WO2023082894A1 - Authentication method between terminal side device and network side device, and system - Google Patents


Info

Publication number
WO2023082894A1
Authority
WO
WIPO (PCT)
Prior art keywords
protocol type
authentication protocol
authentication
side device
key
Prior art date
Application number
PCT/CN2022/123503
Other languages
French (fr)
Chinese (zh)
Inventor
潘龙
Original Assignee
杭州萤石软件有限公司
Priority date
Filing date
Publication date
Application filed by 杭州萤石软件有限公司
Publication of WO2023082894A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/041 Key generation or derivation

Definitions

  • the present application relates to the field of wireless communication, and in particular, relates to an authentication method between a terminal-side device and a network-side device.
  • the authentication method between the terminal-side device and the network-side device usually completes the authentication by means of a pre-embedded public and private key and a certain fixed algorithm.
  • For example, in an Internet of Things system, the IoT devices and the platform each store the public and private keys and the same algorithm in advance, and use that algorithm and those keys for authentication.
  • when a device is upgraded, its authentication algorithm is usually upgraded as well, so that a device that has not been upgraded no longer uses the same algorithm, and authentication between the upgraded device and the non-upgraded device becomes impossible.
  • the present application provides an authentication method between a terminal-side device and a network-side device, so as to avoid interdependence between the terminal-side device and/or the network-side device when performing authentication.
  • the present application provides an authentication method between a terminal-side device and a network-side device.
  • the method includes, on the side of either the terminal-side device or the network-side device:
  • the local device exchanges authentication protocol types with the other device to determine the authentication protocol type supported by both devices, wherein an authentication protocol type corresponds to an authentication method;
  • the local device performs authentication between the two devices according to the authentication method corresponding to the determined authentication protocol type, and enables the other device to perform authentication between the two devices according to the authentication method corresponding to the determined authentication protocol type.
  • the local device exchanging authentication protocol types with the counterparty device includes:
  • the two devices exchange the first authentication protocol type supported by default by either device and, when either device does not support the first authentication protocol type, the second authentication protocol type selected from the authentication protocol type group, or
  • the two devices exchange the second authentication protocol type selected from the authentication protocol type group;
  • the authentication protocol type group includes at least one authentication protocol type, and each authentication protocol type corresponds to an authentication method.
  • the second authentication protocol type is the authentication protocol type with the highest priority in the authentication protocol type group, and the authentication protocol type group is the intersection of the terminal-side device authentication protocol type group and the network-side device authentication protocol type group.
  • the two devices exchanging the first authentication protocol type supported by default by either device and, when either device does not support the first authentication protocol type, the second authentication protocol type selected from the authentication protocol type group, includes:
  • the local device sends the first authentication protocol type supported by default and the authentication protocol type group to the counterparty device, so that the counterparty device, if it does not support the first authentication protocol type, selects the second authentication protocol type from the authentication protocol type group and sends the adopted authentication protocol type to the local device.
  • the two devices exchanging the second authentication protocol type selected from the authentication protocol type group includes:
  • the local device sends the authentication protocol type group to the counterparty device, so that the counterparty device selects the second authentication protocol type from the authentication protocol type group and sends it to the local device;
  • the local device performing authentication between the two devices according to the authentication method corresponding to the determined authentication protocol type, and making the counterparty device perform authentication between the two devices according to the authentication method corresponding to the determined authentication protocol type, includes:
  • both devices perform authentication using the authentication method corresponding to the second authentication protocol type.
  • the two devices exchanging the second authentication protocol type selected from the authentication protocol type group includes:
  • the local device sends the authentication protocol type group to the counterparty device, so that the counterparty device selects the second authentication protocol type from the authentication protocol type group and sends it to the local device;
  • the local device receives the second authentication protocol type from the counterparty device and judges whether it supports the second authentication protocol type; if not, it either notifies the counterparty device to reselect, or selects the authentication protocol types it supports from the authentication protocol type group and sends them to the counterparty device, so that the counterparty device selects an authentication protocol type it supports from those supported types and sends it to the local device.
  • the authentication method includes one of a public-private key pair generation method, a total key generation method, a shared key generation method, an encryption and decryption method, and a digest generation method, or any combination thereof.
  • the second authentication protocol type is the optimal authentication protocol type selected according to the security level.
  • the authentication between the two devices includes:
  • a first authentication in which the local device is authenticated by the counterparty device, and
  • the first authentication of the local device being authenticated by the counterparty device includes:
  • according to the shared key generation method corresponding to the authentication protocol type, the first device identifier and the device verification code are used to generate the shared key of the counterparty device;
  • according to the encryption and decryption method, the shared key of the counterparty device is used to decrypt the encrypted public key of the local device to obtain the public key of the local device;
  • according to the public-private key pair generation method corresponding to the authentication protocol type, the private key of the counterparty device and the public key of the local device are used to generate the total key of the counterparty device;
  • the public key of the counterparty device is encrypted using the total key of the counterparty device to obtain the encrypted public key of the counterparty device.
  • the second authentication performed by the local device on the counterparty device includes:
  • the local device receives the encrypted public key of the counterparty device sent by the counterparty device;
  • according to the encryption and decryption method, the shared key of the local device is used to decrypt the encrypted public key of the counterparty device to obtain the public key of the counterparty device;
  • according to the public-private key pair generation method corresponding to the authentication protocol type, the private key of the local device and the public key of the counterparty device are used to generate the total key of the local device;
  • according to the digest generation method corresponding to the authentication protocol type, the total key of the local device is used to generate a digest of the first device identifier, obtaining the first result;
  • the session key and the second device identifier are encrypted using the total key of the counterparty device to obtain the encrypted session key and the encrypted second device identifier;
  • the local device receives the second result, the encrypted session key and the encrypted second device identifier from the counterparty device;
  • according to the digest generation method corresponding to the authentication protocol type, the total key of the local device is used to generate a digest of the first device identifier, obtaining the third result.
  • the present application also provides a terminal-side device, including a memory and a processor, wherein the memory stores a computer program and the processor is configured to execute the steps of any of the authentication methods between the terminal-side device and the network-side device.
  • the present application further provides a network-side device, including a memory and a processor, wherein the memory stores a computer program and the processor is configured to execute the steps of any of the authentication methods between the terminal-side device and the network-side device.
  • the present application further provides an Internet of Things system, including the above-mentioned terminal-side device and the above-mentioned network-side device.
  • the present application also provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of any of the authentication methods between the terminal-side device and the network-side device.
  • This application provides an authentication method between a terminal-side device and a network-side device.
  • the two devices exchange authentication protocol types, so that they can find at least one authentication protocol type through negotiation and then perform authentication according to the authentication method corresponding to the negotiated authentication protocol type, which avoids the problem of interdependence between the two devices on the authentication method during the iteration of software and hardware resources.
  • exchanging the first authentication protocol type supported by default and the second authentication protocol type selected from the authentication protocol type group, or exchanging the second authentication protocol type selected from the authentication protocol type group, not only provides abundant resources for authentication protocol type negotiation, but also helps to speed up the negotiation of the authentication protocol type and improve authentication efficiency.
  • FIG. 1 is a schematic flow diagram of authentication between a terminal-side device and a network-side device according to an embodiment of the present application;
  • Fig. 2a and Fig. 2b are schematic flow diagrams of authentication between the terminal-side device and the network-side device;
  • Fig. 3a and Fig. 3b are schematic flow diagrams for the case where the negotiation between the terminal-side device and the network-side device is inconsistent;
  • FIG. 4 is a schematic flow diagram of authentication between a terminal-side device and a network-side device in Embodiment 2 of the present application;
  • FIG. 5 is a schematic diagram of an authentication process between a terminal-side device and a network-side device in Embodiment 3 of the present application;
  • FIG. 6 is a schematic diagram of another authentication process between a terminal-side device and a network-side device in Embodiment 3 of the present application;
  • FIG. 7 is a schematic flow diagram of authentication between a terminal-side device and a network-side device according to Embodiment 4 of the present application;
  • FIG. 8 is a schematic diagram of another authentication process between a terminal-side device and a network-side device according to Embodiment 4 of the present application;
  • FIG. 9 is a schematic diagram of a terminal-side device or a network-side device.
  • FIG. 10 is a schematic diagram of a terminal-side device or a network-side device.
  • This application uses the authentication protocol type negotiated between the terminal-side device and the network-side device to perform authentication using the authentication method corresponding to the authentication protocol type, so as to avoid interdependence between the terminal-side device and/or the network-side device when performing authentication.
  • FIG. 1 is a schematic flowchart of authentication between a terminal-side device and a network-side device according to an embodiment of the present application. The method includes:
  • Step 101, the terminal-side device and the network-side device exchange authentication protocol types to determine an authentication protocol type supported by both devices, so that the terminal-side device and the network-side device obtain an authentication protocol type through negotiation;
  • Step 102, both devices perform authentication between them according to the authentication method corresponding to the supported authentication protocol type;
  • the authentication protocol type corresponds to an authentication method
  • the authentication between the two devices includes,
  • In this embodiment, the authentication protocol types are exchanged between the two devices, so that the two devices can find at least one authentication protocol type through negotiation and perform authentication according to the authentication method corresponding to the negotiated authentication protocol type, avoiding interdependence of authentication methods during the iteration of software and hardware resources. Further, exchanging the first authentication protocol type supported by default and, when either device does not support the first authentication protocol type, the second authentication protocol type selected from the authentication protocol type group, or exchanging the second authentication protocol type selected from the authentication protocol type group, not only provides abundant resources for authentication protocol type negotiation, but also helps to speed up the negotiation of the authentication protocol type and improve authentication efficiency.
  • an authentication protocol type negotiated between the terminal-side device and the network-side device should be supported by the terminal-side device and should be supported by the network-side device.
  • the authentication protocol type negotiated between the terminal-side device and the network-side device is authentication protocol type 2 or Authentication protocol type 3.
  • the authentication method corresponding to the authentication protocol type means that the authentication protocol type corresponds to the authentication method, and the authentication between the devices of the two parties that complies with the authentication protocol type can be performed according to the authentication method.
  • the case where the terminal-side device supports the first authentication protocol type by default and the network-side device also supports the first authentication protocol type (see the examples shown in Fig. 2a and Fig. 2b below), and
  • the case where the network-side device selects the second authentication protocol type from the authentication protocol type group (see the examples shown in Fig. 3a and Fig. 3b below)
  • are described, wherein the authentication protocol type group is the intersection of the terminal-side device authentication protocol type group and the network-side device authentication protocol type group.
  • the terminal-side device supports authentication protocol types 1-3
  • the authentication protocol type group is {authentication protocol type 2, authentication protocol type 3}.
  • the second authentication protocol type is the authentication protocol type with the highest priority in the authentication protocol type group. If the two parties do not have corresponding authentication types, that is, there is no intersection between the types of authentication protocols supported by the devices of both parties, the interaction is stopped.
  • Figs. 2a and 2b are schematic flowcharts of authentication between a terminal-side device and a network-side device.
  • the authentication methods include,
  • Devices on the terminal side such as IoT devices, mobile phones, tablets, etc.
  • Step 201 the terminal-side device obtains the first authentication protocol type, which is recorded as default_auth_type.
  • the first authentication protocol type can be the authentication protocol type supported by the terminal-side device by default, or the authentication protocol type supported by the network-side device by default, but it should be an authentication protocol type supported by the terminal-side device.
  • the terminal-side device determines the first authentication protocol type from multiple default authentication protocol types supported by the terminal-side device according to preset rules.
  • the first authentication protocol type corresponds to an authentication method
  • the authentication method includes one of the public-private key pair generation method, the total key (Masterkey) generation method, the shared key (Sharekey) generation method, the encryption and decryption method, and the digest generation method, or any combination thereof; it is determined according to authentication requirements, and each of the above methods can be understood as a specific algorithm.
  • For example, authentication protocol type 1 stipulates that during the authentication process a public-private key pair is generated on the curve ECP_DP_SECP384R1, the total key is generated on the curve ECP_DP_SECP384R1, the shared key is generated by applying MD5 in nested fashion to the device verification code concatenated with the device serial number devid, encryption and decryption use AES128-GCM, and the digest is generated with HMAC-SHA384.
  • Step 202, obtain the authentication type protocol group supported by the terminal-side device, denoted as auth_type_group. The authentication type protocol group includes one or more authentication protocol types, and each authentication protocol type corresponds to a public-private key pair generation method, a total key (Masterkey) generation method, a shared key (Sharekey) generation method, an encryption and decryption method, a digest generation method, or any combination thereof, determined according to authentication requirements. In this embodiment it is a combination of all of these authentication methods.
  • the above authentication method can be understood as a specific algorithm.
  • Step 203, read the first device identifier and the device verification code pre-stored in the terminal-side device; the first device identifier is recorded as devid.
  • the first device identifier may be a device serial number
  • the device serial number is a character string used to identify the device
  • each physical device has a different identifier
  • the device verification code is a character string stored in the device hardware, which is non-volatile and cannot be changed.
  • Step 204, according to the public-private key pair generation algorithm stipulated in the first authentication protocol type acquired in step 201, generate the public-private key pair of the terminal-side device, recorded as dev_privatekey (the private key of the pair) and dev_publickey (the public key of the pair).
  • Step 205, according to the shared key (Sharekey) generation algorithm stipulated in the first authentication protocol type obtained in step 201, use the pre-stored devid and device verification code to generate the terminal shared key, recorded as dev_sharekey.
  • Step 206, according to the encryption and decryption algorithm stipulated in the first authentication protocol type acquired in step 201, use the shared key dev_sharekey to encrypt the public key dev_publickey of the terminal, obtaining the encrypted dev_publickey, denoted as cipher(dev_publickey).
  • Step 207, send the first authentication protocol type obtained in step 201, the authentication type protocol group obtained in step 202, the first device identifier devid and the device verification code obtained in step 203, and cipher(dev_publickey) to the network-side device.
  • the probability that the terminal-side device supports the default first authentication protocol type is relatively high.
  • parameter calculations for authentication can be performed in advance, such as calculating the public-private key pair, the shared key and the encrypted public key; in addition, the first authentication protocol type, the authentication type protocol group, the first device identifier, the device verification code and cipher(dev_publickey) are sent to the network side together, which helps to reduce the number of times the terminal-side device sends to the network-side device, thereby helping to improve the reliability of the authentication process.
  • the first authentication protocol type and authentication type protocol group can be sent to the network side before reading the first device identification and device verification code pre-stored by the terminal side device, so as to communicate with the network side for the authentication protocol type negotiation.
  • Devices on the network side such as platforms, servers, etc.
  • Step 208, the network-side device judges whether it supports the first authentication protocol type of the terminal-side device.
  • Step 209, the network-side device determines that it supports the first authentication protocol type of the terminal-side device.
  • Step 210, according to the public-private key pair generation algorithm stipulated in the first authentication protocol type, generate the public-private key pair of the network-side device, recorded as plt_privatekey (the private key of the pair) and plt_publickey (the public key of the pair).
  • Step 211, according to the shared key generation algorithm stipulated in the first authentication protocol type, use the pre-stored devid and device verification code to generate the shared key of the network-side device, denoted as plt_sharekey.
  • Step 212, according to the encryption and decryption algorithm stipulated in the first authentication protocol type, use plt_sharekey as the key to decrypt cipher(dev_publickey) to obtain dev_publickey.
  • Step 213, according to the total key generation algorithm stipulated in the first authentication protocol type, use the private key plt_privatekey of the network-side device and dev_publickey to generate the master key of the network-side device, denoted as plt_masterkey.
  • Step 214, according to the encryption and decryption algorithm stipulated in the first authentication protocol type, use the master key of the network-side device to encrypt the public key plt_publickey of the network-side device, obtaining the encrypted public key of the network-side device, recorded as cipher(plt_publickey).
  • Step 215, transmit cipher(plt_publickey) and the adopted authentication protocol type to the terminal-side device through the TCP session.
  • Step 216, receive the authentication protocol type from the network-side device, and judge whether the authentication protocol type of the network-side device is consistent with the authentication protocol type default_auth_type of the terminal-side device.
  • Step 217, if consistent, decrypt cipher(plt_publickey) using the shared key dev_sharekey of the terminal-side device according to the decryption algorithm agreed by default_auth_type, obtaining the public key plt_publickey of the network-side device.
  • Step 218, according to the total key generation algorithm agreed by default_auth_type, use the private key dev_privatekey of the terminal-side device and the public key plt_publickey of the network-side device to generate the total key of the terminal-side device, recorded as dev_masterkey.
  • the total key is a relatively long-term key generated by the terminal-side device and the network-side device during the authentication process, and its life cycle is controlled by the network-side device.
  • Step 219, according to the digest generation algorithm agreed by default_auth_type, use the master key dev_masterkey of the terminal-side device to generate a digest of devid, obtaining the first result, recorded as Digest(devid).
  • Step 220, transmit the first result Digest(devid) to the network-side device through the TCP session.
  • Step 221, according to the digest generation algorithm agreed by default_auth_type, use the total key plt_masterkey of the network-side device to generate a digest of devid, obtaining the second result, recorded as Digest1(devid).
  • Step 222, verify the first result Digest(devid) against the second result Digest1(devid).
  • Step 223, if the verification passes, generate a session key sessionkey and a second device identifier deviceid, where the second device identifier is assigned to the terminal-side device by the network-side device; otherwise, the authentication fails and the authentication process ends.
  • Step 224, according to the encryption and decryption algorithm agreed by default_auth_type, use the total key plt_masterkey of the network-side device to encrypt sessionkey and deviceid, obtaining the encrypted session key cipher(sessionkey) and the encrypted second device identifier cipher(deviceid).
  • Step 225, according to the digest generation algorithm agreed by default_auth_type, use the master key plt_masterkey of the network-side device to generate a digest of devid, obtaining the third result, denoted as Digest2(devid).
  • the third result is the same as the second result, so the calculation of the third result may be omitted.
  • Step 226, send cipher(deviceid), cipher(sessionkey), and Digest2(devid) or Digest1(devid) to the terminal-side device through the TCP session.
  • Step 227, according to the digest generation algorithm agreed by default_auth_type, use the total key dev_masterkey of the terminal-side device to generate a digest of devid, obtaining the fourth result, recorded as Digest3(devid).
  • Step 228, check the third result Digest2(devid) against the fourth result Digest3(devid), or check the second result Digest1(devid) against the fourth result Digest3(devid).
  • Step 229, when the verification passes, according to the encryption and decryption algorithm agreed by default_auth_type, use the total key dev_masterkey of the terminal-side device to decrypt cipher(deviceid) and cipher(sessionkey) to obtain the session key sessionkey and the second device identifier deviceid; otherwise, the authentication fails and the authentication process ends.
  • Step 230, in view of possible session link changes during the authentication process, transmit the first result Digest(devid) to the network-side device again through the TCP session.
  • Step 231, according to the digest generation algorithm agreed by default_auth_type (such as the hmac-sha384 algorithm), use the total key plt_masterkey of the network-side device to generate a digest of devid again, obtaining the fifth result, recorded as Digest4(devid).
  • the fifth result is the same as the second result, so the calculation of the fifth result may be omitted.
  • Step 232, check the first result against the fifth result, or check the first result against the second result.
  • Step 233, when the verification passes, store devid, deviceid, plt_masterkey and sessionkey as a record; otherwise, the authentication fails and the authentication process ends.
  • Step 234, use the session key sessionkey as the key for communicating with the network-side device, encrypt the context to be transmitted, and obtain the encrypted context, denoted as cipher(context).
  • Step 235, transmit the encrypted context cipher(context) to the network-side device through the TCP session.
  • the aforementioned steps 204 to 215 are the first authentication in which the terminal-side device authenticates the network-side device.
  • the aforementioned steps 216-235 are the second authentication in which the network-side device authenticates the terminal-side device.
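The digest exchange of steps 219 to 233 (a digest of devid under each side's master key, compared by the peer in both directions, then a session key and second device identifier issued on success) is shown below as an added illustration, not code from the application. It assumes HMAC-SHA384 as the digest algorithm named for authentication protocol type 1, constructs the master keys inline instead of deriving them by ECDH on ECP_DP_SECP384R1, and leaves out the AES-GCM wrapping of sessionkey and deviceid from steps 224 and 229; the function names and the deviceid format are assumptions.

```python
"""Digest-based mutual check of steps 219-233 (added illustration).

Both sides hold a master key (dev_masterkey on the terminal, plt_masterkey
on the network side). Each proves possession by sending an HMAC-SHA384 of
the first device identifier devid; the peer recomputes it under its own
master key and compares. Master keys here are constructed test values.
"""
import hashlib
import hmac
import os


def make_digest(masterkey: bytes, devid: bytes) -> bytes:
    """Digest(devid), Digest1(devid), ... are all this one computation."""
    return hmac.new(masterkey, devid, hashlib.sha384).digest()


def network_verify_terminal(plt_masterkey: bytes, devid: bytes,
                            digest_from_terminal: bytes):
    """Steps 221-223 and 225: recompute Digest1 and compare in constant
    time; on success issue sessionkey and deviceid (constructed values) and
    return them with Digest2 for the terminal to check."""
    expected = make_digest(plt_masterkey, devid)            # step 221
    if not hmac.compare_digest(expected, digest_from_terminal):
        return None                                         # auth fails
    sessionkey = os.urandom(16)          # constructed; length is an assumption
    deviceid = b"plt-" + devid           # constructed second device identifier
    return {"sessionkey": sessionkey, "deviceid": deviceid,
            "digest2": make_digest(plt_masterkey, devid)}   # step 225


def terminal_verify_network(dev_masterkey: bytes, devid: bytes, reply):
    """Steps 227-228: compute Digest3 and check it against Digest2."""
    if reply is None:
        return None
    digest3 = make_digest(dev_masterkey, devid)
    if not hmac.compare_digest(digest3, reply["digest2"]):
        return None
    return reply


def run_exchange(dev_masterkey: bytes, plt_masterkey: bytes, devid: bytes):
    """Whole round of steps 219-233. Returns the record the network side
    stores in step 233, or None when either direction fails."""
    digest = make_digest(dev_masterkey, devid)                   # step 219
    reply = network_verify_terminal(plt_masterkey, devid, digest)  # 221-226
    accepted = terminal_verify_network(dev_masterkey, devid, reply)  # 227-228
    if accepted is None:
        return None
    # Steps 230-232: the terminal resends Digest(devid) after a possible
    # link change and the network side checks it once more.
    if not hmac.compare_digest(make_digest(plt_masterkey, devid), digest):
        return None
    return {"devid": devid, "deviceid": accepted["deviceid"],
            "plt_masterkey": plt_masterkey,
            "sessionkey": accepted["sessionkey"]}              # step 233


if __name__ == "__main__":
    shared = b"\x11" * 48                       # constructed: ECDH agreed
    print(run_exchange(shared, shared, b"SN123") is not None)   # True
    print(run_exchange(shared, b"\x22" * 48, b"SN123"))         # None
```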
  • Fig. 3a and Fig. 3b are schematic flow charts when the negotiation between the terminal-side device and the network-side device is inconsistent.
  • Steps 301-307 are the same as steps 201-207.
  • Step 308, the network-side device judges whether it supports the first authentication protocol type of the terminal-side device.
  • Step 309, if it is not supported, select the second authentication protocol type from the received authentication type protocol group auth_type_group; the second authentication protocol type is the optimal authentication protocol type selected according to the security level, recorded as vote_auth_type.
  • Step 310, transmit the second authentication protocol type to the terminal-side device through the TCP session.
  • Step 312, set vote_auth_type as the authentication protocol type for this authentication.
  • steps 311 to 312 may be omitted.
  • Step 313, according to the public-private key pair generation algorithm stipulated in the authentication protocol type vote_auth_type acquired in step 312, generate the public-private key pair of the terminal-side device, recorded as dev_privatekey and dev_publickey.
  • Step 314, according to the shared key generation algorithm stipulated in the authentication protocol type vote_auth_type obtained in step 312, use the pre-stored devid and device verification code to generate the shared key of the terminal-side device, recorded as dev_sharekey.
  • Step 315, according to the encryption and decryption algorithm stipulated in the authentication protocol type vote_auth_type obtained in step 312, use the shared key to encrypt dev_publickey, obtaining the encrypted dev_publickey, recorded as cipher(dev_publickey).
  • Step 316, transmit the cipher(dev_publickey) obtained in step 315 to the network-side device through the TCP session.
  • Step 317, according to the public-private key pair generation algorithm stipulated in the selected authentication protocol type vote_auth_type, generate the public-private key pair of the network side, recorded as plt_privatekey (the private key of the pair) and plt_publickey (the public key of the pair).
  • Step 318, according to the shared key generation algorithm specified in the authentication protocol type vote_auth_type, use the pre-stored devid and device verification code to generate the shared key of the network-side device, recorded as plt_sharekey.
  • Step 319, according to the encryption and decryption algorithm stipulated in the authentication protocol type vote_auth_type, use plt_sharekey as the key to decrypt cipher(dev_publickey) to obtain dev_publickey.
  • Step 320, according to the total key generation algorithm specified in the authentication protocol type vote_auth_type, use the private key plt_privatekey of the network-side device and dev_publickey to generate the total key of the network-side device, denoted as plt_masterkey.
  • Step 321, according to the encryption and decryption algorithm stipulated in the authentication protocol type vote_auth_type, use the total key of the network-side device to encrypt the public key plt_publickey of the network-side device, obtaining the encrypted public key of the network-side device, recorded as cipher(plt_publickey).
  • Step 322, transmit cipher(plt_publickey) to the terminal-side device through the TCP session.
  • Step 323, according to the encryption and decryption algorithm agreed by vote_auth_type, use the shared key dev_sharekey of the terminal-side device to decrypt cipher(plt_publickey) to obtain the public key plt_publickey of the network-side device.
  • Step 324, according to the total key generation algorithm stipulated by vote_auth_type, use the private key dev_privatekey of the terminal-side device and the public key plt_publickey of the network-side device to generate the total key of the terminal-side device, denoted as dev_masterkey.
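The negotiation described in steps 201, 202, 208 and 209 and the fallback of steps 308 to 312 (default type accepted when the network side supports it; otherwise the highest-priority type in the intersection of both groups; stop when the intersection is empty; the terminal re-checks the adopted type as in the definitions above) is modelled below as an added illustration, not code from the application. The numeric security-level ordering, the message dictionary keys and the function names are assumptions; authentication protocol type 4 is a constructed type beyond the page's types 1 to 3.

```python
"""Authentication-protocol-type negotiation (added illustration).

Rules taken from the application:
  * the terminal sends default_auth_type together with auth_type_group;
  * if the network side supports default_auth_type, it is adopted;
  * otherwise the network side picks vote_auth_type, the highest-priority
    (security level) type in the intersection of both groups;
  * an empty intersection stops the interaction;
  * the terminal checks that it supports the adopted type before going on.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed security-level ordering: a larger value is preferred.
# Types 1-3 are the page's; type 4 is constructed for the example.
SECURITY_LEVEL: Dict[int, int] = {1: 10, 2: 20, 3: 30, 4: 40}


@dataclass
class NegotiationResult:
    auth_type: Optional[int]   # adopted type, None when negotiation stopped
    used_default: bool         # True when default_auth_type was accepted


def terminal_offer(default_auth_type: int, auth_type_group: List[int]) -> dict:
    """Steps 201/202/207: the terminal's first message. The first type
    must itself be one the terminal supports."""
    if default_auth_type not in auth_type_group:
        raise ValueError("default_auth_type must be in auth_type_group")
    return {"default_auth_type": default_auth_type,
            "auth_type_group": sorted(set(auth_type_group))}


def network_select(offer: dict, network_group: List[int]) -> NegotiationResult:
    """Steps 208/209 (default supported) or 308/309 (fallback)."""
    supported = set(network_group)
    if offer["default_auth_type"] in supported:
        return NegotiationResult(offer["default_auth_type"], True)
    common = set(offer["auth_type_group"]) & supported
    if not common:
        return NegotiationResult(None, False)      # no intersection: stop
    vote_auth_type = max(common, key=lambda t: SECURITY_LEVEL[t])
    return NegotiationResult(vote_auth_type, False)


def terminal_confirm(offer: dict, result: NegotiationResult) -> Optional[int]:
    """Steps 216/312: the terminal adopts the returned type only if it is
    one it supports; otherwise it would ask the peer to reselect (here:
    return None)."""
    if result.auth_type is None:
        return None
    if result.auth_type not in offer["auth_type_group"]:
        return None
    return result.auth_type


def negotiate(terminal_default: int, terminal_group: List[int],
              network_group: List[int]) -> Tuple[Optional[int], bool]:
    """One full negotiation; returns (adopted type or None, used_default)."""
    offer = terminal_offer(terminal_default, terminal_group)
    result = network_select(offer, network_group)
    return terminal_confirm(offer, result), result.used_default


if __name__ == "__main__":
    # Page's example: terminal supports 1-3, network side 2-4, intersection
    # {2, 3}; type 1 is refused, the highest-priority common type wins.
    print(negotiate(1, [1, 2, 3], [2, 3, 4]))   # (3, False)
```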
  • Step 325 according to the digest generation algorithm agreed by vote_auth_type, use the master key dev_masterkey of the terminal side device to generate a digest for devid, and obtain the first result, which is recorded as Digest(devid).
  • Step 326 transmit the first result Digest(devid) to the network side device through the TCP session.
  • Step 327 according to the digest generation algorithm agreed by vote_auth_type, use the master key plt_masterkey on the network side to generate a digest for devid, and obtain the second result, which is recorded as Digest1(devid).
  • Step 328 verify the first result Digest(devid) and the second result Digest1(devid).
  • Step 329 when the verification is passed, generate the session key sessionkey and the second device identifier deviceid, and store devid, deviceid, masterkey, and sessionkey as a record.
  • Step 330 according to the encryption and decryption algorithm agreed upon by vote_auth_type, use the master key plt_masterkey of the network side device to encrypt sessionkey and deviceid to obtain the encrypted session key cipher(sessionkey), and the encrypted second device identifier cipher( deviceid).
  • Step 331 send cipher (deviceid), cipher (sessionkey), and Digest1 (devid) to the terminal side device through the TCP session.
  • Step 332 according to the digest generation algorithm stipulated by vote_auth_type, using the master key dev_masterkey of the terminal side device, to generate a digest for devid to obtain a third result, which is denoted as Digest2(devid).
  • Step 333 verify the second result Digest1(devid) and the third result Digest2(devid).
  • Step 334 when the verification is passed, according to the encryption and decryption algorithm stipulated by vote_auth_type, the master key dev_masterkey of the terminal side device is used to decrypt cipher (deviceid) and cipher (sessionkey) to obtain the session key sessionkey and the second device identifier deviceid.
  • the session key is used as the key for communicating with the network side, and the context to be transmitted is encrypted to obtain the encrypted context, which is denoted as cipher(context).
  • Step 336 transmit the encrypted context cipher (context) to the network side device through the TCP session.
  • the foregoing steps 304 to 316 are the first authentication in which the terminal-side device authenticates the network-side device.
  • the foregoing steps 317 to 335 are the second authentication in which the network-side device authenticates the terminal-side device.
  • the decision-making power of the negotiation rests with the network side device, thus ensuring that the optimal authentication protocol type is selected within the range of authentication protocol types supported by the terminal side device.
  • FIG. 4 is a schematic flowchart of authentication between a terminal-side device and a network-side device according to Embodiment 2 of the present application.
  • the authentication methods include:
  • Step 401: the network-side device sends the first authentication protocol type supported by default by either device, together with the authentication protocol type group, to the terminal-side device.
  • the first authentication protocol type may be one supported by the terminal-side device by default.
  • the network side may obtain the default authentication protocol type supported by the terminal-side device; the first authentication protocol type may also be one supported by the network-side device by default.
  • Step 402: the terminal-side device judges whether it supports the first authentication protocol type.
  • the second authentication protocol type is the optimal authentication protocol type supported by the terminal-side device, selected according to the security level.
  • the authentication protocol type group is the intersection of the authentication protocol types supported by the terminal-side device and those supported by the network-side device, so the second authentication protocol type selected from the group is supported by both the network-side device and the terminal-side device.
  • Step 403: the network-side device performs authentication according to the authentication mode corresponding to the received authentication protocol type.
  • if the network-side device receives the second authentication protocol type from the terminal-side device, it uses the authentication mode corresponding to the second authentication protocol type to perform authentication;
  • otherwise, the network-side device uses the authentication mode corresponding to the first authentication protocol type to perform authentication.
  • both the first and the second authentication protocol type are supported by the network-side device, so the network-side device can perform authentication using the authentication mode corresponding to either of them.
  • the specific authentication process may be the same as that in Embodiment 1.
  • any local device among the two devices sends an authentication protocol type group to the other device, so that the other device selects the second authentication protocol type from the authentication protocol type group and sends it to the local device.
  • FIG. 5 is a schematic flowchart of authentication between a terminal-side device and a network-side device in Embodiment 3 of the present application.
  • the authentication method includes:
  • Step 501: the terminal-side device sends the group of authentication protocol types it supports to the network-side device.
  • Step 502: the network-side device selects a second authentication protocol type from the authentication protocol type group and sends it to the terminal-side device, where the second authentication protocol type is the optimal authentication protocol type selected according to the security level.
  • Step 503: the terminal-side device and the network-side device each perform authentication using the authentication mode corresponding to the second authentication protocol type.
  • the specific authentication process may be the same as that in Embodiment 1.
  • FIG. 6 is another schematic flowchart of authentication between the terminal-side device and the network-side device in Embodiment 3 of the present application.
  • the authentication method includes:
  • Step 601: the network-side device sends the authentication protocol type group to the terminal-side device.
  • the authentication protocol type group is the set of authentication protocol types supported by the terminal-side device, which can be obtained when the terminal-side device accesses the network.
  • Step 602: the terminal-side device selects a second authentication protocol type from the authentication protocol type group and sends it to the network-side device, where the second authentication protocol type is the optimal authentication protocol type selected according to the security level.
  • Step 603: the terminal-side device and the network-side device each perform authentication using the authentication mode corresponding to the second authentication protocol type.
  • the specific authentication process may be the same as that in Embodiment 1.
  • any local device among the two devices sends an authentication protocol type group to the other device, so that the other device selects the second authentication protocol type from the authentication protocol type group and sends it to the local device.
  • any local device among the terminal-side device and the network-side device sends an authentication protocol type group to the other device, so that the other device selects the second authentication protocol type from the authentication protocol type group and sends it to the local device.
  • the local device receives the second authentication protocol type from the counterpart device and judges whether it supports it. If not, it notifies the counterpart device to reselect; for example, the counterpart device proposes the authentication protocol types in the group one by one, returning each to the local device, until all authentication protocol types in the group have been traversed. Alternatively, to make the interaction more efficient, the local device selects from the authentication protocol type group the types it supports and sends them to the counterpart device, so that the counterpart device selects from these the authentication protocol type it supports and sends it to the local device.
  • FIG. 7 is a schematic flowchart of authentication between a terminal-side device and a network-side device according to Embodiment 4 of the present application.
  • the authentication methods include:
  • Step 701: the terminal-side device sends the authentication protocol type group to the network-side device.
  • Step 702: the network-side device selects a second authentication protocol type from the authentication protocol type group and sends it to the terminal-side device, where the second authentication protocol type is the optimal authentication protocol type selected according to the security level.
  • Step 703: the terminal-side device receives the second authentication protocol type from the peer device and judges whether it supports it.
  • Step 704: the terminal-side device and the network-side device each perform authentication using the authentication mode corresponding to the authentication protocol type.
  • the specific authentication process may be the same as that in Embodiment 1.
  • FIG. 8 is another schematic flowchart of authentication between a terminal-side device and a network-side device according to Embodiment 4 of the present application.
  • the authentication method includes:
  • Step 801: the network-side device sends the authentication protocol type group to the terminal-side device.
  • Step 802: the terminal-side device selects a second authentication protocol type from the authentication protocol type group and sends it to the network-side device, where the second authentication protocol type is the optimal authentication protocol type supported by the terminal-side device, selected according to the security level.
  • Step 803: the network-side device receives the second authentication protocol type from the peer device and judges whether it supports it.
  • Step 804: the terminal-side device and the network-side device each perform authentication using the authentication mode corresponding to the authentication protocol type.
  • the specific authentication process may be the same as that in Embodiment 1.
  • FIG. 9 is a schematic diagram of a terminal-side device or a network-side device.
  • the device includes,
  • the interaction module is used to interact with the other party's equipment on the authentication protocol type to determine the authentication protocol type supported by both devices, wherein the authentication protocol type corresponds to an authentication method;
  • the authentication module is configured to authenticate the devices of both parties according to the authentication mode corresponding to the determined authentication protocol type.
  • the interaction module includes:
  • a first interaction module, used to exchange the first authentication protocol type supported by default by either device;
  • a second interaction module, used to exchange the second authentication protocol type selected from the authentication protocol type group when the first authentication protocol type is not supported, or to exchange a second authentication protocol type selected from the authentication protocol type group.
  • the authentication module includes:
  • a first authentication module, used for the first authentication, in which the own device is authenticated by the counterpart device;
  • a second authentication module, used for the second authentication, in which the own device authenticates the counterpart device.
  • FIG. 10 is a schematic diagram of a terminal-side device or a network-side device. It includes a memory and a processor, the memory stores a computer program, and the processor is configured to execute the steps of implementing the authentication method between the terminal-side device and the network-side device.
  • the memory may include a random access memory (Random Access Memory, RAM), and may also include a non-volatile memory (Non-Volatile Memory, NVM), such as at least one disk memory.
  • the memory may also be at least one storage device located far away from the aforementioned processor.
  • the above-mentioned processor can be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it can also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
  • the embodiment of the present application also provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the authentication method between the terminal-side device and the network-side device.
  • a computer program product containing instructions is also provided; when it runs on a computer, the computer executes the authentication method between the terminal-side device and the network-side device of any of the above embodiments.
  • the description is relatively brief; for related parts, refer to the description of the method embodiment.

Abstract

The present application discloses an authentication method and system between a terminal-side device and a network-side device. In the method, at either local device among the terminal-side device and the network-side device, the local device exchanges authentication protocol types with the counterpart device in order to determine the authentication protocol types supported by both devices, where each authentication protocol type corresponds to an authentication mode. The application avoids the mutual dependence of the two devices' authentication modes during iteration of software and hardware resources; moreover, it provides abundant negotiation resources for authentication protocol types, helps to speed up negotiation of the authentication protocol type, and improves authentication efficiency.

Description

An authentication method and system between a terminal-side device and a network-side device
This application claims priority to the Chinese patent application filed with the China Patent Office on November 10, 2021, with application number 202111324852.2 and entitled "An authentication method and system between a terminal-side device and a network-side device", the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of wireless communication, and in particular to an authentication method between a terminal-side device and a network-side device.
Background art
At present, authentication between a terminal-side device and a network-side device is usually completed by means of pre-embedded public and private keys and a certain fixed algorithm. For example, in an Internet of Things system, the IoT device and the platform each pre-store public and private keys and the same algorithm, and use that algorithm and those keys to authenticate.
When the terminal-side device or the network-side device is upgraded, its authentication algorithm is usually upgraded as well, so that it is no longer the same algorithm as that of the device that has not been upgraded; as a result, the upgraded device and the non-upgraded device cannot authenticate each other.
Summary of the invention
The present application provides an authentication method between a terminal-side device and a network-side device, so as to avoid mutual dependence between the terminal-side device and/or the network-side device when performing authentication.
The authentication method between a terminal-side device and a network-side device provided by the present application includes, at either local device among the terminal-side device and the network-side device:
the local device exchanges authentication protocol types with the counterpart device to determine the authentication protocol types supported by both devices, where an authentication protocol type corresponds to an authentication mode;
the local device performs authentication between the two devices according to the authentication mode corresponding to the determined authentication protocol type, and causes the counterpart device to perform authentication between the two devices according to the authentication mode corresponding to the determined authentication protocol type.
Preferably, the local device exchanging authentication protocol types with the counterpart device includes:
the two devices exchanging a first authentication protocol type supported by default by either device and, where either device does not support the first authentication protocol type, a second authentication protocol type selected from an authentication protocol type group;
or
the two devices exchanging a second authentication protocol type selected from an authentication protocol type group;
where the authentication protocol type group includes at least one authentication protocol type, and each authentication protocol type corresponds to an authentication mode.
Preferably, the second authentication protocol type is the authentication protocol type with the highest priority in the authentication protocol type group, and the authentication protocol type group is the intersection of the terminal-side device's authentication protocol type group and the network-side device's authentication protocol type group;
the two devices exchanging a first authentication protocol type supported by default by either device and, where either device does not support the first authentication protocol type, a second authentication protocol type selected from the authentication protocol type group includes:
the local device sending to the counterpart device the first authentication protocol type supported by default by either device together with the authentication protocol type group, so that the counterpart device, if it does not support the first authentication protocol type, selects the second authentication protocol type from the authentication protocol type group and sends the authentication protocol type it adopts to the local device.
Preferably, the two devices exchanging a second authentication protocol type selected from the authentication protocol type group includes:
the local device sending the authentication protocol type group to the counterpart device, so that the counterpart device selects the second authentication protocol type from the group and sends it to the local device;
the local device performing authentication between the two devices according to the authentication mode corresponding to the determined authentication protocol type, and causing the counterpart device to perform authentication between the two devices according to that authentication mode, includes:
the two devices each performing authentication using the authentication mode corresponding to the second authentication protocol type.
Preferably, the two devices exchanging a second authentication protocol type selected from the authentication protocol type group includes:
the local device sending the authentication protocol type group to the counterpart device, so that the counterpart device selects the second authentication protocol type from the group and sends it to the local device;
the local device receiving the second authentication protocol type from the counterpart device and judging whether it supports it; if not, notifying the counterpart device to reselect, or selecting from the authentication protocol type group an authentication protocol type supported by the local device and sending it to the counterpart device, so that the counterpart device selects, from the supported authentication protocol types, one that the counterpart device supports and sends it to the local device.
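The negotiation variants described above (default type plus group as in Embodiment 2; a group with re-selection one type at a time, or a group pre-filtered to the local device's own types, as in Embodiment 4), worked through as added example code that is not the patent's own. The type names, security levels and the stale group record are constructed values, and "optimal" is taken to mean the highest security level in the group.

```python
# Constructed capability tables: authentication protocol type -> security level (higher is
# stronger). Type names and levels are illustrative, not values from the patent.
TERMINAL_TYPES = {"AUTH_V1": 1, "AUTH_V2": 2, "AUTH_V3": 3}   # an older terminal
NETWORK_TYPES = {"AUTH_V2": 2, "AUTH_V3": 3, "AUTH_V4": 4}    # an upgraded platform
# The type group the network recorded when the terminal last accessed it: a stale record,
# constructed so that the re-selection case of the passage above is exercised.
STALE_GROUP_FOR_TERMINAL = ["AUTH_V1", "AUTH_V2", "AUTH_V3", "AUTH_V4"]


def type_group(local, peer):
    """Authentication protocol type group: the types both sides support (the intersection)."""
    return {t: lvl for t, lvl in local.items() if t in peer}


def select_optimal(group):
    """Second authentication protocol type: highest security level, name as a tie-break."""
    if not group:
        raise LookupError("no common authentication protocol type")
    return max(group.items(), key=lambda kv: (kv[1], kv[0]))[0]


def negotiate_default_first(network, network_default, terminal):
    """Embodiment 2 (steps 401-403). Returns (agreed type, messages exchanged)."""
    group = type_group(network, terminal)            # step 401: network sends default + group
    if network_default in terminal:                  # step 402: terminal supports the default
        return network_default, 1
    # step 402, default unsupported: terminal picks by its own security levels and replies
    return select_optimal({t: terminal[t] for t in group}), 2


def negotiate_with_reselection(local, offered_group, peer):
    """Embodiment 4 as described above: the local device sends a group, the peer proposes its
    optimal choice, and the local device asks it to reselect until the group is traversed.
    Returns (agreed type or None, messages exchanged)."""
    messages = 1                                                     # steps 701/801: the group
    candidates = sorted((t for t in offered_group if t in peer), key=lambda t: (-peer[t], t))
    for t in candidates:
        messages += 1                                                # steps 702/802: proposal
        if t in local:                                               # steps 703/803: supported?
            return t, messages
        messages += 1                                                # ask the peer to reselect
    return None, messages


def negotiate_filtered(local, peer):
    """The faster variant: offer only the types the local device itself supports, so the
    peer's first proposal is always acceptable."""
    return negotiate_with_reselection(local, list(local), peer)
```

Running the stale group costs two extra round trips before both sides settle on the same type that the pre-filtered group reaches in one proposal.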
Preferably, the authentication mode includes one of, or any combination of, a public-private key pair generation method, a master key generation method, a shared key generation method, an encryption and decryption method, and a digest generation method;
the second authentication protocol type is the optimal authentication protocol type selected according to the security level;
the authentication between the two devices includes:
a first authentication, in which the local device is authenticated by the counterpart device, and
a second authentication, in which the local device authenticates the counterpart device.
Preferably, the first authentication, in which the local device is authenticated by the counterpart device, includes:
on the local device side,
generating the public-private key pair of the local device according to the public-private key pair generation method corresponding to the authentication protocol type,
generating the shared key of the local device according to the shared key generation method corresponding to the authentication protocol type,
encrypting the public key with the shared key according to the encryption and decryption method corresponding to the authentication protocol type, to obtain an encrypted public key,
sending the first device identifier, the device verification code and the encrypted public key of the local device to the counterpart device, so that the counterpart device:
generates the shared key of the counterpart device using the first device identifier and the device verification code, according to the shared key generation method corresponding to the authentication protocol type,
decrypts the encrypted public key of the local device using the shared key of the counterpart device, according to the encryption and decryption method corresponding to the authentication protocol type, to obtain the public key of the local device,
generates the master key of the counterpart device using the private key of the counterpart device and the public key of the local device, according to the public-private key pair generation method corresponding to the authentication protocol type,
encrypts the public key of the counterpart device using the master key of the counterpart device, according to the encryption and decryption method corresponding to the authentication protocol type, to obtain the encrypted public key of the counterpart device.
Preferably, the second authentication, in which the local device authenticates the counterpart device, includes:
the local device receiving the encrypted public key of the counterpart device sent by the counterpart device,
decrypting the encrypted public key of the counterpart device using the shared key of the local device, according to the encryption and decryption method corresponding to the authentication protocol type, to obtain the public key of the counterpart device,
generating the master key of the local device using the private key of the local device and the public key of the counterpart device, according to the public-private key pair generation method corresponding to the authentication protocol type,
generating a digest of the first device identifier using the master key of the local device, according to the digest generation method corresponding to the authentication protocol type, to obtain a first result,
sending the first result to the counterpart device, so that the counterpart device:
generates a digest of the first device identifier using the master key of the counterpart device, according to the digest generation method corresponding to the authentication protocol type, to obtain a second result,
verifies the first result against the second result and, when the verification passes, generates a session key and a second device identifier,
encrypts the session key and the second device identifier using the master key of the counterpart device, according to the encryption and decryption method corresponding to the authentication protocol type, to obtain the encrypted session key and second device identifier,
sends the second result together with the encrypted session key and second device identifier to the local device;
the local device receiving the second result together with the encrypted session key and second device identifier from the counterpart device,
generating a digest of the first device identifier using the master key of the local device, according to the digest generation method corresponding to the authentication protocol type, to obtain a third result,
verifying the second result against the third result and, when the verification passes, decrypting the encrypted session key and second device identifier using the master key of the local device, according to the encryption and decryption method corresponding to the authentication protocol type.
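The two-phase handshake of steps 313-336 (Fig. 3) and the first and second authentication set out in the clauses above, driven end to end as added example code that is not part of the patent. Assumed, since the patent names no concrete algorithms: key pairs and master keys via finite-field Diffie-Hellman over the RFC 3526 2048-bit MODP group, the shared key as HMAC-SHA256 keyed with the device verification code, an HMAC-based encrypt-then-MAC cipher, HMAC-SHA256 as the digest, and the network side's public key encrypted under the shared key (the terminal holds only dev_sharekey when it decrypts it at step 323); devid, verification code and the platform's registry are constructed sample values.

```python
import hashlib
import hmac
import secrets

# RFC 3526 2048-bit MODP group (generator 2) is assumed here as the key pair / master key
# algorithm selected by vote_auth_type; the patent itself names no concrete algorithm.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
DEVID = b"DEV-0001"                       # constructed sample first device identifier (devid)
VERIFY_CODE = b"constructed-verify-code"  # constructed device verification code, pre-stored on both sides

def gen_keypair():                                   # steps 313 / 317
    priv = secrets.randbits(256)
    return priv, pow(G, priv, P)

def master_key(own_priv, peer_pub):                  # steps 320 / 324: hash of the DH secret
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid peer public key")  # reject degenerate public values
    return hashlib.sha256(pow(peer_pub, own_priv, P).to_bytes(256, "big")).digest()

def shared_key(devid, verify_code):                  # steps 314 / 318
    return hmac.new(verify_code, b"sharekey|" + devid, hashlib.sha256).digest()

def _prf(key, label, n):                             # HMAC-SHA256 counter-mode keystream
    blocks = (hmac.new(key, label + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(key, plaintext):                         # steps 315 / 321 / 330 / 335: encrypt-then-MAC
    enc_k, mac_k = _prf(key, b"enc", 32), _prf(key, b"mac", 32)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _prf(enc_k, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_k, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):                              # steps 319 / 323 / 334: check the tag first
    enc_k, mac_k = _prf(key, b"enc", 32), _prf(key, b"mac", 32)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_k, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _prf(enc_k, nonce, len(ct))))

def digest(masterkey, devid):                        # steps 325 / 327 / 332
    return hmac.new(masterkey, devid, hashlib.sha256).digest()

class Terminal:
    def __init__(self, devid, verify_code):
        self.devid, self.verify_code = devid, verify_code
    def first_auth_request(self):
        self.priv, self.pub = gen_keypair()                                        # 313
        self.sharekey = shared_key(self.devid, self.verify_code)                   # 314
        return self.devid, encrypt(self.sharekey, self.pub.to_bytes(256, "big"))   # 315-316
    def first_auth_finish(self, cipher_plt_pub):
        plt_pub = int.from_bytes(decrypt(self.sharekey, cipher_plt_pub), "big")    # 323
        self.masterkey = master_key(self.priv, plt_pub)                            # 324
        return digest(self.masterkey, self.devid)                                  # 325-326
    def second_auth_finish(self, cipher_deviceid, cipher_sessionkey, digest1):
        if not hmac.compare_digest(digest1, digest(self.masterkey, self.devid)):   # 332-333
            raise ValueError("network side failed to prove the master key")
        self.deviceid = decrypt(self.masterkey, cipher_deviceid)                   # 334
        self.sessionkey = decrypt(self.masterkey, cipher_sessionkey)

class Platform:
    def __init__(self, registry):
        self.registry, self.sessions = registry, {}   # devid -> verify code; deviceid -> record
    def first_auth_respond(self, devid, cipher_dev_pub):
        self.priv, self.pub = gen_keypair()                                        # 317
        sharekey = shared_key(devid, self.registry[devid])                         # 318
        dev_pub = int.from_bytes(decrypt(sharekey, cipher_dev_pub), "big")         # 319
        self.pending = (devid, master_key(self.priv, dev_pub))                     # 320
        return encrypt(sharekey, self.pub.to_bytes(256, "big"))                    # 321-322
    def second_auth_respond(self, digest_dev):
        devid, masterkey = self.pending
        digest1 = digest(masterkey, devid)                                         # 327
        if not hmac.compare_digest(digest_dev, digest1):                           # 328
            raise ValueError("terminal failed to prove the master key")
        sessionkey, deviceid = secrets.token_bytes(32), secrets.token_bytes(16)    # 329
        self.sessions[deviceid] = (devid, masterkey, sessionkey)
        return encrypt(masterkey, deviceid), encrypt(masterkey, sessionkey), digest1  # 330-331

def run_handshake(terminal_code=VERIFY_CODE, context=b"constructed context"):
    """Drive steps 313-336 once and return what each side ends up holding."""
    term, plat = Terminal(DEVID, terminal_code), Platform({DEVID: VERIFY_CODE})
    devid, c_dev_pub = term.first_auth_request()
    d = term.first_auth_finish(plat.first_auth_respond(devid, c_dev_pub))
    term.second_auth_finish(*plat.second_auth_respond(d))
    c_context = encrypt(term.sessionkey, context)                                  # 335-336
    plt_sessionkey = plat.sessions[term.deviceid][2]
    return {"terminal_sessionkey": term.sessionkey, "platform_sessionkey": plt_sessionkey,
            "context": decrypt(plt_sessionkey, c_context)}
```

A terminal whose verification code does not match the platform's record fails at step 319, before the platform accepts any public key or derives a master key.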
The present application further provides a terminal-side device comprising a memory and a processor, wherein the memory stores a computer program and the processor is configured to execute the program so as to carry out the steps of any of the above authentication methods between a terminal-side device and a network-side device.
The present application further provides a network-side device comprising a memory and a processor, wherein the memory stores a computer program and the processor is configured to execute the program so as to carry out the steps of any of the above authentication methods between a terminal-side device and a network-side device.
The present application further provides an Internet of Things system comprising the above terminal-side device and the above network-side device.
The present application further provides a computer-readable storage medium storing a computer program which, when executed by a processor, carries out the steps of any of the above authentication methods between a terminal-side device and a network-side device.
In the authentication method between a terminal-side device and a network-side device provided by the present application, the two devices exchange authentication protocol types so that they can find at least one authentication protocol type through negotiation, and then authenticate each other using the authentication method corresponding to the negotiated type. This avoids the problem of the two devices depending on each other's authentication method while their software and hardware resources are iterated. Further, using a first authentication protocol type that both devices support by default, together with a second authentication protocol type selected from the authentication protocol type group when either device does not support the first type (or a second authentication protocol type selected from the group through interaction), both provides abundant resources for negotiating the authentication protocol type and speeds up that negotiation, improving authentication efficiency.
Description of the drawings
To describe the technical solutions of the embodiments of the present application and of the prior art more clearly, the drawings required for the embodiments and the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application; those of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic flowchart of authentication between a terminal-side device and a network-side device according to an embodiment of the present application;
FIG. 2a and FIG. 2b are a schematic flowchart of authentication between a terminal-side device and a network-side device;
FIG. 3a and FIG. 3b are a schematic flowchart of the case where the negotiation between the terminal-side device and the network-side device is inconsistent;
FIG. 4 is a schematic flowchart of authentication between a terminal-side device and a network-side device according to Embodiment 2 of the present application;
FIG. 5 is a schematic flowchart of authentication between a terminal-side device and a network-side device according to Embodiment 3 of the present application;
FIG. 6 is another schematic flowchart of authentication between a terminal-side device and a network-side device according to Embodiment 3 of the present application;
FIG. 7 is a schematic flowchart of authentication between a terminal-side device and a network-side device according to Embodiment 4 of the present application;
FIG. 8 is another schematic flowchart of authentication between a terminal-side device and a network-side device according to Embodiment 4 of the present application;
FIG. 9 is a schematic diagram of a terminal-side device or a network-side device;
FIG. 10 is a schematic diagram of a terminal-side device or a network-side device.
Detailed description of the embodiments
To make the objectives, technical solutions and advantages of the present application clearer, the present application is described in further detail below with reference to the drawings and embodiments. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present application without creative effort fall within the scope of protection of the present application.
The present application performs authentication using the authentication method corresponding to the authentication protocol type negotiated between the terminal-side device and the network-side device, thereby avoiding mutual dependence between the terminal-side device and/or the network-side device during authentication.
Referring to FIG. 1, FIG. 1 is a schematic flowchart of authentication between a terminal-side device and a network-side device according to an embodiment of the present application. The method includes:
Step 101: the terminal-side device and the network-side device exchange authentication protocol types to determine the authentication protocol types supported by both devices, so that an authentication protocol type is obtained through negotiation between the terminal-side device and the network-side device;
Step 102: the two devices authenticate each other according to the authentication method corresponding to the supported authentication protocol type;
where:
the authentication protocol type corresponds to an authentication method;
the authentication between the two devices includes:
a first authentication, in which either one of the two devices (the local device) is authenticated by the peer device, and
a second authentication, in which the local device authenticates the peer device.
With this embodiment, the two devices exchange authentication protocol types so that they can find at least one authentication protocol type through negotiation and then authenticate each other using the authentication method corresponding to the negotiated type, which avoids the problem of the two devices depending on each other's authentication method while their software and hardware resources are iterated. Further, exchanging the first authentication protocol type that a device supports by default, together with a second authentication protocol type selected from the authentication protocol type group when either device does not support the first type (or a second authentication protocol type selected from the group through interaction), both provides abundant resources for negotiating the authentication protocol type and speeds up that negotiation, improving authentication efficiency.
In S101, the authentication protocol type negotiated between the terminal-side device and the network-side device must be supported by the terminal-side device and must also be supported by the network-side device. For example, if the terminal-side device supports authentication protocol types 1-3 and the network-side device supports authentication protocol types 2-4, the negotiated authentication protocol type is authentication protocol type 2 or authentication protocol type 3.
In S102, "the authentication protocol type corresponds to an authentication method" means that each authentication protocol type has a corresponding authentication method, and by following that method the two devices can perform an authentication that complies with the authentication protocol type.
Embodiment 1
This embodiment describes two cases in which the devices exchange authentication protocol types: the terminal-side device supports a first authentication protocol type by default and the network-side device also supports it (see the example of FIG. 2a and FIG. 2b below); and the terminal-side device supports the first authentication protocol type but the network-side device does not, so the network-side device selects a second authentication protocol type from the authentication protocol type group (see the example of FIG. 3a and FIG. 3b below). Here, the authentication protocol type group is the intersection of the set of authentication protocol types of the terminal-side device and the set of authentication protocol types of the network-side device. For example, if the terminal-side device supports authentication protocol types 1-3 and the network-side device supports authentication protocol types 2-4, the authentication protocol type group is {authentication protocol type 2, authentication protocol type 3}. The second authentication protocol type is the authentication protocol type with the highest priority in the group. If the two sides have no matching authentication type, that is, the sets of authentication protocol types they support do not intersect, the interaction stops.
Referring to FIG. 2a and FIG. 2b, which are a schematic flowchart of authentication between a terminal-side device and a network-side device, the authentication method includes:
At the terminal-side device (for example an IoT device, mobile phone or tablet):
Step 201: the terminal-side device obtains the first authentication protocol type, denoted default_auth_type. This may be the authentication protocol type supported by the device itself by default, or the one supported by the network-side device by default, but the first authentication protocol type must be one that the terminal-side device supports. For example, the terminal-side device determines the first authentication protocol type from the multiple authentication protocol types it supports by default according to a preset rule.
As shown in the table below, the first authentication protocol type corresponds to an authentication method, which includes one or any combination of: a public/private key pair generation method, a master key (Masterkey) generation method, a share key (Sharekey) generation method, an encryption and decryption method, and a digest generation method. The choice is determined by the authentication requirements; each of these methods can be understood as a specific algorithm.
(Table: Figure PCTCN2022123503-appb-000001)
The second row of the above table states that authentication protocol type 1 requires, during authentication, generating the public/private key pair with ECP_DP_SECP384R1, generating the master key with ECP_DP_SECP384R1, generating the share key as md5(md5(MD5(verification code devauthcode + device serial number devid) + identifier, encrypting and decrypting with AES128-GCM, and generating digests with Hmac_SHA384.
Step 202: obtain the authentication protocol type group supported by the terminal-side device, denoted auth_type_group. The group contains one or more authentication protocol types, each of which corresponds to one or any combination of a public/private key pair generation method, a master key (Masterkey) generation method, a share key (Sharekey) generation method, an encryption and decryption method, and a digest generation method. The choice is determined by the authentication requirements; in this embodiment it is the combination of all of these methods. Each of the above methods can be understood as a specific algorithm.
(Table: Figure PCTCN2022123503-appb-000002)
Step 203: read the first device identifier and the device verification code pre-stored in the terminal-side device, denoted devid and devauthcode respectively.
The first device identifier may be the device serial number, a character string that identifies the device; each physical device has a different identifier.
The device verification code is a character string stored in the device hardware; it is non-volatile and cannot be changed.
Step 204: according to the public/private key pair generation algorithm specified by the first authentication protocol type obtained in step 201, generate the public/private key pair of the terminal-side device, denoted dev_privatekey (the private key of the pair) and dev_publickey (the public key of the pair).
Step 205: according to the share key (Sharekey) generation algorithm specified by the first authentication protocol type obtained in step 201, use the pre-stored devid and devauthcode to generate the share key of the terminal, denoted dev_sharekey.
Step 206: according to the encryption and decryption algorithm specified by the first authentication protocol type obtained in step 201, use the share key Sharekey to encrypt the terminal's public key dev_publickey, obtaining the encrypted public key, denoted cipher(dev_publickey).
Step 207: transmit the first authentication protocol type obtained in step 201, the authentication protocol type group obtained in step 202, the first device identifier devid and the device verification code devauthcode obtained in step 203, and the cipher(dev_publickey) obtained in step 206 to the network-side device over the TCP session.
In the above process, since in most practical cases the network-side device has been upgraded while the terminal-side device has not, which causes authentication to fail, the probability that the terminal-side device supports the default first authentication protocol type is relatively high. The terminal-side device can therefore compute the parameters used for authentication in advance, for example the public/private key pair, the share key and the encrypted public key. In addition, sending the first authentication protocol type and the authentication protocol type group together with the first device identifier, the device verification code and cipher(dev_publickey) to the network side reduces the number of transmissions from the terminal-side device to the network-side device, which helps improve the reliability of the authentication process.
As a variant, the first authentication protocol type and the authentication protocol type group may be sent to the network side before the first device identifier and device verification code pre-stored in the terminal-side device are read, so that the authentication protocol type is negotiated with the network side first.
At the network-side device (for example a platform or server):
Step 208: determine whether the first authentication protocol type of the terminal-side device is supported.
Step 209: determine that the first authentication protocol type of the terminal-side device is supported.
Step 210: according to the public/private key pair generation algorithm specified by the first authentication protocol type, generate the public/private key pair of the network-side device, denoted plt_privatekey and plt_publickey, where plt_privatekey is the private key of the pair and plt_publickey is the public key of the pair.
Step 211: according to the share key generation algorithm specified by the first authentication protocol type, use the pre-stored devid and devauthcode to generate the share key of the network-side device, denoted plt_sharekey.
Step 212: according to the encryption and decryption algorithm specified by the first authentication protocol type, use plt_sharekey as the key to decrypt cipher(dev_publickey), obtaining dev_publickey.
Step 213: according to the master key generation algorithm specified by the first authentication protocol type, use the private key plt_privatekey of the network-side device and dev_publickey to generate the master key of the network-side device, denoted plt_masterkey.
Step 214: according to the encryption and decryption algorithm specified by the first authentication protocol type, use the master key of the network-side device to encrypt the public key plt_publickey of the network-side device, obtaining the encrypted public key of the network-side device, denoted cipher(plt_publickey).
Step 215: transmit cipher(plt_publickey) and the authentication protocol type in use to the terminal-side device over the TCP session.
At the terminal-side device:
Step 216: receive the authentication protocol type from the network-side device and determine that it is consistent with the terminal-side device's authentication protocol type default_auth_type.
Step 217: if consistent, decrypt cipher(plt_publickey) with the terminal-side device's share key dev_sharekey according to the encryption and decryption algorithm specified by default_auth_type, obtaining the public key plt_publickey of the network-side device.
Step 218: according to the master key generation algorithm specified by default_auth_type, use the private key dev_privatekey of the terminal-side device and the public key plt_publickey of the network-side device to generate the master key of the terminal-side device, denoted dev_masterkey.
The master key is a relatively long-lived key generated by the terminal-side device and the network-side device during authentication; its life cycle is controlled by the network-side device.
Step 219: according to the digest generation algorithm specified by default_auth_type, use the terminal-side device's master key dev_masterkey to generate a digest of devid, obtaining the first result, denoted Digest(devid).
Step 220: transmit the first result Digest(devid) to the network-side device over the TCP session.
At the network-side device:
Step 221: according to the digest generation algorithm specified by default_auth_type, use the network-side device's master key plt_masterkey to generate a digest of devid, obtaining the second result, denoted Digest1(devid).
Step 222: verify the first result Digest(devid) against the second result Digest1(devid).
Step 223: when the verification passes, generate a session key sessionkey and a second device identifier deviceid, which is assigned to the terminal-side device by the network-side device; otherwise the authentication fails and this authentication process ends.
Step 224: according to the encryption and decryption algorithm specified by default_auth_type, use the network-side device's master key plt_masterkey to encrypt sessionkey and deviceid, obtaining the encrypted session key cipher(sessionkey) and the encrypted second device identifier cipher(deviceid).
Step 225: according to the digest generation algorithm specified by default_auth_type, use the network-side device's master key plt_masterkey to generate a digest of devid, obtaining the third result, denoted Digest2(devid).
Since the master key is normally still within its life cycle, the third result is identical to the second result, so the computation of the third result may be skipped.
Step 226: send cipher(deviceid), cipher(sessionkey), and Digest2(devid) or Digest1(devid) to the terminal-side device over the TCP session.
At the terminal-side device:
Step 227: according to the digest generation algorithm specified by default_auth_type, use the terminal-side device's master key dev_masterkey to generate a digest of devid, obtaining the fourth result, denoted Digest3(devid).
Step 228: verify the third result Digest2(devid) against the fourth result Digest3(devid), or verify the second result Digest1(devid) against the fourth result Digest3(devid).
Step 229: when the verification passes, decrypt cipher(deviceid) and cipher(sessionkey) with the terminal-side device's master key dev_masterkey according to the encryption and decryption algorithm specified by default_auth_type, obtaining the session key sessionkey and the second device identifier deviceid; otherwise the authentication fails and the authentication process ends.
Step 230: since the session link may change during authentication, transmit the first result Digest(devid) to the network-side device again over the TCP session.
At the network-side device:
Step 231: according to the digest generation algorithm specified by default_auth_type, use the network-side device's master key plt_masterkey to generate a digest of devid again with the digest generation algorithm (for example hmac-sha384), obtaining the fifth result, denoted Digest4(devid).
Since the master key is normally still within its life cycle, the fifth result is identical to the second result, so the computation of the fifth result may be skipped.
Step 232: verify the first result against the fifth result, or verify the first result against the second result.
Step 233: when the verification passes, store devid, deviceid, plt_masterkey and sessionkey as one record; otherwise the authentication fails and this authentication process ends.
At the terminal-side device:
Step 234: use the session key sessionkey as the key for communicating with the network-side device and encrypt the context to be transmitted, obtaining the encrypted context, denoted cipher(context).
Step 235: transmit the encrypted context cipher(context) to the network-side device over the TCP session.
Steps 204 to 215 above constitute the first authentication, in which the terminal-side device authenticates the network-side device.
Steps 216 to 235 above constitute the second authentication, in which the network-side device authenticates the terminal-side device.
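As an added example, not code from the application, the following Python script simulates the Embodiment 1 negotiation (steps 201, 208, 209 and the step 309 vote from the intersection, including the no-intersection stop) and the digest-based mutual check of steps 219 to 233, using HMAC-SHA384 as the digest algorithm named for authentication protocol type 1. The priority order of the types, the toy Diffie-Hellman that stands in for ECDH over ECP_DP_SECP384R1, and the deviceid assignment are assumptions; the share-key wrapping of the public keys (steps 206 and 214, AES128-GCM) is omitted.

```python
# Added example, not code from the patent application. It simulates the
# Embodiment 1 negotiation (steps 201/208/209/309) and the digest-based mutual
# check of steps 219-233 with HMAC-SHA384 (the digest algorithm the table
# names for authentication protocol type 1). ECDH over ECP_DP_SECP384R1 is
# replaced by a toy Diffie-Hellman stand-in (assumption, not secure) so the
# script runs with the standard library only; the share-key wrapping of the
# public keys (steps 206/214, AES128-GCM) is omitted.
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed priority order for the step 309 pick; the application only says
# the second type is the highest-priority member of the intersection.
PRIORITY = {1: 10, 2: 20, 3: 30, 4: 40}

# Toy DH group standing in for secp384r1 (assumption; demonstration only).
DH_P = 2**127 - 1  # a Mersenne prime
DH_G = 5


def negotiate(default_auth_type: int, auth_type_group: set,
              plt_types: set) -> Optional[int]:
    """Network-side decision of steps 208/209/309: keep the terminal's default
    type if supported, else vote the highest-priority common type, else stop
    (None) because the intersection is empty."""
    if default_auth_type in plt_types:
        return default_auth_type
    common = set(auth_type_group) & set(plt_types)
    if not common:
        return None
    return max(common, key=PRIORITY.__getitem__)  # vote_auth_type


def keypair() -> tuple:
    """Stand-in for the public/private key pair of steps 204/210."""
    priv = secrets.randbelow(DH_P - 3) + 2
    return priv, pow(DH_G, priv, DH_P)


def masterkey(priv: int, peer_pub: int) -> bytes:
    """Stand-in for the master key derivation of steps 213/218."""
    shared = pow(peer_pub, priv, DH_P)
    return hashlib.sha384(shared.to_bytes(16, "big")).digest()


def digest(master: bytes, devid: bytes) -> bytes:
    """Digest(devid) of steps 219/221/225/227/231: HMAC-SHA384 under the master key."""
    return hmac.new(master, devid, hashlib.sha384).digest()


def run_auth(devid: bytes, dev_types: set, default_auth_type: int,
             plt_types: set, tamper: bool = False) -> dict:
    """Both sides of the flow; `tamper` corrupts the terminal's master key to
    exercise the failure path of step 222."""
    auth_type = negotiate(default_auth_type, dev_types, plt_types)
    if auth_type is None:
        return {"auth_type": None, "ok": False, "reason": "no common type"}
    dev_priv, dev_pub = keypair()                # step 204 (terminal)
    plt_priv, plt_pub = keypair()                # step 210 (platform)
    plt_master = masterkey(plt_priv, dev_pub)    # step 213
    dev_master = masterkey(dev_priv, plt_pub)    # step 218
    if tamper:
        dev_master = bytes(b ^ 0x01 for b in dev_master)
    first = digest(dev_master, devid)            # steps 219/220: sent to platform
    second = digest(plt_master, devid)           # step 221
    # step 222: constant-time comparison so timing does not leak digest bytes
    if not hmac.compare_digest(first, second):
        return {"auth_type": auth_type, "ok": False, "reason": "step 222 failed"}
    sessionkey = secrets.token_bytes(16)         # step 223
    deviceid = hashlib.sha256(devid).hexdigest()[:16]  # constructed assignment
    fourth = digest(dev_master, devid)           # step 227, checked by terminal
    if not hmac.compare_digest(second, fourth):  # step 228
        return {"auth_type": auth_type, "ok": False, "reason": "step 228 failed"}
    # steps 230-233: the terminal resends the first result after a possible
    # link change; the platform rechecks it and only then stores the record.
    if not hmac.compare_digest(first, digest(plt_master, devid)):
        return {"auth_type": auth_type, "ok": False, "reason": "step 232 failed"}
    record = {"devid": devid, "deviceid": deviceid,
              "plt_masterkey": plt_master, "sessionkey": sessionkey}
    return {"auth_type": auth_type, "ok": True, "reason": "", "record": record}


if __name__ == "__main__":
    # Constructed sample: terminal supports types 1-3, platform 2-4 (the
    # application's own example), so default type 1 is rejected and the
    # platform votes type 3 from the intersection {2, 3}.
    print(run_auth(b"SN-CONSTRUCTED-0001", {1, 2, 3}, 1, {2, 3, 4}))
    print(run_auth(b"SN-CONSTRUCTED-0001", {1, 2, 3}, 1, {2, 3, 4}, tamper=True))
```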
Referring to FIG. 3a and FIG. 3b, which are a schematic flowchart of the case where the negotiation between the terminal-side device and the network-side device is inconsistent.
At the terminal-side device:
Steps 301 to 307 are the same as steps 201 to 207.
At the network-side device:
Step 308: determine whether the first authentication protocol type of the terminal-side device is supported.
Step 309: when it is not supported, select a second authentication protocol type from the received authentication protocol type group auth_type_group; the second authentication protocol type is the optimal authentication protocol type selected according to security level, denoted vote_auth_type.
Step 310: transmit the second authentication protocol type to the terminal-side device over the TCP session.
At the terminal-side device:
Step 311: look up vote_auth_type in auth_type_group.
Step 312: use vote_auth_type as the authentication protocol type for this authentication.
Since the authentication protocol type group originates from the terminal-side device and the second authentication protocol type is selected by the network-side device from that group, the second authentication protocol type is necessarily contained in the group; steps 311 and 312 may therefore be omitted.
Step 313: according to the public/private key pair generation algorithm specified by the authentication protocol type vote_auth_type obtained in step 312, generate the public/private key pair of the terminal-side device, denoted dev_privatekey and dev_publickey.
Step 314: according to the share key generation algorithm specified by the authentication protocol type vote_auth_type obtained in step 312, use the pre-stored devid and devauthcode to generate the share key of the terminal-side device, denoted dev_sharekey.
Step 315: according to the encryption and decryption algorithm specified by the authentication protocol type vote_auth_type obtained in step 312, use the share key to encrypt dev_publickey, obtaining the encrypted public key, denoted cipher(dev_publickey).
Step 316: transmit the cipher(dev_publickey) obtained in step 315 to the network-side device over the TCP session.
At the network-side device:
Step 317: according to the public/private key pair generation algorithm specified by the selected authentication protocol type vote_auth_type, generate the public/private key pair of the network side, denoted plt_privatekey and plt_publickey, where plt_privatekey is the private key of the pair and plt_publickey is the public key of the pair.
Step 318: according to the share key generation algorithm specified by the authentication protocol type vote_auth_type, use the pre-stored devid and devauthcode to generate the share key of the network-side device, denoted plt_sharekey.
Step 319: according to the encryption and decryption algorithm specified by the authentication protocol type vote_auth_type, use plt_sharekey as the key to decrypt cipher(dev_publickey), obtaining dev_publickey.
Step 320: according to the master key generation algorithm specified by the authentication protocol type vote_auth_type, use the private key plt_privatekey of the network-side device and dev_publickey to generate the master key of the network-side device, denoted plt_masterkey.
Step 321: according to the encryption and decryption algorithm specified by the authentication protocol type vote_auth_type, use the master key of the network-side device to encrypt the public key plt_publickey of the network-side device, obtaining the encrypted public key of the network-side device, denoted cipher(plt_publickey).
Step 322: transmit cipher(plt_publickey) to the terminal-side device over the TCP session.
在终端侧设备,On the terminal side device,
步骤323,根据vote_auth_type约定的加解算法,使用终端侧设备的共享密钥dev_sharekey,对cipher(plt_publickey)进行解密,得到网络侧设备的公钥plt_publickey。Step 323: According to the encryption and decryption algorithm agreed by vote_auth_type, use the shared key dev_sharekey of the terminal-side device to decrypt the cipher (plt_publickey) to obtain the public key plt_publickey of the network-side device.
步骤324,根据vote_auth_type约定的总密钥密钥生成算法,使用终端侧设备的私钥dev_privatekey、以及网络侧设备的私钥plt_publickey,生成终端侧设备的总密钥,记为dev_masterkey。Step 324, according to the general key key generation algorithm stipulated by vote_auth_type, use the private key dev_privatekey of the terminal-side device and the private key plt_publickey of the network-side device to generate the general key of the terminal-side device, denoted as dev_masterkey.
步骤325,根据vote_auth_type约定的摘要生成算法,使用终端侧设备的总密钥dev_masterkey对devid进行摘要生成,得到第一结果,记为Digest(devid)。Step 325, according to the digest generation algorithm agreed by vote_auth_type, use the master key dev_masterkey of the terminal side device to generate a digest for devid, and obtain the first result, which is recorded as Digest(devid).
步骤326,通过TCP会话将第一结果Digest(devid)传输给网络侧设备。Step 326, transmit the first result Digest(devid) to the network side device through the TCP session.
在网络侧设备,On the network side device,
步骤327,根据vote_auth_type约定的摘要生成算法,使用网络侧的总密钥plt_masterkey,对devid进行摘要生成,得到第二结果,记为Digest1(devid)。Step 327, according to the digest generation algorithm agreed by vote_auth_type, use the master key plt_masterkey on the network side to generate a digest for devid, and obtain the second result, which is recorded as Digest1(devid).
步骤328,校验第一结果Digest(devid)和第二结果Digest1(devid)。Step 328, verify the first result Digest(devid) and the second result Digest1(devid).
步骤329,校验通过时,生成会话密钥sessionkey以及第二设备标识deviceid,将devid、deviceid、masterkey、sessionkey作为一个记录进行存储。Step 329, when the verification is passed, generate the session key sessionkey and the second device identifier deviceid, and store devid, deviceid, masterkey, and sessionkey as a record.
步骤330,根据vote_auth_type约定的加解密算法,使用网络侧设备的总密钥plt_masterkey,对sessionkey和deviceid进行加密,得到加密后的会话密钥cipher(sessionkey),以及加密后的第二设备标识cipher(deviceid)。Step 330, according to the encryption and decryption algorithm agreed upon by vote_auth_type, use the master key plt_masterkey of the network side device to encrypt sessionkey and deviceid to obtain the encrypted session key cipher(sessionkey), and the encrypted second device identifier cipher( deviceid).
步骤331,通过TCP会话将cipher(deviceid)、cipher(sessionkey)、以及Digest1(devid)发送给终端侧设备。Step 331, send cipher (deviceid), cipher (sessionkey), and Digest1 (devid) to the terminal side device through the TCP session.
在终端侧设备,On the terminal side device,
步骤332,根据vote_auth_type约定的摘要生成算法,使用终端侧设备的总密钥dev_masterkey,对devid进行摘要生成,得到第三结果,记为Digest2(devid)。Step 332 , according to the digest generation algorithm stipulated by vote_auth_type, using the master key dev_masterkey of the terminal side device, to generate a digest for devid to obtain a third result, which is denoted as Digest2(devid).
步骤333,校验第二结果Digest1(devid)和第三结果Digest2(devid)。Step 333, verify the second result Digest1(devid) and the third result Digest2(devid).
步骤334,校验通过时,根据vote_auth_type约定的加解密算法,使用终端侧设备的总密钥dev_masterkey对cipher(deviceid)以及cipher(sessionkey)进行解密,得到会话密钥sessionkey以及第二设备标识deviceid。Step 334, when the verification is passed, according to the encryption and decryption algorithm stipulated by vote_auth_type, the master key dev_masterkey of the terminal side device is used to decrypt cipher (deviceid) and cipher (sessionkey) to obtain the session key sessionkey and the second device identifier deviceid.
步骤335,将会话密钥sessionkey作为与网络侧进行通信的密钥,对待传输的上下文进行加密,得到加密后的上下文,记为cipher(context)。In step 335, the session key is used as the key for communicating with the network side, and the context to be transmitted is encrypted to obtain the encrypted context, which is denoted as cipher(context).
步骤336,通过TCP会话将加密后的上下文cipher(context)传输给网络侧设备。Step 336, transmit the encrypted context cipher (context) to the network side device through the TCP session.
前述步骤304~316为终端侧设备对网络侧设备进行认证的第一认证。The foregoing steps 304 to 316 are the first authentication in which the terminal-side device authenticates the network-side device.
前述步骤317~335为网络侧设备对终端侧设备进行认证的第二认证。The foregoing steps 317 to 335 are the second authentication in which the network-side device authenticates the terminal-side device.
在本实施例中,协商的决策权在网络侧设备,从而保障了在终端侧设备所支持的认证协议类型范围内选择最优的认证协议类型。In this embodiment, the decision-making power of the negotiation rests with the network side device, thus ensuring that the optimal authentication protocol type is selected within the range of authentication protocol types supported by the terminal side device.
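The exchange of steps 314 to 336 run end to end, as an added example that is not part of the patent: a toy Diffie-Hellman group, an HMAC-based stand-in cipher and sha256 keyed digests are assumed in place of the algorithms the negotiated vote_auth_type would name, and the network-side public key is sent under the shared key, since that is the only key the terminal side holds when it performs step 323. The devauthcode held by the terminal and the one stored on the network side are separate inputs so the rejection of a device with wrong credentials is visible.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Toy Diffie-Hellman group, constructed for this example: 2**127 - 1 is prime but far too small
# for real use; the negotiated protocol type would name a standard group or curve instead.
P = 2**127 - 1
G = 5
KEY_BYTES = 16  # public keys and DH secrets are carried as 16-byte big-endian integers


@dataclass(frozen=True)
class AuthProtocolType:
    name: str
    security_level: int
    digest: str  # hash name used for shared-key derivation, the keyed digests and the cipher


def keypair():
    """Public-private key pair generation (step 317 and its terminal-side counterpart)."""
    priv = int.from_bytes(os.urandom(KEY_BYTES), "big") % (P - 2) + 2
    return priv, pow(G, priv, P)


def shared_key(t, devid, devauthcode):
    """Shared key generation (steps 314/318): derived on both sides from devid and devauthcode."""
    return hmac.new(devauthcode, b"sharekey|" + devid, t.digest).digest()


def master_key(t, priv, peer_pub):
    """Master key generation (steps 320/324): DH agreement on own private key and peer public key."""
    secret = pow(peer_pub, priv, P).to_bytes(KEY_BYTES, "big")
    return hashlib.new(t.digest, b"masterkey|" + secret).digest()


def _keystream(t, key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), t.digest).digest()
        ctr += 1
    return out[:length]


def encrypt(t, key, plaintext):
    """Stand-in for the protocol type's cipher: HMAC keystream XOR under a fresh nonce, plus a tag."""
    nonce = os.urandom(12)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(t, key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, b"tag|" + nonce + body, t.digest).digest()


def decrypt(t, key, blob):
    """Inverse of encrypt; returns None when the tag fails (wrong key or tampered ciphertext)."""
    tlen = hashlib.new(t.digest).digest_size
    nonce, body, tag = blob[:12], blob[12:-tlen], blob[-tlen:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag|" + nonce + body, t.digest).digest()):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(t, key, nonce, len(body))))


def run_embodiment_one(t, devid, dev_devauthcode, plt_devauthcode, context):
    """Steps 313-336 with both sides in one process. dev_devauthcode is what the terminal holds,
    plt_devauthcode what the network side has stored; they differ for a device that is not enrolled."""
    # Terminal side, steps 313-316.
    dev_privatekey, dev_publickey = keypair()
    dev_sharekey = shared_key(t, devid, dev_devauthcode)
    c_dev_pub = encrypt(t, dev_sharekey, dev_publickey.to_bytes(KEY_BYTES, "big"))
    # Network side, steps 317-322.
    plt_privatekey, plt_publickey = keypair()
    plt_sharekey = shared_key(t, devid, plt_devauthcode)
    dev_pub_rx = decrypt(t, plt_sharekey, c_dev_pub)  # step 319
    if dev_pub_rx is None:
        return {"ok": False, "where": "step 319"}  # shared keys differ: device not enrolled
    plt_masterkey = master_key(t, plt_privatekey, int.from_bytes(dev_pub_rx, "big"))
    # Assumption: plt_publickey travels under the shared key, the only key the terminal side
    # holds before it can derive its own master key (step 323 decrypts with dev_sharekey).
    c_plt_pub = encrypt(t, plt_sharekey, plt_publickey.to_bytes(KEY_BYTES, "big"))
    # Terminal side, steps 323-326.
    plt_pub_rx = decrypt(t, dev_sharekey, c_plt_pub)
    if plt_pub_rx is None:
        return {"ok": False, "where": "step 323"}
    dev_masterkey = master_key(t, dev_privatekey, int.from_bytes(plt_pub_rx, "big"))
    digest_dev = hmac.new(dev_masterkey, devid, t.digest).digest()  # Digest(devid), step 325
    # Network side, steps 327-331.
    digest1 = hmac.new(plt_masterkey, devid, t.digest).digest()  # Digest1(devid)
    if not hmac.compare_digest(digest_dev, digest1):  # step 328
        return {"ok": False, "where": "step 328"}
    sessionkey, deviceid = os.urandom(32), os.urandom(8)  # step 329
    record = {"devid": devid, "deviceid": deviceid, "masterkey": plt_masterkey, "sessionkey": sessionkey}
    c_sess, c_devid = encrypt(t, plt_masterkey, sessionkey), encrypt(t, plt_masterkey, deviceid)
    # Terminal side, steps 332-336.
    digest2 = hmac.new(dev_masterkey, devid, t.digest).digest()  # Digest2(devid)
    if not hmac.compare_digest(digest1, digest2):  # step 333
        return {"ok": False, "where": "step 333"}
    sessionkey_rx, deviceid_rx = decrypt(t, dev_masterkey, c_sess), decrypt(t, dev_masterkey, c_devid)
    c_context = encrypt(t, sessionkey_rx, context)  # step 335
    context_rx = decrypt(t, record["sessionkey"], c_context)  # network side uses its stored record
    return {"ok": True, "sessionkey_match": sessionkey_rx == record["sessionkey"],
            "deviceid_match": deviceid_rx == record["deviceid"], "context_rx": context_rx}
```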
Embodiment Two
Referring to FIG. 4, which is a schematic flowchart of authentication between a terminal-side device and a network-side device according to Embodiment 2 of the present application, the authentication method includes:
Step 401: the network-side device sends to the terminal-side device a first authentication protocol type supported by default by either device, together with an authentication protocol type group.
The first authentication protocol type may be one the terminal-side device supports by default; for example, when the terminal-side device accesses the network-side device, the network side may learn the authentication protocol type the terminal-side device supports by default. The first authentication protocol type may also be one the network-side device supports by default.
Step 402: the terminal-side device determines whether it supports the first authentication protocol type.
If not, it selects a second authentication protocol type from the authentication protocol type group and sends it to the network-side device; the second authentication protocol type is the optimal authentication protocol type supported by the terminal-side device, selected according to security level. In this example the authentication protocol type group is the intersection of the authentication protocol types supported by the terminal-side device and those supported by the network-side device, so the second authentication protocol type selected from the group is supported by both the network-side device and the terminal-side device.
If so, it authenticates using the authentication method corresponding to the first authentication protocol type and sends the supported first authentication protocol type to the network-side device.
Step 403: the network-side device authenticates according to the authentication method corresponding to the received authentication protocol type.
If the network-side device receives the second authentication protocol type from the terminal-side device, it authenticates using the authentication method corresponding to the second authentication protocol type;
otherwise, the network-side device authenticates using the authentication method corresponding to the first authentication protocol type.
As analysed above, both the first authentication protocol type and the second authentication protocol type are supported by the network-side device, so the network-side device can authenticate using the authentication method corresponding to either of them.
The specific authentication process may be the same as in Embodiment 1.
Embodiment Three
In this embodiment, either of the two devices sends an authentication protocol type group to the peer device, so that the peer device selects a second authentication protocol type from the group and sends it back to the local device.
Referring to FIG. 5, which is a schematic flowchart of authentication between a terminal-side device and a network-side device according to Embodiment 3 of the present application, the authentication method includes:
Step 501: the terminal-side device sends the group of authentication protocol types it supports to the network-side device.
Step 502: the network-side device selects a second authentication protocol type from the authentication protocol type group and sends it to the terminal-side device; the second authentication protocol type is the optimal authentication protocol type selected according to security level.
Step 503: the terminal-side device and the network-side device each authenticate using the authentication method corresponding to the second authentication protocol type.
The specific authentication process may be the same as in Embodiment 1.
Referring to FIG. 6, which is another schematic flowchart of authentication between a terminal-side device and a network-side device according to Embodiment 3 of the present application, the authentication method includes:
Step 601: the network-side device sends an authentication protocol type group to the terminal-side device.
Preferably, the authentication protocol type group is the set of authentication protocol types supported by the terminal-side device, which may be obtained when the terminal-side device accesses the network.
Step 602: the terminal-side device selects a second authentication protocol type from the authentication protocol type group and sends it to the network-side device; the second authentication protocol type is the optimal authentication protocol type selected according to security level.
Step 603: the terminal-side device and the network-side device each authenticate using the authentication method corresponding to the second authentication protocol type.
The specific authentication process may be the same as in Embodiment 1.
Embodiment Four
In this embodiment, either of the terminal-side device and the network-side device sends an authentication protocol type group to the peer device, so that the peer device selects a second authentication protocol type from the group and sends it to the local device.
The local device receives the second authentication protocol type from the peer device and determines whether it supports that type. If not, it notifies the peer device to reselect; for example, the peer device selects the types in the authentication protocol type group one at a time and returns each to the local device until every type in the group has been tried. Alternatively, to make the exchange more efficient, the local device selects from the group the authentication protocol types it supports and sends them to the peer device, so that the peer device selects from these a type that it also supports and sends it to the local device.
Referring to FIG. 7, which is a schematic flowchart of authentication between a terminal-side device and a network-side device according to Embodiment 4 of the present application, the authentication method includes:
Step 701: the terminal-side device sends an authentication protocol type group to the network-side device.
Step 702: the network-side device selects a second authentication protocol type from the authentication protocol type group and sends it to the terminal-side device; the second authentication protocol type is the optimal authentication protocol type selected according to security level.
Step 703: the terminal-side device receives the second authentication protocol type from the peer device and determines whether it supports that type.
If not, it notifies the network-side device so that the network-side device reselects, or it selects from the authentication protocol type group the types the terminal-side device supports and sends them to the network-side device;
if so, it sends the second authentication protocol type to the network-side device.
Step 704: the terminal-side device and the network-side device each authenticate using the authentication method corresponding to the authentication protocol type.
The specific authentication process may be the same as in Embodiment 1.
Referring to FIG. 8, which is another schematic flowchart of authentication between a terminal-side device and a network-side device according to Embodiment 4 of the present application, the authentication method includes:
Step 801: the network-side device sends an authentication protocol type group to the terminal-side device.
Step 802: the terminal-side device selects a second authentication protocol type from the authentication protocol type group and sends it to the network-side device; the second authentication protocol type is the optimal authentication protocol type supported by the terminal-side device, selected according to security level.
Step 803: the network-side device receives the second authentication protocol type from the peer device and determines whether it supports that type.
If not, it notifies the terminal-side device so that the terminal-side device reselects, or the network-side device selects from the authentication protocol type group the types it supports and sends them to the terminal-side device;
if so, it sends the second authentication protocol type to the terminal-side device.
Step 804: the terminal-side device and the network-side device each authenticate using the authentication method corresponding to the authentication protocol type.
The specific authentication process may be the same as in Embodiment 1.
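The negotiation decisions of Embodiments 2 through 4 as an added example (not the patent's own code): the type names and security levels are constructed, the group is the intersection of what each side supports, and the Embodiment 4 flow takes the side that selects as a parameter so that FIG. 7 and FIG. 8 share one function, including the "reply with the supported subset" fallback.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthType:
    """One authentication protocol type; a higher security_level is 'more optimal' in the text's sense."""
    name: str
    security_level: int


def type_group(dev_types, plt_types):
    """Authentication protocol type group: the intersection of the types each side supports."""
    return {t for t in dev_types if t in plt_types}


def best_type(group):
    """Second authentication protocol type: the highest security level in the group, or None if empty."""
    return max(group, key=lambda t: t.security_level, default=None)


def negotiate_embodiment_two(first_type, group, dev_types):
    """Steps 401-403: the network side offers first_type plus the group. The terminal keeps
    first_type if it supports it; otherwise it picks the best type in the group, which is already
    the intersection, so the network side supports that choice too. Returns (chosen, reselected)."""
    if first_type in dev_types:
        return first_type, False
    return best_type(group), True


def negotiate_embodiment_four(group, selector_types, checker_types):
    """FIG. 7 (network selects) or FIG. 8 (terminal selects): the selector picks the best type it
    supports from the group; the checker accepts it if supported, otherwise replies with the subset
    of the group it supports and the selector picks again from that subset. Returns (chosen, rounds)."""
    second = best_type({t for t in group if t in selector_types})
    if second is None or second in checker_types:
        return second, 1
    narrowed = {t for t in group if t in checker_types and t in selector_types}
    return best_type(narrowed), 2
```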
Referring to FIG. 9, which is a schematic diagram of a terminal-side device or a network-side device, the device includes:
an interaction module, configured to exchange authentication protocol types with the peer device in order to determine the authentication protocol type supported by both devices, where the authentication protocol type corresponds to an authentication method;
an authentication module, configured to authenticate the two devices according to the authentication method corresponding to the determined authentication protocol type.
The interaction module includes:
a first interaction module, configured to exchange a first authentication protocol type supported by default by either device;
a second interaction module, configured to exchange a second authentication protocol type selected from the authentication protocol type group when the first authentication protocol type is not supported, or to exchange a second authentication protocol type selected from the authentication protocol type group.
The authentication module includes:
a first authentication module, configured for the first authentication, in which the local device is authenticated by the peer device;
a second authentication module, configured for the second authentication, in which the local device authenticates the peer device.
Referring to FIG. 10, which is a schematic diagram of a terminal-side device or a network-side device, the device includes a memory and a processor; the memory stores a computer program, and the processor is configured to execute it so as to implement the steps of the authentication method between the terminal-side device and the network-side device.
The memory may include random access memory (RAM) and may also include non-volatile memory (NVM), such as at least one disk storage. Optionally, the memory may also be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
An embodiment of the present application further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the authentication method between the terminal-side device and the network-side device.
In yet another embodiment provided by the present application, a computer program product containing instructions is also provided which, when run on a computer, causes the computer to execute the authentication method between the terminal-side device and the network-side device of any of the embodiments above.
For the apparatus, network-side device and storage medium embodiments, since they are essentially similar to the method embodiments, the description is brief; for the relevant parts, refer to the description of the method embodiments.
In this document, relational terms such as first and second are used only to distinguish one entity or operation from another and do not necessarily require or imply any such actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that comprises a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or device that comprises that element.
The above is only a preferred embodiment of the present application and is not intended to limit it; any modification, equivalent replacement, improvement or the like made within the spirit and principles of the present application shall fall within its scope of protection.

Claims (12)

  1. 一种终端侧设备与网络侧设备之间的认证方法,其特征在于,该方法包括,在终端侧设备及网络侧设备双方设备中任一本方设备侧,An authentication method between a terminal-side device and a network-side device, characterized in that the method includes, on the side of any own device in both the terminal-side device and the network-side device,
    本方设备与对方设备进行认证协议类型交互,以确定双方设备所支持的认证协议类型,其中,所述认证协议类型对应有认证方式;The local device interacts with the other device's authentication protocol type to determine the authentication protocol type supported by both devices, wherein the authentication protocol type corresponds to an authentication method;
    本方设备根据所确定的认证协议类型对应的认证方式,进行双方设备之间的认证,并使得对方设备根据所确定的认证协议类型对应的认证方式,进行双方设备之间的认证。The local device performs authentication between the two devices according to the authentication method corresponding to the determined authentication protocol type, and enables the other device to perform authentication between the two devices according to the authentication method corresponding to the determined authentication protocol type.
  2. 如权利要求1所述的认证方法,其特征在于,所述本方设备与对方设备进行认证协议类型交互,包括,The authentication method according to claim 1, wherein the authentication protocol type interaction between the own device and the counterpart device includes,
    双方设备交互任一方设备默认支持的第一认证协议类型、以及任一方设备不支持第一认证协议类型的情形下从认证协议类型组中选取的第二认证协议类型,The two devices exchange the first authentication protocol type supported by default by either device, and the second authentication protocol type selected from the authentication protocol type group when either device does not support the first authentication protocol type,
    or
    双方设备交互从认证协议类型组中选取的第二认证协议类型;The two devices exchange the second authentication protocol type selected from the authentication protocol type group;
    其中,认证协议类型组包括,至少一个以上认证协议类型,每个认证协议类型分别对应有认证方式。Wherein, the authentication protocol type group includes at least one authentication protocol type, and each authentication protocol type corresponds to an authentication method.
  3. 如权利要求2所述的认证方法,其特征在于,所述第二认证协议类型为:认证协议类型组中具有最高优先级中的认证协议类型,所述认证协议类型组为终端侧设备认证协议类型组与网络侧设备认证协议类型组的交集;The authentication method according to claim 2, wherein the second authentication protocol type is: the authentication protocol type with the highest priority in the authentication protocol type group, and the authentication protocol type group is a terminal-side device authentication protocol The intersection of the type group and the network-side device authentication protocol type group;
    所述双方设备交互任一方设备默认支持的第一认证协议类型、以及任一方设备不支持第一认证协议类型的情形下从认证协议类型组中选取的第二认证协议类型,包括,The two devices exchange the first authentication protocol type supported by default by either device, and the second authentication protocol type selected from the authentication protocol type group when either device does not support the first authentication protocol type, including:
    所述本方设备向对方设备发送任一方设备默认支持的第一认证协议类型、以及认证协议类型组,使得对方设备在不支持第一认证协议类型的情形下从认证协议类型组中选取的第二认证协议类型,并将其所采用的认证协议类型发送至本方设备。The local device sends the first authentication protocol type and the authentication protocol type group supported by any device by default to the opposite device, so that the opposite device selects the first authentication protocol type group from the authentication protocol type group if it does not support the first authentication protocol type. 2. Authentication protocol type, and send the adopted authentication protocol type to the local device.
  4. 如权利要求2所述的认证方法,其特征在于,所述双方设备交互从认证协议类型组中选取的第二认证协议类型,包括,The authentication method according to claim 2, wherein the two devices interact with the second authentication protocol type selected from the authentication protocol type group, comprising:
    所述本方设备向对方设备发送认证协议类型组,使得对方设备从认证协议类型组中选取第二认证协议类型,发送至本方设备,The local device sends the authentication protocol type group to the counterparty device, so that the counterparty device selects the second authentication protocol type from the authentication protocol type group and sends it to the local device,
    所述本方设备根据所确定的认证协议类型对应的认证方式,进行双方设备之间的认证,并使得对方设备根据所确定的认证协议类型对应的认证方式,进行双方设备之间的认证,包括,The local device performs authentication between the two devices according to the authentication method corresponding to the determined authentication protocol type, and makes the opposite device perform authentication between the two devices according to the authentication method corresponding to the determined authentication protocol type, including ,
    双方设备分别利用第二认证协议类型对应的认证方式进行认证。Both devices perform authentication using the authentication mode corresponding to the second authentication protocol type respectively.
  5. 如权利要求2所述的认证方法,其特征在于,所述双方设备交互从认证协议类型 组中选取的第二认证协议类型,包括,The authentication method according to claim 2, wherein the two devices interact with the second authentication protocol type selected from the authentication protocol type group, comprising:
    所述本方设备向对方设备发送认证协议类型组,使得对方设备从认证协议类型组中选取第二认证协议类型,发送至本方设备,The local device sends the authentication protocol type group to the counterparty device, so that the counterparty device selects the second authentication protocol type from the authentication protocol type group and sends it to the local device,
    本方设备接收来自对方设备的第二认证协议类型,判断是否支持第二认证协议类型,如果不支持,则通知对方设备重新选取,或者,从认证协议类型组选取本方设备所支持的认证协议类型发送至对方设备,使得对方设备从所支持的认证协议类型中选取该对方设备所支持的认证协议类型,并发送至本方设备。The local device receives the second authentication protocol type from the other device, judges whether it supports the second authentication protocol type, and if not, notifies the other device to reselect, or selects the authentication protocol supported by the local device from the authentication protocol type group The type is sent to the other device, so that the other device selects the authentication protocol type supported by the other device from the supported authentication protocol types, and sends it to the local device.
  6. 如权利要求1所述的认证方法,其特征在于,所述认证方式包括,公私钥对生成方式、总密钥生成方式、共享密钥生成方式、加解密方式、摘要生成方式之一或其任意组合,The authentication method according to claim 1, wherein the authentication method includes one of a public-private key pair generation method, a total key generation method, a shared key generation method, an encryption and decryption method, a digest generation method or any of them combination,
    所述第二认证协议类型为根据安全等级所选取的最优认证协议类型;The second authentication protocol type is the optimal authentication protocol type selected according to the security level;
    所述双方设备之间的认证,包括:The authentication between the two devices includes:
    本方设备被对方设备进行认证的第一认证,以及The first authentication that the own device is authenticated by the other device, and
    本方设备对对方设备进行认证的第二认证。The second authentication in which the local device authenticates the counterpart device.
  7. The authentication method according to claim 6, wherein the first authentication, in which the local device is authenticated by the counterpart device, includes:
    on the local device side,
    generating the public/private key pair of the local device according to the key pair generation method corresponding to the authentication protocol type,
    generating the shared key of the local device according to the shared key generation method corresponding to the authentication protocol type,
    encrypting the public key with the shared key, according to the encryption/decryption method corresponding to the authentication protocol type, to obtain an encrypted public key, and
    sending the first device identifier, the device verification code and the encrypted public key of the local device to the counterpart device, so that the counterpart device:
    generates the shared key of the counterpart device from the first device identifier and the device verification code, according to the shared key generation method corresponding to the authentication protocol type,
    decrypts the encrypted public key of the local device with the shared key of the counterpart device, according to the encryption/decryption method corresponding to the authentication protocol type, to obtain the public key of the local device,
    generates the total key of the counterpart device from the private key of the counterpart device and the public key of the local device, according to the key pair generation method corresponding to the authentication protocol type, and
    encrypts the public key of the counterpart device with the total key of the counterpart device, according to the encryption/decryption method corresponding to the authentication protocol type, to obtain the encrypted public key of the counterpart device.
  8. The authentication method according to claim 6, wherein the second authentication, in which the local device authenticates the counterpart device, includes:
    the local device receiving the encrypted public key of the counterpart device sent by the counterpart device,
    decrypting the encrypted public key of the counterpart device with the shared key of the local device, according to the encryption/decryption method corresponding to the authentication protocol type, to obtain the public key of the counterpart device,
    generating the total key of the local device from the private key of the local device and the public key of the counterpart device, according to the key pair generation method corresponding to the authentication protocol type,
    generating a digest of the first device identifier of the local device with the total key of the local device, according to the digest generation method corresponding to the authentication protocol type, to obtain a first result,
    sending the first result to the counterpart device, so that the counterpart device:
    generates a digest of the first device identifier with the total key of the counterpart device, according to the digest generation method corresponding to the authentication protocol type, to obtain a second result,
    verifies the first result against the second result and, when the verification passes, generates a session key and a second device identifier,
    encrypts the session key and the second device identifier with the total key of the counterpart device, according to the encryption/decryption method corresponding to the authentication protocol type, to obtain an encrypted session key and second device identifier, and
    sends the second result together with the encrypted session key and second device identifier to the local device;
    the local device receiving the second result and the encrypted session key and second device identifier from the counterpart device,
    generating a digest of the first device identifier with the total key of the local device, according to the digest generation method corresponding to the authentication protocol type, to obtain a third result, and
    verifying the second result against the third result and, when the verification passes, decrypting the encrypted session key and second device identifier with the total key of the local device, according to the encryption/decryption method corresponding to the authentication protocol type.
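The two-phase exchange of claims 7 and 8, written out end to end as an added example (editor's illustration code, not code from the patent or from 杭州萤石软件有限公司). The claims leave every primitive to the negotiated authentication protocol type, so the example assumes: finite-field Diffie-Hellman over the 768-bit MODP group 1 of RFC 2409 for key pair generation and the total key, SHA-256 over labelled input for the shared key, HMAC-SHA256 for digest generation, and a stand-in HMAC-keyed stream cipher with an authentication tag where a real protocol type would specify an AEAD. The device identifier, verification code and the format of the second device identifier are constructed sample values. One point worth flagging: claim 7 has the counterpart encrypt its public key with its total key, while claim 8 has the local device decrypt that same message with its shared key; since the local device cannot hold the total key before it has the counterpart's public key, the example encrypts that message with the shared key and marks the spot in a comment.

```python
import hashlib
import hmac
import secrets

# Finite-field Diffie-Hellman over the 768-bit MODP group 1 of RFC 2409.
# Assumption: the claims leave the key-pair method to the negotiated protocol
# type; this group keeps the example stand-alone but is too small for real use.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
G = 2
PUB_LEN = 96  # bytes per group element


def gen_keypair():
    """Key pair generation for the assumed DH-based protocol type."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_key(device_id, verification_code):
    """Shared key from the first device identifier and the verification code
    (claim 7); either side can recompute it from those two values."""
    return hashlib.sha256(b"shared|" + device_id + b"|" + verification_code).digest()


def total_key(priv, peer_pub):
    """Total key from own private key and the peer's public key (claims 7, 8)."""
    secret = pow(peer_pub, priv, P).to_bytes(PUB_LEN, "big")
    return hashlib.sha256(b"total|" + secret).digest()


def digest(key, data):
    """Digest generation, assumed to be HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    blocks = (length + 31) // 32
    return b"".join(digest(key, nonce + i.to_bytes(4, "big")) for i in range(blocks))[:length]


def encrypt(key, plaintext):
    """Stand-in authenticated encryption: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + digest(key, nonce + ct)


def decrypt(key, blob):
    """Reject any blob whose tag does not verify before touching the plaintext."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, digest(key, nonce + ct)):
        raise ValueError("ciphertext authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def run_authentication(device_id, verification_code):
    """Run both authentications end to end; returns what each side holds."""
    # First authentication (claim 7): the network side authenticates the terminal.
    t_priv, t_pub = gen_keypair()
    t_shared = shared_key(device_id, verification_code)
    msg1 = (device_id, verification_code,
            encrypt(t_shared, t_pub.to_bytes(PUB_LEN, "big")))    # terminal -> network
    n_shared = shared_key(msg1[0], msg1[1])                       # recomputed from msg1
    t_pub_at_n = int.from_bytes(decrypt(n_shared, msg1[2]), "big")
    n_priv, n_pub = gen_keypair()
    n_total = total_key(n_priv, t_pub_at_n)
    # Claim 8 decrypts this message with the terminal's shared key, and the
    # terminal cannot hold the total key yet, so the shared key is used here.
    msg2 = encrypt(n_shared, n_pub.to_bytes(PUB_LEN, "big"))      # network -> terminal

    # Second authentication (claim 8): the terminal authenticates the network side.
    n_pub_at_t = int.from_bytes(decrypt(t_shared, msg2), "big")
    t_total = total_key(t_priv, n_pub_at_t)
    msg3 = digest(t_total, device_id)                             # first result
    r2 = digest(n_total, device_id)                               # second result
    if not hmac.compare_digest(msg3, r2):
        raise ValueError("network side: first result does not verify")
    session_key = secrets.token_bytes(32)
    second_id = b"SID-" + secrets.token_hex(8).encode()           # constructed format
    msg4 = (r2, encrypt(n_total, session_key + second_id))        # network -> terminal
    r3 = digest(t_total, device_id)                               # third result
    if not hmac.compare_digest(msg4[0], r3):
        raise ValueError("terminal side: second result does not verify")
    plain = decrypt(t_total, msg4[1])
    return {
        "terminal_session_key": plain[:32],
        "terminal_second_id": plain[32:],
        "network_session_key": session_key,
        "network_second_id": second_id,
        "keys_agree": t_total == n_total,
    }


if __name__ == "__main__":
    # Constructed sample identifiers, not values from the patent.
    result = run_authentication(b"DEV-0001", b"ABCDEF")
    print("session keys agree:", result["terminal_session_key"] == result["network_session_key"])
```

Running the script drives all four messages through both sides and reports whether the session key the network side generated is the one the terminal decrypts. Because the counterpart recomputes the shared key from the identifier and verification code carried in the first message, exactly as claim 7 states, the secrecy of the two encrypted public keys rests entirely on the verification code; the total key, and therefore the session key, additionally depends on both private keys, and that is what the first, second and third results actually prove possession of. All three comparisons use constant-time equality, and the tag check in decrypt runs before any plaintext is produced.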
  9. A terminal-side device, comprising a memory and a processor, wherein the memory stores a computer program and the processor is configured to execute the computer program so as to implement the steps of the authentication method between a terminal-side device and a network-side device according to any one of claims 1 to 8.
  10. A network-side device, comprising a memory and a processor, wherein the memory stores a computer program and the processor is configured to execute the computer program so as to implement the steps of the authentication method between a terminal-side device and a network-side device according to any one of claims 1 to 8.
  11. An Internet of Things system, comprising the terminal-side device according to claim 9 and the network-side device according to claim 10.
  12. A computer-readable storage medium, wherein the computer-readable storage medium stores a computer program which, when executed by a processor, implements the steps of the method according to any one of claims 1 to 8.
Application PCT/CN2022/123503 (WO2023082894A1, en): Authentication method between terminal side device and network side device, and system; priority date 2021-11-10, filing date 2022-09-30

Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
CN202111324852.2 | 2021-11-10 | |
CN202111324852.2A (CN114051244A, en) | 2021-11-10 | 2021-11-10 | Authentication method and system between terminal side equipment and network side equipment

Publications (1)

Publication Number | Publication Date
WO2023082894A1 (en) | 2023-05-19

Family

ID=80208101

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
PCT/CN2022/123503 (WO2023082894A1, en) | Authentication method between terminal side device and network side device, and system | 2021-11-10 | 2022-09-30

Country Status (2)

Country | Link
CN (1) | CN114051244A (en)
WO (1) | WO2023082894A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN114051244A * | 2021-11-10 | 2022-02-15 | 杭州萤石软件有限公司 | Authentication method and system between terminal side equipment and network side equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN1859415A * | 2006-04-04 | 2006-11-08 | 华为技术有限公司 | Method and device for forced verifying from end-to-end protocol
EP2381385A1 * | 2010-04-26 | 2011-10-26 | Research In Motion Limited | Method and system for third party client authentication
WO2014047868A1 * | 2012-09-28 | 2014-04-03 | 华为技术有限公司 | Protocol stack type negotiation method and device
CN108738019A * | 2017-04-25 | 2018-11-02 | 华为技术有限公司 | User authentication method and device in converged network
CN114051244A * | 2021-11-10 | 2022-02-15 | 杭州萤石软件有限公司 | Authentication method and system between terminal side equipment and network side equipment

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN100539582C * | 2004-09-23 | 2009-09-09 | 华为技术有限公司 | Method for a communication apparatus to select a communication protocol
CN100455120C * | 2005-12-26 | 2009-01-21 | 华为技术有限公司 | Message safety transmitting method before set-up of link in heterogeneous network switch-over
CN101188608B * | 2006-11-16 | 2010-09-08 | 华为技术有限公司 | Method for negotiating the network authentication mode
US11729160B2 * | 2019-10-16 | 2023-08-15 | Nutanix, Inc. | System and method for selecting authentication methods for secure transport layer communication

Also Published As

Publication number | Publication date
CN114051244A (en) | 2022-02-15

Legal Events

Date | Code | Title | Description
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 22891695; Country of ref document: EP; Kind code of ref document: A1