WO2024031868A1 - Attribute encryption-based device security authentication method and related apparatus thereof - Google Patents

Attribute encryption-based device security authentication method and related apparatus thereof Download PDF

Info

Publication number
WO2024031868A1
WO2024031868A1 PCT/CN2022/133389 CN2022133389W WO2024031868A1 WO 2024031868 A1 WO2024031868 A1 WO 2024031868A1 CN 2022133389 W CN2022133389 W CN 2022133389W WO 2024031868 A1 WO2024031868 A1 WO 2024031868A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal device
attribute
authentication server
information
random number
Prior art date
Application number
PCT/CN2022/133389
Other languages
French (fr)
Chinese (zh)
Inventor
赵奕捷
成国强
杨立扬
Original Assignee
天翼数字生活科技有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 天翼数字生活科技有限公司 filed Critical 天翼数字生活科技有限公司
Publication of WO2024031868A1 publication Critical patent/WO2024031868A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds

Definitions

  • the present application relates to the field of network security technology, and in particular to a device security authentication method and related devices based on attribute encryption.
  • This application provides a device security authentication method and related devices based on attribute encryption, which is used to improve the existing technology of using the device factory ID as the device key for encrypted information transmission. It is easy to leak manufacturer information, resulting in batch device keys. Leakage, thus affecting technical issues of equipment security.
  • the first aspect of this application provides a device security authentication method based on attribute encryption, which is applied to terminal devices.
  • the method includes:
  • the authentication server is generated based on the attribute information of the terminal device.
  • the attribute information includes location information, user information of the user bound to the terminal device and the device factory identification; the second encrypted information is generated by the authentication server.
  • the symmetric key obtained by decrypting the first encrypted information with its own attribute identification private key is obtained by encrypting the attribute encryption identification private key and the decrypted random number;
  • the legitimacy of the authentication server is verified through the random number generated by itself and the random number decrypted. After verifying that the authentication server is legitimate, the attribute encryption identification private key is saved.
  • the terminal device is preset with the address of the authentication server when it leaves the factory, and the method further includes:
  • the terminal device After binding the user, the terminal device sends attribute information to the authentication server according to the address of the authentication server.
  • the acquisition process of the location information of the terminal device is:
  • the terminal device accesses the blockchain, it calculates the location coordinates of the terminal device based on its relative position to the target node in the blockchain and the location coordinates of the target node to obtain the location information of the terminal device. .
  • verifying the legitimacy of the authentication server by using the random number generated by itself and the decrypted random number includes:
  • the second aspect of this application provides a device security authentication method based on attribute encryption, which is applied to the authentication server.
  • the method includes:
  • the attribute encryption identification private key of the terminal device is generated according to the attribute information of the terminal device, and the attribute encryption identification private key and the decrypted random number are encrypted with the decrypted symmetric key to obtain second encrypted information, the attribute information includes location information, user information of the user bound to the terminal device and the device factory identification;
  • the terminal device sends the second encrypted information to the terminal device, so that the terminal device decrypts the second encrypted information using the symmetric key generated by itself to obtain the attribute encryption identification private key and a random number, and compares it with the symmetric key generated by itself.
  • the random number and the decrypted random number verify the legitimacy of the authentication server, and after verifying that the authentication server is legitimate, the attribute encryption identification private key is saved.
  • generating an attribute encryption identification private key of the terminal device according to the attribute information of the terminal device includes:
  • the third aspect of this application provides a terminal device, including:
  • the initialization unit is used to initialize and generate a symmetric key and a random number when accessing the authentication server in the blockchain for registration, and to encrypt the symmetric key and the random number through the attribute identification public key of the authentication server to obtain the third - encrypted information;
  • a sending unit configured to send a registration authentication request carrying the first encryption information and a device factory identification to the authentication server, and the authentication server authenticates the terminal device according to the device factory identification;
  • a receiving unit configured to receive the second encrypted information returned by the authentication server after successful authentication, and to decrypt the second encrypted information using the symmetric key to obtain the attribute encryption identification private key and a random number; wherein, the attribute encryption The identification private key is generated by the authentication server based on the attribute information of the terminal device.
  • the attribute information includes location information, user information of the user bound to the terminal device and the device factory identification; the second encrypted information
  • the symmetric key obtained by the authentication server decrypting the first encrypted information using its own attribute identification private key is obtained by encrypting the attribute encryption identification private key and the decrypted random number;
  • the verification unit is configured to verify the legitimacy of the authentication server by comparing the random number generated by itself with the decrypted random number, and after verifying that the authentication server is legal, save the attribute encryption identification private key.
  • the fourth aspect of this application provides an authentication server, including:
  • the receiving unit is configured to receive the registration authentication request sent by the terminal device, authenticate the terminal device according to the device factory identification carried in the registration authentication request, and authenticate the third ID carried in the registration authentication request through its own attribute identification private key. Decrypt an encrypted information to obtain a symmetric key and a random number; the first encrypted information is generated by encrypting the symmetric key and random number generated by the terminal device through the attribute identification public key of the authentication server;
  • An encryption unit configured to generate an attribute encryption identification private key of the terminal device according to the attribute information of the terminal device after successful authentication, and use the decrypted symmetric key to combine the attribute encryption identification private key and the decrypted symmetric key.
  • the random number is encrypted to obtain the second encrypted information, and the attribute information includes location information, user information of the user bound to the terminal device, and the device factory identification;
  • a sending unit configured to send the second encrypted information to the terminal device, so that the terminal device decrypts the second encrypted information using the symmetric key generated by itself to obtain the attribute encryption identification private key and a random number, The legitimacy of the authentication server is verified through the random number generated by itself and the random number decrypted, and after verifying that the authentication server is legitimate, the attribute encryption identification private key is saved.
  • a fifth aspect of this application provides a device security authentication system based on attribute encryption, including: the terminal device described in the third aspect and the authentication server described in the fourth aspect.
  • the sixth aspect of this application provides a device security authentication device based on attribute encryption, where the device includes a processor and a memory;
  • the memory is used to store program code and transmit the program code to the processor
  • the processor is configured to execute any one of the attribute encryption-based device security authentication methods described in the first aspect according to the instructions in the program code, or to execute any one of the attribute encryption-based device security authentication methods described in the second aspect. method.
  • This application provides a device security authentication method based on attribute encryption, which is applied to terminal equipment.
  • the method includes: when accessing the authentication server in the blockchain for registration, initializing the generation of symmetric keys and random numbers, and passing the authentication server
  • the attribute identification public key encrypts the symmetric key and the random number to obtain the first encrypted information; sends a registration authentication request carrying the first encrypted information and the device factory identification to the authentication server, and the authentication server authenticates the terminal device according to the device factory identification; Receive the second encrypted information returned by the authentication server after successful authentication, and decrypt the second encrypted information through the symmetric key to obtain the attribute encryption identification private key and the random number; wherein the attribute encryption identification private key is generated by the authentication server based on the attribute information of the terminal device.
  • the attribute information includes location information, user information of the user bound to the terminal device, and device factory identification;
  • the second encrypted information is encrypted by a symmetric key obtained by the authentication server decrypting the first encrypted information through its own attribute identification private key.
  • the identity private key and the decrypted random number are encrypted; the legitimacy of the authentication server is verified through the random number generated by itself and the decrypted random number. After verifying that the authentication server is legitimate, the attribute encryption identity private key is saved.
  • the location information of the terminal device, the user information of the user bound to the terminal device, and the device factory identification are used to generate the private key of the terminal device, which can avoid the leakage of the manufacturer's burning of devices with the same ID or the leakage of production list information.
  • Only the legitimate server (possessing the attribute identification private key of the authentication server) can Decrypt the first encrypted information to obtain the symmetric key and random number, so when the authentication server uses the symmetric secret key to encrypt the random number and send it to the terminal device, the terminal device can verify the authenticity of the authentication server by decrypting the random number; at the same time, because only legitimate Only the authentication server can decrypt the symmetric key, and it is safe to use the symmetric key to encrypt and distribute the attribute encryption identification private key, thus improving the existing technology of using the device factory ID as the device key for encrypted information transmission, which is easy because The leakage of manufacturer information leads to the leakage of batch device keys, thus affecting the technical issues of device security.
  • Figure 1 is a schematic flow chart of a device security authentication method based on attribute encryption applied to terminal devices provided by an embodiment of the present application
  • Figure 2 is a schematic diagram of the position relationship of a terminal device provided by an embodiment of the present application.
  • Figure 3 is another schematic flowchart of a device security authentication method based on attribute encryption applied to an authentication server provided by an embodiment of the present application;
  • Figure 4 is a schematic structural diagram of a terminal device provided by an embodiment of the present application.
  • FIG. 5 is a schematic structural diagram of an authentication server provided by an embodiment of the present application.
  • This embodiment of the present application provides a device security authentication method based on attribute encryption, which is applied to terminal devices.
  • the method includes:
  • Step 101 When accessing the authentication server in the blockchain for registration, initially generate a symmetric key and a random number, and encrypt the symmetric key and the random number to obtain the first encrypted information.
  • a terminal device can be a camera, etc.
  • the terminal device is initialized, randomly generates a symmetric key and a random number, and can use the attribute identification public key of the authentication server to encrypt the symmetric
  • the key and random number are used to obtain the first encrypted information.
  • the address of the authentication server can be preset for direct network registration, which is suitable for large-scale distribution of IoT device networks.
  • the terminal device registers with the network and binds the user to the network, it can send its own attribute information to the authentication server according to the address of the authentication server.
  • the attribute information can include location information and user information of the user bound to the terminal device (such as the user's mobile phone number). , ID number, registered account, etc.) and device factory identification (such as device factory ID).
  • a terminal device When a terminal device is connected to the blockchain, it can calculate the position coordinates of the terminal device through the relative position of the fixed node in the blockchain and the position coordinates of the fixed node, and obtain the position information (X, Y, Z) of the terminal device. .
  • the terminal device is a newly connected blockchain device node.
  • the relative position L2 of the newly connected blockchain device node and the blockchain fixed node server 1, and the relative position L1 of the blockchain fixed node server 2 The relative position L2, the relative position L3 to the blockchain fixed node server 3, the position coordinates (X1, Y1, Z1) of the blockchain fixed node server 1, the position coordinates (X2, Y2, Z2), the position coordinates (X3, Y3, Z3) of the blockchain fixed node server 3 can establish the following relationship:
  • L1 2 (X1-X) 2 + (Y1-Y) 2 + (Z1-Z) 2 ;
  • L2 2 (X2-X) 2 +(Y2-Y) 2 +(Z2-Z) 2 ;
  • L3 2 (X3-X) 2 + (Y3-Y) 2 + (Z3-Z) 2 ;
  • the position coordinates (X, Y, Z) of the newly connected blockchain device node can be calculated, thereby obtaining the position information of the terminal device.
  • Step 102 Send a registration authentication request carrying the first encryption information and the device factory identification to the authentication server, and the authentication server authenticates the terminal device according to the device factory identification.
  • the terminal device After the terminal device connects to the authentication server, it sends a registration authentication request carrying the first encryption information and the device factory identification to the authentication server.
  • the authentication server authenticates the terminal device through the device factory identification, verifies the legality of the device, and identifies it through its own attributes.
  • the private key decrypts the first encrypted information to obtain the symmetric key and random number; after the authentication server verifies that the device is legal, that is, after the authentication is successful, the authentication server generates the attribute encryption identification private key of the terminal device based on the attribute information of the terminal device, and then decrypts it to obtain
  • the symmetric key encrypts the attribute encryption identification private key of the terminal device and the decrypted random number to obtain the second encrypted information, and then returns the second encrypted information to the terminal device.
  • the process of generating the attribute encryption identification private key of the terminal device according to the attribute information of the terminal device can be:
  • the authentication server can combine the location information, user information and device factory identification to generate the device identification of the terminal device.
  • the location information, user information and device factory identification are directly concatenated as the device identification of the terminal device.
  • the authentication server can use the SM9 algorithm according to
  • the device identification of the terminal device generates the attribute encryption identification private key of the terminal device, and can also generate the attribute encryption identification public key of the terminal device.
  • the attribute encryption identification public key is stored in the authentication server, and the attribute encryption private key needs to be stored in the terminal device.
  • information is encrypted and transmitted through the attribute encryption identification public key and the attribute encryption identification private key. It can be understood that the attribute identification private key and attribute identification public key of the authentication server can also be generated based on the attribute information (location information, authentication server identification, etc.) of the authentication server through the SM9 algorithm.
  • the location information of the terminal device, the user information of the bound user, and the device factory identification are combined in the blockchain as the attribute encryption identification public key of the terminal device to perform security authentication of the device in the blockchain.
  • the terminal device changes the binding user or the device location is transferred, the attribute information of the terminal device is updated, and the public and private keys of the corresponding terminal device will also change, thus avoiding information leakage and confusion.
  • the same terminal device changes the binding After the user is logged in, because the user information has changed, the public and private keys corresponding to the terminal device have also changed. The subsequent binding user of the same terminal device will not know the public and private key information corresponding to the previous binding user, which improves the security of the terminal device. sex.
  • Step 103 Receive the second encrypted information returned by the authentication server after successful authentication, and decrypt the second encrypted information using the symmetric key to obtain the attribute encryption identification private key and random number.
  • the terminal device After receiving the second encrypted information returned by the authentication server, the terminal device decrypts the second encrypted information using the symmetric key generated by itself to obtain the attribute encryption identification private key and random number.
  • Step 104 Verify the legitimacy of the authentication server by comparing the random number generated by itself with the random number decrypted. After verifying that the authentication server is legitimate, save the attribute encryption identification private key.
  • the terminal device verifies the legitimacy of the authentication server by comparing the random number generated by itself with the random number decrypted in the above steps. If the terminal device compares the random number generated by itself with the random number decrypted, it verifies the authentication. The server is legitimate. If the random number generated by itself is compared with the random number obtained by decryption, it is verified that the authentication server is illegal. After verifying that the authentication server is legitimate, the terminal device saves the attribute encryption identity private key in the local hardware storage chip.
  • the location information of the terminal device, the user information of the user bound to the terminal device, and the device factory identification are used to generate the private key of the terminal device, which can avoid burning the same ID device or production list for the manufacturer.
  • Information leakage leads to the leakage of device encryption information, thereby improving device security; moreover, the terminal device uses the attribute identification public key of the authentication server to encrypt the information to obtain the first encrypted information, and only the legitimate server (possessing the attribute identification private key of the authentication server ) can decrypt the first encrypted information to obtain the symmetric key and random number.
  • the terminal device can verify the authenticity of the authentication server by decrypting the random number; at the same time, because Only the legal authentication server can decrypt the symmetric key. It is safe to use the symmetric key to encrypt and distribute the attribute encryption identification private key. This improves the existing technology of using the device factory ID as the device key for encrypted information transmission. There is It is easy for the leakage of manufacturer information to lead to the leakage of batch device keys, thus affecting the technical issues of device security.
  • the above is an embodiment of an attribute encryption-based device security authentication method applied to a terminal device provided by this application.
  • the following is an attribute encryption-based device security authentication method applied to an authentication server provided by this application.
  • An embodiment of the present application provides a device security authentication method based on attribute encryption, which is applied to the authentication server.
  • the method includes:
  • Step 301 Receive the registration authentication request sent by the terminal device, authenticate the terminal device according to the device factory identification carried in the registration authentication request, and use its own attribute identification private key to decrypt the first encrypted information carried in the registration authentication request to obtain the symmetric encryption keys and random numbers.
  • the authentication server After receiving the registration authentication request sent by the terminal device, the authentication server authenticates the terminal device according to the device factory identification carried in the registration authentication request, verifies the legitimacy of the terminal device through the device factory identification, and authenticates the registration through its own attribute identification private key.
  • the first encrypted information carried in the request is decrypted to obtain the symmetric key and random number.
  • the first encrypted information is encrypted and generated by a symmetric key and a random number generated by the terminal device through initialization of the attribute identification public key pair of the authentication server.
  • Step 302 After the authentication is successful, generate the attribute encryption identification private key of the terminal device according to the attribute information of the terminal device, and encrypt the attribute encryption identification private key and the decrypted random number with the decrypted symmetric key to obtain the second encryption.
  • Information, attribute information includes location information, user information of the user bound to the terminal device, and device factory identification.
  • the authentication server After authenticating that the terminal device is legitimate, the authentication server generates the attribute encryption identification private key of the terminal device based on the attribute information of the terminal device. Specifically, the authentication server assigns a device identification to the terminal device according to the attribute information of the terminal device; and generates an attribute encryption identification private key of the terminal device according to the device identification of the terminal device.
  • the authentication server can combine the location information, user information and device factory identification to generate the device identification of the terminal device.
  • the location information, user information and device factory identification are directly concatenated as the device identification of the terminal device.
  • the authentication server can use the SM9 algorithm according to
  • the device identification of the terminal device generates the attribute encryption identification private key of the terminal device, and can also generate the attribute encryption identification public key of the terminal device.
  • the attribute encryption identification public key is stored in the authentication server, and the attribute encryption private key needs to be stored in the terminal device. Subsequent information is encrypted and transmitted through the attribute encryption identification public key and the attribute encryption identification private key. It can be understood that the attribute identification private key and attribute identification public key of the authentication server can also be generated based on the attribute information of the authentication server through the SM9 algorithm.
  • the terminal device when it registers on the network and binds the user to the Internet, it can send its own attribute information to the authentication server according to the address of the authentication server.
  • the attribute information can include location information, user information of the user bound to the terminal device (such as user Mobile phone number, ID number, registered account number, etc.) and device factory identification (such as device factory ID).
  • a terminal device When a terminal device is connected to the blockchain, it can calculate the position coordinates of the terminal device through the relative position of the fixed node in the blockchain and the position coordinates of the fixed node, and obtain the position information (X, Y, Z) of the terminal device. .
  • the terminal device is a newly connected blockchain device node.
  • the relative position L2 of the newly connected blockchain device node and the blockchain fixed node server 1, and the relative position L1 of the blockchain fixed node server 2 The relative position L2, the relative position L3 to the blockchain fixed node server 3, the position coordinates (X1, Y1, Z1) of the blockchain fixed node server 1, the position coordinates (X2, Y2, Z2), the position coordinates (X3, Y3, Z3) of the blockchain fixed node server 3 can establish the following relationship:
  • L1 2 (X1-X) 2 + (Y1-Y) 2 + (Z1-Z) 2 ;
  • L2 2 (X2-X) 2 +(Y2-Y) 2 +(Z2-Z) 2 ;
  • L3 2 (X3-X) 2 + (Y3-Y) 2 + (Z3-Z) 2 ;
  • the position coordinates (X, Y, Z) of the newly connected blockchain device node can be calculated, thereby obtaining the position information of the terminal device.
  • the embodiment of this application uses the location information of the terminal device, the user information of the bound user, and the device factory identification to uniquely identify the terminal device as the public and private keys of the device, thereby avoiding the need for manufacturers to burn devices with the same ID. Or the problem of device encryption information leakage caused by the leakage of production list information; and when the terminal device changes the bound user or the device location is transferred, the attribute information of the terminal device is updated, and the public and private keys of the corresponding terminal device will also change, thus avoiding information Leakage and confusion. After the bound user of the same terminal device is changed, because the user information has changed, the public and private keys corresponding to the terminal device have also changed. The subsequent bound user of the same terminal device will not know the corresponding key of the previous bound user. Public and private key information improves the security of terminal equipment.
  • Step 303 Send the second encrypted information to the terminal device, so that the terminal device decrypts the second encrypted information using the symmetric key generated by itself to obtain the attribute encryption identification private key and the random number, and compares the random number generated by itself with the decrypted random number. Verify the legality of the authentication server through data, and after verifying that the authentication server is legal, save the attribute encryption identification private key.
  • the authentication server sends the second encrypted information to the terminal device, so that the terminal device decrypts the second encrypted information through the symmetric key generated by itself to obtain the attribute encryption identification private key and the random number.
  • the terminal device compares the random number generated by itself with the decrypted Whether the random numbers are the same is used to verify the legitimacy of the authentication server. If the random number generated by itself is compared with the random number obtained by decryption, it is verified that the authentication server is legitimate. If the random number generated by itself is compared with the random number obtained by decryption, it is verified that the authentication server is legitimate. If the random numbers are different, it is verified that the authentication server is illegal; after verifying that the authentication server is legal, the terminal device saves the attribute encryption identification private key in the local hardware storage chip.
  • the location information of the terminal device, the user information of the user bound to the terminal device, and the device factory identification are used to generate the private key of the terminal device, which can avoid burning the same ID device or production list for the manufacturer.
  • Information leakage leads to the leakage of device encryption information, thereby improving device security; moreover, the terminal device uses the attribute identification public key of the authentication server to encrypt the information to obtain the first encrypted information, and only the legitimate server (possessing the attribute identification private key of the authentication server ) can decrypt the first encrypted information to obtain the symmetric key and random number.
  • the terminal device can verify the authenticity of the authentication server by decrypting the random number; at the same time, because Only the legal authentication server can decrypt the symmetric key. It is safe to use the symmetric key to encrypt and distribute the attribute encryption identification private key. This improves the existing technology of using the device factory ID as the device key for encrypted information transmission. There is It is easy for the leakage of manufacturer information to lead to the leakage of batch device keys, thus affecting the technical issues of device security.
  • the above is an embodiment of a device security authentication method based on attribute encryption applied to an authentication server provided by this application.
  • the following is an embodiment of a terminal device provided by this application.
  • a terminal device provided by an embodiment of the present application includes:
  • Initialization unit 401 is used to initialize and generate a symmetric key and a random number when accessing the authentication server in the blockchain for registration, and to encrypt the symmetric key and the random number through the attribute identification public key of the authentication server to obtain the first encrypted information. ;
  • the sending unit 402 is configured to send a registration authentication request carrying the first encryption information and the device factory identification to the authentication server, and the authentication server authenticates the terminal device according to the device factory identification;
  • the receiving unit 403 is configured to receive the second encrypted information returned by the authentication server after successful authentication, and decrypt the second encrypted information through the symmetric key to obtain the attribute encryption identification private key and the random number; wherein the attribute encryption identification private key is determined by the authentication server according to The attribute information of the terminal device is generated.
  • the attribute information includes location information, user information of the user bound to the terminal device and device factory identification; the second encrypted information is obtained by the authentication server decrypting the first encrypted information through its own attribute identification private key.
  • the symmetric key is obtained by encrypting the attribute encryption identification private key and the decrypted random number;
  • the verification unit 404 is used to verify the legitimacy of the authentication server through the random numbers generated by itself and the random numbers decrypted. After verifying that the authentication server is legal, save the attribute encryption identification private key.
  • the location information of the terminal device, the user information of the user bound to the terminal device, and the device factory identification are used to generate the private key of the terminal device, which can avoid burning the same ID device or production list for the manufacturer.
  • Information leakage leads to the leakage of device encryption information, thereby improving device security; moreover, the terminal device uses the attribute identification public key of the authentication server to encrypt the information to obtain the first encrypted information, and only the legitimate server (possessing the attribute identification private key of the authentication server ) can decrypt the first encrypted information to obtain the symmetric key and random number.
  • the terminal device can verify the authenticity of the authentication server by decrypting the random number; at the same time, because Only the legal authentication server can decrypt the symmetric key. It is safe to use the symmetric key to encrypt and distribute the attribute encryption identification private key. This improves the existing technology of using the device factory ID as the device key for encrypted information transmission. There is It is easy for the leakage of manufacturer information to lead to the leakage of batch device keys, thus affecting the technical issues of device security.
  • the above is an embodiment of a terminal device provided by this application, and the following is an embodiment of an authentication server provided by this application.
  • An authentication server provided by an embodiment of this application includes:
  • the receiving unit 501 is configured to receive a registration authentication request sent by the terminal device, authenticate the terminal device according to the device factory ID carried in the registration authentication request, and decrypt the first encrypted information carried in the registration authentication request through its own attribute identification private key. Obtain the symmetric key and random number; the first encrypted information is encrypted and generated by the symmetric key and random number generated by the terminal device through the attribute identification public key pair of the authentication server;
  • the encryption unit 502 is configured to, after successful authentication, generate the attribute encryption identification private key of the terminal device based on the attribute information of the terminal device, and encrypt the attribute encryption identification private key and the decrypted random number using the decrypted symmetric key.
  • the second encrypted information, the attribute information includes location information, user information of the user bound to the terminal device, and device factory identification;
  • the sending unit 503 is used to send the second encrypted information to the terminal device, so that the terminal device decrypts the second encrypted information through the symmetric key generated by itself to obtain the attribute encryption identification private key and random number, and decrypts the random number through the self-generated random number.
  • the random number verifies the legitimacy of the authentication server, and after verifying that the authentication server is legitimate, saves the attribute encryption identification private key.
  • the location information of the terminal device, the user information of the user bound to the terminal device, and the device factory identification are used to generate the private key of the terminal device, which can avoid burning the same ID device or production list for the manufacturer.
  • Information leakage leads to the leakage of device encryption information, thereby improving device security; moreover, the terminal device uses the attribute identification public key of the authentication server to encrypt the information to obtain the first encrypted information, and only the legitimate server (possessing the attribute identification private key of the authentication server ) can decrypt the first encrypted information to obtain the symmetric key and random number.
  • the terminal device can verify the authenticity of the authentication server by decrypting the random number; at the same time, because Only the legal authentication server can decrypt the symmetric key. It is safe to use the symmetric key to encrypt and distribute the attribute encryption identification private key. This improves the existing technology of using the device factory ID as the device key for encrypted information transmission. There is It is easy for the leakage of manufacturer information to lead to the leakage of batch device keys, thus affecting the technical issues of device security.
  • the embodiment of this application also provides a device security authentication system based on attribute encryption, including: the terminal device and authentication server in the aforementioned embodiment;
  • the terminal device is used to initialize and generate a symmetric key and a random number when accessing the authentication server in the blockchain for registration, and to encrypt the symmetric key and the random number through the attribute identification public key of the authentication server to obtain the first encrypted information; Send a registration authentication request carrying the first encryption information and the device factory identification to the authentication server;
  • the authentication server is used to authenticate the terminal device according to the device factory identification, and decrypt the first encrypted information through its own attribute identification private key to obtain the symmetric key and random number; after the verification is successful, generate The attribute encryption identification private key of the terminal device is encrypted with the decrypted symmetric key and the decrypted random number to obtain the second encrypted information, and the second encrypted information is sent to the terminal device; wherein, Attribute information includes location information, user information of the user bound to the terminal device, and device factory identification;
  • the terminal device is also used to decrypt the second encrypted information through the symmetric key generated by itself to obtain the attribute encryption identification private key and random number; and verify the legitimacy of the authentication server through the random number generated by itself and the random number decrypted. After the authentication server is legitimate, save the attribute encryption identification private key.
  • the location information of the terminal device, the user information of the user bound to the terminal device, and the device factory identification are used to generate the private key of the terminal device, which can avoid burning the same ID device or production list for the manufacturer.
  • Information leakage leads to the leakage of device encryption information, thereby improving device security; moreover, the terminal device uses the attribute identification public key of the authentication server to encrypt the information to obtain the first encrypted information, and only the legitimate server (which has the attribute identification private key of the authentication server) ) can decrypt the first encrypted information to obtain the symmetric key and random number.
  • the terminal device can verify the authenticity of the authentication server by decrypting the random number; at the same time, because Only the legitimate authentication server can decrypt the symmetric key. It is safe to use the symmetric key to encrypt and distribute the attribute encryption identification private key. This improves the existing technology of using the device factory ID as the device key for encrypted information transmission. There is It is easy for the leakage of manufacturer information to lead to the leakage of batch device keys, thus affecting the technical issues of device security.
  • the embodiment of the present application also provides a device security authentication device based on attribute encryption.
  • the device includes a processor and a memory;
  • Memory is used to store program code and transmit the program code to the processor
  • the processor is configured to execute the aforementioned attribute encryption-based device security authentication method applied to the terminal device according to instructions in the program code, or execute the attribute encryption-based device security authentication method applied to the authentication server.
  • At least one (item) refers to one or more, and “plurality” refers to two or more.
  • “And/or” is used to describe the relationship between associated objects, indicating that there can be three relationships. For example, “A and/or B” can mean: only A exists, only B exists, and A and B exist simultaneously. , where A and B can be singular or plural. The character “/” generally indicates that the related objects are in an "or” relationship. “At least one of the following” or similar expressions thereof refers to any combination of these items, including any combination of a single item (items) or a plurality of items (items).
  • At least one of a, b or c can mean: a, b, c, "a and b", “a and c", “b and c", or "a and b and c” ”, where a, b, c can be single or multiple.
  • the disclosed devices and methods can be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the units is only a logical function division. In actual implementation, there may be other division methods.
  • multiple units or components may be combined or can be integrated into another system, or some features can be ignored, or not implemented.
  • the coupling or direct coupling or communication connection between each other shown or discussed may be through some interfaces, and the indirect coupling or communication connection of the devices or units may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place, or they may be distributed to multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • each functional unit in each embodiment of the present application can be integrated into one processing unit, each unit can exist physically alone, or two or more units can be integrated into one unit.
  • the above integrated units can be implemented in the form of hardware or software functional units.
  • the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium.
  • the technical solution of the present application is essentially or contributes to the existing technology, or all or part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium , including several instructions for executing all or part of the steps of the methods described in various embodiments of the application through a computer device (which can be a personal computer, a server, or a network device, etc.).
  • the aforementioned storage media include: U disk, mobile hard disk, read-only memory (English full name: Read-Only Memory, English abbreviation: ROM), random access memory (English full name: Random Access Memory, English abbreviation: RAM), magnetic Various media that can store program code, such as discs or optical disks.

