CN110011791B - D2D-based electronic credential secure circulation method and system and electronic credential system - Google Patents
D2D-based electronic credential secure circulation method and system and electronic credential system Download PDFInfo
- Publication number
- CN110011791B CN110011791B CN201910123597.1A CN201910123597A CN110011791B CN 110011791 B CN110011791 B CN 110011791B CN 201910123597 A CN201910123597 A CN 201910123597A CN 110011791 B CN110011791 B CN 110011791B
- Authority
- CN
- China
- Prior art keywords
- certificate
- credential
- random
- data packet
- server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/70—Services for machine-to-machine communication [M2M] or machine type communication [MTC]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
- Storage Device Security (AREA)
Abstract
The invention belongs to the technical field of D2D communication, and discloses a D2D-based electronic certificate safe circulation method and system, an electronic certificate system and user equipment 1 (UE)1) Connected to an electronic credential SERVER (SERVER) via a communication network, user equipment 1 (UE)1) With user equipment 2 (UE)2) Connected through a D2D channel. The electronic credential server is provided with a certificate issuing module (CA), an authentication module (AS) and a data storage module (DB), and the user equipment is provided with a login module, a data transmission module and a D2D module. In the invention, the same user has more than 1 device, and 1 device (UE) is existed in the device1) Authentication with the e-credential server and data transfer is completed. Other devices do not need to establish network connection with the electronic certificate server again, and the other devices can establish network connection with the UE1And establishing a D2D channel to complete the transfer of the bill state. The invention has reasonable structure, can save communication resources of the electronic document server, simplify user operation and shorten document transfer time consumption.
Description
Technical Field
The invention belongs to the technical field of D2D communication, and particularly relates to a D2D-based electronic credential safe circulation method and system and an electronic credential system.
Background
Currently, the current state of the art commonly used in the industry is such that: after a user successfully logs in and downloads the relevant electronic credential information by using one device, if a new device is purchased and wants to synchronize credential data on the new device, the new device needs to be networked to communicate with the server, and the electronic credential information is downloaded from the server after the login-authentication process is repeated. With the progress of the paper removal and electronization of the ticket system, more and more users use the electronic credential system. The electronic document system server needs to process a large number of login and data transmission requests, the large number of requests bring huge processing pressure to the server, communication overhead is reduced for the server, communication frequency band resources are saved, the transfer process of electronic document data between user equipment is simplified, and the design of a bill transfer scheme of the electronic document system is an urgent need.
With the progress of the paper removal and electronization of the ticket system, more and more users use the electronic credential system. If a user purchases a new mobile device and wants to synchronize the electronic invoice of an old device with a new device, a login-authentication process must be performed on the new device once, the new device downloads the electronic invoice from a WeChat bill server to the new device after login succeeds, and thus the electronic voucher system server needs to process a large number of login and data transmission requests, a large number of login requests bring huge pressure to the server, and the electronic voucher system requires that the system has the characteristics of high throughput, high concurrency, quick response and the like, for safe circulation of electronic vouchers, the new device and the old device are close in distance and owned by the same user, and the login-authentication process does not need to be repeated once again, so that the login-authentication process of the new device is simplified, and the pressure of the server is reduced, the user can complete the synchronization of the new and old equipment bills without logging in for 2 times.
In summary, the problems of the prior art are as follows: the electronic credential system server needs to process a large amount of login and data transmission requests, and the large amount of login requests bring huge pressure to the server; for the safe circulation of the electronic certificates, the new device and the old device are close to each other and owned by the same user, and the login-authentication process does not need to be repeated.
The difficulty of solving the technical problems is as follows:
the difficulty in solving the above problem is to ensure the security and reliability of the channel between the new device and the old device D2D and how to properly transfer the credential data of the old device to the new device after the channel is established.
The significance of solving the technical problems is as follows:
after the problem is solved, the service pressure of the electronic certificate server can be relieved, the processing resources of the server can be saved, the user operation can be simplified, and the safe flow speed of the electronic certificate can be accelerated.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides a D2D-based electronic credential secure circulation method and system and an electronic credential system.
The invention is realized in such a way that an electronic credential safety circulation method based on D2D comprises the following steps:
the user equipment is connected with the electronic credential server through a communication network, the user equipment is connected through a D2D channel, and after mutual authentication is completed, the user equipment acquires the UE in real time or periodically1Current and future ticket states; the electronic credential server comprises but is not limited to a certificate issuing module, an authentication module and a data storage module, the user equipment is provided with a login module, a data transmission module and a D2D module, and each user equipment is internally provided with a device certificate issued by a CA (certificate authority) and a device private key when leaving a factory, and the certificate of the electronic credential server.
