CN105975846B - The authentication method and system of terminal - Google Patents


Info

Publication number
CN105975846B
CN105975846B (application CN201610280800.2A; earlier publication CN105975846A)
Authority
CN
China
Prior art keywords
terminal
key
user
authentication
registrar
Legal status
Active
Application number
CN201610280800.2A
Other languages
Chinese (zh)
Other versions
CN105975846A (en)
Inventor
汤镇辉
Current Assignee
Yulong Computer Telecommunication Scientific Shenzhen Co Ltd
Original Assignee
Yulong Computer Telecommunication Scientific Shenzhen Co Ltd
Events
Application filed by Yulong Computer Telecommunication Scientific Shenzhen Co Ltd
Priority to CN201610280800.2A
Priority to PCT/CN2016/084058 (published as WO2017185450A1)
Publication of CN105975846A
Application granted
Publication of CN105975846B
Status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/44 Program or device authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Storage Device Security (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

An authentication method for terminals, for mutual authentication between two terminals. A first terminal receives an authentication request sent by a second terminal, computes verification information from the request, and decides from that verification information whether to accept the second terminal's authentication. A corresponding terminal authentication system is also provided. The authentication needs no third party, reduces the network and computing resources consumed, and addresses the security of online transactions performed by user terminals.

Description

Authentication method and system for a terminal
Technical field
The present invention relates to the technical field of network security, and in particular to an authentication method and system for a terminal.
Background technique
In broad terms, M2M covers machine-to-machine (Machine to Machine), man-to-machine (Man to Machine), machine-to-man (Machine to Man) and mobile-network-to-machine (Mobile to Machine) connection and communication; it covers all technologies and means for establishing communication links between people, machines and systems. M2M services provide customers in various industries with a complete solution for data acquisition, transmission, processing and service management. Currently M2M focuses on wireless communication between machines in three modes: machine to machine, machine to mobile phone (for example remote monitoring by a user), and mobile phone to machine (for example remote control by a user).
The Wireless M2M Protocol (WMMP) is an application-layer protocol designed for the data communication between M2M terminals and the M2M platform, between M2M terminals, and between the M2M platform and application platforms in M2M services. It was developed by China Mobile for M2M services and provides end-to-end wireless communication, terminal management, service security and similar basic functions. According to WMMP, an M2M terminal may use M2M services only after it has registered with, and been authenticated by, the M2M platform.
Existing solutions for machine-to-machine authentication are based on a public-key cryptosystem: each M2M terminal obtains an identity certificate and the corresponding private key from a trusted third-party certificate authority (CA), and obtains the CA certificate used to verify other identity certificates; when an M2M terminal accesses the network, the two sides verify each other's identity by exchanging their identity certificates, and the terminal is admitted to the network only after authentication succeeds.
Public-key cryptosystems have the drawbacks of complex cryptographic computation and sharply reduced performance and efficiency when encrypting large amounts of data; when the number of terminal nodes is huge, authenticating a large number of users consumes network and computing resources through signalling exchange.
In addition, a public-key cryptosystem relies on a trusted third party to manage keys, which, under deliberate threats such as viruses, hackers, phishing and phishing fraud, poses a great challenge to the security of online transactions.
Summary of the invention
In view of the above, it is necessary to propose an authentication method for a terminal that needs no third party during authentication, reduces the occupancy of network and computing resources, and addresses the security of online transactions performed by user terminals.
An authentication method for a terminal, comprising:
a first terminal receiving a first authentication request sent by a second terminal, computing first verification information from the first authentication request, and performing authentication of the second terminal according to the first verification information; and
when the first terminal has authenticated the legitimate identity of the second terminal, the first terminal sending a second authentication request to the second terminal, so that the second terminal computes second verification information from the second authentication request and performs authentication of the first terminal according to the second verification information.
In other preferred embodiments of the invention, the first authentication request sent by the second terminal includes the user name, authentication key and timestamp of the second terminal; and the first verification information includes a first verification key, computed from the received user name and timestamp of the second terminal using the registration server's server key and the encryption algorithm.
In other preferred embodiments of the invention, performing authentication of the second terminal according to the first verification information includes:
when the authentication key of the second terminal is identical to the first verification key, authenticating the legitimate identity of the second terminal; and
when the authentication key of the second terminal and the first verification key are not identical, terminating the authentication operation for the second terminal.
In other preferred embodiments of the invention, before the first verification information is computed from the first authentication request and authentication of the second terminal is performed according to it, the method further includes:
when the difference between the timestamp at which the first authentication request of the second terminal was received and the timestamp sent by the second terminal is less than a preset validity interval, computing the first verification information; and
when the difference between the timestamp at which the first authentication request of the second terminal was received and the timestamp sent by the second terminal is greater than or equal to the preset validity interval, terminating the authentication operation for the second terminal.
In other preferred embodiments of the invention, the authentication method further includes registering the first terminal, which comprises:
the first terminal sending its user name and encrypted user key to the registration server;
receiving from the registration server the doubly encrypted user key, the registration key of the first terminal, the encrypted server key and the encryption algorithm used by the registration server, where the doubly encrypted user key is obtained by the registration server encrypting the received user key a second time with the encryption algorithm, and the registration key is computed by the registration server from the user name of the first terminal, the user key and the encrypted server key using the encryption algorithm; and
storing the doubly encrypted user key, the registration key, the encrypted server key and the encryption algorithm received from the registration server in a secure storage area of the first terminal.
In other preferred embodiments of the invention, the user key is one of, or a combination of several of, the user's biometric keys, including a fingerprint key, an iris key, a voice key and a face key.
In other preferred embodiments of the invention, the secure storage area is the secure storage area of the embedded SIM card of the first terminal.
In other preferred embodiments of the invention, the user name is the identity identifier provided by the embedded SIM card.
In other preferred embodiments of the invention, the authentication method further includes modifying the user key on the first terminal, which comprises:
when a request to modify the user key is received, prompting the user to enter the current user key; and
when the current user key entered by the user is verified as correct, prompting the user to enter a new user key into the first terminal.
In other preferred embodiments of the invention, modifying the user key further includes:
encrypting the new user key twice with the encryption algorithm, computing a new registration key for the first terminal from the user name of the first terminal, the new user key and the encrypted server key using the encryption algorithm, storing the doubly encrypted new user key and the new registration key in the secure storage area of the first terminal, and notifying the user that the new user key has been set successfully.
In view of the above, it is also necessary to propose an authentication system for a terminal that needs no third party during authentication, reduces the occupancy of network and computing resources, and addresses the security of online transactions performed by user terminals.
An authentication system for a terminal, comprising:
an authentication module, configured to:
receive a first authentication request sent by a second terminal, compute first verification information from the first authentication request, and perform authentication of the second terminal according to the first verification information; and
when the legitimate identity of the second terminal has been authenticated, send a second authentication request to the second terminal, so that the second terminal computes second verification information from the second authentication request and performs authentication of the first terminal according to the second verification information.
In other preferred embodiments of the invention, the first authentication request sent by the second terminal includes the user name, authentication key and timestamp of the second terminal; and the first verification information includes a first verification key, computed from the received user name and timestamp of the second terminal using the registration server's server key and the encryption algorithm.
In other preferred embodiments of the invention, performing authentication of the second terminal according to the first verification information includes:
when the authentication key of the second terminal is identical to the first verification key, authenticating the legitimate identity of the second terminal; and
when the authentication key of the second terminal and the first verification key are not identical, terminating the authentication operation for the second terminal.
In other preferred embodiments of the invention, the authentication module is further configured to:
when the difference between the timestamp at which the first authentication request of the second terminal was received and the timestamp sent by the second terminal is less than a preset validity interval, compute the first verification information; and
when the difference between the timestamp at which the first authentication request of the second terminal was received and the timestamp sent by the second terminal is greater than or equal to the preset validity interval, terminate the authentication operation for the second terminal.
In other preferred embodiments of the invention, the mutual authentication system further comprises:
a registration module, configured to submit a registration request to the registration server, receive the registration-related information that the registration server sends in response to the registration request, and store that information in the secure storage area of the first terminal, where:
the registration request includes the user name and encrypted user key of the first terminal; and
the registration-related information includes the doubly encrypted user key, the registration key of the first terminal, the encrypted server key and the encryption algorithm used by the registration server, where the doubly encrypted user key is obtained by the registration server encrypting the received user key a second time with the encryption algorithm, and the registration key is computed by the registration server from the user name of the first terminal, the user key and the encrypted server key using the encryption algorithm.
In other preferred embodiments of the invention, the user key is one of, or a combination of several of, the user's biometric keys, including a fingerprint key, an iris key, a voice key and a face key.
In other preferred embodiments of the invention, the secure storage area is the secure storage area of the embedded SIM card of the first terminal.
In other preferred embodiments of the invention, the user name is the identity identifier provided by the embedded SIM card.
In other preferred embodiments of the invention, the authentication system further comprises:
a key modification module, configured to prompt the user to enter the current user key of the first terminal when a request to modify the user key is received, and, when the current user key entered by the user is correct, to prompt the user to enter a new user key.
In other preferred embodiments of the invention, the key modification module is further configured to:
encrypt the new user key twice with the encryption algorithm, compute the new registration key of the first terminal from the user name of the first terminal, the new user key and the encrypted server key using the encryption algorithm, store the doubly encrypted new user key and the new registration key in the secure storage area of the first terminal, and notify the user that the new user key has been set successfully.
Compared with the prior art, in the method of the invention the terminal sends its user name and an encrypted user key to the registration server during registration, rather than the user key itself, so that even an insider attacker at the registration server cannot obtain the user key, which keeps the user key secure. The method also uses a timestamp mechanism to prevent replay attacks. Furthermore, even if the key of the registration server is leaked, no user key is exposed, because the registration server itself stores no user key information. Finally, the method does not require the registration server to participate in the mutual authentication of M2M terminals, which frees the registration server's computing resources.
Brief description of the drawings
Fig. 1 is a flowchart of the registration phase in a preferred embodiment of the authentication method for an M2M terminal of the invention.
Fig. 2 is an example diagram of the registration phase in a preferred embodiment of the authentication method for an M2M terminal of the invention.
Figs. 3 and 4 are flowcharts of the mutual authentication phase in a preferred embodiment of the terminal authentication method of the invention.
Fig. 5 is an example diagram of the mutual authentication phase in one preferred embodiment of the terminal authentication method of the invention.
Fig. 6 is an example diagram of the mutual authentication phase in another preferred embodiment of the terminal authentication method of the invention.
Fig. 7 is a flowchart of the key modification phase in a preferred embodiment of the terminal authentication method of the invention.
Fig. 8 is an example diagram of the key modification phase in a preferred embodiment of the terminal authentication method of the invention.
Fig. 9 is a schematic diagram of the application environment of a preferred embodiment of the terminal authentication system of the invention.
Fig. 10 is a hardware architecture diagram of the terminal of the invention.
Fig. 11 is a functional block diagram of a preferred embodiment of the terminal authentication system of the invention.
Description of main reference numerals
M2M terminal 1
Registration server 2
Authentication system 10
Communication unit 11
Memory 12
Processor 13
eSIM card 14
Registration module 100
Authentication module 101
Key modification module 102
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the invention.
All other embodiments that a person of ordinary skill in the art can obtain from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
In the embodiments of the invention, the terminal is an M2M terminal. M2M may denote machine-to-machine (Machine to Machine), man-to-machine (Man to Machine), machine-to-man (Machine to Man) or mobile-network-to-machine (Mobile to Machine) connection and communication, and covers all technologies and means for establishing communication links between people, machines and systems. An M2M terminal may be either the first terminal or the second terminal in a connection and communication; the words "first" and "second", where present, are used to denote names and do not indicate any particular order.
Referring to Fig. 1, a flowchart of the registration phase in a preferred embodiment of the terminal authentication method of the invention. Depending on requirements, the order of the steps in the flowchart may be changed and some steps may be omitted.
S10: the M2M terminal sends its user name and encrypted user key to the registration server.
In the preferred embodiment, the user name may be the identity identifier provided by the eSIM card embedded in the M2M terminal, such as the mobile phone number, or a user name chosen by the user, in which case the user name must first be bound to the mobile phone number. The user key may be one of, or a combination of several of, the user's biometric keys; common biometric keys include a fingerprint key, an iris key, a voice key and a face key.
S11: after receiving the user name and encrypted user key sent by the M2M terminal, the registration server encrypts the user key a second time with an encryption algorithm.
In this embodiment, the encryption algorithm may be a hashing algorithm.
S12: the registration server computes the registration key of the M2M terminal with the encryption algorithm, from the user name and user key sent by the M2M terminal together with the registration server's encrypted server key.
S13: the registration server sends the computed doubly encrypted user key, the registration key of the M2M terminal, the encrypted server key and the encryption algorithm used to the M2M terminal, which stores them in its secure storage area, for example the secure storage area of the eSIM card embedded in the M2M terminal.
From the above process it can be seen that, in the preferred embodiment, when the user of an M2M terminal first applies to join the M2M platform and use M2M services, a registration application is made to the registration server. The user may choose a user name UID (User ID) and a user key BK (Biosignature key); the UID and the encrypted BK are then sent to the registration server over a secure channel. The registration server responds to the user's request by computing the registration key and related information for the M2M terminal, and finally sends that information over the secure channel to the secure storage area of the M2M terminal.
In the preferred embodiment, during the registration of the M2M terminal's user with the registration server, the user sends the UID and the encrypted BK, not the user key BK itself, to the registration server, so that even an insider attacker at the registration server cannot obtain the user key BK, which keeps the user key secure.
An example of the registration phase is shown in Fig. 2.
The parameters used in the registration phase of Fig. 2 are first defined:
UID denotes the user name; BK denotes the user's biometric key; Hash() denotes a hash function; RSK denotes the registration server key; ※ denotes an encryption/decryption operation (for example XOR).
As shown in Fig. 2, the registration of M2M terminal user UIDi comprises:
1: the user name UIDi and the encrypted user key Hash(BKi) are sent to the registration server;
2: the registration server first computes the user key hash of user UIDi with the hash function: HHBKi = Hash(Hash(BKi));
3: the registration server then uses the hash function, the user name UIDi, the encrypted user key Hash(BKi) and the encrypted registration server key Hash(RSK) to compute the registration key hash of user UIDi: HRSKi = Hash(UIDi ※ Hash(RSK)) ※ Hash(BKi);
4: the registration server stores the encryption/decryption-related information used in computing the user key hash and the registration key hash, namely [HHBKi, HRSKi, UIDi, Hash(RSK), Hash()], in the secure storage area of the eSIM card of user UIDi.
Similarly, the registration of M2M terminal user UIDj comprises:
1: the user name UIDj and the encrypted user key Hash(BKj) are sent to the registration server;
2: the registration server computes the user key hash of user UIDj: HHBKj = Hash(Hash(BKj));
3: the registration server computes the registration key hash of user UIDj: HRSKj = Hash(UIDj ※ Hash(RSK)) ※ Hash(BKj);
4: the registration server stores the encryption/decryption-related information used in computing the user key hash and the registration key hash, namely [HHBKj, HRSKj, UIDj, Hash(RSK), Hash()], in the secure storage area of the eSIM card of user UIDj.
This completes the registration of the two M2M terminals.
After M2M terminal users UIDi and UIDj have completed registration, they still need to authenticate each other before they can connect and communicate. Under existing authentication schemes, each M2M terminal would separately complete authentication and data transfer with the registration server, and the registration server would then be unable to handle such a huge volume of user requests, seriously degrading the quality of the M2M service.
In the present case, authentication in the authentication phase takes place only between two or more M2M terminals, and the authentication process does not require the participation of the registration server; the detailed process is described below with reference to Figs. 3 to 5.
Referring to Figs. 3 and 4, flowcharts of the authentication phase in a preferred embodiment of the M2M terminal authentication method of the invention. The order of the steps in the flowcharts may be changed as required and some steps may be omitted.
Referring to Fig. 3:
S20: the first terminal computes its authentication key SKi from the registration key and encrypted user key stored in its secure storage area and the current timestamp Tci, using the encryption algorithm stored in its secure storage area.
In this embodiment, the stored registration key and encryption algorithm were sent by the registration server in the registration phase.
S21: the first terminal sends its user name, the authentication key SKi and the timestamp Tci to the second terminal.
S22: on receiving the user name, authentication key SKi and timestamp Tci sent by the first terminal, the second terminal obtains the current timestamp Tcj.
S23: the second terminal checks whether Tcj - Tci < ΔT, where ΔT is the preset validity interval.
If Tcj - Tci >= ΔT, the second terminal concludes that a replay attack may have occurred and terminates this authentication process.
If Tcj - Tci < ΔT:
S24: the second terminal computes a verification key SKij from the received user name and timestamp Tci of the first terminal, using the stored server key of the registration server.
S25: the second terminal checks whether SKij = SKi.
If SKij ≠ SKi, this authentication process is terminated.
Otherwise, if SKij = SKi, S26: the second terminal accepts the authentication of the first terminal.
This completes the second terminal's authentication of the first terminal; next the first terminal authenticates the second terminal, as shown in Fig. 4:
S30: the second terminal computes its authentication key SKj from the registration key and encrypted user key stored in its secure storage area and the current timestamp Tcj, using the encryption algorithm stored in its secure storage area.
In this embodiment, the stored registration key and encryption algorithm were sent by the registration server in the registration phase.
S31: the second terminal sends its user name, the authentication key SKj and the timestamp Tcj to the first terminal.
S32: on receiving the user name, authentication key SKj and timestamp Tcj sent by the second terminal, the first terminal obtains the current timestamp Tcji.
S33: the first terminal checks whether Tcji - Tcj < ΔT, where ΔT is the preset validity interval.
If Tcji - Tcj >= ΔT, the first terminal concludes that a replay attack may have occurred and terminates this authentication process.
If Tcji - Tcj < ΔT:
S34: the first terminal computes a verification key SKji from the received user name and timestamp Tcj of the second terminal, using the stored server key of the registration server.
S35: the first terminal checks whether SKji = SKj.
If SKji ≠ SKj, this authentication process is terminated.
Otherwise, if SKji = SKj, S36: the first terminal accepts the authentication of the second terminal.
This completes the first terminal's verification of the second terminal.
It should be understood that the first and second terminals in the above embodiment are merely exemplary M2M terminals; their roles are interchangeable, and the process performed by the first terminal applies equally to the second terminal and vice versa.
From the above it can be seen that a mutual authentication operation can be performed whenever a user needs to be verified or needs to authenticate another user. As shown in Fig. 5, this operation comprises:
S37: the first terminal receives a first authentication request sent by the second terminal, computes first verification information from the first authentication request, and performs authentication of the second terminal according to the first verification information; and
S38: when the first terminal has authenticated the legitimate identity of the second terminal, the first terminal sends a second authentication request to the second terminal, so that the second terminal computes second verification information from the second authentication request and performs authentication of the first terminal according to the second verification information.
In the preferred embodiment, the mutual authentication operation takes place only between the M2M terminals performing identity authentication and does not require the participation of the registration server.
An example of the mutual authentication phase is shown in Fig. 6.
The parameters used in the mutual authentication phase of Fig. 6 are first defined:
Tci denotes the current timestamp of M2M terminal user UIDi; Tcj denotes the current timestamp of M2M terminal user UIDj; Tcji denotes the timestamp at which user UIDi receives user UIDj's message (as in S32 above); ΔT denotes the validity interval.
1: compute the authentication key hash of user UIDi: SKi = Hash(HRSKi ※ Hash(BKi) ※ Tci);
2: user UIDi sends the authentication request message [UIDi, SKi, Tci] to all users in the M2M service system;
3: any online user in the M2M service system that receives the request message enters the message authentication process.
Suppose user UIDi sends the request message to user UIDj, and user UIDj receives the request message sent by user UIDi at Tcj.
4: user UIDj first checks the validity of the request time, i.e. whether (Tcj - Tci) is less than ΔT. If (Tcj - Tci) < ΔT, user UIDj accepts the authentication request; otherwise it rejects the authentication request.
5: after step 4, assuming user UIDj has verified the validity of user UIDi's request time and accepted user UIDi's authentication request, user UIDj computes the verification key hash for time Tci: SKij = Hash(Hash(UIDi ※ Hash(RSK)) ※ Tci), and checks whether the SKij just computed equals the SKi sent by user UIDi. If the two are identical, user UIDj accepts user UIDi as a legitimate user; otherwise user UIDi is regarded as an illegitimate user.
6: after step 5, if user UIDj has accepted user UIDi as a legitimate user, it computes its own current authentication key hash: SKj = Hash(HRSKj ※ Hash(BKj) ※ Tcj), and then sends the request message [SKj, UIDj, Tcj] to user UIDi.
7: user UIDi first checks the validity of the request time, i.e. whether (Tcji - Tcj) is less than ΔT. If (Tcji - Tcj) < ΔT, user UIDi accepts the authentication request; otherwise it rejects the authentication request.
8: after step 7, assuming user UIDi has verified the validity of user UIDj's request time and accepted user UIDj's authentication request, it computes the verification key hash for time Tcj: SKji = Hash(Hash(UIDj ※ Hash(RSK)) ※ Tcj), and finally checks whether the SKji just computed equals the SKj sent by user UIDj. If the two are equal, user UIDi accepts user UIDj as a legitimate user; otherwise user UIDj is regarded as an illegitimate user.
When step 5 yields an SKij identical to the SKi sent by user UIDi, and step 8 yields an SKji identical to the SKj sent by user UIDj, i.e. when SKij = SKi and SKji = SKj, mutual authentication between users UIDi and UIDj has been achieved.
The above embodiments describe the registration and authentication of the terminal using a biometric feature of the user as the user key. It should be understood that the user's biometric key sometimes needs to be modified; for example, the user wishes to change the user key from a fingerprint key to an iris key, or the user key needs to be changed from the biometric feature of user A to the biometric feature of user B. How the user key is modified is described below.
Fig. 7 is a flowchart of the key modification stage in a preferred embodiment of the mutual authentication method for M2M terminals of the present invention. The execution order of the steps in the flowchart can change according to different requirements, and some steps can be omitted.
S40: when the M2M terminal receives a request to modify the user key, it prompts the user to input the current user key. For example, the M2M terminal may provide a key modification request icon in its user interface; when the user selects the icon, the M2M terminal determines that a request to modify the user key has been received.
S41: the M2M terminal judges whether the value obtained by performing the encryption operation twice on the current user key input by the user is consistent with the twice-encrypted user key transmitted by the registration server.
If the value obtained by performing the encryption operation twice on the current user key input by the user is inconsistent with the twice-encrypted user key transmitted by the registration server, the key modification process is terminated.
Otherwise, if the value obtained by performing the encryption operation twice on the current user key input by the user is consistent with the twice-encrypted user key transmitted by the registration server, then in S42 the M2M terminal prompts the user to input a new user key.
S43: the M2M terminal performs the encryption operation twice on the new user key using the encryption algorithm, calculates the new login key of the terminal using the encryption algorithm according to the user name of the M2M terminal, the new user key and the encrypted server key, and stores the twice-encrypted new user key and the new login key in the secure storage area of the terminal.
S44: the M2M terminal prompts the user that the new user key has been set successfully.
From the foregoing description, the user key modification stage mainly occurs when the user needs to modify the user key; the key modification process can only be executed after the user inputs the correct biometric user key. Since the secure storage area of the eSIM (Embedded SIM) card of the M2M terminal stores the encryption-related information, the key modification process does not require the participation of the registration server.
An example of the key modification is shown in the schematic diagram of Fig. 8.
1: When the user key needs to be modified, the user first inputs the current user key BKi on the M2M terminal;
2: The M2M terminal uses the hash function Hash() stored in the secure area of the eSIM card to perform the hash operation Hash(Hash(BKi)) on the user key input by the user, and judges whether the result equals the stored HHBKi. If the two are equal, the user key BKi input by the user is a legitimate key, and the new key registration process is entered;
3: The M2M terminal calculates the new user key hash value of user UIDi by hashing twice: HHBKn = Hash(Hash(BKn));
4: The M2M terminal then uses the hash function with the parameters UIDi, Hash(BKn) and Hash(RSK) of the user to calculate the new user registration key hash value of user UIDi: HRSKn = Hash(UIDn ※ Hash(RSK)) ※ Hash(BKn);
5: The M2M terminal stores the new user key hash value and user registration key hash value [HHBKn, HRSKn] in the secure storage area of the eSIM card of the M2M terminal of user UIDi;
6: The M2M terminal notifies user UIDi that the new key has been modified successfully.
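The two-way authentication exchange of Fig. 6 (steps 1 to 8) and the key modification flow of Fig. 8 (steps 1 to 6), worked through as one added Python example that is not part of the patent. It assumes SHA-256 for Hash(), reads "※" as bitwise XOR over 32-byte blocks (the only reading under which the SKij of step 5 equals SKi), maps a UID to a block by hashing it, encodes timestamps as 32-byte integers, and uses constructed sample keys and timestamps.

```python
"""Model of the patent's two-way authentication (Fig. 6, steps 1-8) and key
modification (Fig. 8, steps 1-6).  Added example, not the patent's code.
Assumptions not stated on the page: Hash() is SHA-256, "※" is bitwise XOR
over 32-byte blocks, a UID is mapped to a block by hashing its UTF-8 form,
and a timestamp is an integer encoded as a 32-byte big-endian value."""
import hashlib
import hmac
from dataclasses import dataclass

BLOCK = 32  # SHA-256 digest length in bytes


def Hash(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b) == BLOCK
    return bytes(x ^ y for x, y in zip(a, b))


def enc_uid(uid: str) -> bytes:
    return Hash(uid.encode())  # assumption: hash the user name to one block


def enc_time(t: int) -> bytes:
    return t.to_bytes(BLOCK, "big")


@dataclass
class SecureStore:
    """What a terminal keeps in the eSIM secure storage area after registration."""
    uid: str
    hhbk: bytes      # HHBK = Hash(Hash(BK)), the twice-encrypted user key
    hrsk: bytes      # HRSK = Hash(UID ※ Hash(RSK)) ※ Hash(BK), the login key
    hash_rsk: bytes  # Hash(RSK), the encrypted server key


def register(uid: str, bk: bytes, rsk: bytes) -> SecureStore:
    """Registration stage: the terminal sends UID and Hash(BK), never BK itself;
    the registration server answers with HHBK, HRSK and Hash(RSK)."""
    hbk = Hash(bk)  # the only key material the server ever sees
    hash_rsk = Hash(rsk)
    hrsk = xor(Hash(xor(enc_uid(uid), hash_rsk)), hbk)
    return SecureStore(uid, Hash(hbk), hrsk, hash_rsk)


def auth_request(store: SecureStore, bk: bytes, tc: int) -> tuple:
    """Steps 1-2 (and 6): SK = Hash(HRSK ※ Hash(BK) ※ Tc); message [UID, SK, Tc].
    A wrong BK does not cancel the Hash(BK) folded into HRSK, so SK comes out wrong."""
    sk = Hash(xor(xor(store.hrsk, Hash(bk)), enc_time(tc)))
    return (store.uid, sk, tc)


def verify_request(store: SecureStore, msg: tuple, now: int, delta_t: int) -> bool:
    """Steps 4-5 (and 7-8) on the receiving side.  The verifier needs only its own
    Hash(RSK) plus the sender's UID and Tc: SK' = Hash(Hash(UID ※ Hash(RSK)) ※ Tc)."""
    uid, sk, tc = msg
    if not (now - tc < delta_t):  # step 4: reject when the request is older than ΔT
        return False
    expected = Hash(xor(Hash(xor(enc_uid(uid), store.hash_rsk)), enc_time(tc)))
    return hmac.compare_digest(expected, sk)  # step 5: SKij == SKi ?


def mutual_auth(store_i, bk_i, tc_i, store_j, bk_j, tc_j, tc_ji, delta_t) -> bool:
    """Steps 1-8: UIDi -> UIDj sent at Tci and received at Tcj; UIDj -> UIDi sent
    at Tcj and received at Tcji.  True only when SKij == SKi and SKji == SKj."""
    if not verify_request(store_j, auth_request(store_i, bk_i, tc_i), tc_j, delta_t):
        return False
    reply = auth_request(store_j, bk_j, tc_j)
    return verify_request(store_i, reply, tc_ji, delta_t)


def modify_key(store: SecureStore, bk_current: bytes, bk_new: bytes) -> bool:
    """Key modification steps 1-6: check Hash(Hash(BKi)) == HHBKi, then recompute
    HHBKn and HRSKn locally; the registration server is not involved."""
    if not hmac.compare_digest(Hash(Hash(bk_current)), store.hhbk):
        return False  # step 2 failed: the current key is not legitimate
    hbk_new = Hash(bk_new)
    store.hhbk = Hash(hbk_new)  # step 3
    store.hrsk = xor(Hash(xor(enc_uid(store.uid), store.hash_rsk)), hbk_new)  # step 4
    return True  # steps 5-6: stored in the secure area, user notified


if __name__ == "__main__":
    # Constructed sample values; both terminals hold the same Hash(RSK).
    rsk = b"constructed-registration-server-key"
    si = register("UID-i", b"fingerprint-template-i", rsk)
    sj = register("UID-j", b"iris-template-j", rsk)
    print("fresh mutual auth:", mutual_auth(si, b"fingerprint-template-i", 1000,
                                            sj, b"iris-template-j", 1005, 1008, 30))
    print("stale request (Tcj - Tci >= ΔT):",
          mutual_auth(si, b"fingerprint-template-i", 1000,
                      sj, b"iris-template-j", 1040, 1045, 30))
    print("key change, wrong current key:", modify_key(si, b"guess", b"iris-template-i"))
    print("key change, correct current key:",
          modify_key(si, b"fingerprint-template-i", b"iris-template-i"))
```

Note that verify_request never touches the sender's BK: Hash(BK) cancels out of SK, so a peer's check rests on UID, Hash(RSK) and the timestamp, while the biometric key is only checked locally against HHBK (key modification step 2).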
Analysis of the security of the method of the present invention:
In the method of the present invention, in the stage where the user registers with the registration server, the UID and Hash(BK) of the user are sent to the registration server, rather than the user key BK being transmitted directly to the registration server, so even if there is an internal attacker at the registration server, the attacker cannot obtain the user's key BK, which guarantees the security of the user key information. In addition, the timestamp mechanism used by the method of the present invention can prevent replay attacks. Further, in the method of the present invention, if the key RSK of the registration server is leaked, the key information of any user remains safe, because the registration server itself does not store any user key information.
The above is only a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Those skilled in the art can also make improvements without departing from the concept of the present invention, and these improvements all belong to the scope of protection of the present invention.
Figs. 1 to 8 above describe in detail the registration method, authentication method and key modification method for M2M terminals of the present invention. With reference to Figs. 9 to 11, the hardware system structure that implements the authentication method of the M2M terminal and the functional modules of the software system that implements the authentication method of the M2M terminal are introduced below.
It should be understood that the embodiment is for discussion purposes only, and the patent claims are not limited by this structure.
Fig. 9 is a hardware system structure diagram of a preferred embodiment for implementing the authentication method of the M2M terminal of the present invention.
In a preferred embodiment of the present invention, the implementation of the authentication method of the M2M terminal consists of two main parts: a plurality of M2M terminals 1 and a registration server 2.
The M2M terminal 1 is a device that can respond to data requests contained in some equipment, or can automatically deliver the data contained in such equipment. It is applied in multiple industries such as electric power, transportation, industrial control, retail, public administration, medical treatment, water conservancy and petroleum, and is used for vehicle anti-theft, safety monitoring, automatic vending, flight-line maintenance, mobile logistics management (M-Logistic management), mobile payment (M-POS), mobile monitoring (M-monitoring) and so on.
As shown in Fig. 10, the M2M terminal 1 includes an authentication system 10, a communication unit 11, a memory 12, a processor 13 and an eSIM card 14. It should be understood that the M2M terminal 1 may also include other hardware or software, for example a display screen, a camera, control circuits, etc., and is not restricted to the components listed above.
The communication unit 11 is used for information exchange between the M2M terminal 1 and other equipment, such as other M2M terminals 1 or the server.
The communication unit 11 can be a wireless communication module, including a Wi-Fi module, a WiMax (World Interoperability for Microwave Access) module, a GSM (Global System for Mobile Communication) module, a CDMA (Code Division Multiple Access) module (including CDMA2000, CDMA2000 1x EV-DO, WCDMA, TD-SCDMA, etc.), an LTE (Long Term Evolution) module, a HiperLAN (High Performance Radio Local Area Network) module, and short-range wireless transmission modules such as Bluetooth, Zigbee, RF, etc.
The memory 12 is used to store programs and various data, and to complete the access of programs or data at high speed and automatically during the operation of the M2M terminal 1. The memory 12 can be the external memory and/or internal memory of the M2M terminal 1. Further, the memory 12 can be a circuit with a storage function that has no physical form within an integrated circuit, such as RAM (Random-Access Memory), FIFO (First In First Out), etc. Alternatively, the memory 12 can also be a storage device with a physical form, such as a memory stick or a TF card (Trans-flash Card).
The processor 13, also known as the central processing unit (CPU, Central Processing Unit), is a very large-scale integrated circuit and is the computing core (Core) and control unit (Control Unit) of the M2M terminal 1. The function of the processor 13 is mainly to interpret instructions and process the data in software.
The eSIM card 14 refers to a traditional SIM card embedded directly into the device chip, rather than added to the device as an independent removable component, in order to meet requirements of convenience, travel, cost, security, etc.
The authentication system 10 may include multiple functional modules composed of program segments (detailed in Fig. 11). The program code of each program segment in the authentication system 10 can be stored in the memory 12 and executed by the processor 13 to perform operations such as registration on the M2M platform and authentication with other M2M terminals 1 (detailed in the description of Fig. 11).
In the preferred embodiment of the present invention, the registration server 2 can be a CA server, which provides, manages and revokes digital certificates for applicants. The role of the CA is to check the legitimacy of the certificate holder's identity and to issue the certificate (sign the certificate mathematically), so as to prevent the certificate from being forged or tampered with.
In this embodiment, the registration server 2 is used to receive the registration of each M2M terminal 1, so that the M2M terminal 1 can legally use the M2M service.
In the preferred embodiment of the present invention, the registration server 2 receives the first registration request of the M2M terminal 1 and, in response to the registration request, calculates the user's key hash value HHBK and login key hash value HRSK, and sends information such as HHBK and HRSK through a secure channel to the secure storage area of the eSIM card 14 of the M2M terminal 1.
In the preferred embodiment of the present invention, the registration server 2 only participates in the first registration operation of the M2M terminal 1, and does not participate in any operation after registration, such as the authentication operations between M2M terminals 1.
Fig. 11 is a functional block diagram of a preferred embodiment of the authentication system of the present invention. In this embodiment, the authentication system 10 can be divided into multiple functional modules according to the functions it performs. In this embodiment, the functional modules include: a registration module 100, an authentication module 101 and a key modification module 102.
The registration module 100 is used to submit a registration request to the registration server 2, receive the registration-related information sent back by the registration server 2 according to the registration request, and store the received registration-related information in the secure storage area of the M2M terminal 1, for example in the secure storage area of the eSIM card 14 embedded in the M2M terminal 1.
In this embodiment, when submitting the registration request to the registration server 2, the registration module 100 transmits the user name of the M2M terminal 1 and the encrypted user key, and receives the twice-encrypted user key calculated and transmitted by the registration server 2, the login key of the M2M terminal 1, the encrypted server key, the encryption algorithm used by the registration server 2, etc.
In a preferred embodiment of the present invention, the user name can be the identity provided by the eSIM card 14, such as the mobile phone number, or it can be a user-defined user name, but the user name must first be bound to the mobile phone number. The user key can be one of the biometric keys of the user; common biometric keys include a fingerprint key, an iris key, a voice key, a face key, etc.
The authentication module 101 is used to receive an authentication request transmitted by another M2M terminal 1, calculate verification information according to the authentication request, and judge according to the verification information whether to accept the authentication of the other M2M terminal 1.
In this embodiment, the authentication request includes the user name of the other M2M terminal 1, an authentication key and a timestamp Tci. The authentication key is calculated by the other M2M terminal 1 according to its login key, its encrypted user key and the timestamp Tci, using the stored encryption algorithm. The login key and the encryption algorithm are transmitted to the other M2M terminal 1 by the registration server 2 in the registration stage.
In this embodiment, the verification information includes a verification key, which is calculated according to the received user name and timestamp Tci of the other M2M terminal 1, using the stored server key of the registration server 2 and the encryption algorithm. The server key of the registration server 2 and the encryption algorithm are transmitted by the registration server 2 in the registration stage.
Further, the authentication module 101 is also used to judge whether the difference between the timestamp Tcj at which the authentication request transmitted by the other M2M terminal 1 is received and the timestamp Tci is less than the preset effective time interval ΔT, i.e. whether Tcj - Tci < ΔT. Only when Tcj - Tci < ΔT does the authentication module 101 calculate the verification information. When Tcj - Tci ≥ ΔT, the authentication module 101 terminates the authentication operation.
In the preferred embodiment of the present invention, judging according to the verification information whether to accept the authentication of the other M2M terminal 1 means judging whether the authentication key is identical to the verification key. When the authentication key is identical to the verification key, the authentication module 101 accepts the authentication of the other M2M terminal 1. When the authentication key and the verification key are not identical, the authentication module 101 terminates the authentication operation.
The key modification module 102 is used to prompt the user to input the current user key when a request to modify the user key is received, to prompt the user to input a new user key when the current user key input by the user is judged to be correct, and to prompt the user that the new user key has been set successfully when the new key has been set successfully.
Judging that the current user key input by the user is correct means that the value obtained by performing the encryption operation twice on the current user key input by the user is consistent with the twice-encrypted user key transmitted by the registration server 2.
In the preferred embodiment of the present invention, the new key is set successfully after the key modification module 102 performs the encryption operation twice on the new user key using the encryption algorithm, calculates the new login key of the terminal using the encryption algorithm according to the user name of the M2M terminal 1, the new user key and the encrypted server key, and stores the twice-encrypted new user key and the new login key in the secure storage area of the M2M terminal 1.
In the several embodiments provided by the present invention, it should be understood that the disclosed system, apparatus and method can be implemented in other ways. For example, the apparatus embodiments described above are merely exemplary; the division into modules is only a logical functional division, and there may be other division manners in actual implementation.
In addition, each functional module in each embodiment of the present invention can be integrated in one processing unit, or each unit can exist alone physically, or two or more units can be integrated in one unit. The above integrated unit can be implemented in the form of hardware, or in the form of hardware plus software functional modules.
The above integrated unit implemented in the form of a software functional module can be stored in a computer-readable storage medium. The above software functional module is stored in a storage medium and includes instructions for causing a computer device (which can be a personal computer, a server, a network device, etc.) or a processor to execute part of the method of each embodiment of the present invention.
It is obvious to those skilled in the art that the invention is not limited to the details of the above exemplary embodiments, and that the invention can be implemented in other specific forms without departing from the spirit or essential attributes of the invention. Therefore, from whatever point of view, the embodiments are to be considered illustrative and not restrictive, and the scope of the present invention is defined by the appended claims rather than by the above description; all changes falling within the meaning and scope of equivalents of the claims are intended to be included in the present invention. Any reference signs in the claims should not be construed as limiting the claims concerned. In addition, it is clear that the word "comprising" does not exclude other units or steps, and the singular does not exclude the plural. Multiple units or devices stated in the system claims can also be implemented by one unit or device through software or hardware.
Finally, it should be noted that the above embodiments are only used to illustrate the technical solution of the present invention and are not limiting. Although the present invention has been described in detail with reference to preferred embodiments, those skilled in the art should understand that modifications or equivalent replacements can be made to the technical solution of the present invention without departing from the spirit and scope of the technical solution of the present invention.

Claims (18)

1. An authentication method for a terminal, characterized in that the authentication method comprises:
a first terminal receiving a first authentication request sent by a second terminal, calculating first verification information according to the first authentication request, and performing authentication of the second terminal according to the first verification information; and
when the first terminal has authenticated the legal identity of the second terminal, the first terminal transmitting a second authentication request to the second terminal, so that the second terminal calculates second verification information according to the second authentication request and performs authentication of the first terminal according to the second verification information;
performing registration of the first terminal, comprising:
the first terminal transmitting the user name of the first terminal and an encrypted user key to a registration server;
receiving a twice-encrypted user key, a login key of the first terminal, an encrypted server key and the encryption algorithm used by the registration server, all transmitted by the registration server, wherein the twice-encrypted user key is obtained by the registration server performing a second encryption of the user key using the encryption algorithm, and the login key is calculated by the registration server using the encryption algorithm according to the user name of the first terminal, the user key and the encrypted server key; and
storing the twice-encrypted user key, the login key, the encrypted server key and the encryption algorithm used by the registration server, as transmitted by the registration server, in a secure storage area of the first terminal.
2. The authentication method for a terminal according to claim 1, characterized in that the first authentication request sent by the second terminal comprises the user name, an authentication key and a timestamp of the second terminal; and the first verification information comprises a first verification key, the first verification key being calculated according to the received user name and timestamp of the second terminal, using the server key of the registration server and the encryption algorithm.
3. The authentication method for a terminal according to claim 2, characterized in that performing authentication of the second terminal according to the first verification information comprises:
when the authentication key of the second terminal is identical to the first verification key, authenticating the legal identity of the second terminal; and
when the authentication key of the second terminal is not identical to the first verification key, terminating the authentication operation for the second terminal.
4. The authentication method for a terminal according to claim 2, characterized in that, before calculating the first verification information according to the first authentication request and performing authentication of the second terminal according to the first verification information, the method further comprises:
when the difference between the timestamp at which the first authentication request sent by the second terminal is received and the timestamp sent by the second terminal is less than a preset effective time interval, calculating the first verification information; and
when the difference between the timestamp at which the first authentication request sent by the second terminal is received and the timestamp sent by the second terminal is greater than or equal to the preset effective time interval, terminating the authentication operation for the second terminal.
5. The authentication method for a terminal according to claim 1, characterized in that the user key is one of, or a combination of several of, the user's biometric keys, including a fingerprint key, an iris key, a voice key and a face key.
6. The authentication method for a terminal according to claim 1, characterized in that the secure storage area is the secure storage area of the embedded SIM card of the first terminal.
7. The authentication method for a terminal according to claim 6, characterized in that the user name is the identity provided by the embedded SIM card.
8. The authentication method for a terminal according to claim 1, characterized in that the authentication method further comprises user key modification performed by the first terminal, the user key modification comprising:
when a request to modify the user key is received, prompting the user to input the current user key; and
when the current user key input by the user is verified to be correct, prompting the user to input a new user key to the first terminal.
9. The authentication method for a terminal according to claim 8, characterized in that the user key modification further comprises:
performing a second encryption of the new user key using the encryption algorithm, calculating a new login key of the first terminal using the encryption algorithm according to the user name of the first terminal, the new user key and the encrypted server key, storing the twice-encrypted new user key and the new login key in the secure storage area of the first terminal, and prompting the user that the new user key has been set successfully.
10. An authentication system for a terminal, characterized in that the system comprises:
an authentication module, used for:
receiving a first authentication request sent by a second terminal, calculating first verification information according to the first authentication request, and performing authentication of the second terminal according to the first verification information; and
when the legal identity of the second terminal has been authenticated, transmitting a second authentication request to the second terminal, so that the second terminal calculates second verification information according to the second authentication request and performs authentication of the first terminal according to the second verification information;
a registration module, used for submitting a registration request to a registration server, receiving registration-related information transmitted by the registration server according to the registration request, and storing the registration-related information in a secure storage area of the first terminal, wherein:
the registration request comprises the user name of the first terminal and an encrypted user key; and
the registration-related information comprises a twice-encrypted user key, a login key of the first terminal, an encrypted server key and the encryption algorithm used by the registration server, wherein the twice-encrypted user key is obtained by the registration server performing a second encryption of the user key using the encryption algorithm, and the login key is calculated by the registration server using the encryption algorithm according to the user name of the first terminal, the user key and the encrypted server key.
11. The authentication system for a terminal according to claim 10, characterized in that the first authentication request sent by the second terminal comprises the user name, an authentication key and a timestamp of the second terminal; and the first verification information comprises a first verification key, the first verification key being calculated according to the received user name and timestamp of the second terminal, using the server key of the registration server and the encryption algorithm.
12. The authentication system for a terminal according to claim 11, characterized in that performing authentication of the second terminal according to the first verification information comprises:
when the authentication key of the second terminal is identical to the first verification key, authenticating the legal identity of the second terminal; and
when the authentication key of the second terminal is not identical to the first verification key, terminating the authentication operation for the second terminal.
13. The authentication system for a terminal according to claim 11, characterized in that the authentication module is further used for:
when the difference between the timestamp at which the first authentication request sent by the second terminal is received and the timestamp sent by the second terminal is less than a preset effective time interval, calculating the first verification information; and
when the difference between the timestamp at which the first authentication request sent by the second terminal is received and the timestamp sent by the second terminal is greater than or equal to the preset effective time interval, terminating the authentication operation for the second terminal.
14. The authentication system for a terminal according to claim 10, characterized in that the user key is one of, or a combination of several of, the user's biometric keys, including a fingerprint key, an iris key, a voice key and a face key.
15. The authentication system for a terminal according to claim 10, characterized in that the secure storage area is the secure storage area of the embedded SIM card of the first terminal.
16. The authentication system for a terminal according to claim 15, characterized in that the user name is the identity provided by the embedded SIM card.
17. The authentication system for a terminal according to claim 10, characterized in that the authentication system further comprises:
a key modification module, used for prompting the user to input the current user key of the first terminal when a request to modify the user key is received, and for prompting the user to input a new user key when the current user key input by the user is correct.
18. The authentication system for a terminal according to claim 17, characterized in that the key modification module is further used for:
performing a second encryption of the new user key using the encryption algorithm, calculating a new login key of the first terminal using the encryption algorithm according to the user name of the first terminal, the new user key and the encrypted server key, storing the twice-encrypted new user key and the new login key in the secure storage area of the first terminal, and prompting the user that the new user key has been set successfully.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201610280800.2A CN105975846B (en) 2016-04-29 2016-04-29 The authentication method and system of terminal
PCT/CN2016/084058 WO2017185450A1 (en) 2016-04-29 2016-05-31 Method and system for authenticating terminal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610280800.2A CN105975846B (en) 2016-04-29 2016-04-29 The authentication method and system of terminal

Publications (2)

Publication Number Publication Date
CN105975846A CN105975846A (en) 2016-09-28
CN105975846B true CN105975846B (en) 2019-04-12

Family

ID=56993542

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610280800.2A Active CN105975846B (en) 2016-04-29 2016-04-29 The authentication method and system of terminal

Country Status (2)

Country Link
CN (1) CN105975846B (en)
WO (1) WO2017185450A1 (en)

KR101568940B1 (en) * 2014-10-01 2015-11-20 이화여자대학교 산학협력단 Authentication method for device to device communication in mobile open iptv system and device to device communication method in mobile open iptv system

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1691578A (en) * 2004-04-29 2005-11-02 华为技术有限公司 A method of self validity verification for an equipment
CN101409621B (en) * 2008-11-13 2011-05-11 ***通信集团北京有限公司 Multipart identification authentication method and system base on equipment
CN101442411A (en) * 2008-12-23 2009-05-27 中国科学院计算技术研究所 Identification authentication method between peer-to-peer user nodes in P2P network
CN101902476B (en) * 2010-07-27 2013-04-24 浙江大学 Method for authenticating identity of mobile peer-to-peer user
KR102124413B1 (en) * 2013-12-30 2020-06-19 삼성에스디에스 주식회사 System and method for identity based key management

Also Published As

Publication number Publication date
WO2017185450A1 (en) 2017-11-02
CN105975846A (en) 2016-09-28

Similar Documents

Publication Publication Date Title
CN105975846B (en) The authentication method and system of terminal
CN106101068B (en) Terminal communicating method and system
KR101434769B1 (en) Method and apparatus for trusted federated identity management and data access authorization
CN101873331B (en) Safety authentication method and system
CN101340436B (en) Method and apparatus implementing remote access control based on portable memory apparatus
CN105141636B (en) Suitable for the HTTP safety communicating methods and system of CDN value-added service platforms
Li et al. Providing privacy-aware incentives in mobile sensing systems
CN104735065B (en) A kind of data processing method, electronic equipment and server
US9635022B2 (en) Method of allowing establishment of a secure session between a device and a server
CN101951321B (en) Device, system and method for realizing identity authentication
CN108880822A (en) A kind of identity identifying method, device, system and a kind of intelligent wireless device
CN104767731A (en) Identity authentication protection method of Restful mobile transaction system
JP2013504832A (en) Method and apparatus for reliable authentication and logon
CN107360125A (en) Access authentication method, WAP and user terminal
CN104935441A (en) Authentication method and relevant devices and systems
CN106817219A (en) A kind of method and device of consulting session key
CN112968971A (en) Method and device for establishing session connection, electronic equipment and readable storage medium
CN107911211B (en) Two-dimensional code authentication system based on quantum communication network
CN109840766B (en) Equipment control method and related equipment thereof
CN104767740A (en) User platform credible authentication and access method
Kumar et al. A conditional privacy-preserving and desynchronization-resistant authentication protocol for vehicular ad hoc network
KR102372503B1 (en) Method for providing authentification service by using decentralized identity and server using the same
CN109740319A (en) Digital identity verification method and server
CN105379176B (en) System and method for verifying the request of SCEP certificate registration
CN101437228A (en) Method, apparatus and system for implementing wireless business based on smart card

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant