值,确定是否对自身进行鉴权;或者,S102也可以将信息1中的设备ID2或设备ID2的哈希值剔除后,将剩余的信息1进行加密后发送给设备1,即,信息1中不包括私钥1加密的设备ID2或设备ID2的哈希值。It should be noted that when the device identification information 2 included in the information 1 is the device ID2 or the hash value of the device ID2, in order to distinguish different devices 1 that all use the device 2 for authentication, S102 may include the device ID2 or the device ID2. The information 1 with the hash value of is encrypted and sent to the device 1, so that different devices 1 can determine whether to authenticate themselves based on the device ID or the hash value of the device ID in the received encrypted information 1; or , S102 can also remove the device ID2 or the hash value of the device ID2 in the information 1, and then encrypt the remaining information 1 and send it to the device 1. That is, the information 1 does not include the device ID 2 or the device encrypted by the private key 1 The hash value of ID2.
对于S102,若信息1中包括目标有效信息,则,设备2本地还可以保存实际有效信息,该实际有效信息用于表征当前使用该设备2对设备1进行鉴权的情况。设备2在接收到信息1后,可以先更新实际使用信息,再对目标有效信息和更新后的实际使用信息进行匹配验证,若匹配(即,设备2的实际使用信息未达到目标有效信息),则执行S102,否则,确定该设备2失效,无法对设备1进行鉴权。设备2失效后,可以由设备1的制造商重置该设备2的实际有效信息,以恢复该设备2对设备1的鉴权功能。For S102, if the information 1 includes target effective information, the device 2 can also store actual effective information locally, and the actual effective information is used to characterize the current use of the device 2 to authenticate the device 1. After device 2 receives information 1, it can update the actual use information first, and then perform matching verification on the target effective information and the updated actual use information. If they match (that is, the actual use information of device 2 does not reach the target effective information), S102 is executed, otherwise, it is determined that the device 2 is invalid and the device 1 cannot be authenticated. After the device 2 fails, the manufacturer of the device 1 can reset the actual valid information of the device 2 to restore the authentication function of the device 2 to the device 1.
作为一个示例,当目标有效信息为允许使用设备2进行鉴权的最多次数(例如:5次),则,实际使用信息为设备1截止当前使用设备2进行鉴权的实际使用次数(例如:3次),则,当设备2再收到信息1时,可以将实际使用次数加一,并判断新的实际使用次数是否小于等于目标有效信息,若是,则执行S102,否则,停止使用设备2对设备1的鉴权,并提示设备2失效。As an example, when the target effective information is the maximum number of times that device 2 is allowed to perform authentication (for example: 5 times), then the actual use information is the actual number of times that device 1 has used device 2 to perform authentication (for example: 3). Times), when device 2 receives information 1 again, it can add one to the actual number of uses, and determine whether the new actual number of uses is less than or equal to the target effective information, if so, execute S102, otherwise, stop using device 2 Device 1 authenticates and prompts that device 2 is invalid.
作为另一个示例,当目标有效信息为允许使用设备2进行鉴权的最长时间(例如:24小时),则,所述实际使用信息为从所述目标有效信息的计时起始时刻到当前时刻的实际使用时间(例如:10小时),则,当设备2再收到信息1时,可以将更新实际使用时间为从所述目标有效信息的计时起始时刻到当前时刻所经过的时间(例如:12小时),并判断新的实际使用时间是否达到目标有效信息,若否,则执行S102,若是,则停止使用设备2对设备1的鉴权,并提示设备2失效。As another example, when the target valid information is the longest time allowed to use the device 2 for authentication (for example: 24 hours), then the actual usage information is from the timing start time of the target valid information to the current time The actual use time (for example: 10 hours), when the device 2 receives information 1, it can update the actual use time to the time elapsed from the timing start time of the target effective information to the current time (for example, : 12 hours), and judge whether the new actual use time reaches the target effective information, if not, execute S102, if yes, stop using the device 2 to authenticate the device 1 and prompt the device 2 to be invalid.
需要说明的是,当信息1中包括目标有效信息时,S102可以将包括目标有效信息的信息1进行加密后发送给设备1;或者,S102也可以将信息1中的目标有效信息剔除后,将剩余的信息1进行加密后发送给设备1,即,信息1中不包括公钥1加密后的目标有效信息。或者,信息1也可以将更新后的实际使用信息携带在信息1中,发送给设备1,以便设备1基于该实际使用信息和本地保存的目标有效信息再确认该设备2是否有效。It should be noted that when the target valid information is included in the message 1, S102 may encrypt the message 1 including the target valid information and send it to the device 1; or, in S102, after removing the target valid information in the message 1, the The remaining information 1 is encrypted and sent to the device 1, that is, the information 1 does not include the target effective information encrypted by the public key 1. Alternatively, the information 1 can also carry the updated actual usage information in the information 1 and send it to the device 1, so that the device 1 can reconfirm whether the device 2 is valid based on the actual usage information and the target valid information stored locally.
对于S102,若信息1中包括指示信息,则,设备2可以将包括指示信息的信息1进行加密后发送给设备1;或者,若信息1中包括指示信息,设备2本地还可以保存其负责对 设备1进行鉴权的鉴权范围,那么,设备2在接收到信息1后,可以先将该指示信息与本地保存的对设备1的鉴权范围进行匹配验证,将匹配后的鉴权范围对应的指示信息基于私钥1加密后作为信息1的一部分发送给设备1;再或者,若信息1中不包括指示信息,但是,设备2本地保存其负责对设备1进行鉴权的鉴权范围,那么,设备2在接收到信息1后,可以将本地保存的鉴权范围对应的指示信息基于私钥1加密后作为信息1的一部分发送给设备1;又或者,若信息1中不包括指示信息,且设备2本地也未保存对其负责对设备1进行鉴权的鉴权范围,则,可以直接执行S102,信息1中不包括指示信息,设备1可以按照其上默认的设置开放设备1的使用权限。For S102, if information 1 includes instruction information, device 2 can encrypt information 1 including instruction information and send it to device 1; or, if information 1 includes instruction information, device 2 can also store its responsible counterpart locally. Device 1 performs the authentication range of authentication. Then, after device 2 receives information 1, it can first match and verify the indication information with the authentication range of device 1 stored locally, and then correspond to the matched authentication range The instruction information is encrypted based on the private key 1 and then sent to the device 1 as part of the information 1. Or, if the instruction information is not included in the information 1, but the device 2 locally stores the authentication scope that it is responsible for authenticating the device 1, Then, after device 2 receives information 1, it can encrypt the indication information corresponding to the authentication scope stored locally based on private key 1 and then send it to device 1 as a part of information 1; or, if information 1 does not include indication information , And device 2 does not store the authentication scope responsible for authenticating device 1 locally, then S102 can be executed directly, and the instruction information is not included in message 1, and device 1 can open device 1’s default settings according to its default settings. Use permissions.
S103,设备2将经过私钥1加密的信息1发送给设备1。S103: The device 2 sends the information 1 encrypted by the private key 1 to the device 1.
S104,设备1接收设备2发送的采用私钥1加密的信息1。S104: The device 1 receives the information 1 encrypted by the private key 1 sent by the device 2.
具体实现时,作为对设备1向设备2发送的挑战请求消息的回应,设备2可以将信息1携带在该挑战请求消息对应的响应消息中,发送给设备1。In specific implementation, as a response to the challenge request message sent by device 1 to device 2, device 2 may carry information 1 in a response message corresponding to the challenge request message and send it to device 1.
作为一个示例,设备2可以将私钥2加密的公钥1和信息1加密后的内容同时作为信息1,携带在响应消息中发送给设备1。例如:当信息1包括挑战请求消息本身的内容和随机数2时,私钥1加密的信息1具体可以包括:私钥2加密的公钥1、私钥1加密的挑战类型、私钥1加密的随机数2、私钥1加密的密钥类型、私钥1加密的密钥号和私钥1加密的挑战字段长度。As an example, the device 2 may use the public key 1 encrypted by the private key 2 and the encrypted content of the information 1 as the information 1 at the same time, and send it to the device 1 in a response message. For example: when information 1 includes the content of the challenge request message itself and random number 2, information 1 encrypted by private key 1 may specifically include: public key encrypted by private key 2, challenge type encrypted by private key 1, and encryption by private key 1. The random number 2, the key type encrypted by private key 1, the key number encrypted by private key 1, and the length of the challenge field encrypted by private key 1.
作为另一个示例,为了更加安全,设备2也可以单独将私钥2加密的公钥1发送给设备1,而将信息1携带在响应消息中发送给设备1。例如:当信息2包括挑战请求消息本身的内容和设备ID2时,私钥1加密的信息1具体可以包括:私钥1加密的挑战类型、私钥1加密的设备ID2、私钥1加密的密钥类型、私钥1加密的密钥号和私钥1加密的挑战字段长度。而设备2将私钥2加密的公钥1通过传输信息1的消息以外的其他消息发送给设备1。As another example, in order to be more secure, the device 2 may also separately send the public key 1 encrypted by the private key 2 to the device 1, and carry the information 1 in the response message and send it to the device 1. For example: when the information 2 includes the content of the challenge request message itself and the device ID2, the information 1 encrypted by the private key 1 may specifically include: the challenge type encrypted by the private key 1, the device ID encrypted by the private key 1, and the secret encrypted by the private key 1. The key type, the key number encrypted by the private key 1, and the length of the challenge field encrypted by the private key 1. The device 2 sends the public key 1 encrypted by the private key 2 to the device 1 through a message other than the message of the transmission information 1.
若信息1仅包括挑战请求消息本身的内容,则,响应消息中私钥1加密的信息1具体可以包括:私钥1加密的挑战类型、私钥1加密的密钥类型、私钥1加密的密钥号和私钥1加密的挑战字段长度。If the information 1 only includes the content of the challenge request message itself, the information 1 encrypted by the private key 1 in the response message may specifically include: the challenge type encrypted by the private key 1, the key type encrypted by the private key 1, and the private key 1 encrypted The length of the challenge field encrypted by the key number and private key 1.
若信息1包括挑战请求消息本身的内容和随机数2,则,响应消息中私钥1加密的信息1具体可以包括:私钥1加密的挑战类型、私钥1加密的随机数2、私钥1加密的密钥类型、私钥1加密的密钥号和私钥1加密的挑战字段长度。If the information 1 includes the content of the challenge request message itself and the random number 2, then the information 1 encrypted by the private key 1 in the response message may specifically include: the challenge type encrypted by the private key 1, the random number encrypted by the private key 1, 2, the private key 1Encrypted key type, private key 1 encrypted key number, and private key 1 encrypted challenge field length.
若信息1包括挑战请求消息本身的内容和设备标识信息2(例如:设备ID2或设备ID2的哈希值),则,响应消息中私钥1加密的信息1具体可以包括:私钥1加密的挑战类型、私钥1加密的标识信息2(例如:私钥1加密的设备ID2或私钥1加密的设备ID2的哈希值)、私钥1加密的密钥类型、私钥1加密的密钥号和私钥1加密的挑战字段长度。If information 1 includes the content of the challenge request message itself and device identification information 2 (for example: device ID2 or the hash value of device ID2), then the information 1 encrypted by private key 1 in the response message may specifically include: encrypted by private key 1 Challenge type, identification information 2 encrypted by private key 1 (for example: device ID 2 encrypted by private key 1 or hash value of device ID 2 encrypted by private key 1), key type encrypted by private key 1, and secret encrypted by private key 1. The length of the challenge field encrypted by the key number and private key 1.
若信息1包括挑战请求消息本身的内容和指示信息,则,响应消息中私钥1加密的信息1具体可以包括:私钥1加密的挑战类型、私钥1加密的指示信息、私钥1加密的密钥类型、私钥1加密的密钥号和私钥1加密的挑战字段长度。If the information 1 includes the content and instruction information of the challenge request message itself, the information 1 encrypted by the private key 1 in the response message may specifically include: the challenge type encrypted by the private key 1, the instruction information encrypted by the private key 1, and the private key 1 encryption The key type, the key number encrypted by private key 1, and the length of the challenge field encrypted by private key 1.
需要说明的是,信息1除了包括挑战请求消息本身的内容以外,还可以包括随机数 2、设备标识信息2以及指示信息中的一个或多个。例如:当信息1包括挑战请求消息本身的内容、指示信息、随机数2和设备标识信息2时,响应消息中私钥1加密的信息1具体可以包括:私钥1加密的挑战类型、私钥1加密的随机数2、私钥1加密的设备标识信息2、私钥1加密的指示信息、私钥1加密的密钥类型、私钥1加密的密钥号和私钥1加密的挑战字段长度。It should be noted that, in addition to the content of the challenge request message itself, information 1 may also include one or more of random number 2, device identification information 2, and indication information. For example: when information 1 includes the content of the challenge request message itself, indication information, random number 2 and device identification information 2, the information 1 encrypted by private key 1 in the response message may specifically include: challenge type encrypted by private key 1, private key 1 encrypted random number 2, private key 1 encrypted device identification information 2, private key 1 encrypted instruction information, private key 1 encrypted key type, private key 1 encrypted key number, and private key 1 encrypted challenge field length.
这样,设备2通过向设备1发送响应消息,设备1接收到该响应消息后,通过解析该响应消息,获得设备2使用其私钥1加密的信息1,为对设备1的鉴权提供了数据基础。In this way, device 2 sends a response message to device 1. After receiving the response message, device 1 parses the response message to obtain information 1 encrypted by device 2 with its private key 1, which provides data for authenticating device 1 basis.
S105,设备1根据公钥1进行解密,获得信息1。S105: Device 1 performs decryption according to public key 1 to obtain information 1.
S106,设备1比较信息1和本地存储的信息2,获得验证结果,并根据该验证结果确定设备1的使用权限。S106: The device 1 compares the information 1 with the locally stored information 2 to obtain a verification result, and determines the use right of the device 1 according to the verification result.
作为一个示例,若信息1中仅挑战请求消息本身的内容,则,设备1对解密后的信息1可以包括:挑战类型、密钥类型、密钥号和挑战字段长度。该示例中,对于S106,具体可以是:若设备1本地保存有挑战请求消息本身的内容,则,可以对比解密后得到的该挑战请求消息本身的内容和本地保存的挑战请求消息本身的内容,若一致,则确定开放设备1的使用权限,否则,确定设备1鉴权失败;或者,若设备1本地未保存挑战请求消息本身的内容,则,S105~S106具体可以是:只要采用公钥1进行解密获得信息1,即可确定对设备1的鉴权通过,开放该设备1的使用权限,否则,确定设备1鉴权失败。As an example, if only the content of the challenge request message itself is contained in the information 1, the decrypted information 1 by the device 1 may include: challenge type, key type, key number, and challenge field length. In this example, S106 may specifically be: if the device 1 locally stores the content of the challenge request message itself, then the decrypted content of the challenge request message itself can be compared with the content of the challenge request message itself stored locally. If they are consistent, it is determined that the use authority of device 1 is opened; otherwise, it is determined that the authentication of device 1 has failed; or, if the content of the challenge request message itself is not saved locally, S105 to S106 may specifically be: as long as the public key 1 is used By decrypting to obtain information 1, it can be determined that the authentication of the device 1 is passed and the use right of the device 1 is opened; otherwise, it is determined that the authentication of the device 1 has failed.
作为另一个示例,若信息1包括挑战请求消息本身的内容和随机数2,则,设备1解密后的信息1可以包括:挑战类型、随机数2、密钥类型、密钥号和挑战字段长度。该示例中,对于S106,具体可以是:设备1判断本地保存的随机数1和该信息1中的随机数2是否一致,若一致,则确定开放设备1的使用权限,否则,确定设备1鉴权失败。As another example, if information 1 includes the content of the challenge request message itself and random number 2, then the information 1 decrypted by device 1 may include: challenge type, random number 2, key type, key number, and challenge field length . In this example, for S106, it can be specifically: Device 1 judges whether the random number 1 stored locally and the random number 2 in the information 1 are consistent, if they are consistent, it determines that the use authority of device 1 is opened; otherwise, it determines that device 1 authenticates. Right to fail.
作为又一个示例,若信息1包括挑战请求消息本身的内容和设备标识信息2,则,设备1解密后的信息1可以包括:挑战类型、设备标识信息2、密钥类型、密钥号和挑战字段长度。该示例中,对于S106,具体可以是:设备1判断本地保存的设备标识信息1和该信息1中的设备标识信息2是否一致,若一致,则开放该设备1的使用权限,否则,确定设备1鉴权失败。As another example, if information 1 includes the content of the challenge request message itself and device identification information 2, then the information 1 decrypted by device 1 may include: challenge type, device identification information 2, key type, key number, and challenge The length of the field. In this example, for S106, it can specifically be: Device 1 determines whether the locally stored device identification information 1 and the device identification information 2 in the information 1 are consistent, if they are consistent, then the use authority of the device 1 is opened, otherwise, the device is determined 1Authentication failed.
作为再一个示例,若信息1包括挑战请求消息本身的内容和指示信息,则,设备1解密后的信息1可以包括:挑战类型、指示信息、密钥类型、密钥号和挑战字段长度。该示例中,对于S106,具体可以是:若设备1本地保存有指示信息,则,可以对比解密后得到的该指示信息和本地保存的指示信息,若一致,则按照该指示信息开放设备1的使用权限,否则,确定设备1鉴权失败;或者,若设备1本地未保存指示信息,则该指示信息可以视作设备2为设备1配置的鉴权范围,则,S105~S106具体可以是:只要采用公钥1解密获得信息1,即可确定对设备1的鉴权通过,按照该指示信息开放该设备1的使用权限,否则,确定设备1鉴权失败。As another example, if the information 1 includes the content and indication information of the challenge request message itself, the information 1 decrypted by the device 1 may include: challenge type, indication information, key type, key number, and challenge field length. In this example, for S106, it may specifically be: if the device 1 stores the instruction information locally, the instruction information obtained after decryption can be compared with the instruction information stored locally, and if they are consistent, the device 1’s information is opened according to the instruction information. Use permission, otherwise, it is determined that the authentication of device 1 has failed; or, if device 1 does not store the indication information locally, the indication information can be regarded as the authentication range configured by device 2 for device 1. Then, S105 to S106 may specifically be: As long as the public key 1 is used to decrypt the information 1, it can be determined that the authentication of the device 1 is passed, and the use authority of the device 1 is opened according to the instruction information; otherwise, it is determined that the authentication of the device 1 has failed.
需要说明的是,信息1除了包括挑战请求消息本身的内容以外,还可以包括随机数2、设备标识信息2以及指示信息中的一个或多个。例如:当信息1包括挑战请求消息本身的内容、指示信息、随机数2和设标识信息2时,对于S106,具体可以是:设备1判断本 地保存的随机数1和该信息1中的随机数2是否一致,若不一致,则,确定设备1鉴权失败;若一致,则,继续判断本地保存的设备标识信息1和该信息1中的设标识信息2是否一致,若不一致,则,确定设备1鉴权失败;若一致,则以设备1本地保存有被挑战请求消息携带的指示信息为例,继续对比解密后得到的该指示信息和本地保存的指示信息是否一致,若不一致,则确定设备1鉴权失败;若一致,则按照该指示信息、设备标识信息1开放设备1的使用权限。It should be noted that, in addition to the content of the challenge request message itself, the information 1 may also include one or more of the random number 2, the device identification information 2, and the indication information. For example: when the information 1 includes the content of the challenge request message itself, the instruction information, the random number 2 and the identification information 2, for S106, it can be specifically: the device 1 judges the random number 1 stored locally and the random number in the information 1 2 Whether they are consistent, if they are inconsistent, it is determined that the authentication of device 1 has failed; if they are consistent, continue to determine whether the locally stored device identification information 1 and the device identification information 2 in the information 1 are consistent, if they are inconsistent, determine the device 1 Authentication failed; if they are consistent, take the indication information carried in the challenged request message stored locally in device 1 as an example, continue to compare whether the indication information obtained after decryption is consistent with the indication information stored locally, if they are inconsistent, determine the device 1 The authentication fails; if they are consistent, the use authority of the device 1 is opened according to the instruction information and the device identification information 1.
设备1可以是网络设备或单板,以设备1为网络设备为例,作为一个示例,当S106中的各比较过程的结果均一致时,网络设备开放其上所有接口的使用权限;或者,当S106中的各比较过程的结果存在不一致的情况时,网络设备不开放其上任何的一个接口的使用权限。作为另一个示例,该信息1中还携带指示信息,例如:调试接口ID,那么,当S106中的各比较过程的结果均一致时,网络设备可以根据该指示信息开放对应的使用权限,例如:开放调试接口ID对应的调试接口的使用权限;或者,当S106中的各比较过程的结果存在不一致的情况时,网络设备不开放其上任何的一个接口的使用权限。Device 1 can be a network device or a single board. Taking Device 1 as a network device as an example, as an example, when the results of the comparison processes in S106 are consistent, the network device opens the use rights of all interfaces on it; or, when When the results of the comparison processes in S106 are inconsistent, the network device does not open the use right of any interface on it. As another example, the information 1 also carries indication information, such as a debugging interface ID. Then, when the results of the comparison processes in S106 are consistent, the network device can open the corresponding usage rights according to the indication information, for example: Open the use right of the debugging interface corresponding to the debugging interface ID; or, when the results of the comparison processes in S106 are inconsistent, the network device does not open the use right of any interface on it.
设备1也可以指某个设备上的调试接口或业务接口时,当S106中的各比较过程的结果均一致时,该设备可以开放其上对应的调试接口或业务接口的使用权限。当S106中的各比较过程的结果存在不一致的情况时,该设备可以不开放该调试接口或业务接口的使用权限。Device 1 can also refer to a debugging interface or service interface on a certain device. When the results of the comparison processes in S106 are consistent, the device can open the corresponding debugging interface or service interface on it. When the results of the comparison processes in S106 are inconsistent, the device may not open the use right of the debugging interface or the service interface.
这样,通过设备1和设备2的交互,实现了对设备1安全、可靠的鉴权,从而确保对设备1的访问都是安全的。In this way, through the interaction between the device 1 and the device 2, a safe and reliable authentication of the device 1 is realized, thereby ensuring that all accesses to the device 1 are safe.
在一些具体的实现方式中,对于设备3为设备2配置公私钥对这一安全等级更高的场景,设备3作为绝对安全的设备,还具有更新设备3自身公私钥以及吊销为设备2分配的公私钥的能力,使得使用设备2这一鉴权工具对设备1进行鉴权更加灵活和可控。In some specific implementations, for the scenario where device 3 configures a public-private key pair for device 2 with a higher security level, device 3, as an absolutely secure device, also has the ability to update device 3’s own public and private keys and revoke the allocation for device 2 The ability of public and private keys makes it more flexible and controllable to use device 2 as an authentication tool to authenticate device 1.
作为一个示例,当设备3确定自身的公钥2和私钥2不够安全,可能存在一定的安全隐患时,确定该公钥2和私钥2失效,本申请实施例还可以包括:S31,设备3启用私钥4和对应的公钥4;S32,设备3采用私钥4分别对公钥1和私钥1进行加密;S33,设备3将公钥4、采用私钥4分别对公钥1和采用私钥4分别对私钥1配置到设备2;S34,设备2采用公钥4对采用私钥4分别对私钥1进行解密,得到私钥1并保存在设备2本地的安全存储空间中;S35,设备1向设备2发送挑战请求消息;S36,设备2向设备1发送响应消息1,该响应消息1中至少包括:挑战类型、公钥4、密钥类型、密钥号和挑战字段长度,该响应消息1中的挑战类型字段的值用于指示设备1更新其上保存的设备3对应的公钥,例如:挑战类型字段的值=0x55AA555A;S37,设备1将公钥2删除或将公钥2置为禁止使用的公钥,并对应保存公钥4。如此,设备3实现了对设备1上保存的公钥的更新,使得控制对设备1的鉴权更加安全和可靠成为可能。As an example, when the device 3 determines that its public key 2 and private key 2 are not sufficiently secure, and there may be a certain security risk, it is determined that the public key 2 and the private key 2 are invalid. The embodiment of the present application may further include: S31, the device 3 Enable private key 4 and corresponding public key 4; S32, device 3 uses private key 4 to encrypt public key 1 and private key 1 respectively; S33, device 3 uses public key 4 and private key 4 to respectively encrypt public key 1 And using private key 4 to configure private key 1 to device 2; S34, device 2 uses public key 4 to decrypt private key 1 using private key 4 to obtain private key 1 and save it in the local secure storage space of device 2 In; S35, device 1 sends a challenge request message to device 2; S36, device 2 sends a response message 1 to device 1, the response message 1 at least includes: challenge type, public key 4, key type, key number and challenge The field length. The value of the challenge type field in the response message 1 is used to instruct device 1 to update the public key corresponding to device 3 stored on it, for example: the value of the challenge type field = 0x55AA555A; S37, device 1 deletes public key 2 Or set public key 2 as a prohibited public key, and save public key 4 accordingly. In this way, the device 3 realizes the update of the public key stored on the device 1, making it possible to control the authentication of the device 1 more securely and reliably.