Abstract

The present application discloses an attribute encryption-based device security authentication method and a related apparatus thereof. A terminal device encrypting a generated symmetric key and a generated random number by means of an attribute identification (ID) public key of an authentication server to obtain first encrypted information, and then sending a registration authentication request to the authentication server for authentication; decrypting, by means of the symmetric key, second encrypted information returned by the authentication server to obtain an attribute encryption ID private key and a random number, wherein the attribute encryption ID private key is generated by the authentication server according to attribute information of the terminal device, and the attribute information comprises position information, user information of a user bound with the terminal device, and a device factory ID; and verifying the legitimacy of an authentication server by means of random numbers, and after the authentication server is verified to be legitimate, storing an attribute encryption ID private key, such that the technical problem in the prior art that device security is affected due to the fact that device factory IDs are used as device keys for information encryption and transmission and then batched device keys are likely to be leaked due to leakage of manufacturer information is mitigated.

Description

一种基于属性加密的设备安全认证方法及其相关装置A device security authentication method based on attribute encryption and related devices 技术领域Technical field
本申请涉及网络安全技术领域,尤其涉及一种基于属性加密的设备安全认证方法及其相关装置。The present application relates to the field of network security technology, and in particular to a device security authentication method and related devices based on attribute encryption.
背景技术Background technique
为了提高信息传输安全性,通常采用设置公私钥对进行信息加密传输。现有技术大多采用设备出厂ID作为设备密钥进行信息加密传输,容易因为厂商信息泄露等原因,导致批量设备密钥泄露,从而导致设备安全问题。In order to improve the security of information transmission, public and private key pairs are usually set for encrypted information transmission. Existing technologies mostly use the device factory ID as the device key for encrypted information transmission, which can easily lead to leakage of batch device keys due to leakage of manufacturer information and other reasons, thus leading to device security issues.
发明内容Contents of the invention
本申请提供了一种基于属性加密的设备安全认证方法及其相关装置,用于改善现有技术采用设备出厂ID作为设备密钥进行信息加密传输,存在容易因为厂商信息泄露,导致批量设备密钥泄露,从而影响设备安全的技术问题。This application provides a device security authentication method and related devices based on attribute encryption, which is used to improve the existing technology of using the device factory ID as the device key for encrypted information transmission. It is easy to leak manufacturer information, resulting in batch device keys. Leakage, thus affecting technical issues of equipment security.
有鉴于此,本申请第一方面提供了一种基于属性加密的设备安全认证方法,应用于终端设备,方法包括:In view of this, the first aspect of this application provides a device security authentication method based on attribute encryption, which is applied to terminal devices. The method includes:
在接入区块链中的认证服务器进行注册时,初始化生成对称密钥和随机数,并通过认证服务器的属性标识公钥加密所述对称密钥和所述随机数得到第一加密信息;When accessing the authentication server in the blockchain for registration, initialize and generate a symmetric key and a random number, and encrypt the symmetric key and the random number through the attribute identification public key of the authentication server to obtain the first encrypted information;
发送携带有所述第一加密信息和设备出厂标识的注册认证请求给所述认证服务器,由所述认证服务器根据所述设备出厂标识对所述终端设备进行认证;Send a registration authentication request carrying the first encryption information and the device factory identification to the authentication server, and the authentication server authenticates the terminal device according to the device factory identification;
接收所述认证服务器在认证成功后返回的第二加密信息,通过所述对称密钥解密所述第二加密信息得到属性加密标识私钥和随机数;其中,所述属性加密标识私钥由所述认证服务器根据所述终端设备的属性信息生成, 所述属性信息包括位置信息、所述终端设备所绑定用户的用户信息和所述设备出厂标识;所述第二加密信息由所述认证服务器通过自身的属性标识私钥对所述第一加密信息进行解密得到的对称密钥对所述属性加密标识私钥和解密出的随机数加密得到;Receive the second encrypted information returned by the authentication server after successful authentication, and decrypt the second encrypted information using the symmetric key to obtain the attribute encryption identification private key and a random number; wherein the attribute encryption identification private key is obtained by The authentication server is generated based on the attribute information of the terminal device. The attribute information includes location information, user information of the user bound to the terminal device and the device factory identification; the second encrypted information is generated by the authentication server. The symmetric key obtained by decrypting the first encrypted information with its own attribute identification private key is obtained by encrypting the attribute encryption identification private key and the decrypted random number;
通过自身生成的所述随机数和解密出的随机数验证所述认证服务器的合法性,在验证所述认证服务器合法后,保存所述属性加密标识私钥。The legitimacy of the authentication server is verified through the random number generated by itself and the random number decrypted. After verifying that the authentication server is legitimate, the attribute encryption identification private key is saved.
可选的,所述终端设备出厂时预设有所述认证服务器的地址,所述方法还包括:Optionally, the terminal device is preset with the address of the authentication server when it leaves the factory, and the method further includes:
所述终端设备在绑定用户后,根据所述认证服务器的地址发送属性信息给所述认证服务器。After binding the user, the terminal device sends attribute information to the authentication server according to the address of the authentication server.
可选的,所述终端设备的位置信息的获取过程为:Optionally, the acquisition process of the location information of the terminal device is:
所述终端设备在接入区块链时,根据自身与区块链中的目标节点的相对位置和所述目标节点的位置坐标计算所述终端设备的位置坐标,得到所述终端设备的位置信息。When the terminal device accesses the blockchain, it calculates the location coordinates of the terminal device based on its relative position to the target node in the blockchain and the location coordinates of the target node to obtain the location information of the terminal device. .
可选的,所述通过自身生成的所述随机数和解密出的随机数验证所述认证服务器的合法性,包括:Optionally, verifying the legitimacy of the authentication server by using the random number generated by itself and the decrypted random number includes:
比对自身生成的所述随机数和解密出的随机数是否相同;Compare whether the random number generated by itself and the random number decrypted are the same;
若相同,则验证所述认证服务器是合法的;If they are the same, verify that the authentication server is legal;
若不相同,则验证所述认证服务器是不合法的。If they are not the same, it is verified that the authentication server is illegal.
本申请第二方面提供了一种基于属性加密的设备安全认证方法,应用于认证服务器,方法包括:The second aspect of this application provides a device security authentication method based on attribute encryption, which is applied to the authentication server. The method includes:
接收终端设备发送的注册认证请求,根据所述注册认证请求携带的设备出厂标识对所述终端设备进行认证,并通过自身的属性标识私钥对所述注册认证请求携带的第一加密信息进行解密得到对称密钥和随机数;所述第一加密信息由所述终端设备通过所述认证服务器的属性标识公钥对初始化生成的对称密钥和随机数加密生成;Receive the registration authentication request sent by the terminal device, authenticate the terminal device according to the device factory identification carried in the registration authentication request, and decrypt the first encrypted information carried in the registration authentication request through its own attribute identification private key. Obtain the symmetric key and random number; the first encrypted information is encrypted and generated by the symmetric key and random number generated by the terminal device through the attribute identification public key pair of the authentication server;
在认证成功后,根据所述终端设备的属性信息生成所述终端设备的属性加密标识私钥,并通过解密出的对称密钥对所述属性加密标识私钥和解密出的随机数进行加密得到第二加密信息,所述属性信息包括位置信息、 所述终端设备所绑定用户的用户信息和所述设备出厂标识;After the authentication is successful, the attribute encryption identification private key of the terminal device is generated according to the attribute information of the terminal device, and the attribute encryption identification private key and the decrypted random number are encrypted with the decrypted symmetric key to obtain second encrypted information, the attribute information includes location information, user information of the user bound to the terminal device and the device factory identification;
将所述第二加密信息发送给所述终端设备,使得所述终端设备通过自身生成的所述对称密钥解密所述第二加密信息得到属性加密标识私钥和随机数,比对自身生成的所述随机数和解密出的随机数验证所述认证服务器的合法性,并在验证所述认证服务器合法后,保存所述属性加密标识私钥。Send the second encrypted information to the terminal device, so that the terminal device decrypts the second encrypted information using the symmetric key generated by itself to obtain the attribute encryption identification private key and a random number, and compares it with the symmetric key generated by itself. The random number and the decrypted random number verify the legitimacy of the authentication server, and after verifying that the authentication server is legitimate, the attribute encryption identification private key is saved.
可选的,所述根据所述终端设备的属性信息生成所述终端设备的属性加密标识私钥,包括:Optionally, generating an attribute encryption identification private key of the terminal device according to the attribute information of the terminal device includes:
根据所述终端设备的属性信息给所述终端设备分配设备标识;Assign a device identification to the terminal device according to the attribute information of the terminal device;
根据所述终端设备的设备标识生成所述终端设备的属性加密标识私钥。Generate an attribute encryption identification private key of the terminal device according to the device identification of the terminal device.
本申请第三方面提供了一种终端设备,包括:The third aspect of this application provides a terminal device, including:
初始化单元,用于在接入区块链中的认证服务器进行注册时,初始化生成对称密钥和随机数,并通过认证服务器的属性标识公钥加密所述对称密钥和所述随机数得到第一加密信息;The initialization unit is used to initialize and generate a symmetric key and a random number when accessing the authentication server in the blockchain for registration, and to encrypt the symmetric key and the random number through the attribute identification public key of the authentication server to obtain the third - encrypted information;
发送单元,用于发送携带有所述第一加密信息和设备出厂标识的注册认证请求给所述认证服务器,由所述认证服务器根据所述设备出厂标识对所述终端设备进行认证;A sending unit configured to send a registration authentication request carrying the first encryption information and a device factory identification to the authentication server, and the authentication server authenticates the terminal device according to the device factory identification;
接收单元,用于接收所述认证服务器在认证成功后返回的第二加密信息,通过所述对称密钥解密所述第二加密信息得到属性加密标识私钥和随机数;其中,所述属性加密标识私钥由所述认证服务器根据所述终端设备的属性信息生成,所述属性信息包括位置信息、所述终端设备所绑定用户的用户信息和所述设备出厂标识;所述第二加密信息由所述认证服务器通过自身的属性标识私钥对所述第一加密信息进行解密得到的对称密钥对所述属性加密标识私钥和解密出的随机数加密得到;A receiving unit, configured to receive the second encrypted information returned by the authentication server after successful authentication, and to decrypt the second encrypted information using the symmetric key to obtain the attribute encryption identification private key and a random number; wherein, the attribute encryption The identification private key is generated by the authentication server based on the attribute information of the terminal device. The attribute information includes location information, user information of the user bound to the terminal device and the device factory identification; the second encrypted information The symmetric key obtained by the authentication server decrypting the first encrypted information using its own attribute identification private key is obtained by encrypting the attribute encryption identification private key and the decrypted random number;
验证单元,用于通过比对自身生成的所述随机数和解密出的随机数验证所述认证服务器的合法性,在验证所述认证服务器合法后,保存所述属性加密标识私钥。The verification unit is configured to verify the legitimacy of the authentication server by comparing the random number generated by itself with the decrypted random number, and after verifying that the authentication server is legal, save the attribute encryption identification private key.
本申请第四方面提供了一种认证服务器,包括:The fourth aspect of this application provides an authentication server, including:
接收单元,用于接收终端设备发送的注册认证请求,根据所述注册认证请求携带的设备出厂标识对所述终端设备进行认证,并通过自身的属性 标识私钥对所述注册认证请求携带的第一加密信息进行解密得到对称密钥和随机数;所述第一加密信息由所述终端设备通过所述认证服务器的属性标识公钥对初始化生成的对称密钥和随机数加密生成;The receiving unit is configured to receive the registration authentication request sent by the terminal device, authenticate the terminal device according to the device factory identification carried in the registration authentication request, and authenticate the third ID carried in the registration authentication request through its own attribute identification private key. Decrypt an encrypted information to obtain a symmetric key and a random number; the first encrypted information is generated by encrypting the symmetric key and random number generated by the terminal device through the attribute identification public key of the authentication server;
加密单元,用于在认证成功后,根据所述终端设备的属性信息生成所述终端设备的属性加密标识私钥,并通过解密出的对称密钥对所述属性加密标识私钥和解密出的随机数进行加密得到第二加密信息,所述属性信息包括位置信息、所述终端设备所绑定用户的用户信息和所述设备出厂标识;An encryption unit, configured to generate an attribute encryption identification private key of the terminal device according to the attribute information of the terminal device after successful authentication, and use the decrypted symmetric key to combine the attribute encryption identification private key and the decrypted symmetric key. The random number is encrypted to obtain the second encrypted information, and the attribute information includes location information, user information of the user bound to the terminal device, and the device factory identification;
发送单元,用于将所述第二加密信息发送给所述终端设备,使得所述终端设备通过自身生成的所述对称密钥解密所述第二加密信息得到属性加密标识私钥和随机数,通过自身生成的所述随机数和解密出的随机数验证所述认证服务器的合法性,并在验证所述认证服务器合法后,保存所述属性加密标识私钥。a sending unit, configured to send the second encrypted information to the terminal device, so that the terminal device decrypts the second encrypted information using the symmetric key generated by itself to obtain the attribute encryption identification private key and a random number, The legitimacy of the authentication server is verified through the random number generated by itself and the random number decrypted, and after verifying that the authentication server is legitimate, the attribute encryption identification private key is saved.
本申请第五方面提供了一种基于属性加密的设备安全认证系统,包括:第三方面所述的终端设备和第四方面所述的认证服务器。A fifth aspect of this application provides a device security authentication system based on attribute encryption, including: the terminal device described in the third aspect and the authentication server described in the fourth aspect.
本申请第六方面提供了一种基于属性加密的设备安全认证设备,所述设备包括处理器以及存储器;The sixth aspect of this application provides a device security authentication device based on attribute encryption, where the device includes a processor and a memory;
所述存储器用于存储程序代码,并将所述程序代码传输给所述处理器;The memory is used to store program code and transmit the program code to the processor;
所述处理器用于根据所述程序代码中的指令执行第一方面任一种所述的基于属性加密的设备安全认证方法,或执行第二方面任一种所述的基于属性加密的设备安全认证方法。The processor is configured to execute any one of the attribute encryption-based device security authentication methods described in the first aspect according to the instructions in the program code, or to execute any one of the attribute encryption-based device security authentication methods described in the second aspect. method.
从以上技术方案可以看出,本申请具有以下优点:It can be seen from the above technical solutions that this application has the following advantages:
本申请提供了一种基于属性加密的设备安全认证方法,应用于终端设备,方法包括:在接入区块链中的认证服务器进行注册时,初始化生成对称密钥和随机数,并通过认证服务器的属性标识公钥加密对称密钥和随机数得到第一加密信息;发送携带有第一加密信息和设备出厂标识的注册认证请求给认证服务器,由认证服务器根据设备出厂标识对终端设备进行认证;接收认证服务器在认证成功后返回的第二加密信息,通过对称密钥解密第二加密信息得到属性加密标识私钥和随机数;其中,属性加密标识私钥由认证服务器根据终端设备的属性信息生成,属性信息包括位置信息、 终端设备所绑定用户的用户信息和设备出厂标识;第二加密信息由认证服务器通过自身的属性标识私钥对第一加密信息进行解密得到的对称密钥对属性加密标识私钥和解密出的随机数加密得到;通过自身生成的随机数和解密出的随机数验证认证服务器的合法性,在验证认证服务器合法后,保存属性加密标识私钥。This application provides a device security authentication method based on attribute encryption, which is applied to terminal equipment. The method includes: when accessing the authentication server in the blockchain for registration, initializing the generation of symmetric keys and random numbers, and passing the authentication server The attribute identification public key encrypts the symmetric key and the random number to obtain the first encrypted information; sends a registration authentication request carrying the first encrypted information and the device factory identification to the authentication server, and the authentication server authenticates the terminal device according to the device factory identification; Receive the second encrypted information returned by the authentication server after successful authentication, and decrypt the second encrypted information through the symmetric key to obtain the attribute encryption identification private key and the random number; wherein the attribute encryption identification private key is generated by the authentication server based on the attribute information of the terminal device. , the attribute information includes location information, user information of the user bound to the terminal device, and device factory identification; the second encrypted information is encrypted by a symmetric key obtained by the authentication server decrypting the first encrypted information through its own attribute identification private key. The identity private key and the decrypted random number are encrypted; the legitimacy of the authentication server is verified through the random number generated by itself and the decrypted random number. After verifying that the authentication server is legitimate, the attribute encryption identity private key is saved.