Further, the D2D-based electronic credential secure circulation method comprises the following steps:
(1) the user equipment 1 establishes a secure connection with the electronic credential server through a communication network, a user logs in after the secure connection is established, and the electronic credential server sends a credential that the user successfully logs in to the user equipment 1 after the login is successful and transmits electronic credential data with the user equipment 1; the user equipment 1 and the electronic credential server successfully establish a secure connection through a communication network and complete the transmission of the electronic credential data after successful login is a necessary condition of a ticket transfer scheme based on the D2D technology;
(2) at user equipment 1UE1After the login process is finished, the user purchases a new device, namely user equipment 2UE2The user wants to securely transfer the electronic credential data in the user device 1 to the user device 2 without the need for the device 2 to log on to the internet; UE (user Equipment)1Broadcasting data packet, including UE1Certificate of (Cert)1Time stamp of data packet broadcastingRandom number random1And UE1To pairAnd random1Is signedUE2Receiving the broadcast packet, first verifying the Cert1The validity of (2); then checkingrandom1After checking the labelWhether the two are consistent; after passing the verification, the UE2To the UE1Sending a response packet, wherein the data packet comprises the UE2Certificate of (Cert)2、UE1Certificate of (Cert)1Time stamp at the time of packet generationRandom number random2、UE2To random1Is signedAnd UE2For Cert1、And random2Is signedUE1Upon receiving the response, the Cert is first verified2The received Cert is verified1Comparing the certificate with the certificate of the equipment to check whether the certificate is consistent;
then check Cert1,random2After checking the labelWhether the two are consistent; after passing the verification, the UE1Sending a D2D request data packet to an electronic certificate SERVER SERVER, wherein the data packet comprises Cert1、Cert2、UE1To random1Is signedSlave UE2Derived from returned responsesTime stamp for data packet generationRandom number random3(ii) a When the SERVER receives the D2D request, Cert is firstly transmitted1、Cert2Comparing the certificate with the backup certificate in the certificate issuing module to determine whether the certificate is consistent with the backup certificate, and then verifyingThe signature of (2); after passing the verification, the UE1Sending a response data packet, wherein the data packet comprises a time stamp when the data packet is generatedRandom number random4SERVER pairs (random4) Is signedUE1After receiving the information sent by the SERVER, selecting a random number a to calculate gaTo the UE2The transmission packet includes:random4、ga、random5、and the data packet uses the UE2The public key is encrypted for transmission; UE (user Equipment)2After receiving the data packet, decrypting by using the private key thereof and verifying the SERVER and the UE1Is verified to obtain ga;UE2Selecting a random number b, and calculating gbBackward UE1The transmission packet includes: gbTime stamp at the time of packet generationRandom number random6、UE2To (g)b,random6) Is signedAnd the data packet uses the UE1The public key is encrypted and transmitted; UE (user Equipment)1After receiving the data packet, the UE is verified after being decrypted by using the private key of the UE2Is verified to obtain gb;K=(ga)b mod p=(gb)amod p is UE1And UE2Communication key of, UE2Completion and UE1After the channel is established, the user is in the new equipment UE2The UE inputs the self taxpayer identification number taxpayable _ ID2Sending the identification number to the UE through the established D2D channel1;UE1Receiving to UE2After the taxpayer identification number taxpayer _ ID is sent, the UE is connected with the taxpayer identification number taxpaylayer _ ID1Comparing taxpayer identification numbers in locally stored credentials, generating a credential list ticket _ list by using the credentials matched with the taxpayer identification numbers, and returning the credential list ticket _ list to the UE2Each data item of the credential list includes, but is not limited to, a credential issuer name, a credential receiver name, and a credential issuer time; UE (user Equipment)2Receiving to UE1After the returned credential list, the user selects the new equipment UE to be synchronized according to the name of the invoicer, the name of the invoicer and the invoicing time2Credential data of, then the UE2To the UE1Sending tickets _ list _ select of the to-be-synchronized ticket list; UE (user Equipment)1After receiving tickets _ list _ select of the credential list to be synchronized, sending the credential data required in the list to the UE2;
UE2Storing the received credential data locally and then to the UE1Returning the unique identification ticket _ ID of all stored credentialsnAnd signature of unique identification number to all certificatesUE1Informing SERVER of all UEs2Synchronized credential unique identification number, and UE2A signature of a unique identification number to a credential; SERVER receives data packet and then verifies UE2By writing the signature in the database to the UE2And the synchronized ticket identification number in the equipment, and then to the UE1Returning a synchronization completion response, UE1Disconnecting the UE after receiving the synchronization completion response2D2D, and credential flow is complete.