作为另一个示例,当设备3确定其为设备2分配的公钥1和私钥1不够安全,可能存在一定的安全隐患时,确定该公钥1和私钥1失效,本申请实施例还可以包括:S41,设备3为设备2重新分配私钥3和对应的公钥3;S42,设备3采用私钥2分别对公钥3和私钥 3进行加密;S43,设备3将公钥2、采用私钥2分别对公钥3和采用私钥2分别对私钥3配置到设备2;S44,设备2采用公钥2对采用私钥2分别对私钥3进行解密,得到私钥3并保存在设备2本地的安全存储空间中。如此,设备3实现了对设备2上用于鉴权的公钥和私钥的吊销和更新,使得设备2能够更加安全和可靠的对设备1进行鉴权。As another example, when the device 3 determines that the public key 1 and the private key 1 allocated to the device 2 are not secure enough and there may be a certain security risk, it is determined that the public key 1 and the private key 1 are invalid. The embodiment of the application may also Including: S41, device 3 redistributes private key 3 and corresponding public key 3 for device 2; S42, device 3 uses private key 2 to encrypt public key 3 and private key 3 respectively; S43, device 3 encrypts public key 2, Use private key 2 to separately configure public key 3 and private key 2 to private key 3 to device 2; S44, device 2 uses public key 2 to decrypt private key 3 using private key 2 to obtain private key 3 and Save it in the local secure storage space of device 2. In this way, the device 3 realizes the revocation and update of the public key and the private key used for authentication on the device 2, so that the device 2 can authenticate the device 1 more securely and reliably.
作为再一个示例,当设备3确定自身的公钥2和私钥2不够安全,且设备3为设备2分配的公钥1和私钥1也不够安全,可能存在一定的安全隐患时,确定该公钥2、私钥2、公钥1和私钥1均失效,本申请实施例还可以包括:S51,设备3启用户私钥4和对应的公钥4,并为设备2重新分配私钥3和对应的公钥3;S52,设备3采用私钥4分别对公钥3和私钥3进行加密;S53,设备3将公钥4、采用私钥4分别对公钥3和采用私钥4分别对私钥3配置到设备2;S54,设备2采用公钥4对采用私钥4分别对私钥3进行解密,得到私钥3并保存在设备2本地的安全存储空间中;S55,设备1向设备2发送挑战请求消息;S56,设备2向设备1发送响应消息2,该响应消息2中至少包括:挑战类型、公钥4、密钥类型、密钥号和挑战字段长度,该响应消息2中的挑战类型字段的值用于指示设备1更新其上保存的设备3对应的公钥;S57,设备1将公钥2删除或将公钥2置为禁止使用的公钥,并对应保存公钥4。如此,设备3实现了对设备1上保存的公钥的更新,以及对设备2上用于鉴权的公钥和私钥的吊销和更新,使得设备2能够更加安全和可靠的对设备1进行鉴权。As another example, when device 3 determines that its public key 2 and private key 2 are not secure enough, and the public key 1 and private key 1 allocated by device 3 to device 2 are also not secure enough, there may be a certain security risk, determine the The public key 2, the private key 2, the public key 1, and the private key 1 are all invalid. The embodiment of this application may also include: S51, the device 3 activates the user private key 4 and the corresponding public key 4, and redistributes the private key for the device 2 3 and the corresponding public key 3; S52, device 3 uses private key 4 to encrypt public key 3 and private key 3 respectively; S53, device 3 uses public key 4 and private key 4 to public key 3 and private key respectively 4 Configure the private key 3 to the device 2 respectively; S54, the device 2 uses the public key 4 to decrypt the private key 3 with the private key 4 to obtain the private key 3 and save it in the local secure storage space of the device 2; S55, Device 1 sends a challenge request message to device 2; S56, device 2 sends a response message 2 to device 1, and the response message 2 includes at least: challenge type, public key 4, key type, key number, and challenge field length. The value of the challenge type field in response message 2 is used to instruct device 1 to update the public key corresponding to device 3 saved on it; S57, device 1 deletes public key 2 or sets public key 2 as a prohibited public key, and Corresponding to save the public key 4. In this way, device 3 can update the public key saved on device 1, and revoke and update the public and private keys used for authentication on device 2, so that device 2 can perform more secure and reliable operations on device 1. Authentication.
可见,通过本申请实施例提供的鉴权方法,由待鉴权的设备1向鉴权工具等具有为鉴权功能的设备2发送信息2;设备2基于私钥1对接收到的信息1进行加密,并将经过私钥1加密的信息1发送给设备1;设备1根据公钥1进行解密,获得信息1,通过比较信息1和本地存储的信息2,确定设备1的使用权限。这样,通过加解密技术以及具有专用于对设备1鉴权的设备2,实现由设备2对待鉴权的设备1的鉴权,克服了目前通过密码本或者接口对应焊盘裸露的等方式保护设备1安全时存在的安全隐患,确保了对待鉴权的设备1的保护更加安全和可靠。It can be seen that, through the authentication method provided by the embodiment of this application, the device 1 to be authenticated sends information 2 to the device 2 with authentication function such as an authentication tool; the device 2 performs the authentication on the received information 1 based on the private key 1. Encrypt and send the information 1 encrypted with the private key 1 to the device 1. The device 1 decrypts the information according to the public key 1 to obtain the information 1. By comparing the information 1 and the locally stored information 2, the use authority of the device 1 is determined. In this way, through the encryption and decryption technology and the device 2 dedicated to authenticating the device 1, the device 2 can authenticate the device 1 to be authenticated, which overcomes the current protection of the device through the codebook or the exposed pad of the interface. 1 The hidden safety hazards that exist during security ensure that the protection of the device 1 to be authenticated is safer and more reliable.
为了更加清楚和详细的介绍本申请实施例,下面在图1所示的场景,假设设备12为交换机的调试接口12,CA服务器13和交换机12不能直接通信、CA服务器13和鉴权工具11也不能直接通信为例,结合图4对本申请实施例中的鉴权过程进行具体说明。In order to introduce the embodiments of this application more clearly and in detail, in the scenario shown in Figure 1 below, it is assumed that the device 12 is the debugging interface 12 of the switch, the CA server 13 and the switch 12 cannot communicate directly, and the CA server 13 and the authentication tool 11 are also Taking the example of not being able to communicate directly, the authentication process in the embodiment of the present application will be described in detail with reference to FIG. 4.
参见图4,本实施例中方法200的鉴权过程例如可以包括:Referring to FIG. 4, the authentication process of the method 200 in this embodiment may include, for example:
S201,用户14在CA服务器13上提交请求消息,该请求消息用于请求CA服务器13为鉴权工具11分配公私钥。S201: The user 14 submits a request message on the CA server 13, and the request message is used to request the CA server 13 to allocate a public and private key to the authentication tool 11.
其中,本实施例中,用户14也可以是安全的产线自动化设备,自动执行用户14所执行的所有操作。Among them, in this embodiment, the user 14 may also be a safe production line automation equipment that automatically performs all operations performed by the user 14.
S202,CA服务器13为鉴权工具11生成私钥b和对应的公钥B。S202: The CA server 13 generates a private key b and a corresponding public key B for the authentication tool 11.
S203,CA服务器13采用自身的私钥d分别加密私钥b和公钥B。S203: The CA server 13 uses its own private key d to encrypt the private key b and the public key B respectively.
S204,CA服务器13将私钥d对应的公钥D通过用户14配置给交换机。S204, the CA server 13 configures the public key D corresponding to the private key d to the switch through the user 14.
S205,交换机将公钥D保存在本地的安全存储空间中。S205: The switch saves the public key D in a local secure storage space.
S206,CA服务器13将公钥D、私钥d加密的私钥b和采用私钥d加密的公钥B通过用户14配置给鉴权工具11。S206, the CA server 13 configures the public key D, the private key b encrypted by the private key d, and the public key B encrypted by the private key d to the authentication tool 11 through the user 14.
S207,鉴权工具11采用公钥D对私钥d加密的私钥b进行解密,获得并保存私钥b。S207: The authentication tool 11 uses the public key D to decrypt the private key b encrypted by the private key d, and obtains and saves the private key b.
S208,交换机向鉴权工具11发送挑战请求消息1,该挑战请求消息1中携带随机数X1。S208: The switch sends a challenge request message 1 to the authentication tool 11. The challenge request message 1 carries a random number X1.
S209,鉴权工具11采用本地保存的私钥b对挑战请求消息1中的信息进行加密,并生成包括私钥b加密的X2的响应消息1,该X2为鉴权工具11接收到的随机数。S209. The authentication tool 11 uses the locally stored private key b to encrypt the information in the challenge request message 1, and generates a response message 1 including X2 encrypted by the private key b, where X2 is the random number received by the authentication tool 11 .
S210,鉴权工具11向交换机发送该响应消息1。S210: The authentication tool 11 sends the response message 1 to the switch.
S211,鉴权工具11向交换机发送采用私钥d加密的公钥B。S211: The authentication tool 11 sends the public key B encrypted with the private key d to the switch.
S212,交换机利用本地保存的公钥D对采用私钥d加密的公钥B进行解密,获得并保存公钥B。S212: The switch uses the public key D stored locally to decrypt the public key B encrypted with the private key d, and obtains and saves the public key B.
S213,交换机采用公钥B解密响应消息1中的信息,获得X2,该X2为公钥B对使用私钥b加密的X2解密得到的。S213: The switch uses the public key B to decrypt the information in the response message 1 to obtain X2, which is obtained by the public key B decrypting X2 encrypted with the private key b.
S214,交换机比较X2和本地保存的随机数X1是否一致,若一致,则执行S215,否则,执行S216。S214: The switch compares whether X2 and the locally stored random number X1 are consistent, if they are consistent, execute S215, otherwise, execute S216.
S215,交换机开放调试接口12的使用权限。S215: The switch opens the use right of the debugging interface 12.
S216,交换机确定中止鉴权流程,并向CA服务器13上报鉴权错误。S216: The switch determines to suspend the authentication process, and reports an authentication error to the CA server 13.
如此,本实施例中,通过加解密技术、CA服务器13这一安全等级较高的服务器、以及专门用于对交换机进行鉴权的鉴权工具11和交换机之间的交互,实现了鉴权工具11对交换机上调试接口12使用权限的管理,实现了对交换机上关键接口更加安全的保护。In this way, in this embodiment, the authentication tool is implemented through the interaction between the encryption and decryption technology, the CA server 13, a server with a higher security level, and the authentication tool 11 that is specifically used to authenticate the switch, and the switch. 11 The management of the use authority of the debugging interface 12 on the switch realizes more secure protection of the key interface on the switch.
图5示出了本申请实施例中一种鉴权方法300的流程示意图,该方法300应用在包括第一设备和第二设备的场景中,以第一设备为执行主体,该鉴权方法300例如可以包括:FIG. 5 shows a schematic flowchart of an authentication method 300 in an embodiment of the present application. The method 300 is applied in a scenario that includes a first device and a second device, and the first device is the execution subject. The authentication method 300 For example, it can include:
S301,接收第二设备发送的采用第一私钥加密的第一信息;S301: Receive the first information encrypted by the first private key and sent by the second device.
S302,根据第一公钥进行解密,获得该第一信息,其中,第一公钥与第一私钥对应;S302: Decrypt according to the first public key to obtain the first information, where the first public key corresponds to the first private key;
S303,对第一信息和本地存储的第二信息进行匹配验证,获得验证结果;S303: Perform matching verification on the first information and the locally stored second information to obtain a verification result;
S304,根据该验证结果,确定第一设备的使用权限。S304: Determine the use right of the first device according to the verification result.
其中,第一设备可以是方法100中的设备1,那么,第二设备为方法100中的设备2,第一私钥为方法100中的私钥1,第一公钥为方法100中的公钥1,第一信息为方法100中的信息1,第二信息为方法100中的信息2。或者,第一设备也可以是方法200中的交换机的调试接口12,那么,第二设备为方法200中的鉴权工具11,第一私钥为方法200中的私钥b,第一公钥为方法200中的公钥B,第一信息包括方法100中私钥b加密的随机数X2,第二信息包括方法100中的随机数X1。The first device can be device 1 in method 100, then the second device is device 2 in method 100, the first private key is private key 1 in method 100, and the first public key is public key in method 100. Key 1, the first information is information 1 in method 100, and the second information is information 2 in method 100. Alternatively, the first device may also be the debugging interface 12 of the switch in the method 200, then the second device is the authentication tool 11 in the method 200, the first private key is the private key b in the method 200, and the first public key For the public key B in the method 200, the first information includes the random number X2 encrypted by the private key b in the method 100, and the second information includes the random number X1 in the method 100.
具体而言,当验证结果表示验证通过,则第一设备开放对应的使用权限,当验证结果表示验证未通过,则第一设备不开放对应的使用权限。这样,通过加解密技术以及具有鉴权功能的第二设备,实现对待鉴权的第一设备的鉴权,克服了目前通过密码本或者接口对应焊盘裸露的等方式保护第一设备安全时存在的安全隐患,确保了对待鉴权的第一设备更 加安全和可靠的保护。Specifically, when the verification result indicates that the verification is passed, the first device opens the corresponding use right, and when the verification result indicates that the verification fails, the first device does not open the corresponding use right. In this way, through the encryption and decryption technology and the second device with authentication function, the authentication of the first device to be authenticated is realized, which overcomes the current situation of protecting the security of the first device by means of codebooks or exposed pads corresponding to the interface. The potential safety hazards ensure the safer and more reliable protection of the first device to be authenticated.
其中,第一设备可以是待鉴权的任何设备,例如:可以指网络设备或单板,又例如:也可以指设备上的调试接口或业务接口。第二设备可以是指具有鉴权功能的鉴权工具。当第一设备指调试接口时,鉴权工具将第一私钥加密的第一信息下发到调试接口所在设备并由第一公钥进行解密,通过验证通过后,该调试接口所在设备开放该调试接口的使用权限,供访问和使用该调试接口。Wherein, the first device may be any device to be authenticated, for example, it may refer to a network device or a single board, or for another example, it may also refer to a debugging interface or a service interface on the device. The second device may refer to an authentication tool with an authentication function. When the first device refers to the debugging interface, the authentication tool sends the first information encrypted by the first private key to the device where the debugging interface is located and decrypted by the first public key. After the verification is passed, the device where the debugging interface is located will open the The permission to use the debugging interface is for accessing and using the debugging interface.
在一些可能的实现方式中,第一私钥和第一公钥可以是第二设备生成的;或者,第一私钥和第一公钥也可以是鉴权服务器为第二设备配置的。In some possible implementation manners, the first private key and the first public key may be generated by the second device; or, the first private key and the first public key may also be configured by the authentication server for the second device.
为了更加安全,该方法300还可以包括:第一设备接收第二设备发送的经过鉴权服务器的第二私钥加密的第一公钥;第一设备使用本地存储的鉴权服务器的第二公钥,对加密的第一公钥进行解密,获得所述第一公钥。这样,通过鉴权服务器这一安全等级较高的服务器对第一公钥进行加密,相比在第一设备上直接保存第一公钥,更加安全和可靠。For more security, the method 300 may further include: the first device receives the first public key encrypted by the second private key of the authentication server sent by the second device; and the first device uses the second public key of the authentication server stored locally. Key to decrypt the encrypted first public key to obtain the first public key. In this way, encrypting the first public key by a server with a higher security level, which is the authentication server, is more secure and reliable than storing the first public key directly on the first device.
作为一个示例,第二信息可以包括第一随机数,在执行S301之前,方法300还可以包括:向第二设备发送挑战请求消息,该挑战请求消息中携带第一随机数;那么,S301具体可以包括:第一设备接收所述第二设备发送的响应消息,该响应消息中携带所述第一信息,所述第一信息包括第二随机数;此时,S303具体可以包括:对所述第一随机数和所述第二随机数进行匹配验证。其中,第一随机数可以唯一标识对第一设备的一次鉴权,使用随机数进行鉴权,确保每次鉴权中都可以基于本次生成的随机数进行,能够有效防止第一设备的信息被复制,防止重放攻击。As an example, the second information may include the first random number. Before S301 is performed, the method 300 may further include: sending a challenge request message to the second device, where the challenge request message carries the first random number; then, S301 may specifically Including: the first device receives a response message sent by the second device, the response message carries the first information, and the first information includes a second random number; in this case, S303 may specifically include: A random number and the second random number are matched and verified. Among them, the first random number can uniquely identify an authentication to the first device, and the random number is used for authentication to ensure that each authentication can be performed based on the random number generated this time, which can effectively prevent the information of the first device Is copied to prevent replay attacks.
作为另一个示例,该第二信息还可以包括第一设备标识信息,该第一信息中包括第二设备标识信息,所述第一设备标识信息用于唯一标识所述第一设备,那么,S303具体还可以包括:对所述第一设备标识信息和所述第二设备标识信息进行匹配验证。作为一个示例,所述第一设备标识信息为第一设备ID,所述第二设备标识信息为第二设备ID,那么,S303具体还可以包括:对所述第一设备ID和第二设备ID进行匹配验证。作为另一个示例,所述第一设备标识信息为第一设备ID的哈希值,所述第二设备标识信息为第二设备ID的哈希值,那么,S303具体可以包括:对所述第一设备ID的哈希值和第二设备ID的哈希值进行匹配验证。为了鉴权的安全进行,本申请实施例中设备ID为非公开的能够唯一标识设备的ID,例如:第一设备ID为第一设备出厂时定义的硬件唯一密钥HUK,又例如:第一设备ID为根据第一设备的晶片标识die ID和唯一设备标识UDI处理得到的。这样,通过第一设备本地存储的第一设备ID或第一设备ID的哈希值,对解密后获得的第二设备ID或第二设备ID的哈希值进行验证,实现对第一设备可靠和安全的鉴权。As another example, the second information may further include first device identification information, the first information includes second device identification information, and the first device identification information is used to uniquely identify the first device, then, S303 Specifically, it may further include: performing matching verification on the first device identification information and the second device identification information. As an example, the first device identification information is a first device ID, and the second device identification information is a second device ID. Then, S303 may specifically include: comparing the first device ID and the second device ID Perform matching verification. As another example, the first device identification information is the hash value of the first device ID, and the second device identification information is the hash value of the second device ID. Then, S303 may specifically include: The hash value of one device ID and the hash value of the second device ID are matched and verified. For the security of authentication, the device ID in this embodiment of the application is a non-public ID that can uniquely identify the device, for example: the first device ID is the hardware unique key HUK defined when the first device leaves the factory, another example is: The device ID is obtained by processing the die ID of the first device and the unique device identifier UDI. In this way, the first device ID or the hash value of the first device ID stored locally by the first device is used to verify the second device ID or the hash value of the second device ID obtained after decryption, so as to realize the reliability of the first device And secure authentication.
作为又一个示例,该第二信息还可以包括目标有效信息,所述第一信息中包括实际使用信息,其中,实际使用信息用于表征所述第一设备上当前使用所述第二设备鉴权的情况。那么,S303具体还可以包括:第一设备根据所述目标有效信息,对所述实际使用信息进行验证,以确定所述第二设备能否继续用于对所述第一设备进行鉴权。当第一设备确定实际使用信息还未达到目标有效信息,则,确定第二设备对于第一设备而言有效,可以继续使用第二设备对第一设备进行鉴权;否则,当第一设备确定实际使用信息已经达到目标 有效信息,则,确定第二设备对于第一设备而言已经失效,不能继续使用第二设备对第一设备进行鉴权。其中,目标有效信息为允许使用所述第二设备进行鉴权的最多次数(例如:5次);或者,目标有效信息为允许使用所述第二设备进行鉴权的最长时间(例如:20小时)。这样,通过第一设备本地存储的目标有效信息,对第一信息中携带的实际使用信息进行验证,实现对第一设备可靠和安全的鉴权。As another example, the second information may also include target valid information, and the first information includes actual usage information, where the actual usage information is used to characterize that the second device authentication is currently used on the first device. Case. Then, S303 may specifically include: the first device verifies the actual usage information according to the target valid information to determine whether the second device can continue to be used to authenticate the first device. When the first device determines that the actual usage information has not reached the target effective information, it determines that the second device is valid for the first device and can continue to use the second device to authenticate the first device; otherwise, when the first device determines If the actual use information has reached the target effective information, it is determined that the second device is invalid for the first device, and the second device cannot be used to authenticate the first device. Wherein, the target effective information is the maximum number of times allowed to use the second device for authentication (for example: 5 times); or, the target effective information is the maximum time allowed to use the second device for authentication (for example: 20 hour). In this way, the actual use information carried in the first information is verified through the target effective information stored locally in the first device, so that reliable and safe authentication of the first device is realized.
作为再一个示例,该第一信息还可以包括指示信息,所述指示信息用于指示下述信息中的至少一个:开放所述使用权限的时间、开放所述使用权限的接口或开放所述使用权限的操作。其中,该指示信息可以是第一设备在挑战请求消息中发送给第二设备的,也可以是第二设备根据自身的鉴权范围指定的对应的指示信息;还可以是第一设备在挑战请求消息中发送给第二设备的,并由第二设备根据自身的鉴权范围确定出的对应的指示信息。这样,通过第一设备接收并解密后获得的指示信息,实现对第一设备可靠和安全的鉴权。As yet another example, the first information may further include indication information, the indication information being used to indicate at least one of the following information: the time when the use permission is opened, the interface for opening the use permission, or the use Permission operation. Wherein, the indication information may be sent by the first device to the second device in the challenge request message, or it may be corresponding indication information specified by the second device according to its own authentication range; it may also be the first device in the challenge request message. The corresponding indication information sent to the second device in the message and determined by the second device according to its own authentication range. In this way, through the instruction information obtained after the first device receives and decrypts, reliable and safe authentication of the first device is realized.
需要说明的是,本申请实施例中的方法300,具体实现方式以及达到的效果可以参见上述图3和图4所示实施例中的相关说明。It should be noted that, for the method 300 in the embodiment of the present application, the specific implementation manner and the achieved effect can be referred to the related description in the embodiment shown in FIG. 3 and FIG. 4.
图6示出了本申请实施例中一种对第一设备的使用权限进行鉴权的方法400的流程示意图,该方法400应用在包括第一设备和第二设备的场景中,以第二设备为执行主体,该方法400例如可以包括:6 shows a schematic flowchart of a method 400 for authenticating the use right of a first device in an embodiment of the present application. The method 400 is applied in a scenario that includes a first device and a second device. For the execution subject, the method 400 may include, for example:
S401,采用本地存储的第一私钥对所述第一信息进行加密;S401: Encrypt the first information by using a first private key stored locally;
S402,向第一设备发送经过所述第一私钥加密的所述第一信息,以对所述第一设备的使用权限进行鉴权。S402: Send the first information encrypted by the first private key to a first device, so as to authenticate the use right of the first device.
其中,第二设备可以是方法100中的设备2,那么,第一设备为方法100中的设备1,第一私钥为方法100中的私钥1,第一公钥为方法100中的公钥1,第一信息为方法100中的信息1。或者,第二设备可以是方法200中的鉴权工具11,那么,第一设备为方法200中的交换机的调试接口12,第一私钥为方法200中的私钥b,第一公钥为方法200中的公钥B,第一信息包括方法100中私钥b加密的随机数X2。The second device can be device 2 in method 100, then the first device is device 1 in method 100, the first private key is private key 1 in method 100, and the first public key is public key in method 100. Key 1, the first information is information 1 in method 100. Alternatively, the second device may be the authentication tool 11 in the method 200. Then, the first device is the debugging interface 12 of the switch in the method 200, the first private key is the private key b in the method 200, and the first public key is In the public key B in the method 200, the first information includes the random number X2 encrypted by the private key b in the method 100.
这样,通过加解密技术以及具有鉴权功能的第二设备,实现对待鉴权的第一设备的鉴权,克服了目前通过密码本或者接口对应焊盘裸露的等方式保护第一设备安全时存在的安全隐患,确保了对待鉴权的第一设备更加安全和可靠的保护。In this way, through the encryption and decryption technology and the second device with authentication function, the authentication of the first device to be authenticated is realized, which overcomes the current situation of protecting the security of the first device by means of codebooks or exposed pads corresponding to the interface. The potential safety hazards ensure the safer and more reliable protection of the first device to be authenticated.