本申请中,使用终端设备的位置信息、终端设备所绑定用户的用户信息、设备出厂标识这些设备属性信息来生成终端设备的私钥,可以避免对于厂商烧录同ID设备或生产清单信息泄露导致的设备加密信息泄露问题,从而提高了设备安全性;并且,终端设备使用了认证服务器的属性标识公钥加密信息得到第一加密信息,只有合法服务器(拥有认证服务器的属性标识私钥)才能解密出第一加密信息得到对称密钥和随机数,所以当认证服务器使用对称秘钥加密随机数发送给终端设备,终端设备通过解密出随机数即可验证认证服务器的真伪;同时因为只有合法认证服务器才能解密出该对称密钥,使用该对称密钥来加密、分发属性加密标识私钥是安全的,从而改善了现有技术采用设备出厂ID作为设备密钥进行信息加密传输,存在容易因为厂商信息泄露,导致批量设备密钥泄露,从而影响设备安全的技术问题。In this application, the location information of the terminal device, the user information of the user bound to the terminal device, and the device factory identification are used to generate the private key of the terminal device, which can avoid the leakage of the manufacturer's burning of devices with the same ID or the leakage of production list information. This leads to the leakage of device encryption information, thereby improving device security; moreover, the terminal device uses the attribute identification public key encryption information of the authentication server to obtain the first encrypted information. Only the legitimate server (possessing the attribute identification private key of the authentication server) can Decrypt the first encrypted information to obtain the symmetric key and random number, so when the authentication server uses the symmetric secret key to encrypt the random number and send it to the terminal device, the terminal device can verify the authenticity of the authentication server by decrypting the random number; at the same time, because only legitimate Only the authentication server can decrypt the symmetric key, and it is safe to use the symmetric key to encrypt and distribute the attribute encryption identification private key, thus improving the existing technology of using the device factory ID as the device key for encrypted information transmission, which is easy because The leakage of manufacturer information leads to the leakage of batch device keys, thus affecting the technical issues of device security.
附图说明Description of drawings
为了更清楚地说明本申请实施例或现有技术中的技术方案,下面将对实施例或现有技术描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本申请的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动性的前提下,还可以根据这些附图获得其它的附图。In order to explain the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings in the following description are only These are some embodiments of the present application. For those of ordinary skill in the art, other drawings can be obtained based on these drawings without exerting any creative effort.
图1为本申请实施例提供的一种应用于终端设备的基于属性加密的设备安全认证方法的一个流程示意图;Figure 1 is a schematic flow chart of a device security authentication method based on attribute encryption applied to terminal devices provided by an embodiment of the present application;
图2为本申请实施例提供的一种终端设备的位置关系示意图;Figure 2 is a schematic diagram of the position relationship of a terminal device provided by an embodiment of the present application;
图3为本申请实施例提供的一种应用于认证服务器的基于属性加密的设备安全认证方法的另一个流程示意图;Figure 3 is another schematic flowchart of a device security authentication method based on attribute encryption applied to an authentication server provided by an embodiment of the present application;
图4为本申请实施例提供的一种终端设备的一个结构示意图;Figure 4 is a schematic structural diagram of a terminal device provided by an embodiment of the present application;
图5为本申请实施例提供的一种认证服务器的一个结构示意图。Figure 5 is a schematic structural diagram of an authentication server provided by an embodiment of the present application.
具体实施方式Detailed ways
为了使本技术领域的人员更好地理解本申请方案,下面将结合本申请实施例中的附图,对本申请实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例仅是本申请一部分实施例,而不是全部的实施例。基于本申请中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本申请保护的范围。In order to enable those in the technical field to better understand the solutions of the present application, the technical solutions in the embodiments of the present application will be clearly and completely described below in conjunction with the accompanying drawings in the embodiments of the present application. Obviously, the described embodiments are only These are part of the embodiments of this application, but not all of them. Based on the embodiments in this application, all other embodiments obtained by those of ordinary skill in the art without creative efforts fall within the scope of protection of this application.
为了便于理解,请参阅图1,本申请实施例提供了一种基于属性加密的设备安全认证方法,应用于终端设备,方法包括:For ease of understanding, please refer to Figure 1. This embodiment of the present application provides a device security authentication method based on attribute encryption, which is applied to terminal devices. The method includes:
步骤101、在接入区块链中的认证服务器进行注册时,初始化生成对称密钥和随机数,并加密对称密钥和随机数得到第一加密信息。Step 101: When accessing the authentication server in the blockchain for registration, initially generate a symmetric key and a random number, and encrypt the symmetric key and the random number to obtain the first encrypted information.
终端设备(可以是摄像头等)在接入区块链中的认证服务器进行注册时,终端设备进行初始化,随机生成一个对称密钥和一个随机数,并可以使用认证服务器的属性标识公钥加密对称密钥和随机数,得到第一加密信息。When a terminal device (can be a camera, etc.) is connected to the authentication server in the blockchain for registration, the terminal device is initialized, randomly generates a symmetric key and a random number, and can use the attribute identification public key of the authentication server to encrypt the symmetric The key and random number are used to obtain the first encrypted information.
终端设备出厂时可以预设有认证服务器的地址,以便直接入网注册,适用于大规模发行物联网设备组网。终端设备在入网注册时,在联网绑定用户后,可以根据认证服务器的地址发送自身的属性信息给认证服务器,属性信息可以包括位置信息、终端设备所绑定用户的用户信息(如用户手机号、身份证号码、注册账号等)和设备出厂标识(如设备出厂ID)。When the terminal device leaves the factory, the address of the authentication server can be preset for direct network registration, which is suitable for large-scale distribution of IoT device networks. When the terminal device registers with the network and binds the user to the network, it can send its own attribute information to the authentication server according to the address of the authentication server. The attribute information can include location information and user information of the user bound to the terminal device (such as the user's mobile phone number). , ID number, registered account, etc.) and device factory identification (such as device factory ID).
终端设备在接入区块链时,可以通过和区块链中的固定节点的相对位置以及固定节点的位置坐标计算出终端设备的位置坐标,得到终端设备的位置信息(X,Y,Z)。可以参考图2,终端设备为新接入的区块链设备节点,根据新接入的区块链设备节点与区块链固定节点服务器1的相对位置L1,与区块链固定节点服务器2的相对位置L2、与区块链固定节点服务器3的相对位置L3以及区块链固定节点服务器1的位置坐标(X1,Y1,Z1)、区块链固定节点服务器2的位置坐标(X2,Y2,Z2)、区块链固定节点服务器 3的位置坐标(X3,Y3,Z3)可以建立如下关系式:When a terminal device is connected to the blockchain, it can calculate the position coordinates of the terminal device through the relative position of the fixed node in the blockchain and the position coordinates of the fixed node, and obtain the position information (X, Y, Z) of the terminal device. . Referring to Figure 2, the terminal device is a newly connected blockchain device node. According to the relative position L1 of the newly connected blockchain device node and the blockchain fixed node server 1, and the relative position L1 of the blockchain fixed node server 2 The relative position L2, the relative position L3 to the blockchain fixed node server 3, the position coordinates (X1, Y1, Z1) of the blockchain fixed node server 1, the position coordinates (X2, Y2, Z2), the position coordinates (X3, Y3, Z3) of the blockchain fixed node server 3 can establish the following relationship:
L1 2=(X1-X) 2+(Y1-Y) 2+(Z1-Z) 2L1 2 = (X1-X) 2 + (Y1-Y) 2 + (Z1-Z) 2 ;
L2 2=(X2-X) 2+(Y2-Y) 2+(Z2-Z) 2L2 2 =(X2-X) 2 +(Y2-Y) 2 +(Z2-Z) 2 ;
L3 2=(X3-X) 2+(Y3-Y) 2+(Z3-Z) 2L3 2 = (X3-X) 2 + (Y3-Y) 2 + (Z3-Z) 2 ;
通过求解上述关系式可以计算得到新接入的区块链设备节点的位置坐标(X,Y,Z),从而获取到终端设备的位置信息。By solving the above relationship, the position coordinates (X, Y, Z) of the newly connected blockchain device node can be calculated, thereby obtaining the position information of the terminal device.
步骤102、发送携带有第一加密信息和设备出厂标识的注册认证请求给认证服务器,由认证服务器根据设备出厂标识对终端设备进行认证。Step 102: Send a registration authentication request carrying the first encryption information and the device factory identification to the authentication server, and the authentication server authenticates the terminal device according to the device factory identification.
终端设备连接认证服务器后,发送携带有第一加密信息和设备出厂标识的注册认证请求给认证服务器,由认证服务器通过设备出厂标识对终端设备进行认证,验证设备合法性,并通过自身的属性标识私钥解密第一加密信息得到对称密钥和随机数;认证服务器在验证设备合法后,即认证成功后,认证服务器根据终端设备的属性信息生成终端设备的属性加密标识私钥,然后通过解密得到的对称密钥对终端设备的属性加密标识私钥和解密得到的随机数进行加密得到第二加密信息,再将第二加密信息返回给终端设备。After the terminal device connects to the authentication server, it sends a registration authentication request carrying the first encryption information and the device factory identification to the authentication server. The authentication server authenticates the terminal device through the device factory identification, verifies the legality of the device, and identifies it through its own attributes. The private key decrypts the first encrypted information to obtain the symmetric key and random number; after the authentication server verifies that the device is legal, that is, after the authentication is successful, the authentication server generates the attribute encryption identification private key of the terminal device based on the attribute information of the terminal device, and then decrypts it to obtain The symmetric key encrypts the attribute encryption identification private key of the terminal device and the decrypted random number to obtain the second encrypted information, and then returns the second encrypted information to the terminal device.
其中,根据终端设备的属性信息生成终端设备的属性加密标识私钥的过程可以为:Among them, the process of generating the attribute encryption identification private key of the terminal device according to the attribute information of the terminal device can be:
根据终端设备的属性信息给终端设备分配设备标识;根据终端设备的设备标识生成终端设备的属性加密标识私钥。Allocate a device identification to the terminal device according to the attribute information of the terminal device; generate an attribute encryption identification private key of the terminal device according to the device identification of the terminal device.
认证服务器可以将位置信息、用户信息和设备出厂标识组合生成该终端设备的设备标识,例如将位置信息、用户信息和设备出厂标识直接串接作为终端设备的设备标识,认证服务器可以采用SM9算法根据终端设备的设备标识生成终端设备的属性加密标识私钥,还可以生成终端设备的属性加密标识公钥,属性加密标识公钥存储在认证服务器中,而属性加密私钥需要存储在终端设备中,在认证后续通过属性加密标识公钥和属性加密标识私钥进行信息加密传输。可以理解的是,认证服务器的属性标识私钥和属性标识公钥也可以通过SM9算法根据认证服务器的属性信息(位置信息、认证服务器标识等)生成。The authentication server can combine the location information, user information and device factory identification to generate the device identification of the terminal device. For example, the location information, user information and device factory identification are directly concatenated as the device identification of the terminal device. The authentication server can use the SM9 algorithm according to The device identification of the terminal device generates the attribute encryption identification private key of the terminal device, and can also generate the attribute encryption identification public key of the terminal device. The attribute encryption identification public key is stored in the authentication server, and the attribute encryption private key needs to be stored in the terminal device. After the authentication, information is encrypted and transmitted through the attribute encryption identification public key and the attribute encryption identification private key. It can be understood that the attribute identification private key and attribute identification public key of the authentication server can also be generated based on the attribute information (location information, authentication server identification, etc.) of the authentication server through the SM9 algorithm.
本申请实施例,利用终端设备的位置信息、绑定用户的用户信息、设备出厂标识结合在区块链中作为终端设备的属性加密标识公钥进行设备在区块链中的安全认证,是通过利用终端设备的位置信息、用户信息以及设备出厂标识这些设备属性信息作为设备公私钥对终端设备进行独有的标识化,从而避免对于厂商烧录同ID设备或生产清单信息泄露导致的设备加密信息泄露问题;并且,在终端设备更换绑定用户或设备位置转移时,终端设备的属性信息更新,对应的终端设备的公私钥也会变化,从而可以避免信息泄露和混淆,同一终端设备更换绑定用户后,由于用户信息改变了,该终端设备对应的公私钥也发生了改变,同一终端设备的后一个绑定用户不会知道前一个绑定用户对应的公私钥信息,提高了终端设备的安全性。In the embodiment of this application, the location information of the terminal device, the user information of the bound user, and the device factory identification are combined in the blockchain as the attribute encryption identification public key of the terminal device to perform security authentication of the device in the blockchain. Utilize the terminal device's location information, user information, and device factory identification and other device attribute information as the device's public and private keys to uniquely identify the terminal device, thereby avoiding device encryption information caused by manufacturers burning devices with the same ID or leaking production list information. Leakage problem; Moreover, when the terminal device changes the binding user or the device location is transferred, the attribute information of the terminal device is updated, and the public and private keys of the corresponding terminal device will also change, thus avoiding information leakage and confusion. The same terminal device changes the binding After the user is logged in, because the user information has changed, the public and private keys corresponding to the terminal device have also changed. The subsequent binding user of the same terminal device will not know the public and private key information corresponding to the previous binding user, which improves the security of the terminal device. sex.
步骤103、接收认证服务器在认证成功后返回的第二加密信息,通过对称密钥解密第二加密信息得到属性加密标识私钥和随机数。Step 103: Receive the second encrypted information returned by the authentication server after successful authentication, and decrypt the second encrypted information using the symmetric key to obtain the attribute encryption identification private key and random number.
终端设备接收到认证服务器返回的第二加密信息后,通过自身生成的对称密钥对第二加密信息进行解密,得到属性加密标识私钥和随机数。After receiving the second encrypted information returned by the authentication server, the terminal device decrypts the second encrypted information using the symmetric key generated by itself to obtain the attribute encryption identification private key and random number.
步骤104、通过比对自身生成的随机数和解密出的随机数验证认证服务器的合法性,在验证认证服务器合法后,保存属性加密标识私钥。Step 104: Verify the legitimacy of the authentication server by comparing the random number generated by itself with the random number decrypted. After verifying that the authentication server is legitimate, save the attribute encryption identification private key.
终端设备比对自身生成的随机数和上述步骤解密得到的随机数是否相同,来验证认证服务器的合法性,终端设备若比对自身生成的随机数和解密得到的随机数相同,则验证该认证服务器是合法的,若比对自身生成的随机数和解密得到的随机数不相同,则验证该认证服务器是不合法的。终端设备在验证认证服务器合法后,保存属性加密标识私钥在本地硬件存储芯片中。The terminal device verifies the legitimacy of the authentication server by comparing the random number generated by itself with the random number decrypted in the above steps. If the terminal device compares the random number generated by itself with the random number decrypted, it verifies the authentication. The server is legitimate. If the random number generated by itself is compared with the random number obtained by decryption, it is verified that the authentication server is illegal. After verifying that the authentication server is legitimate, the terminal device saves the attribute encryption identity private key in the local hardware storage chip.