Further, the D2D-based electronic credential secure circulation method specifically includes:
user intended by UE1To the UE2Transferring credential status information, UE1Broadcasting data packet for requesting to establish D2D connection channel, wherein the data packet includes UE1Certificate of (Cert)1Time stamp of systemRandom number random1And UE1Signature on system time stamp and random number
Second step, UE2→UE1:
UE2After receiving the broadcast data packet, verifying the UE in the data packet by using the certificate of the SERVER which is built in when leaving the factory1Validity of certificate, and confirmation of UE at user1After the information obtained, the obtained UE is utilized1Certificate of (2) verifying the UE1To pairAnd random1Is signedThen checks the time stampWhether the random number random is within the allowed time period1Whether it has occurred within the allowed time period, if the UE has1Certificate failure, signature verification failure,Go beyondAllowed time period, random1Dropping the data packet and sending the data packet to the UE when any one of the conditions is over-satisfied within the allowed time period1Sending a communication rejection data packet and disconnecting, otherwise, UE2To the UE1Transmitting a response packet, the packet comprising: UE (user Equipment)2Certificate of (Cert)2、UE2To random1Is signedCert1Time stamp of systemRandom number random2And UE2To UE1Certificate of (2), system time stamp and signature of random number
UE1Receiving to UE2The returned response packet utilizes the certificate of the SERVER built in the factory to verify the UE in the data packet2Validity of certificate, and confirmation of UE at user2After the information obtained, the obtained UE is utilized2Certificate of (2) verifying the UE2For Cert1、And random2Is signedThen comparing the UE in the received data packet1Checking whether the certificate is identical to a certificate stored in the device, checking the timestampWhether the random number random is within the allowed time period2Whether within an allowed time periodIf it is, if UE2Certificate is illegal, signature verification fails, and UE1The certificate comparison is inconsistent,Beyond the allowed time period, random2Dropping the data packet and sending the data packet to the UE when any one of the conditions is over-satisfied within the allowed time period2Sending a communication rejection data packet and disconnecting, otherwise, UE1Sending a D2D parameter request data packet to the SERVER, wherein the data packet comprises: cert1、Cert2、UE1To random1Is signedBy UE2The response packet being obtainedSystem time stamp TS3Random number random3;
SERVER receiving UE1After the transmitted D2D parameter request data packet is compared with the Cert in the received data packet1、Cert2Whether the certificate is consistent with the certificate backup stored in the certificate library or not and then verifyingAndwhether the result of the signature verification is consistent or not, and checking the timestampWhether the random number random is within the allowed time period3Whether the certificate appears within an allowed time period or not, if the certificate is inconsistent with the backup in the certificate library, the signature checking result is different,Beyond the allowed time period, random3Dropping the data packet and sending the data packet to the UE when any one of the conditions is over-satisfied within the allowed time period1Sending a communication rejection data packet and disconnecting, otherwise, the SERVER sends the UE to the UE1Transmitting a D2D parameter response packet, the packet comprising: time stamping of systemRandom number random4And SERVER signing system time stamp, random number
Fifth step, UE1→UE2:
UE1The timestamp is checked after receiving the D2D parameter response packet returned by the SERVERWhether the random number random is within the allowed time period4Whether it has occurred within the allowed time period, ifHas exceeded the allowed time period or random number random4Discarding the data packet and requesting to resend the D2D parameter to the SERVER if the occurrence in the allowed time period is over, otherwise, the UE1Selecting a random number a, calculating ga,UE1To the UE2Transmitting a D2D parameter notification packet, the packet comprising:random4、gatime stamp of systemRandom number random5And UE1For gaTime stamp of system and signature of random numberThe data packet uses the UE2Public key PK2Encrypting and sending;
UE2After receiving the D2D parameter notification packet, the UE is firstly used2Decrypting the data packet by the private key of the private key, and verifying the data packet by using the certificate of the SERVER which is built in when the private key leaves the factoryUsing the UE obtained in ii1Certificate verification ofValidity of (2), check the time stamp finallyWhether the random number random is within the allowed time period4、random5If the data packet is not decrypted, whether the data packet appears within the allowed time period,Failure of signature verification,Failure of signature verification,OrHas exceeded the allowed time period, random4Or random5Dropping data packets and sending the data packets to the UE when any one of the above conditions is over satisfied within the allowed time period1Sending a communication rejection data packet and disconnecting, otherwise, UE2Selecting a random number b, calculating gbAnd (g)a)b mod p,UE2To the UE1Transmitting a D2D parameter response packet, the packet comprising: gbTime stamp of systemRandom number random6And UE2For gbTime stamp of system and signature of random numberThe data packet uses the UE1Public key PK1Encrypting and sending;
seventh step, UE1→UE2:{START}K
UE1Receiving to UE2After the D2D parameter response packet is sent, the UE is first used1Decrypting the data packet by its own private key and then using the UE obtained in iii2Certificate verification ofValidity of (2), check the time stamp finallyWhether the random number random is within the allowed time period6If the data packet is not decrypted, whether the data packet appears within the allowed time period,Failure of signature verification,Has exceeded the allowed time period, random6At the allowed timeIf one of the conditions is over-satisfied, the data packet is dropped and sent to the UE2Sending a communication rejection data packet and disconnecting, otherwise, UE1Calculating (g)b)a mod p,UE1To the UE2Transmitting a test communication packet including a communication START field START, the test communication packet using a negotiated symmetric encryption key K ═ gb)a mod p=(ga)bmod p performs encryption;
eighth step, UE2→UE1:{ACK}K
UE2Receiving to UE1Decrypting the transmitted pilot communication data packet by using the symmetric encryption key K which is agreed, and if the test communication data packet cannot be decrypted, transmitting the decrypted data packet to the UE1Sending a communication rejection data packet and disconnecting, otherwise, UE2To the UE1Sending a trial communication response packet, the packet including a response field ACK, the packet using the negotiated symmetric encryption key K ═ gb)a mod p=(ga)bmod p performs encryption;
ninth step, UE2→UE1:{taxpayer_ID}
UE2Completion and UE1After the channel is established, the user is in the new equipment UE2The UE inputs the self taxpayer identification number taxpayable _ ID2Sending the identification number to the UE through the established D2D channel1;
Tenth step, UE1→UE2:{tickets_list}
UE1Receiving to UE2After the taxpayer identification number taxpayer _ ID is sent, the UE is connected with the taxpayer identification number taxpaylayer _ ID1Comparing taxpayer identification numbers in locally stored credentials, generating a credential list ticket _ list by using the credentials matched with the taxpayer identification numbers, and returning the credential list ticket _ list to the UE2Each data item of the credential list comprises a credential issuer name, a credential receiver name, and a credential issuer time;
the tenth step, UE2→UE1:{tickets_list_selected}
UE2Receiving to UE1Return toAfter the list of the vouchers, the user selects and needs to synchronize to the new equipment UE according to the name of the invoicing party, the name of the ticket collecting party and the invoicing time2Credential data of, then the UE2To the UE1Sending tickets _ list _ select of the to-be-synchronized ticket list;
twelfth step, UE1→UE2:{tickets_data}
UE1After receiving tickets _ list _ select of the credential list to be synchronized, sending the credential data required in the list to the UE2;
A thirteenth step of the UE1→UE2:
UE2Storing the received credential data locally and then to the UE1Returning the unique identification ticket _ ID of all stored credentialsnAnd signature of unique identification number to all certificates
Fourteenth step, UE1→SERVER:
UE1Informing SERVER of all UEs2Synchronized credential unique identification number, and UE2A signature of a unique identification number to a credential;
fifteenth step, SERVER → UE1:{synchron_complete}
SERVER receives data packet and then verifies UE2By writing the signature in the database to the UE2And the synchronized ticket identification number in the equipment, and then to the UE1Returning a synchronization completion response, UE1Disconnecting the UE after receiving the synchronization completion response2D2D, and credential flow is complete.