其中,第二设备可以是指具有鉴权功能的鉴权工具。第一设备可以是待鉴权的任何设备,例如:可以指网络设备或单板,又例如:也可以指设备上的调试接口或业务接口。当第一设备指调试接口时,鉴权工具将第一私钥加密的第一信息下发到调试接口所在设备并由第一公钥进行解密,通过验证通过后,该调试接口所在设备开放该调试接口的使用权限,供访问和使用该调试接口。Among them, the second device may refer to an authentication tool with an authentication function. The first device may be any device to be authenticated, for example: it may refer to a network device or a single board, or for example: it may also refer to a debugging interface or a service interface on the device. When the first device refers to the debugging interface, the authentication tool sends the first information encrypted by the first private key to the device where the debugging interface is located and decrypted by the first public key. After the verification is passed, the device where the debugging interface is located will open the The permission to use the debugging interface is for accessing and using the debugging interface.
在一些具体的实现方式中,第一私钥和第一公钥可以是第二设备生成的;或者,第一私钥和第一公钥也可以是鉴权服务器为第二设备配置的。In some specific implementation manners, the first private key and the first public key may be generated by the second device; or, the first private key and the first public key may also be configured by the authentication server for the second device.
作为一个示例,该方法400还可以包括:第二设备接收鉴权服务器发送的鉴权服务器的第二公钥、经过第二私钥加密的所述第一公钥和经过所述第二私钥加密的所述第一私 钥,所述第二私钥和所述第二公钥对应;接着,第二设备利用所述第二公钥对所述经过所述第二私钥加密的所述第一私钥进行解密,获得所述第一私钥;第二设备也可以将所述经过所述第二私钥加密的所述第一公钥发送至所述第一设备,以便所述第一设备基于本地存储的所述第二公钥,对所述经过所述第二私钥加密的所述第一公钥进行解密,获得所述第一公钥。As an example, the method 400 may further include: the second device receiving the second public key of the authentication server sent by the authentication server, the first public key encrypted by the second private key, and the second private key The encrypted first private key, the second private key corresponds to the second public key; then, the second device uses the second public key to encrypt the second private key The first private key is decrypted to obtain the first private key; the second device may also send the first public key encrypted by the second private key to the first device, so that the second device A device decrypts the first public key encrypted by the second private key based on the locally stored second public key to obtain the first public key.
作为另一个示例,该第一信息包括第一随机数,那么,在S401之前,该方法400具体还可以包括:第二设备接收所述第一设备发送的挑战请求消息,所述挑战请求消息中携带所述第一随机数;S402具体可以包括:第二设备向所述第一设备发送响应消息,所述响应消息中携带经过所述第一私钥加密的所述第一随机数。As another example, the first information includes the first random number. Then, before S401, the method 400 may specifically further include: the second device receives a challenge request message sent by the first device, where the challenge request message Carrying the first random number; S402 may specifically include: the second device sends a response message to the first device, where the response message carries the first random number encrypted by the first private key.
作为又一个示例,该第二信息还可以包括第一信息还包括第一设备标识信息,该第一设备标识信息被所述第一设备用于身份验证,例如:可以是第一设备ID或第一设备ID的哈希值。方法400还可以包括:第二设备对所述第一设备ID和本地存储的与所述第一设备对应的第二设备ID进行匹配验证;或者,第二设备对所述第一设备ID的哈希值和本地存储的与所述第一设备对应的第二设备ID的哈希值进行匹配验证。其中,所述第一设备ID为所述第一设备出厂时定义的硬件唯一密钥HUK,或者,所述第一设备ID为根据所述第一设备的晶片标识die ID和唯一设备标识UDI处理得到的。As another example, the second information may also include the first information and first device identification information. The first device identification information is used by the first device for identity verification. For example, it may be the first device ID or the first device ID. A hash value of the device ID. The method 400 may further include: the second device performs matching verification on the first device ID and a locally stored second device ID corresponding to the first device; or, the second device performs a matching verification on the first device ID. The Greek value is matched and verified with the locally stored hash value of the second device ID corresponding to the first device. Wherein, the first device ID is a hardware unique key HUK defined when the first device leaves the factory, or the first device ID is processed according to the chip ID die ID of the first device and the unique device ID UDI owned.
作为又一个示例,该第一信息还可以包括目标有效信息,该目标有效信息被所述第一设备用于确定能否继续使用所述第二设备进行鉴权。那么,方法400还可以包括:第二设备更新所述实际使用信息,所述实际使用信息用于表征所述第一设备上当前使用所述第二设备鉴权的情况;接着,第二设备根据所述目标有效信息,对更新后的所述实际使用信息进行验证,以确定所述第二设备能否继续用于对所述第一设备进行鉴权。其中,该目标有效信息为允许使用所述第二设备进行鉴权的最多次数,则,所述实际使用信息为所述第一设备截止当前使用所述第二设备进行鉴权的实际使用次数;或者,该目标有效信息为允许使用所述第二设备进行鉴权的最长时间,则,所述实际使用信息为从所述目标有效信息的计时起始时刻到当前时刻的实际使用时间。As another example, the first information may also include target valid information, which is used by the first device to determine whether the second device can continue to be used for authentication. Then, the method 400 may further include: the second device updates the actual usage information, the actual usage information is used to characterize the current use of the second device authentication on the first device; then, the second device according to The target effective information verifies the updated actual usage information to determine whether the second device can continue to be used to authenticate the first device. Wherein, the target effective information is the maximum number of times that the second device is allowed to perform authentication, then the actual usage information is the actual number of times the first device uses the second device for authentication until the current time; Alternatively, the target valid information is the maximum time allowed to use the second device for authentication, then the actual usage information is the actual usage time from the timing start time of the target valid information to the current moment.
作为再一个示例,该第一信息还可以包括指示信息,所述指示信息用于指示下述信息中的至少一个:开放所述使用权限的时间、开放所述使用权限的接口或开放所述使用权限的操作。As yet another example, the first information may further include indication information, the indication information being used to indicate at least one of the following information: the time when the use permission is opened, the interface for opening the use permission, or the use Permission operation.
需要说明的是,本申请实施例中的方法400,具体实现方式以及达到的效果可以参见上述图3、图4以及图5所示实施例中的相关说明。It should be noted that, for the method 400 in the embodiment of the present application, the specific implementation manner and the achieved effect can be referred to the related description in the embodiment shown in FIG. 3, FIG. 4, and FIG. 5.
此外,本申请还提供了第一设备700,参见图7所示。该第一设备700包括收发单元701和处理单元702。其中,收发单元701用于执行上述图3所示实施例中设备1执行的收发操作,或者图4所示实施例中交换机的调试接口12执行的收发操作,或者图5所示方法实施例中第一设备执行的收发操作;处理单元702用于执行上述图3所示实施例中设备1执行的除了收发操作以外的其他操作,或者图4所示实施例中交换机的调试接口12执行的除了收发操作以外的其他操作,或者图5所示方法实施例中第一设备执行的除了收发操作 以外的其他操作。例如:第一设备700为方法100中的设备1,那么,收发单元701用于接收设备2发送的采用私钥1加密的信息1;所述处理单元702用于根据公钥1进行解密,获得信息1,所述处理单元702还用于比较信息1和本地存储的信息2,确定设备1的使用权限。In addition, this application also provides a first device 700, as shown in FIG. 7. The first device 700 includes a transceiver unit 701 and a processing unit 702. The transceiving unit 701 is configured to perform the transceiving operation performed by the device 1 in the embodiment shown in FIG. 3, or the transceiving operation performed by the debugging interface 12 of the switch in the embodiment shown in FIG. 4, or the method embodiment shown in FIG. Transceiving operations performed by the first device; the processing unit 702 is configured to perform operations other than the transceiving operations performed by the device 1 in the embodiment shown in FIG. 3, or other operations performed by the debugging interface 12 of the switch in the embodiment shown in FIG. 4 Operations other than the transceiving operation, or operations performed by the first device in the method embodiment shown in FIG. 5 other than the transceiving operation. For example: the first device 700 is the device 1 in the method 100, then the transceiving unit 701 is used to receive the information 1 encrypted with the private key 1 sent by the device 2; the processing unit 702 is used to decrypt according to the public key 1 to obtain Information 1, the processing unit 702 is also used to compare the information 1 and the locally stored information 2 to determine the use right of the device 1.
此外,本申请实施例还提供了第二设备800,参见图8所示。该第二设备800包括收发单元801和处理单元802。其中,其中,收发单元801用于执行上述图3所示实施例中设备2执行的收发操作,或者图4所示实施例中鉴权工具11执行的收发操作,或者图6所示方法实施例中第二设备执行的收发操作;处理单元802用于执行上述图3所示实施例中设备2执行的除了收发操作以外的其他操作,或者图4所示实施例中鉴权工具11执行的除了收发操作以外的其他操作,或者图6所示方法实施例中第二设备执行的除了收发操作以外的其他操作。例如:第一设备800为方法100中的设备2,那么,收发单元801用于将经过私钥1加密的信息1发送给设备1;所述处理单元802用于根据本地存储的私钥1对信息1进行加密。In addition, an embodiment of the present application also provides a second device 800, as shown in FIG. 8. The second device 800 includes a transceiver unit 801 and a processing unit 802. Among them, the transceiving unit 801 is configured to perform the transceiving operation performed by the device 2 in the embodiment shown in FIG. 3, or the transceiving operation performed by the authentication tool 11 in the embodiment shown in FIG. 4, or the method embodiment shown in FIG. Transceiving operations performed by the second device in the second device; the processing unit 802 is configured to perform operations other than the transceiving operations performed by the device 2 in the embodiment shown in FIG. 3, or other operations performed by the authentication tool 11 in the embodiment shown in FIG. 4 Operations other than the transceiving operation, or operations performed by the second device in the method embodiment shown in FIG. 6 other than the transceiving operation. For example: the first device 800 is the device 2 in the method 100, then the transceiver unit 801 is used to send the information 1 encrypted by the private key 1 to the device 1; the processing unit 802 is used to pair the private key 1 according to the locally stored private key. Information 1 is encrypted.
此外,本申请实施例还提供了一种第一设备900,参见图9所示。该第一设备900包括通信接口901和与通信接口901连接的处理器902。其中,其中,通信接口901用于执行上述图3所示实施例中设备1执行的收发操作,或者图4所示实施例中交换机的调试接口12执行的收发操作,或者图5所示方法实施例中第一设备执行的收发操作;处理器902用于执行上述图3所示实施例中设备1执行的除了收发操作以外的其他操作,或者图4所示实施例中交换机的调试接口12执行的除了收发操作以外的其他操作,或者图5所示方法实施例中第一设备执行的除了收发操作以外的其他操作。例如:第一设备900为方法100中的设备1,那么,通信接口901用于接收设备2发送的采用私钥1加密的信息1;所述处理器902用于根据公钥1进行解密,获得信息1;所述处理器902还用于比较信息1和本地存储的信息2,确定设备1的使用权限。In addition, an embodiment of the present application also provides a first device 900, as shown in FIG. 9. The first device 900 includes a communication interface 901 and a processor 902 connected to the communication interface 901. Among them, the communication interface 901 is used to perform the transceiving operation performed by the device 1 in the embodiment shown in FIG. 3, or the transceiving operation performed by the debugging interface 12 of the switch in the embodiment shown in FIG. 4, or the method shown in FIG. 5 is implemented The transceiving operation performed by the first device in the example; the processor 902 is configured to perform other operations other than the transceiving operation performed by the device 1 in the embodiment shown in FIG. 3, or the debugging interface 12 of the switch in the embodiment shown in FIG. 4 executes Other operations other than the transceiving operation, or other operations performed by the first device in the method embodiment shown in FIG. 5 other than the transceiving operation. For example: the first device 900 is the device 1 in the method 100, then the communication interface 901 is used to receive the information 1 encrypted with the private key 1 sent by the device 2; the processor 902 is used to decrypt according to the public key 1 to obtain Information 1; The processor 902 is also used to compare the information 1 and the locally stored information 2 to determine the use authority of the device 1.
此外,本申请实施例还提供了一种第二设备1000,参见图10所示。该第二设备1000包括通信接口1001和与该通信接口1001连接的处理器1002。其中,通信接口1001用于执行上述图3所示实施例中设备2执行的收发操作,或者图4所示实施例中鉴权工具11执行的收发操作,或者图6所示方法实施例中第二设备执行的收发操作;处理器1002用于执行上述图3所示实施例中设备2执行的除了收发操作以外的其他操作,或者图4所示实施例中鉴权工具11执行的除了收发操作以外的其他操作,或者图6所示方法实施例中第二设备执行的除了收发操作以外的其他操作。例如:第二设备1000为方法100中的设备2,那么,通信接口1001用于将经过私钥1加密的信息1发送给设备1;所述处理器1002用于根据本地存储的私钥1对信息1进行加密。In addition, an embodiment of the present application also provides a second device 1000, as shown in FIG. 10. The second device 1000 includes a communication interface 1001 and a processor 1002 connected to the communication interface 1001. Wherein, the communication interface 1001 is used to perform the transceiving operation performed by the device 2 in the embodiment shown in FIG. 3, or the transceiving operation performed by the authentication tool 11 in the embodiment shown in FIG. 4, or the first method in the method embodiment shown in FIG. 2. Transceiving operations performed by the device; the processor 1002 is configured to perform other operations other than the transceiving operations performed by the device 2 in the embodiment shown in FIG. 3, or the authentication tool 11 in the embodiment shown in FIG. 4 other than transceiving operations Operations other than those performed by the second device in the method embodiment shown in FIG. 6 other than the transceiving operations. For example: the second device 1000 is the device 2 in the method 100, then the communication interface 1001 is used to send the information 1 encrypted by the private key 1 to the device 1; the processor 1002 is used to pair the private key 1 according to the locally stored private key. Information 1 is encrypted.
此外,本申请实施例还提供了一种第一设备1100,参见图11所示。该第一设备1100包括存储器1101和处理器1102。其中,存储器1101用于存储程序代码;处理器1102用于运行所述程序代码中的指令,使得该第一设备1100执行以上图3所示实施例中设备1执行的方法,或者图4所示实施例中交换机的调试接口12执行的方法,或者图5所示方法实施例中第一设备执行的方法。In addition, an embodiment of the present application also provides a first device 1100, as shown in FIG. 11. The first device 1100 includes a memory 1101 and a processor 1102. The memory 1101 is used to store program code; the processor 1102 is used to run instructions in the program code, so that the first device 1100 executes the method executed by the device 1 in the embodiment shown in FIG. 3, or as shown in FIG. 4 The method executed by the debugging interface 12 of the switch in the embodiment, or the method executed by the first device in the method embodiment shown in FIG. 5.
此外,本申请实施例还提供了一种第二设备1200,参见图12所示。该第二设备1200包括存储器1201和处理器1202。其中,存储器1201用于存储程序代码;处理器1202用于运行所述程序代码中的指令,使得该第二设备1200执行以上图3所示实施例中设备2执行的方法,或者图4所示实施例中鉴权工具11执行的方法,或者图6所示方法实施例中第二设备执行的方法。In addition, an embodiment of the present application also provides a second device 1200, as shown in FIG. 12. The second device 1200 includes a memory 1201 and a processor 1202. The memory 1201 is used to store program code; the processor 1202 is used to run instructions in the program code, so that the second device 1200 executes the method performed by the device 2 in the embodiment shown in FIG. 3, or as shown in FIG. 4 The method executed by the authentication tool 11 in the embodiment, or the method executed by the second device in the method embodiment shown in FIG. 6.
可以理解的是,上述实施例中,处理器可以是中央处理器(英文:central processing unit,缩写:CPU),网络处理器(英文:network processor,缩写:NP)或者CPU和NP的组合。处理器还可以是专用集成电路(英文:application-specific integrated circuit,缩写:ASIC),可编程逻辑器件(英文:programmable logic device,缩写:PLD)或其组合。上述PLD可以是复杂可编程逻辑器件(英文:complex programmable logic device,缩写:CPLD),现场可编程逻辑门阵列(英文:field-programmable gate array,缩写:FPGA),通用阵列逻辑(英文:generic array logic,缩写:GAL)或其任意组合。处理器可以是指一个处理器,也可以包括多个处理器。存储器可以包括易失性存储器(英文:volatile memory),例如随机存取存储器(英文:random-access memory,缩写:RAM);存储器也可以包括非易失性存储器(英文:non-volatile memory),例如只读存储器(英文:read-only memory,缩写:ROM),快闪存储器(英文:flash memory),硬盘(英文:hard disk drive,缩写:HDD)或固态硬盘(英文:solid-state drive,缩写:SSD);存储器还可以包括上述种类的存储器的组合。存储器可以是指一个存储器,也可以包括多个存储器。在一个具体实施方式中,存储器中存储有计算机可读指令,所述计算机可读指令包括多个软件模块,例如发送模块,处理模块和接收模块。处理器执行各个软件模块后可以按照各个软件模块的指示进行相应的操作。在本实施例中,一个软件模块所执行的操作实际上是指处理器根据所述软件模块的指示而执行的操作。处理器执行存储器中的计算机可读指令后,可以按照所述计算机可读指令的指示,执行第一设备或第二设备可以执行的全部操作。It can be understood that, in the foregoing embodiment, the processor may be a central processing unit (English: central processing unit, abbreviation: CPU), a network processor (English: network processor, abbreviation: NP), or a combination of CPU and NP. The processor may also be an application-specific integrated circuit (English: application-specific integrated circuit, abbreviation: ASIC), a programmable logic device (English: programmable logic device, abbreviation: PLD) or a combination thereof. The above-mentioned PLD can be a complex programmable logic device (English: complex programmable logic device, abbreviation: CPLD), field programmable logic gate array (English: field-programmable gate array, abbreviation: FPGA), general array logic (English: generic array) logic, abbreviation: GAL) or any combination thereof. The processor may refer to one processor or may include multiple processors. The memory may include volatile memory (English: volatile memory), such as random access memory (English: random-access memory, abbreviation: RAM); the memory may also include non-volatile memory (English: non-volatile memory), For example, read-only memory (English: read-only memory, abbreviation: ROM), flash memory (English: flash memory), hard disk (English: hard disk drive, abbreviation: HDD) or solid state drive (English: solid-state drive, Abbreviation: SSD); the memory can also include a combination of the above-mentioned types of memory. The memory may refer to one memory, or may include multiple memories. In a specific embodiment, computer-readable instructions are stored in the memory, and the computer-readable instructions include multiple software modules, such as a sending module, a processing module, and a receiving module. After executing each software module, the processor can perform corresponding operations according to the instructions of each software module. In this embodiment, an operation performed by a software module actually refers to an operation performed by the processor according to an instruction of the software module. After the processor executes the computer-readable instructions in the memory, it can execute all operations that can be executed by the first device or the second device according to the instructions of the computer-readable instructions.
可以理解的是,上述实施例中,第一设备900的通信接口901,具体可以被用作第一设备700中的收发单元701,实现第一设备和第二设备之间的数据通信。同理,第二设备1000的通信接口1001,具体可以被用作第二设备800中的收发单元801,实现第一设备和第二设备之间的数据通信。It can be understood that, in the foregoing embodiment, the communication interface 901 of the first device 900 can be specifically used as the transceiver unit 701 in the first device 700 to implement data communication between the first device and the second device. Similarly, the communication interface 1001 of the second device 1000 can be specifically used as the transceiver unit 801 in the second device 800 to implement data communication between the first device and the second device.
此外,本申请实施例还提供了一种通信系统1300,参见图13所示。该通信系统1300包括第一设备1301以及第二设备1302,其中,第一设备1301具体可以是上述第一设备700、第一设备900或第一设备1100,第二设备1402具体可以是上述第二设备800、第二设备1000或第二设备1200。In addition, an embodiment of the present application also provides a communication system 1300, as shown in FIG. 13. The communication system 1300 includes a first device 1301 and a second device 1302. The first device 1301 may specifically be the above-mentioned first device 700, the first device 900 or the first device 1100, and the second device 1402 may specifically be the above-mentioned second device. The device 800, the second device 1000, or the second device 1200.
此外,本申请实施例还提供了一种计算机可读存储介质,该计算机可读存储介质中存储有指令,当其在计算机上运行时,使得所述计算机执行以上图3-图6所示实施例中的所述鉴权方法。In addition, the embodiments of the present application also provide a computer-readable storage medium that stores instructions in the computer-readable storage medium, which when run on a computer, causes the computer to execute the implementation shown in Figures 3 to 6 above. The authentication method in the example.
此外,本申请实施例还提供了计算机程序产品,当其在计算机上运行时,使得计算机执行前述图3-图6所示实施例中的所述鉴权方法。In addition, the embodiment of the present application also provides a computer program product, which when it runs on a computer, causes the computer to execute the authentication method in the aforementioned embodiment shown in FIG. 3 to FIG. 6.
本申请实施例中提到的“第一信息”、“第一私钥”等名称中的“第一”只是用来做名字标识,并不代表顺序上的第一。该规则同样适用于“第二”等。The “first” in the names of “first information”, “first private key” and the like mentioned in the embodiments of the present application is only used for name identification, and does not represent the first in order. This rule also applies to "second" and so on.
通过以上的实施方式的描述可知,本领域的技术人员可以清楚地了解到上述实施例方法中的全部或部分步骤可借助软件加通用硬件平台的方式来实现。基于这样的理解,本申请的技术方案可以以软件产品的形式体现出来,该计算机软件产品可以存储在存储介质中,如只读存储器(英文:read-only memory,ROM)/RAM、磁碟、光盘等,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者诸如路由器等网络通信设备)执行本申请各个实施例或者实施例的某些部分所述的方法。From the description of the foregoing implementation manners, it can be understood that those skilled in the art can clearly understand that all or part of the steps in the foregoing embodiment methods can be implemented by means of software and a general hardware platform. Based on this understanding, the technical solution of the present application can be embodied in the form of a software product, and the computer software product can be stored in a storage medium, such as read-only memory (English: read-only memory, ROM)/RAM, magnetic disk, An optical disc, etc., includes a number of instructions to enable a computer device (which may be a personal computer, a server, or a network communication device such as a router) to execute the methods described in the various embodiments or some parts of the embodiments of the present application.
本说明书中的各个实施例均采用递进的方式描述,各个实施例之间相同相似的部分互相参见即可,每个实施例重点说明的都是与其他实施例的不同之处。尤其,对于系统实施例和设备实施例而言,由于其基本相似于方法实施例,所以描述得比较简单,相关之处参见方法实施例的部分说明即可。以上所描述的设备及系统实施例仅仅是示意性的,其中作为分离部件说明的模块可以是或者也可以不是物理上分开的,作为模块显示的部件可以是或者也可以不是物理模块,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部模块来实现本实施例方案的目的。本领域普通技术人员在不付出创造性劳动的情况下,即可以理解并实施。The various embodiments in this specification are described in a progressive manner, and the same or similar parts between the various embodiments can be referred to each other, and each embodiment focuses on the differences from other embodiments. In particular, as for the system embodiment and the device embodiment, since they are basically similar to the method embodiment, the description is relatively simple, and for related parts, please refer to the part of the description of the method embodiment. The above-described device and system embodiments are only illustrative. The modules described as separate components may or may not be physically separated, and the components displayed as modules may or may not be physical modules, that is, they may be located in One place, or it can be distributed to multiple network units. Some or all of the modules can be selected according to actual needs to achieve the objectives of the solutions of the embodiments. Those of ordinary skill in the art can understand and implement it without creative work.
以上所述仅是本申请的优选实施方式,并非用于限定本申请的保护范围。应当指出,对于本技术领域的普通技术人员来说,在不脱离本申请的前提下,还可以作出若干改进和润饰,这些改进和润饰也应视为本申请的保护范围。The above descriptions are only the preferred embodiments of the present application, and are not used to limit the protection scope of the present application. It should be pointed out that for those of ordinary skill in the art, without departing from this application, several improvements and modifications can be made, and these improvements and modifications should also be regarded as the scope of protection of this application.