本申请实施例中,使用终端设备的位置信息、终端设备所绑定用户的用户信息、设备出厂标识这些设备属性信息来生成终端设备的私钥,可以避免对于厂商烧录同ID设备或生产清单信息泄露导致的设备加密信息泄露问题,从而提高了设备安全性;并且,终端设备使用了认证服务器的属性标识公钥加密信息得到第一加密信息,只有合法服务器(拥有认证服务器的属性标识私钥)才能解密出第一加密信息得到对称密钥和随机数,所以当认证服务器使用对称秘钥加密随机数发送给终端设备,终端设备通过 解密出随机数即可验证认证服务器的真伪;同时因为只有合法认证服务器才能解密出该对称密钥,使用该对称密钥来加密、分发属性加密标识私钥是安全的,从而改善了现有技术采用设备出厂ID作为设备密钥进行信息加密传输,存在容易因为厂商信息泄露,导致批量设备密钥泄露,从而影响设备安全的技术问题。In the embodiment of this application, the location information of the terminal device, the user information of the user bound to the terminal device, and the device factory identification are used to generate the private key of the terminal device, which can avoid burning the same ID device or production list for the manufacturer. Information leakage leads to the leakage of device encryption information, thereby improving device security; moreover, the terminal device uses the attribute identification public key of the authentication server to encrypt the information to obtain the first encrypted information, and only the legitimate server (possessing the attribute identification private key of the authentication server ) can decrypt the first encrypted information to obtain the symmetric key and random number. Therefore, when the authentication server uses the symmetric secret key to encrypt the random number and sends it to the terminal device, the terminal device can verify the authenticity of the authentication server by decrypting the random number; at the same time, because Only the legal authentication server can decrypt the symmetric key. It is safe to use the symmetric key to encrypt and distribute the attribute encryption identification private key. This improves the existing technology of using the device factory ID as the device key for encrypted information transmission. There is It is easy for the leakage of manufacturer information to lead to the leakage of batch device keys, thus affecting the technical issues of device security.
以上为本申请提供的应用于终端设备的一种基于属性加密的设备安全认证方法的一个实施例,以下为本申请提供的应用于认证服务器的一种基于属性加密的设备安全认证方法。The above is an embodiment of an attribute encryption-based device security authentication method applied to a terminal device provided by this application. The following is an attribute encryption-based device security authentication method applied to an authentication server provided by this application.
请参考图3,本申请实施例提供的一种基于属性加密的设备安全认证方法,应用于认证服务器,方法包括:Please refer to Figure 3. An embodiment of the present application provides a device security authentication method based on attribute encryption, which is applied to the authentication server. The method includes:
步骤301、接收终端设备发送的注册认证请求,根据注册认证请求携带的设备出厂标识对终端设备进行认证,并通过自身的属性标识私钥对注册认证请求携带的第一加密信息进行解密得到对称密钥和随机数。Step 301: Receive the registration authentication request sent by the terminal device, authenticate the terminal device according to the device factory identification carried in the registration authentication request, and use its own attribute identification private key to decrypt the first encrypted information carried in the registration authentication request to obtain the symmetric encryption keys and random numbers.
认证服务器接收到终端设备发送的注册认证请求后,根据注册认证请求携带的设备出厂标识对终端设备进行认证,通过设备出厂标识验证终端设备的合法性,并通过自身的属性标识私钥对注册认证请求携带的第一加密信息进行解密得到对称密钥和随机数。其中,第一加密信息由终端设备通过认证服务器的属性标识公钥对初始化生成的对称密钥和随机数加密生成。After receiving the registration authentication request sent by the terminal device, the authentication server authenticates the terminal device according to the device factory identification carried in the registration authentication request, verifies the legitimacy of the terminal device through the device factory identification, and authenticates the registration through its own attribute identification private key. The first encrypted information carried in the request is decrypted to obtain the symmetric key and random number. The first encrypted information is encrypted and generated by a symmetric key and a random number generated by the terminal device through initialization of the attribute identification public key pair of the authentication server.
步骤302、在认证成功后,根据终端设备的属性信息生成终端设备的属性加密标识私钥,并通过解密出的对称密钥对属性加密标识私钥和解密出的随机数进行加密得到第二加密信息,属性信息包括位置信息、终端设备所绑定用户的用户信息和设备出厂标识。Step 302: After the authentication is successful, generate the attribute encryption identification private key of the terminal device according to the attribute information of the terminal device, and encrypt the attribute encryption identification private key and the decrypted random number with the decrypted symmetric key to obtain the second encryption. Information, attribute information includes location information, user information of the user bound to the terminal device, and device factory identification.
认证服务器在认证终端设备合法后,根据终端设备的属性信息生成终端设备的属性加密标识私钥。具体的,认证服务器根据终端设备的属性信息给终端设备分配设备标识;根据终端设备的设备标识生成终端设备的属性加密标识私钥。After authenticating that the terminal device is legitimate, the authentication server generates the attribute encryption identification private key of the terminal device based on the attribute information of the terminal device. Specifically, the authentication server assigns a device identification to the terminal device according to the attribute information of the terminal device; and generates an attribute encryption identification private key of the terminal device according to the device identification of the terminal device.
认证服务器可以将位置信息、用户信息和设备出厂标识组合生成该终端设备的设备标识,例如将位置信息、用户信息和设备出厂标识直接串接 作为终端设备的设备标识,认证服务器可以采用SM9算法根据终端设备的设备标识生成终端设备的属性加密标识私钥,还可以生成终端设备的属性加密标识公钥,属性加密标识公钥存储在认证服务器中,而属性加密私钥需要存储在终端设备中,后续通过属性加密标识公钥和属性加密标识私钥进行信息加密传输。可以理解的是,认证服务器的属性标识私钥和属性标识公钥也可以通过SM9算法根据认证服务器的属性信息生成。The authentication server can combine the location information, user information and device factory identification to generate the device identification of the terminal device. For example, the location information, user information and device factory identification are directly concatenated as the device identification of the terminal device. The authentication server can use the SM9 algorithm according to The device identification of the terminal device generates the attribute encryption identification private key of the terminal device, and can also generate the attribute encryption identification public key of the terminal device. The attribute encryption identification public key is stored in the authentication server, and the attribute encryption private key needs to be stored in the terminal device. Subsequent information is encrypted and transmitted through the attribute encryption identification public key and the attribute encryption identification private key. It can be understood that the attribute identification private key and attribute identification public key of the authentication server can also be generated based on the attribute information of the authentication server through the SM9 algorithm.
其中,终端设备在入网注册时,在联网绑定用户后,可以根据认证服务器的地址发送自身的属性信息给认证服务器,属性信息可以包括位置信息、终端设备所绑定用户的用户信息(如用户手机号、身份证号码、注册账号等)和设备出厂标识(如设备出厂ID)。Among them, when the terminal device registers on the network and binds the user to the Internet, it can send its own attribute information to the authentication server according to the address of the authentication server. The attribute information can include location information, user information of the user bound to the terminal device (such as user Mobile phone number, ID number, registered account number, etc.) and device factory identification (such as device factory ID).
终端设备在接入区块链时,可以通过和区块链中的固定节点的相对位置以及固定节点的位置坐标计算出终端设备的位置坐标,得到终端设备的位置信息(X,Y,Z)。可以参考图2,终端设备为新接入的区块链设备节点,根据新接入的区块链设备节点与区块链固定节点服务器1的相对位置L1,与区块链固定节点服务器2的相对位置L2、与区块链固定节点服务器3的相对位置L3以及区块链固定节点服务器1的位置坐标(X1,Y1,Z1)、区块链固定节点服务器2的位置坐标(X2,Y2,Z2)、区块链固定节点服务器3的位置坐标(X3,Y3,Z3)可以建立如下关系式:When a terminal device is connected to the blockchain, it can calculate the position coordinates of the terminal device through the relative position of the fixed node in the blockchain and the position coordinates of the fixed node, and obtain the position information (X, Y, Z) of the terminal device. . Referring to Figure 2, the terminal device is a newly connected blockchain device node. According to the relative position L1 of the newly connected blockchain device node and the blockchain fixed node server 1, and the relative position L1 of the blockchain fixed node server 2 The relative position L2, the relative position L3 to the blockchain fixed node server 3, the position coordinates (X1, Y1, Z1) of the blockchain fixed node server 1, the position coordinates (X2, Y2, Z2), the position coordinates (X3, Y3, Z3) of the blockchain fixed node server 3 can establish the following relationship:
L1 2=(X1-X) 2+(Y1-Y) 2+(Z1-Z) 2L1 2 = (X1-X) 2 + (Y1-Y) 2 + (Z1-Z) 2 ;
L2 2=(X2-X) 2+(Y2-Y) 2+(Z2-Z) 2L2 2 =(X2-X) 2 +(Y2-Y) 2 +(Z2-Z) 2 ;
L3 2=(X3-X) 2+(Y3-Y) 2+(Z3-Z) 2L3 2 = (X3-X) 2 + (Y3-Y) 2 + (Z3-Z) 2 ;
通过求解上述关系式可以计算得到新接入的区块链设备节点的位置坐标(X,Y,Z),从而获取到终端设备的位置信息。By solving the above relationship, the position coordinates (X, Y, Z) of the newly connected blockchain device node can be calculated, thereby obtaining the position information of the terminal device.
本申请实施例是通过利用终端设备的位置信息、绑定用户的用户信息以及设备出厂标识这些设备属性信息作为设备公私钥对终端设备进行独有的标识化,从而避免对于厂商烧录同ID设备或生产清单信息泄露导致的设备加密信息泄露问题;并且,在终端设备更换绑定用户或设备位置转移时,终端设备的属性信息更新,对应的终端设备的公私钥也会变化,从而可以避免信息泄露和混淆,同一终端设备更换绑定用户后,由于用户信息 改变了,该终端设备对应的公私钥也发生了改变,同一终端设备的后一个绑定用户不会知道前一个绑定用户对应的公私钥信息,提高了终端设备的安全性。The embodiment of this application uses the location information of the terminal device, the user information of the bound user, and the device factory identification to uniquely identify the terminal device as the public and private keys of the device, thereby avoiding the need for manufacturers to burn devices with the same ID. Or the problem of device encryption information leakage caused by the leakage of production list information; and when the terminal device changes the bound user or the device location is transferred, the attribute information of the terminal device is updated, and the public and private keys of the corresponding terminal device will also change, thus avoiding information Leakage and confusion. After the bound user of the same terminal device is changed, because the user information has changed, the public and private keys corresponding to the terminal device have also changed. The subsequent bound user of the same terminal device will not know the corresponding key of the previous bound user. Public and private key information improves the security of terminal equipment.
步骤303、将第二加密信息发送给终端设备,使得终端设备通过自身生成的对称密钥解密第二加密信息得到属性加密标识私钥和随机数,比对自身生成的随机数和解密出的随机数验证认证服务器的合法性,并在验证认证服务器合法后,保存属性加密标识私钥。Step 303: Send the second encrypted information to the terminal device, so that the terminal device decrypts the second encrypted information using the symmetric key generated by itself to obtain the attribute encryption identification private key and the random number, and compares the random number generated by itself with the decrypted random number. Verify the legality of the authentication server through data, and after verifying that the authentication server is legal, save the attribute encryption identification private key.
认证服务器将第二加密信息发送给终端设备,使得终端设备通过自身生成的对称密钥解密第二加密信息得到属性加密标识私钥和随机数,终端设备比对自身生成的随机数和解密得到的随机数是否相同,来验证认证服务器的合法性,若比对自身生成的随机数和解密得到的随机数相同,则验证该认证服务器是合法的,若比对自身生成的随机数和解密得到的随机数不相同,则验证该认证服务器是不合法的;终端设备在验证认证服务器合法后,保存属性加密标识私钥在本地硬件存储芯片中。The authentication server sends the second encrypted information to the terminal device, so that the terminal device decrypts the second encrypted information through the symmetric key generated by itself to obtain the attribute encryption identification private key and the random number. The terminal device compares the random number generated by itself with the decrypted Whether the random numbers are the same is used to verify the legitimacy of the authentication server. If the random number generated by itself is compared with the random number obtained by decryption, it is verified that the authentication server is legitimate. If the random number generated by itself is compared with the random number obtained by decryption, it is verified that the authentication server is legitimate. If the random numbers are different, it is verified that the authentication server is illegal; after verifying that the authentication server is legal, the terminal device saves the attribute encryption identification private key in the local hardware storage chip.
本申请实施例中,使用终端设备的位置信息、终端设备所绑定用户的用户信息、设备出厂标识这些设备属性信息来生成终端设备的私钥,可以避免对于厂商烧录同ID设备或生产清单信息泄露导致的设备加密信息泄露问题,从而提高了设备安全性;并且,终端设备使用了认证服务器的属性标识公钥加密信息得到第一加密信息,只有合法服务器(拥有认证服务器的属性标识私钥)才能解密出第一加密信息得到对称密钥和随机数,所以当认证服务器使用对称秘钥加密随机数发送给终端设备,终端设备通过解密出随机数即可验证认证服务器的真伪;同时因为只有合法认证服务器才能解密出该对称密钥,使用该对称密钥来加密、分发属性加密标识私钥是安全的,从而改善了现有技术采用设备出厂ID作为设备密钥进行信息加密传输,存在容易因为厂商信息泄露,导致批量设备密钥泄露,从而影响设备安全的技术问题。In the embodiment of this application, the location information of the terminal device, the user information of the user bound to the terminal device, and the device factory identification are used to generate the private key of the terminal device, which can avoid burning the same ID device or production list for the manufacturer. Information leakage leads to the leakage of device encryption information, thereby improving device security; moreover, the terminal device uses the attribute identification public key of the authentication server to encrypt the information to obtain the first encrypted information, and only the legitimate server (possessing the attribute identification private key of the authentication server ) can decrypt the first encrypted information to obtain the symmetric key and random number. Therefore, when the authentication server uses the symmetric secret key to encrypt the random number and sends it to the terminal device, the terminal device can verify the authenticity of the authentication server by decrypting the random number; at the same time, because Only the legal authentication server can decrypt the symmetric key. It is safe to use the symmetric key to encrypt and distribute the attribute encryption identification private key. This improves the existing technology of using the device factory ID as the device key for encrypted information transmission. There is It is easy for the leakage of manufacturer information to lead to the leakage of batch device keys, thus affecting the technical issues of device security.
以上为本申请提供的应用于认证服务器的一种基于属性加密的设备安全认证方法的一个实施例,以下为本申请提供的一种终端设备的一个实施例。The above is an embodiment of a device security authentication method based on attribute encryption applied to an authentication server provided by this application. The following is an embodiment of a terminal device provided by this application.
请参考图4,本申请实施例提供的一种终端设备,包括:Please refer to Figure 4. A terminal device provided by an embodiment of the present application includes:
初始化单元401,用于在接入区块链中的认证服务器进行注册时,初始化生成对称密钥和随机数,并通过认证服务器的属性标识公钥加密对称密钥和随机数得到第一加密信息;Initialization unit 401 is used to initialize and generate a symmetric key and a random number when accessing the authentication server in the blockchain for registration, and to encrypt the symmetric key and the random number through the attribute identification public key of the authentication server to obtain the first encrypted information. ;
发送单元402,用于发送携带有第一加密信息和设备出厂标识的注册认证请求给认证服务器,由认证服务器根据设备出厂标识对终端设备进行认证;The sending unit 402 is configured to send a registration authentication request carrying the first encryption information and the device factory identification to the authentication server, and the authentication server authenticates the terminal device according to the device factory identification;
接收单元403,用于接收认证服务器在认证成功后返回的第二加密信息,通过对称密钥解密第二加密信息得到属性加密标识私钥和随机数;其中,属性加密标识私钥由认证服务器根据终端设备的属性信息生成,属性信息包括位置信息、终端设备所绑定用户的用户信息和设备出厂标识;第二加密信息由认证服务器通过自身的属性标识私钥对第一加密信息进行解密得到的对称密钥对属性加密标识私钥和解密出的随机数加密得到;The receiving unit 403 is configured to receive the second encrypted information returned by the authentication server after successful authentication, and decrypt the second encrypted information through the symmetric key to obtain the attribute encryption identification private key and the random number; wherein the attribute encryption identification private key is determined by the authentication server according to The attribute information of the terminal device is generated. The attribute information includes location information, user information of the user bound to the terminal device and device factory identification; the second encrypted information is obtained by the authentication server decrypting the first encrypted information through its own attribute identification private key. The symmetric key is obtained by encrypting the attribute encryption identification private key and the decrypted random number;
验证单元404,用于通过自身生成的随机数和解密出的随机数验证认证服务器的合法性,在验证认证服务器合法后,保存属性加密标识私钥。The verification unit 404 is used to verify the legitimacy of the authentication server through the random numbers generated by itself and the random numbers decrypted. After verifying that the authentication server is legal, save the attribute encryption identification private key.