Another object of the present invention is to provide a D2D-based e-credential secure circulation system for implementing the D2D-based e-credential secure circulation method, wherein the D2D-based e-credential secure circulation system comprises: electronic credential server, user device 1, user device 2;
the user equipment 1 is connected with the electronic credential server through a communication network, and the user equipment 1 is connected with the user equipment 2 through a D2D channel;
the electronic credential server comprises a certificate issuing module, an authentication module and a data storage module, the user equipment is provided with a login module, a data transmission module and a D2D module, and each user equipment is internally provided with an equipment certificate issued by a CA (certificate authority) and an equipment private key when leaving a factory, and a certificate of the electronic credential server.
The electronic document server is connected with the user equipment through a communication network; the certificate issuing module is responsible for issuing data required by authentication for a legal user, and comprises a trusted certificate containing an electronic certificate server signature, a certificate copy for storing a user who has issued the certificate, and related certificate data required by the authentication module in the authentication process; the authentication module is responsible for processing a login request submitted by a user, requesting necessary certificate verification data to the certificate issuing module to complete login verification, interacting with the data storage module after the user successfully logs in, and sending bill data of the user to user equipment; the data storage module is responsible for storing the bill data of the user and sending the corresponding bill data to the login module after receiving the bill data request of the login module.
Further, the user equipment includes a login module, a data transmission module, and a D2D module, and each user equipment is built in when leaving a factory, and includes: CA issued device certificate and device private key, certificate of electronic certificate server and Hash algorithm, symmetric encryption and decryption algorithm, asymmetric encryption and decryption algorithm and p-1 medium multiplication group Z adopted by electronic certificate systemp *The g and p parameters of (1); p is prime number, g is generator;
the login module is used for receiving a login request initiated by a user and interacting with the electronic credential server through a communication network; the data transmission module is responsible for storing the bill data sent by the electronic credential server and sending the required data to the D2D module when the D2D module requests the bill data; the D2D module is responsible for completing device authentication, establishing a secure D2D channel, and completing the secure circulation of credentials between new and old devices of the same user.
Another object of the present invention is to provide an electronic certificate system applying the D2D-based electronic certificate secure circulation method.
Another object of the present invention is to provide an information data processing terminal equipped with the electronic voucher system.
In summary, the advantages and positive effects of the invention are: D2D communication plays a very important role as an emerging communication means in communication networks and wireless systems. The D2D communication allows the adjacent devices to communicate directly under the control of the control node, with the help of D2D communication technology, the electronic document flow between the new and old devices of the user can be directly transferred under the control of the server, the new device can receive the transferred bill without connecting the server, compared with the prior art, the communication link between the new device and the electronic document server is omitted, the communication overhead of the electronic document server is reduced, the re-login operation of the user is saved, and the document transfer time consumption is shortened.
The invention satisfies 1. after the user logs in the old equipment, another login operation on the new equipment is not needed. 2. The new device can directly perform data transmission with the old device without establishing a communication channel with the electronic credential server respectively. 3. The communication link between the old device and the new device has good security, and the communication link between the old device and the new device should ensure enough security to resist most known attack means. The invention uses the symmetric encryption system, the asymmetric encryption system, the message signature, the message verification algorithm and the Diffie-Hellman key exchange algorithm in the cryptography, which are all acknowledged to have extremely high security. In the patent, the D2D communication equipment is generally close to each other and is within a visual distance range controllable by one person, so that the difficulty in eavesdropping, tampering and intercepting is increased, and the safety of the invention in the current society is enhanced. The invention is properly expanded, thereby greatly saving the communication expense of the electronic certificate server and facilitating the safe circulation of the electronic certificates between new equipment and old equipment.