Claims (27)

  1. 一种鉴权方法,其特征在于,由第一设备实施,包括:An authentication method, characterized in that it is implemented by a first device, and includes:
    接收第二设备发送的采用第一私钥加密的第一信息;Receiving the first information encrypted by the first private key sent by the second device;
    根据第一公钥进行解密,获得所述第一信息,所述第一公钥与所述第一私钥对应;Decrypt according to the first public key to obtain the first information, and the first public key corresponds to the first private key;
    对所述第一信息和本地存储的第二信息进行匹配验证,获得验证结果;Performing matching verification on the first information and the locally stored second information to obtain a verification result;
    根据所述验证结果,确定所述第一设备的使用权限。According to the verification result, the use right of the first device is determined.
  2. 根据权利要求1所述的方法,其特征在于,The method of claim 1, wherein:
    所述第一私钥和所述第一公钥为所述第二设备生成的;The first private key and the first public key are generated by the second device;
    或者,or,
    所述第一私钥和所述第一公钥为鉴权服务器为所述第二设备配置的。The first private key and the first public key are configured by the authentication server for the second device.
  3. 根据权利要求1或2所述的方法,其特征在于,所述方法还包括:The method according to claim 1 or 2, wherein the method further comprises:
    接收所述第二设备发送的经过鉴权服务器的第二私钥加密的第一公钥;Receiving the first public key encrypted by the second private key of the authentication server sent by the second device;
    使用本地存储的所述鉴权服务器的第二公钥对所述加密的第一公钥进行解密,获得所述第一公钥。Use the locally stored second public key of the authentication server to decrypt the encrypted first public key to obtain the first public key.
  4. 根据权利要求1-3任一项所述的方法,其特征在于,所述第二信息包括第一随机数,在所述接收第二设备发送的采用第一私钥加密的第一信息之前,所述方法还包括:The method according to any one of claims 1 to 3, wherein the second information comprises a first random number, and before the first information encrypted by the first private key sent by the second device is received, The method also includes:
    向所述第二设备发送挑战请求消息,所述挑战请求消息中携带所述第一随机数;Sending a challenge request message to the second device, where the challenge request message carries the first random number;
    所述接收第二设备发送的采用第一私钥加密的第一信息,包括:The receiving the first information encrypted by the first private key sent by the second device includes:
    接收所述第二设备发送的响应消息,所述响应消息中携带所述第一信息,所述第一信息包括第二随机数;Receiving a response message sent by the second device, where the response message carries the first information, and the first information includes a second random number;
    所述对所述第一信息和本地存储的第二信息进行匹配验证,包括:The performing matching verification on the first information and the locally stored second information includes:
    对所述第一随机数和所述第二随机数进行匹配验证。Perform matching verification on the first random number and the second random number.
  5. 根据权利要求1-4任一项所述的方法,其特征在于,所述第二信息还包括第一设备标识信息,所述第一信息中包括第二设备标识信息,所述第一设备标识信息用于唯一标识所述第一设备,所述对所述第一信息和本地存储的第二信息进行匹配验证,还包括:The method according to any one of claims 1 to 4, wherein the second information further includes first device identification information, the first information includes second device identification information, and the first device identification The information is used to uniquely identify the first device, and the matching verification of the first information and the locally stored second information further includes:
    对所述第一设备标识信息和所述第二设备标识信息进行匹配验证。Perform matching verification on the first device identification information and the second device identification information.
  6. 根据权利要求5所述的方法,其特征在于,The method of claim 5, wherein:
    所述第一设备标识信息为第一设备标识ID,所述第二设备标识信息为第二设备ID;或者The first device identification information is a first device identification ID, and the second device identification information is a second device ID; or
    所述第一设备标识信息为第一设备ID的哈希值,所述第二设备标识信息为第二设备ID的哈希值。The first device identification information is a hash value of the first device ID, and the second device identification information is a hash value of the second device ID.
  7. 根据权利要求6所述的方法,其特征在于,所述第一设备ID为所述第一设备出厂时定义的硬件唯一密钥HUK,或者,所述第一设备ID为根据所述第一设备的晶片标识die ID和唯一设备标识UDI处理得到的。The method according to claim 6, wherein the first device ID is a hardware unique key HUK defined when the first device leaves the factory, or the first device ID is based on the first device ID. The chip identification die ID and the unique device identification UDI are processed.
  8. 根据权利要求1-7任一项所述的方法,其特征在于,所述第二信息还包括目标有效信息,所述第一信息中包括实际使用信息,所述实际使用信息用于表征所述第一设备上当前使用所述第二设备鉴权的情况,所述对所述第一信息和本地存储的第二信息进行匹配验 证,还包括:The method according to any one of claims 1-7, wherein the second information further includes target effective information, the first information includes actual usage information, and the actual usage information is used to characterize the When the second device authentication is currently used on the first device, the matching verification of the first information and the locally stored second information further includes:
    根据所述目标有效信息,对所述实际使用信息进行验证,以确定所述第二设备能否继续用于对所述第一设备进行鉴权。According to the target effective information, the actual usage information is verified to determine whether the second device can continue to be used to authenticate the first device.
  9. 根据权利要求8所述的方法,其特征在于,The method of claim 8, wherein:
    所述目标有效信息为允许使用所述第二设备进行鉴权的最多次数;The target effective information is the maximum number of times that the second device is allowed to be used for authentication;
    或者,or,
    所述目标有效信息为允许使用所述第二设备进行鉴权的最长时间。The target effective information is the longest time allowed to use the second device for authentication.
  10. 根据权利要求1-9任意一项所述的方法,其特征在于,所述第一信息还包括指示信息,所述指示信息用于指示下述信息中的至少一个:开放所述使用权限的时间、开放所述使用权限的接口或开放所述使用权限的操作。The method according to any one of claims 1-9, wherein the first information further comprises indication information, and the indication information is used to indicate at least one of the following information: the time when the usage authority is released , Opening the interface of the use authority or the operation of opening the use authority.
  11. 根据权利要求1-10任一项所述的方法,其特征在于,所述第一设备为调试接口。The method according to any one of claims 1-10, wherein the first device is a debugging interface.
  12. 一种对第一设备的使用权限进行鉴权的方法,其特征在于,由第二设备实施,包括:A method for authenticating the use right of a first device, characterized in that it is implemented by a second device, and includes:
    采用本地存储的第一私钥对第一信息进行加密;Encrypt the first information by using the first private key stored locally;
    向所述第一设备发送经过所述第一私钥加密的所述第一信息,以对所述第一设备的使用权限进行鉴权。Sending the first information encrypted by the first private key to the first device to authenticate the use right of the first device.
  13. 根据权利要求12所述的方法,其特征在于,所述方法还包括:The method according to claim 12, wherein the method further comprises:
    接收鉴权服务器发送的鉴权服务器的第二公钥、经过第二私钥加密的所述第一公钥和经过所述第二私钥加密的所述第一私钥,所述第二私钥和所述第二公钥对应;Receiving the second public key of the authentication server, the first public key encrypted by the second private key, and the first private key encrypted by the second private key, the second private key The key corresponds to the second public key;
    利用所述第二公钥对所述经过所述第二私钥加密的所述第一私钥进行解密,获得所述第一私钥;Decrypt the first private key encrypted by the second private key by using the second public key to obtain the first private key;
    将所述经过所述第二私钥加密的所述第一公钥发送至所述第一设备。Sending the first public key encrypted by the second private key to the first device.
  14. 根据权利要求12或13所述的方法,其特征在于,所述第一信息包括第一随机数,在对所述第一信息进行加密以前,所述方法还包括:The method according to claim 12 or 13, wherein the first information comprises a first random number, and before encrypting the first information, the method further comprises:
    接收所述第一设备发送的挑战请求消息,所述挑战请求消息中携带所述第一随机数;Receiving a challenge request message sent by the first device, where the challenge request message carries the first random number;
    所述向所述第一设备发送经过所述第一私钥加密的所述第一信息,包括:The sending the first information encrypted by the first private key to the first device includes:
    向所述第一设备发送响应消息,所述响应消息中携带经过所述第一私钥加密的所述第一随机数。Send a response message to the first device, where the response message carries the first random number encrypted by the first private key.
  15. 根据权利要求12-14任一项所述的方法,其特征在于,The method according to any one of claims 12-14, characterized in that,
    所述第一信息包括第一设备标识信息,所述第一设备标识信息被所述第一设备用于身份验证。The first information includes first device identification information, and the first device identification information is used for identity verification by the first device.
  16. 根据权利要求15所述的方法,其特征在于,所述第一设备标识信息为第一设备标识ID或所述第一设备ID的哈希值。The method according to claim 15, wherein the first device identification information is a first device identification ID or a hash value of the first device ID.
  17. 根据权利要求16所述的方法,其特征在于,所述第一设备ID为所述第一设备出厂时定义的硬件唯一密钥HUK,或者,所述第一设备ID为根据所述第一设备的晶片标识die ID和唯一设备标识UDI处理得到的。The method according to claim 16, wherein the first device ID is a hardware unique key HUK defined when the first device leaves the factory, or the first device ID is based on the first device ID. The chip identification die ID and the unique device identification UDI are processed.
  18. 根据权利要求12-17任一项所述的方法,其特征在于,所述第一信息还包括目标有效信息,所述目标有效信息被所述第一设备用于确定能否继续使用所述第二设备进行鉴权。The method according to any one of claims 12-17, wherein the first information further comprises target valid information, and the target valid information is used by the first device to determine whether the first device can continue to use the Second, the device performs authentication.
  19. 根据权利要求18所述的方法,其特征在于,The method of claim 18, wherein:
    所述目标有效信息为允许使用所述第二设备进行鉴权的最多次数;The target effective information is the maximum number of times that the second device is allowed to be used for authentication;
    或者,or,
    所述目标有效信息为允许使用所述第二设备进行鉴权的最长时间。The target effective information is the longest time allowed to use the second device for authentication.
  20. 根据权利要求12-19任一项所述的方法,其特征在于,所述第一信息还包括指示信息,所述指示信息用于指示下述信息中的至少一个:开放所述使用权限的时间、开放所述使用权限的接口或开放所述使用权限的操作。The method according to any one of claims 12-19, wherein the first information further comprises indication information, and the indication information is used to indicate at least one of the following information: the time when the usage authority is released , Opening the interface of the usage authority or the operation of opening the usage authority.
  21. 根据权利要求1-20任一项所述的方法,其特征在于,所述第一设备为调试接口。The method according to any one of claims 1-20, wherein the first device is a debugging interface.
  22. 一种第一设备,其特征在于,包括:A first device, characterized in that it comprises:
    通信接口;和Communication interface; and
    与所述通信接口连接的处理器;A processor connected to the communication interface;
    根据所述通信接口和所述处理器,所述第一设备用于执行前述权利要求1-11任一项所述的方法。According to the communication interface and the processor, the first device is configured to execute the method according to any one of the preceding claims 1-11.
  23. 一种第二设备,其特征在于,包括:A second device, characterized in that it comprises:
    通信接口;和Communication interface; and
    与所述通信接口连接的处理器;A processor connected to the communication interface;
    根据所述通信接口和所述处理器,所述第二设备用于执行前述权利要求12-21任一项所述的方法。According to the communication interface and the processor, the second device is used to execute the method of any one of the preceding claims 12-21.
  24. 一种第一设备,其特征在于,所述第一设备包括存储器和处理器;A first device, characterized in that the first device includes a memory and a processor;
    所述存储器,用于存储程序代码;The memory is used to store program code;
    所述处理器,用于运行所述程序代码中的指令,使得所述第一设备执行以上权利要求1-11任一项所述的方法。The processor is configured to run instructions in the program code, so that the first device executes the method according to any one of claims 1-11.
  25. 一种第二设备,其特征在于,所述第二设备包括存储器和处理器;A second device, characterized in that, the second device includes a memory and a processor;
    所述存储器,用于存储程序代码;The memory is used to store program code;
    所述处理器,用于运行所述程序代码中的指令,使得所述第二设备执行以上权利要求12-21任一项所述的方法。The processor is configured to run instructions in the program code, so that the second device executes the method according to any one of claims 12-21.
  26. 一种计算机可读存储介质,其特征在于,所述计算机可读存储介质中存储有指令,当其在计算机上运行时,使得所述计算机执行以上权利要求1-11或者权利要求12-21任意一项所述的方法。A computer-readable storage medium, characterized in that instructions are stored in the computer-readable storage medium, which when run on a computer, cause the computer to execute any of the above claims 1-11 or claims 12-21. The method described in one item.
  27. 一种通信系统,其特征在于,包括权利要求22或24所述的第一设备以及权利要求23或25所述的第二设备。A communication system, characterized by comprising the first device according to claim 22 or 24 and the second device according to claim 23 or 25.
PCT/CN2020/116536 2019-12-26 2020-09-21 Authentication method and device WO2021128989A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201911368436.5A CN113055340B (en) 2019-12-26 2019-12-26 Authentication method and equipment
CN201911368436.5 2019-12-26