本申请实施例中,使用终端设备的位置信息、终端设备所绑定用户的用户信息、设备出厂标识这些设备属性信息来生成终端设备的私钥,可以避免对于厂商烧录同ID设备或生产清单信息泄露导致的设备加密信息泄露问题,从而提高了设备安全性;并且,终端设备使用了认证服务器的属性标识公钥加密信息得到第一加密信息,只有合法服务器(拥有认证服务器的属性标识私钥)才能解密出第一加密信息得到对称密钥和随机数,所以当认证服务器使用对称秘钥加密随机数发送给终端设备,终端设备通过解密出随机数即可验证认证服务器的真伪;同时因为只有合法认证服务器才能解密出该对称密钥,使用该对称密钥来加密、分发属性加密标识私钥是安全的,从而改善了现有技术采用设备出厂ID作为设备密钥进行信息加密传输,存在容易因为厂商信息泄露,导致批量设备密钥泄露,从而影响设备安全的技术问题。In the embodiment of this application, the location information of the terminal device, the user information of the user bound to the terminal device, and the device factory identification are used to generate the private key of the terminal device, which can avoid burning the same ID device or production list for the manufacturer. Information leakage leads to the leakage of device encryption information, thereby improving device security; moreover, the terminal device uses the attribute identification public key of the authentication server to encrypt the information to obtain the first encrypted information, and only the legitimate server (possessing the attribute identification private key of the authentication server ) can decrypt the first encrypted information to obtain the symmetric key and random number. Therefore, when the authentication server uses the symmetric secret key to encrypt the random number and sends it to the terminal device, the terminal device can verify the authenticity of the authentication server by decrypting the random number; at the same time, because Only the legal authentication server can decrypt the symmetric key. It is safe to use the symmetric key to encrypt and distribute the attribute encryption identification private key. This improves the existing technology of using the device factory ID as the device key for encrypted information transmission. There is It is easy for the leakage of manufacturer information to lead to the leakage of batch device keys, thus affecting the technical issues of device security.
以上为本申请提供的一种终端设备的一个实施例,以下为本申请提供的一种认证服务器的一个实施例。The above is an embodiment of a terminal device provided by this application, and the following is an embodiment of an authentication server provided by this application.
请参考图5,本申请实施例提供的一种认证服务器,包括:Please refer to Figure 5. An authentication server provided by an embodiment of this application includes:
接收单元501,用于接收终端设备发送的注册认证请求,根据注册认证请求携带的设备出厂标识对终端设备进行认证,并通过自身的属性标识私钥对注册认证请求携带的第一加密信息进行解密得到对称密钥和随机数;第一加密信息由终端设备通过认证服务器的属性标识公钥对初始化生成的对称密钥和随机数加密生成;The receiving unit 501 is configured to receive a registration authentication request sent by the terminal device, authenticate the terminal device according to the device factory ID carried in the registration authentication request, and decrypt the first encrypted information carried in the registration authentication request through its own attribute identification private key. Obtain the symmetric key and random number; the first encrypted information is encrypted and generated by the symmetric key and random number generated by the terminal device through the attribute identification public key pair of the authentication server;
加密单元502,用于在认证成功后,根据终端设备的属性信息生成终端设备的属性加密标识私钥,并通过解密出的对称密钥对属性加密标识私钥和解密出的随机数进行加密得到第二加密信息,属性信息包括位置信息、终端设备所绑定用户的用户信息和设备出厂标识;The encryption unit 502 is configured to, after successful authentication, generate the attribute encryption identification private key of the terminal device based on the attribute information of the terminal device, and encrypt the attribute encryption identification private key and the decrypted random number using the decrypted symmetric key. The second encrypted information, the attribute information includes location information, user information of the user bound to the terminal device, and device factory identification;
发送单元503,用于将第二加密信息发送给终端设备,使得终端设备通过自身生成的对称密钥解密第二加密信息得到属性加密标识私钥和随机数,通过自身生成的随机数和解密出的随机数验证认证服务器的合法性,并在验证认证服务器合法后,保存属性加密标识私钥。The sending unit 503 is used to send the second encrypted information to the terminal device, so that the terminal device decrypts the second encrypted information through the symmetric key generated by itself to obtain the attribute encryption identification private key and random number, and decrypts the random number through the self-generated random number. The random number verifies the legitimacy of the authentication server, and after verifying that the authentication server is legitimate, saves the attribute encryption identification private key.
本申请实施例中,使用终端设备的位置信息、终端设备所绑定用户的用户信息、设备出厂标识这些设备属性信息来生成终端设备的私钥,可以避免对于厂商烧录同ID设备或生产清单信息泄露导致的设备加密信息泄露问题,从而提高了设备安全性;并且,终端设备使用了认证服务器的属性标识公钥加密信息得到第一加密信息,只有合法服务器(拥有认证服务器的属性标识私钥)才能解密出第一加密信息得到对称密钥和随机数,所以当认证服务器使用对称秘钥加密随机数发送给终端设备,终端设备通过解密出随机数即可验证认证服务器的真伪;同时因为只有合法认证服务器才能解密出该对称密钥,使用该对称密钥来加密、分发属性加密标识私钥是安全的,从而改善了现有技术采用设备出厂ID作为设备密钥进行信息加密传输,存在容易因为厂商信息泄露,导致批量设备密钥泄露,从而影响设备安全的技术问题。In the embodiment of this application, the location information of the terminal device, the user information of the user bound to the terminal device, and the device factory identification are used to generate the private key of the terminal device, which can avoid burning the same ID device or production list for the manufacturer. Information leakage leads to the leakage of device encryption information, thereby improving device security; moreover, the terminal device uses the attribute identification public key of the authentication server to encrypt the information to obtain the first encrypted information, and only the legitimate server (possessing the attribute identification private key of the authentication server ) can decrypt the first encrypted information to obtain the symmetric key and random number. Therefore, when the authentication server uses the symmetric secret key to encrypt the random number and sends it to the terminal device, the terminal device can verify the authenticity of the authentication server by decrypting the random number; at the same time, because Only the legal authentication server can decrypt the symmetric key. It is safe to use the symmetric key to encrypt and distribute the attribute encryption identification private key. This improves the existing technology of using the device factory ID as the device key for encrypted information transmission. There is It is easy for the leakage of manufacturer information to lead to the leakage of batch device keys, thus affecting the technical issues of device security.
本申请实施例还提供了一种基于属性加密的设备安全认证系统,包括:前述实施例中的终端设备和认证服务器;The embodiment of this application also provides a device security authentication system based on attribute encryption, including: the terminal device and authentication server in the aforementioned embodiment;
终端设备,用于在接入区块链中的认证服务器进行注册时,初始化生 成对称密钥和随机数,并通过认证服务器的属性标识公钥加密对称密钥和随机数得到第一加密信息;发送携带有第一加密信息和设备出厂标识的注册认证请求给认证服务器;The terminal device is used to initialize and generate a symmetric key and a random number when accessing the authentication server in the blockchain for registration, and to encrypt the symmetric key and the random number through the attribute identification public key of the authentication server to obtain the first encrypted information; Send a registration authentication request carrying the first encryption information and the device factory identification to the authentication server;
认证服务器,用于根据设备出厂标识对终端设备进行认证,并通过自身的属性标识私钥对第一加密信息进行解密得到对称密钥和随机数;在验证成功后,根据终端设备的属性信息生成终端设备的属性加密标识私钥,并通过解密出的对称密钥对属性加密标识私钥和解密出的随机数进行加密得到第二加密信息,并将第二加密信息发送给终端设备;其中,属性信息包括位置信息、终端设备所绑定用户的用户信息和设备出厂标识;The authentication server is used to authenticate the terminal device according to the device factory identification, and decrypt the first encrypted information through its own attribute identification private key to obtain the symmetric key and random number; after the verification is successful, generate The attribute encryption identification private key of the terminal device is encrypted with the decrypted symmetric key and the decrypted random number to obtain the second encrypted information, and the second encrypted information is sent to the terminal device; wherein, Attribute information includes location information, user information of the user bound to the terminal device, and device factory identification;
终端设备,还用于通过自身生成的对称密钥解密第二加密信息得到属性加密标识私钥和随机数;并通过自身生成的随机数和解密出的随机数验证认证服务器的合法性,在验证认证服务器合法后,保存属性加密标识私钥。The terminal device is also used to decrypt the second encrypted information through the symmetric key generated by itself to obtain the attribute encryption identification private key and random number; and verify the legitimacy of the authentication server through the random number generated by itself and the random number decrypted. After the authentication server is legitimate, save the attribute encryption identification private key.
本申请实施例中,使用终端设备的位置信息、终端设备所绑定用户的用户信息、设备出厂标识这些设备属性信息来生成终端设备的私钥,可以避免对于厂商烧录同ID设备或生产清单信息泄露导致的设备加密信息泄露问题,从而提高了设备安全性;并且,终端设备使用了认证服务器的属性标识公钥加密信息得到第一加密信息,只有合法服务器(拥有认证服务器的属性标识私钥)才能解密出第一加密信息得到对称密钥和随机数,所以当认证服务器使用对称秘钥加密随机数发送给终端设备,终端设备通过解密出随机数即可验证认证服务器的真伪;同时因为只有合法认证服务器才能解密出该对称密钥,使用该对称密钥来加密、分发属性加密标识私钥是安全的,从而改善了现有技术采用设备出厂ID作为设备密钥进行信息加密传输,存在容易因为厂商信息泄露,导致批量设备密钥泄露,从而影响设备安全的技术问题。In the embodiment of this application, the location information of the terminal device, the user information of the user bound to the terminal device, and the device factory identification are used to generate the private key of the terminal device, which can avoid burning the same ID device or production list for the manufacturer. Information leakage leads to the leakage of device encryption information, thereby improving device security; moreover, the terminal device uses the attribute identification public key of the authentication server to encrypt the information to obtain the first encrypted information, and only the legitimate server (which has the attribute identification private key of the authentication server) ) can decrypt the first encrypted information to obtain the symmetric key and random number. Therefore, when the authentication server uses the symmetric secret key to encrypt the random number and sends it to the terminal device, the terminal device can verify the authenticity of the authentication server by decrypting the random number; at the same time, because Only the legitimate authentication server can decrypt the symmetric key. It is safe to use the symmetric key to encrypt and distribute the attribute encryption identification private key. This improves the existing technology of using the device factory ID as the device key for encrypted information transmission. There is It is easy for the leakage of manufacturer information to lead to the leakage of batch device keys, thus affecting the technical issues of device security.
本申请实施例还提供了一种基于属性加密的设备安全认证设备,设备包括处理器以及存储器;The embodiment of the present application also provides a device security authentication device based on attribute encryption. The device includes a processor and a memory;
存储器用于存储程序代码,并将程序代码传输给处理器;Memory is used to store program code and transmit the program code to the processor;
处理器用于根据程序代码中的指令执行前述应用于终端设备的基于属 性加密的设备安全认证方法,或执行应用于认证服务器的基于属性加密的设备安全认证方法。The processor is configured to execute the aforementioned attribute encryption-based device security authentication method applied to the terminal device according to instructions in the program code, or execute the attribute encryption-based device security authentication method applied to the authentication server.
所属领域的技术人员可以清楚地了解到,为描述的方便和简洁,上述描述的系统,装置和单元的具体工作过程,可以参考前述方法实施例中的对应过程,在此不再赘述。Those skilled in the art can clearly understand that for the convenience and simplicity of description, the specific working processes of the systems, devices and units described above can be referred to the corresponding processes in the foregoing method embodiments, and will not be described again here.
本申请的说明书及上述附图中的术语“第一”、“第二”、“第三”、“第四”等(如果存在)是用于区别类似的对象,而不必用于描述特定的顺序或先后次序。应该理解这样使用的数据在适当情况下可以互换,以便这里描述的本申请的实施例例如能够以除了在这里图示或描述的那些以外的顺序实施。此外,术语“包括”和“具有”以及他们的任何变形,意图在于覆盖不排他的包含,例如,包含了一系列步骤或单元的过程、方法、系统、产品或设备不必限于清楚地列出的那些步骤或单元,而是可包括没有清楚地列出的或对于这些过程、方法、产品或设备固有的其它步骤或单元。The terms "first", "second", "third", "fourth", etc. (if present) in the description of this application and the above-mentioned drawings are used to distinguish similar objects and are not necessarily used to describe specific objects. Sequence or sequence. It is to be understood that the data so used are interchangeable under appropriate circumstances so that the embodiments of the application described herein can, for example, be practiced in sequences other than those illustrated or described herein. In addition, the terms "including" and "having" and any variations thereof are intended to cover non-exclusive inclusions, e.g., a process, method, system, product, or apparatus that encompasses a series of steps or units and need not be limited to those explicitly listed. Those steps or elements may instead include other steps or elements not expressly listed or inherent to the process, method, product or apparatus.
应当理解,在本申请中,“至少一个(项)”是指一个或者多个,“多个”是指两个或两个以上。“和/或”,用于描述关联对象的关联关系,表示可以存在三种关系,例如,“A和/或B”可以表示:只存在A,只存在B以及同时存在A和B三种情况,其中A,B可以是单数或者复数。字符“/”一般表示前后关联对象是一种“或”的关系。“以下至少一项(个)”或其类似表达,是指这些项中的任意组合,包括单项(个)或复数项(个)的任意组合。例如,a,b或c中的至少一项(个),可以表示:a,b,c,“a和b”,“a和c”,“b和c”,或“a和b和c”,其中a,b,c可以是单个,也可以是多个。It should be understood that in this application, "at least one (item)" refers to one or more, and "plurality" refers to two or more. "And/or" is used to describe the relationship between associated objects, indicating that there can be three relationships. For example, "A and/or B" can mean: only A exists, only B exists, and A and B exist simultaneously. , where A and B can be singular or plural. The character "/" generally indicates that the related objects are in an "or" relationship. “At least one of the following” or similar expressions thereof refers to any combination of these items, including any combination of a single item (items) or a plurality of items (items). For example, at least one of a, b or c can mean: a, b, c, "a and b", "a and c", "b and c", or "a and b and c" ”, where a, b, c can be single or multiple.
在本申请所提供的几个实施例中,应该理解到,所揭露的装置和方法,可以通过其它的方式实现。例如,以上所描述的装置实施例仅仅是示意性的,例如,所述单元的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,例如多个单元或组件可以结合或者可以集成到另一个系统,或一些特征可以忽略,或不执行。另一点,所显示或讨论的相互之间的耦合或直接耦合或通信连接可以是通过一些接口,装置或单元的间接耦合或通信连接,可以是电性,机械或其它的形式。In the several embodiments provided in this application, it should be understood that the disclosed devices and methods can be implemented in other ways. For example, the device embodiments described above are only illustrative. For example, the division of the units is only a logical function division. In actual implementation, there may be other division methods. For example, multiple units or components may be combined or can be integrated into another system, or some features can be ignored, or not implemented. On the other hand, the coupling or direct coupling or communication connection between each other shown or discussed may be through some interfaces, and the indirect coupling or communication connection of the devices or units may be in electrical, mechanical or other forms.
所述作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部单元来实现本实施例方案的目的。The units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place, or they may be distributed to multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
另外,在本申请各个实施例中的各功能单元可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个单元中。上述集成的单元既可以采用硬件的形式实现,也可以采用软件功能单元的形式实现。In addition, each functional unit in each embodiment of the present application can be integrated into one processing unit, each unit can exist physically alone, or two or more units can be integrated into one unit. The above integrated units can be implemented in the form of hardware or software functional units.
所述集成的单元如果以软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。基于这样的理解,本申请的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的全部或部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以通过一台计算机设备(可以是个人计算机,服务器,或者网络设备等)执行本申请各个实施例所述方法的全部或部分步骤。而前述的存储介质包括:U盘、移动硬盘、只读存储器(英文全称:Read-Only Memory,英文缩写:ROM)、随机存取存储器(英文全称:Random Access Memory,英文缩写:RAM)、磁碟或者光盘等各种可以存储程序代码的介质。If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application is essentially or contributes to the existing technology, or all or part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium , including several instructions for executing all or part of the steps of the methods described in various embodiments of the application through a computer device (which can be a personal computer, a server, or a network device, etc.). The aforementioned storage media include: U disk, mobile hard disk, read-only memory (English full name: Read-Only Memory, English abbreviation: ROM), random access memory (English full name: Random Access Memory, English abbreviation: RAM), magnetic Various media that can store program code, such as discs or optical disks.
以上所述,以上实施例仅用以说明本申请的技术方案,而非对其限制;尽管参照前述实施例对本申请进行了详细的说明,本领域的普通技术人员应当理解:其依然可以对前述各实施例所记载的技术方案进行修改,或者对其中部分技术特征进行等同替换;而这些修改或者替换,并不使相应技术方案的本质脱离本申请各实施例技术方案的精神和范围。As mentioned above, the above embodiments are only used to illustrate the technical solution of the present application, but not to limit it. Although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they can still make the foregoing technical solutions. The technical solutions described in each embodiment may be modified, or some of the technical features may be equivalently replaced; however, these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions in each embodiment of the present application.