The invention utilizes the characteristics of cryptography and D2D communication, solves the problem that the credential circulation of the electronic credential system needs to establish a communication link with the server again and log in again on new equipment at the present stage, lightens the service pressure of the credential server, improves the credential circulation speed, avoids replay attack by adopting the combination of the timestamp and the random number, ensures the integrity and non-repudiation of data transmission by adopting a signature algorithm, ensures that all symmetric communication session keys only play a role in the current communication, and needs to negotiate again in the next transmission after the transmission is finished, thereby ensuring the safety of the scheme. The D2D communication allows the adjacent equipment to carry on the direct communication under the control of the control node, under the help of D2D communication technology, the credential circulation between old and new equipment of users can carry on the direct transfer under the control of the server, the new equipment can be while receiving the bill transferred, do not need to connect the server, the apparatus of the credential is transferred by old and new server direct completion, compared with original technology save the communication link between electronic credential server and the new equipment, has reduced the communication expense of the electronic credential server, has saved the operation that users log on again, have shortened the credential and transferred the consumption time and guaranteed the data conformance of old and new equipment and server.
Drawings
Fig. 1 is a system structure diagram of an electronic credential server and a user device 1 according to an embodiment of the present invention.
Fig. 2 is a system structure diagram of a user equipment and a user equipment 2 according to an embodiment of the present invention.
Fig. 3 is a flowchart of a ticket transfer method based on the D2D technology in the electronic credential system according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail with reference to the following embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The following detailed description of the principles of the invention is provided in connection with the accompanying drawings.
As shown in fig. 1 and fig. 2, the D2D-based e-credential secure circulation system according to the embodiment of the present invention includes: electronic credential server, user device 1, user device 2; user equipment 1 (UE)1) Connected to an electronic credential SERVER (SERVER) via a communication network, user equipment 1 (UE)1) With user equipment 2 (UE)2) Connected through a D2D channel. The electronic credential server comprises but is not limited to a certificate issuing module (CA), an authentication module (AS) and a data storage module (DB), the user equipment comprises but is not limited to a login module, a data transmission module and a D2D module, and each user equipment is internally provided with a device certificate and a device private key issued by the CA when being shipped from the factory, and the certificate of the electronic credential server.
Each module of the user equipment is written by using a high-level programming language, and the login module is responsible for receiving a login request initiated by a user and interacting with the electronic credential server through a communication network; the data transmission module is responsible for storing the bill data sent by the electronic credential server and sending the required data to the D2D module when the D2D module requests the bill data; the D2D module is responsible for completing device authentication, establishing a safe D2D channel and completing the safe circulation of bills between new and old devices of the same user. The user equipment 1 establishes a secure connection with the electronic credential server through a communication network, a user logs in after the secure connection is established, and the electronic credential server sends a credential that the user successfully logs in to the user equipment 1 after the login is successful and transmits electronic credential data with the user equipment 1. The user equipment 1 and the electronic credential successfully establish a secure connection through a communication network, and after successful login, the user equipment 1 and the user equipment 2 can start to transfer the electronic credential, and the ticket transfer scheme based on the D2D technology specifically comprises the following steps:
user intended by UE1To the UE2Transferring credential status information, UE1Broadcasting data packet for requesting to establish D2D connection channel, wherein the data packet includes UE1Certificate of (Cert)1) Time stamp of systemRandom number (random)1) And UE1Signature on system time stamp and random number
ii.UE2→UE1:
UE2After receiving the broadcast data packet, verifying the UE in the data packet by using the certificate of the SERVER which is built in when leaving the factory1Validity of certificate, and confirmation of UE at user1After the information obtained, the obtained UE is utilized1Certificate of (2) verifying the UE1To pairAnd random1Is signedThen checks the time stampWhether the random number random is within the allowed time period1Whether it has occurred within the allowed time period, if the UE has1Certificate failure, signature verification failure,Beyond the allowed time period, random1Dropping the data packet and sending the data packet to the UE when any one of the conditions is over-satisfied within the allowed time period1Sending a communication rejection data packet and disconnecting, otherwise, UE2To the UE1Transmitting a response packet, the packet comprising: UE (user Equipment)2Certificate of (Cert)2)、UE2To random1Is signedCert1Time stamp of systemRandom number (random)2) And UE2To UE1Certificate of (2), system time stamp and signature of random number
UE1Receiving to UE2The returned response packet utilizes the certificate of the SERVER built in the factory to verify the UE in the data packet2Validity of certificate, and confirmation of UE at user2After the information obtained, the obtained UE is utilized2Certificate of (2) verifying the UE2For Cert1、And random2Is signedThen comparing the UE in the received data packet1Checking whether the certificate is identical to a certificate stored in the device, checking the timestampWhether the random number random is within the allowed time period2Whether it has occurred within the allowed time period, if the UE has2Certificate is illegal, signature verification fails, and UE1The certificate comparison is inconsistent,Exceeds the allowable time period、random2Dropping the data packet and sending the data packet to the UE when any one of the conditions is over-satisfied within the allowed time period2Sending a communication rejection data packet and disconnecting, otherwise, UE1Sending a D2D parameter request data packet to the SERVER, wherein the data packet comprises: cert1、Cert2、UE1To random1Is signedBy UE2The response packet being obtainedSystem time stampRandom number (random)3)。
SERVER receiving UE1After the transmitted D2D parameter request data packet is compared with the Cert in the received data packet1、Cert2Whether the certificate is consistent with the certificate backup stored in the certificate library or not and then verifyingAndwhether the result of the signature verification is consistent or not, and checking the timestampWhether the random number random is within the allowed time period3Whether the certificate appears within an allowed time period or not, if the certificate is inconsistent with the backup in the certificate library, the signature checking result is different,Beyond the allowed time period, random3During the allowed time periodDiscarding the data packet and sending the data packet to the UE when one of the conditions is over-satisfied1Sending a communication rejection data packet and disconnecting, otherwise, the SERVER sends the UE to the UE1Transmitting a D2D parameter response packet, the packet comprising: time stamping of systemRandom number (random)4) And SERVER signing system time stamp, random number
v.UE1→UE2:
UE1The timestamp is checked after receiving the D2D parameter response packet returned by the SERVERWhether the random number random is within the allowed time period4Whether it has occurred within the allowed time period, ifHas exceeded the allowed time period or random number random4Discarding the data packet and requesting to resend the D2D parameter to the SERVER if the occurrence in the allowed time period is over, otherwise, the UE1Selecting a random number a, calculating ga,UE1To the UE2Transmitting a D2D parameter notification packet, the packet comprising:random4、gatime stamp of systemRandom number (random)5) And UE1For gaSystem time stamp and signature of random number (g)a,random5)SK1The data packet uses the UE2Public key PK2And (5) encrypting and sending.