Publications (1)

Publication Number Publication Date
WO2021128989A1 true WO2021128989A1 (en) 2021-07-01

Family

ID=76505408

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/116536 WO2021128989A1 (en) 2019-12-26 2020-09-21 Authentication method and device

Country Status (2)

Country Link
CN (1) CN113055340B (en)
WO (1) WO2021128989A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114500150A (en) * 2022-01-11 2022-05-13 上海三一重机股份有限公司 Communication method and device based on CAN bus and operation machine
CN115037552A (en) * 2022-06-29 2022-09-09 北京大甜绵白糖科技有限公司 Authentication method, device, equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103324879A (en) * 2013-07-05 2013-09-25 公安部第三研究所 System and method for identification verification on mobile terminal and based on face recognition and intelligent card
CN104541474A (en) * 2012-08-10 2015-04-22 密码研究公司 Secure feature and key management in integrated circuits
CN105516219A (en) * 2014-09-24 2016-04-20 中国电信股份有限公司 Safe deactivation method and system for embedded intelligent card, and card management server for safe deactivation of embedded intelligent card
US20180285555A1 (en) * 2015-10-14 2018-10-04 Alibaba Group Holding Limited Authentication method, device and system

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105095785A (en) * 2014-05-22 2015-11-25 中兴通讯股份有限公司 File access processing method, and file access method and device of distributed file system
CN106559213B (en) * 2015-09-24 2020-06-16 腾讯科技(深圳)有限公司 Equipment management method, equipment and system
CN106713224B (en) * 2015-11-12 2019-12-06 福建福昕软件开发股份有限公司 Document authority control method
CN106230813B (en) * 2016-07-29 2019-08-02 宇龙计算机通信科技(深圳)有限公司 Method for authenticating, authentication device and terminal
WO2018076365A1 (en) * 2016-10-31 2018-05-03 美的智慧家居科技有限公司 Key negotiation method and device
US10686787B2 (en) * 2016-12-15 2020-06-16 Thales Dis France Sa Use of personal device for convenient and secure authentication
CN109309565B (en) * 2017-07-28 2021-08-10 中国移动通信有限公司研究院 Security authentication method and device
CN109508153A (en) * 2017-09-14 2019-03-22 北京立思辰计算机技术有限公司 A kind of data transmission method of printer
CN109600223B (en) * 2017-09-30 2021-05-14 腾讯科技(深圳)有限公司 Verification method, activation method, device, equipment and storage medium
CN110191467B (en) * 2018-02-23 2022-10-18 中移物联网有限公司 Authentication method, equipment, device and storage medium for Internet of things equipment
CN109740360A (en) * 2018-12-29 2019-05-10 中国联合网络通信集团有限公司 A kind of document authorization device, client and method

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104541474A (en) * 2012-08-10 2015-04-22 密码研究公司 Secure feature and key management in integrated circuits
CN103324879A (en) * 2013-07-05 2013-09-25 公安部第三研究所 System and method for identification verification on mobile terminal and based on face recognition and intelligent card
CN105516219A (en) * 2014-09-24 2016-04-20 中国电信股份有限公司 Safe deactivation method and system for embedded intelligent card, and card management server for safe deactivation of embedded intelligent card
US20180285555A1 (en) * 2015-10-14 2018-10-04 Alibaba Group Holding Limited Authentication method, device and system

Also Published As

Publication number Publication date
CN113055340B (en) 2023-09-26
CN113055340A (en) 2021-06-29

Similar Documents

Publication Publication Date Title
EP2866166B1 (en) Systems and methods for enforcing third party oversight data anonymization
US10985925B1 (en) Systems and methods for providing authentication to a plurality of devices
TWI507006B (en) Key certification in one round trip
EP3275159B1 (en) Technologies for secure server access using a trusted license agent
CN105144626B (en) The method and apparatus of safety is provided
CN107430658B (en) Security software certification and verifying
US20090319793A1 (en) Portable device for use in establishing trust
WO2021128988A1 (en) Authentication method and device
US8090946B2 (en) Inter-system binding method and application based on hardware security unit
CN106687985A (en) Method for privileged mode based secure input mechanism
CN111199058B (en) System and method for ensuring data integrity and confidentiality
JP6735872B2 (en) Computer system and method for initializing computer system
US9280687B2 (en) Pre-boot authentication using a cryptographic processor
WO2021128989A1 (en) Authentication method and device
JP2015232810A (en) Storage device, information processor and information processing method
US20180067671A1 (en) System and method for authenticating critical operations on solid-state drives
CN106992978B (en) Network security management method and server
US20140068028A1 (en) Network connecting method and electronic device
US9692641B2 (en) Network connecting method and electronic device
WO2022251987A1 (en) Data encryption and decryption method and apparatus
TWI789291B (en) Module and method for authenticating data transfer between a storage device and a host device
US9552482B2 (en) Method for determining debug authorization for motherboard control module and associated motherboard control module
US10114654B2 (en) Method of booting a production computer system
CN107609405B (en) External secure memory device and system-on-chip SOC
CN116501353B (en) Firmware updating method, device, equipment and medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20904865

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20904865

Country of ref document: EP

Kind code of ref document: A1