Claims (10)

  1. 一种基于属性加密的设备安全认证方法,其特征在于,应用于终端设备,方法包括:A device security authentication method based on attribute encryption, which is characterized in that it is applied to terminal devices. The method includes:
    在接入区块链中的认证服务器进行注册时,初始化生成对称密钥和随机数,并通过认证服务器的属性标识公钥加密所述对称密钥和所述随机数得到第一加密信息;When accessing the authentication server in the blockchain for registration, initialize and generate a symmetric key and a random number, and encrypt the symmetric key and the random number through the attribute identification public key of the authentication server to obtain the first encrypted information;
    发送携带有所述第一加密信息和设备出厂标识的注册认证请求给所述认证服务器,由所述认证服务器根据所述设备出厂标识对所述终端设备进行认证;Send a registration authentication request carrying the first encryption information and the device factory identification to the authentication server, and the authentication server authenticates the terminal device according to the device factory identification;
    接收所述认证服务器在认证成功后返回的第二加密信息,通过所述对称密钥解密所述第二加密信息得到属性加密标识私钥和随机数;其中,所述属性加密标识私钥由所述认证服务器根据所述终端设备的属性信息生成,所述属性信息包括位置信息、所述终端设备所绑定用户的用户信息和所述设备出厂标识;所述第二加密信息由所述认证服务器通过自身的属性标识私钥对所述第一加密信息进行解密得到的对称密钥对所述属性加密标识私钥和解密出的随机数加密得到;Receive the second encrypted information returned by the authentication server after successful authentication, and decrypt the second encrypted information using the symmetric key to obtain the attribute encryption identification private key and a random number; wherein the attribute encryption identification private key is obtained by The authentication server is generated based on the attribute information of the terminal device, the attribute information includes location information, user information of the user bound to the terminal device and the device factory identification; the second encrypted information is generated by the authentication server The symmetric key obtained by decrypting the first encrypted information with its own attribute identification private key is obtained by encrypting the attribute encryption identification private key and the decrypted random number;
    通过自身生成的所述随机数和解密出的随机数验证所述认证服务器的合法性,在验证所述认证服务器合法后,保存所述属性加密标识私钥。The legitimacy of the authentication server is verified through the random number generated by itself and the random number decrypted. After verifying that the authentication server is legitimate, the attribute encryption identification private key is saved.
  2. 根据权利要求1所述的基于属性加密的设备安全认证方法,其特征在于,所述终端设备出厂时预设有所述认证服务器的地址,所述方法还包括:The device security authentication method based on attribute encryption according to claim 1, characterized in that the address of the authentication server is preset when the terminal device leaves the factory, and the method further includes:
    所述终端设备在绑定用户后,根据所述认证服务器的地址发送属性信息给所述认证服务器。After binding the user, the terminal device sends attribute information to the authentication server according to the address of the authentication server.
  3. 根据权利要求1所述的基于属性加密的设备安全认证方法,其特征在于,所述终端设备的位置信息的获取过程为:The device security authentication method based on attribute encryption according to claim 1, characterized in that the acquisition process of the location information of the terminal device is:
    所述终端设备在接入区块链时,根据自身与区块链中的目标节点的相对位置和所述目标节点的位置坐标计算所述终端设备的位置坐标,得到所述终端设备的位置信息。When the terminal device accesses the blockchain, it calculates the location coordinates of the terminal device based on its relative position to the target node in the blockchain and the location coordinates of the target node to obtain the location information of the terminal device. .
  4. 根据权利要求1所述的基于属性加密的设备安全认证方法,其特征在于,所述通过自身生成的所述随机数和解密出的随机数验证所述认证服务器的合法性,包括:The device security authentication method based on attribute encryption according to claim 1, characterized in that the verification of the legitimacy of the authentication server through the random number generated by itself and the decrypted random number includes:
    比对自身生成的所述随机数和解密出的随机数是否相同;Compare whether the random number generated by itself and the random number decrypted are the same;
    若相同,则验证所述认证服务器是合法的;If they are the same, verify that the authentication server is legal;
    若不相同,则验证所述认证服务器是不合法的。If they are not the same, it is verified that the authentication server is illegal.
  5. 一种基于属性加密的设备安全认证方法,其特征在于,应用于认证服务器,方法包括:A device security authentication method based on attribute encryption, which is characterized in that it is applied to an authentication server. The method includes:
    接收终端设备发送的注册认证请求,根据所述注册认证请求携带的设备出厂标识对所述终端设备进行认证,并通过自身的属性标识私钥对所述注册认证请求携带的第一加密信息进行解密得到对称密钥和随机数;所述第一加密信息由所述终端设备通过所述认证服务器的属性标识公钥对初始化生成的对称密钥和随机数加密生成;Receive the registration authentication request sent by the terminal device, authenticate the terminal device according to the device factory identification carried in the registration authentication request, and decrypt the first encrypted information carried in the registration authentication request through its own attribute identification private key. Obtain the symmetric key and random number; the first encrypted information is encrypted and generated by the symmetric key and random number generated by the terminal device through the attribute identification public key pair of the authentication server;
    在认证成功后,根据所述终端设备的属性信息生成所述终端设备的属性加密标识私钥,并通过解密出的对称密钥对所述属性加密标识私钥和解密出的随机数进行加密得到第二加密信息,所述属性信息包括位置信息、所述终端设备所绑定用户的用户信息和所述设备出厂标识;After the authentication is successful, the attribute encryption identification private key of the terminal device is generated according to the attribute information of the terminal device, and the attribute encryption identification private key and the decrypted random number are encrypted with the decrypted symmetric key to obtain second encrypted information, the attribute information includes location information, user information of the user bound to the terminal device and the device factory identification;
    将所述第二加密信息发送给所述终端设备,使得所述终端设备通过自身生成的所述对称密钥解密所述第二加密信息得到属性加密标识私钥和随机数,比对自身生成的所述随机数和解密出的随机数验证所述认证服务器的合法性,并在验证所述认证服务器合法后,保存所述属性加密标识私钥。Send the second encrypted information to the terminal device, so that the terminal device decrypts the second encrypted information using the symmetric key generated by itself to obtain the attribute encryption identification private key and a random number, and compares it with the symmetric key generated by itself. The random number and the decrypted random number verify the legitimacy of the authentication server, and after verifying that the authentication server is legitimate, the attribute encryption identification private key is saved.
  6. 根据权利要求5所述的基于属性加密的设备安全认证方法,其特征在于,所述根据所述终端设备的属性信息生成所述终端设备的属性加密标识私钥,包括:The device security authentication method based on attribute encryption according to claim 5, characterized in that generating the attribute encryption identification private key of the terminal device according to the attribute information of the terminal device includes:
    根据所述终端设备的属性信息给所述终端设备分配设备标识;Assign a device identification to the terminal device according to the attribute information of the terminal device;
    根据所述终端设备的设备标识生成所述终端设备的属性加密标识私钥。Generate an attribute encryption identification private key of the terminal device according to the device identification of the terminal device.
  7. 一种终端设备,其特征在于,包括:A terminal device, characterized by including:
    初始化单元,用于在接入区块链中的认证服务器进行注册时,初始化生成对称密钥和随机数,并通过认证服务器的属性标识公钥加密所述对称密钥和所述随机数得到第一加密信息;The initialization unit is used to initialize and generate a symmetric key and a random number when accessing the authentication server in the blockchain for registration, and to encrypt the symmetric key and the random number through the attribute identification public key of the authentication server to obtain the third - encrypted information;
    发送单元,用于发送携带有所述第一加密信息和设备出厂标识的注册认证请求给所述认证服务器,由所述认证服务器根据所述设备出厂标识对所述终端设备进行认证;A sending unit configured to send a registration authentication request carrying the first encryption information and a device factory identification to the authentication server, and the authentication server authenticates the terminal device according to the device factory identification;
    接收单元,用于接收所述认证服务器在认证成功后返回的第二加密信息,通过所述对称密钥解密所述第二加密信息得到属性加密标识私钥和随机数;其中,所述属性加密标识私钥由所述认证服务器根据所述终端设备的属性信息生成,所述属性信息包括位置信息、所述终端设备所绑定用户的用户信息和所述设备出厂标识;所述第二加密信息由所述认证服务器通过自身的属性标识私钥对所述第一加密信息进行解密得到的对称密钥对所述属性加密标识私钥和解密出的随机数加密得到;A receiving unit, configured to receive the second encrypted information returned by the authentication server after successful authentication, and to decrypt the second encrypted information using the symmetric key to obtain the attribute encryption identification private key and a random number; wherein, the attribute encryption The identification private key is generated by the authentication server based on the attribute information of the terminal device. The attribute information includes location information, user information of the user bound to the terminal device and the device factory identification; the second encrypted information The symmetric key obtained by the authentication server decrypting the first encrypted information using its own attribute identification private key is obtained by encrypting the attribute encryption identification private key and the decrypted random number;
    验证单元,用于通过比对自身生成的所述随机数和解密出的随机数验证所述认证服务器的合法性,在验证所述认证服务器合法后,保存所述属性加密标识私钥。The verification unit is configured to verify the legitimacy of the authentication server by comparing the random number generated by itself with the decrypted random number, and after verifying that the authentication server is legal, save the attribute encryption identification private key.
  8. 一种认证服务器,其特征在于,包括:An authentication server, characterized by including:
    接收单元,用于接收终端设备发送的注册认证请求,根据所述注册认证请求携带的设备出厂标识对所述终端设备进行认证,并通过自身的属性标识私钥对所述注册认证请求携带的第一加密信息进行解密得到对称密钥和随机数;所述第一加密信息由所述终端设备通过所述认证服务器的属性标识公钥对初始化生成的对称密钥和随机数加密生成;The receiving unit is configured to receive the registration authentication request sent by the terminal device, authenticate the terminal device according to the device factory identification carried in the registration authentication request, and authenticate the third ID carried in the registration authentication request through its own attribute identification private key. Decrypt an encrypted information to obtain a symmetric key and a random number; the first encrypted information is generated by encrypting the symmetric key and random number generated by the terminal device through the attribute identification public key of the authentication server;
    加密单元,用于在认证成功后,根据所述终端设备的属性信息生成所述终端设备的属性加密标识私钥,并通过解密出的对称密钥对所述属性加密标识私钥和解密出的随机数进行加密得到第二加密信息,所述属性信息包括位置信息、所述终端设备所绑定用户的用户信息和所述设备出厂标识;An encryption unit, configured to generate an attribute encryption identification private key of the terminal device according to the attribute information of the terminal device after successful authentication, and use the decrypted symmetric key to combine the attribute encryption identification private key and the decrypted symmetric key. The random number is encrypted to obtain the second encrypted information, and the attribute information includes location information, user information of the user bound to the terminal device, and the device factory identification;
    发送单元,用于将所述第二加密信息发送给所述终端设备,使得所述终端设备通过自身生成的所述对称密钥解密所述第二加密信息得到属性加密标识私钥和随机数,通过自身生成的所述随机数和解密出的随机数验证所述认证服务器的合法性,并在验证所述认证服务器合法后,保存所述属性加密标识私钥。A sending unit configured to send the second encrypted information to the terminal device, so that the terminal device decrypts the second encrypted information using the symmetric key generated by itself to obtain the attribute encryption identification private key and a random number, The legitimacy of the authentication server is verified through the random number generated by itself and the random number decrypted, and after verifying that the authentication server is legitimate, the attribute encryption identification private key is saved.
  9. 一种基于属性加密的设备安全认证系统,其特征在于,包括:权利要求7所述的终端设备和权利要求8所述的认证服务器。A device security authentication system based on attribute encryption, characterized by comprising: the terminal device according to claim 7 and the authentication server according to claim 8.
  10. 一种基于属性加密的设备安全认证设备,其特征在于,所述设备包括处理器以及存储器;A device security authentication device based on attribute encryption, characterized in that the device includes a processor and a memory;
    所述存储器用于存储程序代码,并将所述程序代码传输给所述处理器;The memory is used to store program code and transmit the program code to the processor;
    所述处理器用于根据所述程序代码中的指令执行权利要求1-4任一项所述的基于属性加密的设备安全认证方法,或执行权利要求5-6任一项所述的基于属性加密的设备安全认证方法。The processor is configured to execute the attribute encryption-based device security authentication method described in any one of claims 1-4 according to the instructions in the program code, or execute the attribute-based encryption described in any one of claims 5-6. Device security certification method.
PCT/CN2022/133389 2022-08-12 2022-11-22 Attribute encryption-based device security authentication method and related apparatus thereof WO2024031868A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210968066.4A CN115348076B (en) 2022-08-12 2022-08-12 Equipment security authentication method and system based on attribute encryption and related devices thereof
CN202210968066.4 2022-08-12