UE2After receiving the D2D parameter notification packet, the UE is firstly used2Decrypting the data packet by the private key of the private key, and verifying the data packet by using the certificate of the SERVER which is built in when the private key leaves the factoryUsing the UE obtained in ii1Certificate verification (g)a,random5)SK1Validity of (2), check the time stamp finallyWhether the random number random is within the allowed time period4、random5If the data packet is not decrypted, whether the data packet appears within the allowed time period,Failure of signature verification, (g)a,random5)SK1Failure of signature verification,OrHas exceeded the allowed time period, random4Or random5Dropping data packets and sending the data packets to the UE when any one of the above conditions is over satisfied within the allowed time period1Sending a communication rejection data packet and disconnecting, otherwise, UE2Selecting a random number b, calculating gbAnd (g)a)b mod p,UE2To the UE1Transmitting a D2D parameter response packet, the packet comprising: gbTime stamp of systemRandom number (random)6) And UE2For gbTime stamp of system and signature of random numberThe data packet uses the UE1Public key PK1And (5) encrypting and sending.
vii.UE1→UE2:{START}K
UE1Receiving to UE2After the D2D parameter response packet is sent, the UE is first used1Decrypting the data packet by its own private key and then using the UE obtained in iii2Certificate verification ofValidity of (2), check the time stamp finallyWhether the random number random is within the allowed time period6If the data packet is not decrypted, whether the data packet appears within the allowed time period,Failure of signature verification,Has exceeded the allowed time period, random6The occurrence of over-satisfaction of any one of the above conditions within the allowable time periodDiscard the packet and send it to the UE2Sending a communication rejection data packet and disconnecting, otherwise, UE1Calculating (g)b)a mod p,UE1To the UE2Transmitting a test communication packet including a communication START field START, the test communication packet using a negotiated symmetric encryption key K ═ gb)a mod p=(ga)bmod p performs encryption.
viii.UE2→UE1:{ACK}K
UE2Receiving to UE1Decrypting the transmitted pilot communication data packet by using the symmetric encryption key K which is agreed, and if the test communication data packet cannot be decrypted, transmitting the decrypted data packet to the UE1Sending a communication rejection data packet and disconnecting, otherwise, UE2To the UE1Sending a trial communication response packet, the packet including a response field ACK, the packet using the negotiated symmetric encryption key K ═ gb)a mod p=(ga)bmod p performs encryption.
ix.UE2→UE1:{taxpayer_ID}
UE2Completion and UE1After the channel is established, the user is in the new equipment UE2Enters its own taxpayer identification number (taxpayerID), UE2Sending the identification number to the UE through the established D2D channel1。
x.UE1→UE2:{tickets_list}
UE1Receiving to UE2After the taxpayer identification number (taxpayerID) is sent, the UE is contacted with the taxpayer identification number (taxpayerID)1Comparing the taxpayer identification number in the locally stored certificate, generating a certificate list (ticket _ list) by using the certificate matched with the taxpayer identification number, and returning the certificate list to the UE2Each data item of the credential list includes a credential issuer name, a credential receiver name, and a credential issuer time.
xi.UE2→UE1:{tickets_list_selected}
UE2Receiving to UE1After returning the credential list, the user makes a invoice according to the name of the invoicer, the name of the collector and the invoicingTicket time selection needs to be synchronized to the new device UE2Credential data of, then the UE2To the UE1And sending a list of to-be-synchronized credentials (tickets _ list _ select).
xii.UE1→UE2:{tickets_data}
UE1After receiving the list of credentials to be synchronized (tickets _ list _ select), the credentials required in the list are sent to the UE2Credential data includes, but is not limited to: the unique identification number of the certificate, the tax number of the invoicing party, the address and the contact number of the invoicing party, the bank and the account number of the invoicing party, the invoicing date and the like.
UE2Storing the received credential data locally and then to the UE1Returning unique identification numbers (ticket _ ID) of all stored credentialsn) And signature of unique identification number to all certificates
UE1Informing SERVER of all UEs2Synchronized credential unique identification number, and UE2A signature of the unique identification number to the credential.
xv.SERVER→UE1:{synchron_complete}
SERVER receives data packet and then verifies UE2By writing the signature in the database to the UE2And the synchronized ticket identification number in the equipment, and then to the UE1Returning a synchronization completion response, UE1Disconnecting the UE after receiving the synchronization completion response2D2D, credential flow is complete。
The application of the principles of the present invention will now be described in further detail with reference to the accompanying drawings.
As shown in fig. 3, after the user equipment 1 completes the login process, at this time, the user purchases a new user equipment 2, and the user wants to securely transfer the electronic credential data in the user equipment 1 to the user equipment 2 without the need of network login of the user equipment 2. User equipment 1 (UE)1) Broadcasting data packet, including UE1Certificate of (Cert)1) Time stamp of data packet broadcastingRandom number (random)1) And UE1To pairAnd random1Is signedUser equipment 2 (UE)2) Receiving the broadcast packet, first verifying the Cert1Because the certificate of each device is issued by the CA and each device has a built-in e-credential server root certificate, the certificate validity can be verified. Then checkingrandom1After checking the labelWhether they are consistent. After passing the verification, the UE2To the UE1Sending a response packet, wherein the data packet comprises the UE2Certificate of (Cert)2)、UE1Certificate of (Cert)1) Time stamp at the time of packet generationRandom number (random)2)、UE2To random1Is signedAnd UE2For Cert1、And random2Is signedUE1Upon receiving the response, the Cert is first verified2The received Cert is verified1Check for compliance with the certificate of the device itself, and then check for Cert1,random2After checking the labelWhether they are consistent. After passing the verification, the UE1Sending a D2D request packet to an electronic credential SERVER (SERVER), the packet including a Cert1、Cert2、UE1To random1Is signedSlave UE2Derived from returned responsesTime stamp for data packet generationRandom number (random)3) (ii) a When the SERVER receives the D2D request, Cert is firstly transmitted1、Cert2Comparing the certificate with the backup certificate in the certificate issuing module to determine whether the certificate is consistent with the backup certificate, and then verifyingThe signature of (2). Through SERVER to UE after verification1Sending a response data packet, wherein the data packet comprises a time stamp when the data packet is generatedRandom number (random)4) SERVER pairs (random4) Is signedUE1After receiving the information sent by the SERVER, selecting a random number a to calculate gaTo the UE2The transmission packet includes:random4、ga、random5、and the data packet uses the UE2The public key is encrypted for transmission; UE (user Equipment)2After receiving the data packet, decrypting the data packet by using the private key of the user, and verifying the signature of the SERVER and the UE1Is verified to obtain ga。UE2Selecting a random number b, and calculating gbBackward UE1The transmission packet includes: gbTime stamp at the time of packet generationRandom number (random)6)、UE2To (g)b,random6) Is signedAnd the data packet uses the UE1The public key is encrypted and transmitted; UE (user Equipment)1Receive toAfter the data packet is decrypted by using the private key of the user equipment, the UE is verified2Is verified to obtain gb;K=(ga)bmod p=(gb)amod p is UE1And UE2The communication key of (2); UE (user Equipment)2Completion and UE1After the channel is established, the user is in the new equipment UE2Enters its own taxpayer identification number (taxpayerID), UE2Sending the identification number to the UE through the established D2D channel1;UE1Receiving to UE2After the taxpayer identification number (taxpayerID) is sent, the UE is contacted with the taxpayer identification number (taxpayerID)1Comparing the taxpayer identification number in the locally stored certificate, generating a certificate list (ticket _ list) by using the certificate matched with the taxpayer identification number, and returning the certificate list to the UE2Each data item of the credential list comprises a credential issuer name, a credential receiver name, and a credential issuer time; UE (user Equipment)2Receiving to UE1After the returned credential list, the user selects the new equipment UE to be synchronized according to the name of the invoicer, the name of the invoicer and the invoicing time2Credential data of, then the UE2To the UE1Sending a list of to-be-synchronized credentials (tickets _ list _ select); UE (user Equipment)1After receiving the list of credentials to be synchronized (tickets _ list _ select), the credentials required in the list are sent to the UE2The credential data comprises: the certificate unique identification number, the invoicing party tax number, the invoicing party address and contact telephone number, the invoicing party account bank and account number, the invoicing date and the like; UE (user Equipment)2Storing the received credential data locally and then to the UE1Returning unique identification numbers (ticket _ ID) of all stored credentialsn) And signature of unique identification number to all certificatesUE1Informing SERVER of all UEs2Synchronized credential unique identification number, and UE2A signature of a unique identification number to a credential; SERVER receives data packet and then verifies UE2By writing the signature in the database to the UE2And the synchronized ticket identification number in the equipment, and then to the UE1Returning a synchronization completion response, UE1Disconnecting the UE after receiving the synchronization completion response2D2D, and credential flow is complete.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.