Publications (1)

Publication Number Publication Date
WO2024031868A1 true WO2024031868A1 (en) 2024-02-15

Family

ID=83951676

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/133389 WO2024031868A1 (en) 2022-08-12 2022-11-22 Attribute encryption-based device security authentication method and related apparatus thereof

Country Status (2)

Country Link
CN (1) CN115348076B (en)
WO (1) WO2024031868A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115348076B (en) * 2022-08-12 2024-02-06 天翼数字生活科技有限公司 Equipment security authentication method and system based on attribute encryption and related devices thereof
CN116248280B (en) * 2023-05-09 2023-07-28 北京智芯微电子科技有限公司 Anti-theft method for security module without key issue, security module and device
CN117093969A (en) * 2023-08-22 2023-11-21 上海合芯数字科技有限公司 Debugging authorization method and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018076365A1 (en) * 2016-10-31 2018-05-03 美的智慧家居科技有限公司 Key negotiation method and device
CN113037484A (en) * 2021-05-19 2021-06-25 银联商务股份有限公司 Data transmission method, device, terminal, server and storage medium
CN115348076A (en) * 2022-08-12 2022-11-15 天翼数字生活科技有限公司 Equipment security authentication method based on attribute encryption and related device thereof

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112351000B (en) * 2020-10-16 2024-02-09 深圳Tcl新技术有限公司 Bidirectional identity verification method, system, equipment and storage medium
CN113890724A (en) * 2021-08-17 2022-01-04 中国南方电网有限责任公司 Access authentication method and system for power Internet of things communication equipment

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018076365A1 (en) * 2016-10-31 2018-05-03 美的智慧家居科技有限公司 Key negotiation method and device
CN113037484A (en) * 2021-05-19 2021-06-25 银联商务股份有限公司 Data transmission method, device, terminal, server and storage medium
CN115348076A (en) * 2022-08-12 2022-11-15 天翼数字生活科技有限公司 Equipment security authentication method based on attribute encryption and related device thereof

Also Published As

Publication number Publication date
CN115348076A (en) 2022-11-15
CN115348076B (en) 2024-02-06

Similar Documents

Publication Publication Date Title
JP7119040B2 (en) Data transmission method, device and system
WO2024031868A1 (en) Attribute encryption-based device security authentication method and related apparatus thereof
JP4617763B2 (en) Device authentication system, device authentication server, terminal device, device authentication method, and device authentication program
CN109728909B (en) Identity authentication method and system based on USBKey
JP5474969B2 (en) Mobile device association
KR101265873B1 (en) Distributed single sign-on service
WO2017097041A1 (en) Data transmission method and device
WO2018050081A1 (en) Device identity authentication method and apparatus, electric device, and storage medium
JP5431479B2 (en) Protocol for associating devices with stations
CN111416807B (en) Data acquisition method, device and storage medium
KR101985179B1 (en) Blockchain based id as a service
JP2020080530A (en) Data processing method, device, terminal, and access point computer
US10601590B1 (en) Secure secrets in hardware security module for use by protected function in trusted execution environment
EP2792100A1 (en) Method and device for secure communications over a network using a hardware security engine
CN112351037B (en) Information processing method and device for secure communication
CN108809633B (en) Identity authentication method, device and system
CN110635901B (en) Local Bluetooth dynamic authentication method and system for Internet of things equipment
CN111275440B (en) Remote key downloading method and system
US20220385644A1 (en) Sharing encrypted items with participants verification
WO2022100356A1 (en) Identity authentication system, method and apparatus, device, and computer readable storage medium
JP2017525236A (en) Ensuring communication safety with enhanced media platform
JP4344783B2 (en) Seed delivery type one-time ID authentication
JP2005322033A (en) Information distribution system, information distribution server, terminal appliance, information distribution method, information reception method, information processing program and storage medium
CN111740995B (en) Authorization authentication method and related device
JP2024501326A (en) Access control methods, devices, network equipment, terminals and blockchain nodes

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22954806

Country of ref document: EP

Kind code of ref document: A1