Claims (5)
1. A D2D-based electronic credential secure circulation method is characterized in that the D2D-based electronic credential secure circulation method comprises the following steps:
the user equipment is connected with the electronic credential server through a communication network, the user equipment is connected through a D2D channel, and after mutual authentication is completed, the user equipment acquires the UE in real time or periodically1Current and future ticket states; the electronic credential server comprises but is not limited to a certificate issuing module, an authentication module and a data storage module, the user equipment is provided with a login module, a data transmission module and a D2D module, and each user equipment is internally provided with an equipment certificate issued by CA (certificate authority) and an equipment private key when leaving a factory, and a certificate of the electronic credential server;
the D2D-based electronic credential secure circulation method comprises the following steps:
(1) the user equipment 1 establishes a secure connection with the electronic credential server through a communication network, a user logs in after the secure connection is established, and the electronic credential server sends a credential that the user successfully logs in to the user equipment 1 after the login is successful and transmits electronic credential data with the user equipment 1; the user equipment 1 and the electronic credential server successfully establish a secure connection through a communication network and complete the transmission of the electronic credential data after successful login is a necessary condition of a ticket transfer scheme based on the D2D technology;
(2) at user equipment 1UE1After the login process is finished, the user purchases a new device, namely user equipment 2UE2The user wants to power up the user device 1 without the need for a networked login to the device 2Secure transfer of sub-credential data into the user device 2; UE (user Equipment)1Broadcasting data packet, including UE1Certificate of (Cert)1Time stamp of data packet broadcastingRandom number random1And UE1To pairAnd random1Is signedUE2Receiving the broadcast packet, first verifying the Cert1The validity of (2); then checkingrandom1After checking the labelWhether the two are consistent; after passing the verification, the UE2To the UE1Sending a response packet, wherein the data packet comprises the UE2Certificate of (Cert)2、UE1Certificate of (Cert)1Time stamp at the time of packet generationRandom number random2、UE2To random1Is signedAnd UE2For Cert1、And random2Is signedUE1ReceivingUpon answering, Cert is first verified2The received Cert is verified1Comparing the certificate with the certificate of the equipment to check whether the certificate is consistent;
then check Cert1,TS2,random2After checking the labelWhether the two are consistent; after passing the verification, the UE1Sending a D2D request data packet to an electronic certificate SERVER SERVER, wherein the data packet comprises Cert1、Cert2、UE1To random1Is signedSlave UE2Derived from returned responsesTime stamp for data packet generationRandom number random3(ii) a When the SERVER receives the D2D request, Cert is firstly transmitted1、Cert2Comparing the certificate with the backup certificate in the certificate issuing module to determine whether the certificate is consistent with the backup certificate, and then verifyingThe signature of (2); after passing the verification, the UE1Sending a response data packet, wherein the data packet comprises a time stamp when the data packet is generatedRandom number random4SERVER pairIs signedUE1After receiving the information sent by the SERVER, selecting a random number a to calculate gaTo the UE2The transmission packet includes:random4、ga、random5、g is a generator; and the data packet uses the UE2The public key is encrypted for transmission; UE (user Equipment)2After receiving the data packet, decrypting by using the private key thereof and verifying the SERVER and the UE1Is verified to obtain ga;UE2Selecting a random number b, and calculating gbBackward UE1The transmission packet includes: gbTime stamp at the time of packet generationRandom number random6、UE2To pairIs signedAnd the data packet uses the UE1The public key is encrypted and transmitted; UE (user Equipment)1After receiving the data packet, the UE is verified after being decrypted by using the private key of the UE2Is verified to obtain gb;K=(ga)bmod p=(gb)amod p is UE1And UE2Communication key of, UE2Completion and UE1After the channel is established, the user is in the new equipment UE2Upper transfusionEnter its own taxpayer identification number, taxpayor _ ID, UE2Sending the identification number to the UE through the established D2D channel1;UE1Receiving to UE2After the taxpayer identification number taxpayer _ ID is sent, the UE is connected with the taxpayer identification number taxpaylayer _ ID1Comparing taxpayer identification numbers in locally stored credentials, generating a credential list ticket _ list by using the credentials matched with the taxpayer identification numbers, and returning the credential list ticket _ list to the UE2Each data item of the credential list includes, but is not limited to, a credential issuer name, a credential receiver name, and a credential issuer time; UE (user Equipment)2Receiving to UE1After the returned credential list, the user selects the new equipment UE to be synchronized according to the name of the invoicer, the name of the invoicer and the invoicing time2Credential data of, then the UE2To the UE1Sending tickets _ list _ select of the to-be-synchronized ticket list; UE (user Equipment)1After receiving tickets _ list _ select of the credential list to be synchronized, sending the credential data required in the list to the UE2;
UE2Storing the received credential data locally and then to the UE1Returning the unique identification ticket _ ID of all stored credentialsnAnd signature of unique identification number to all certificatesUE1Informing SERVER of all UEs2Synchronized credential unique identification number, and UE2A signature of a unique identification number to a credential; SERVER receives data packet and then verifies UE2By writing the signature in the database to the UE2And the synchronized ticket identification number in the equipment, and then to the UE1Returning a synchronization completion response, UE1Disconnecting the UE after receiving the synchronization completion response2D2D, and credential flow is complete.
2. The D2D-based e-credential secure circulation method of claim 1, wherein the D2D-based e-credential secure circulation method specifically comprises:
user intended by UE1To the UE2Transferring credential status information, UE1Broadcasting data packet for requesting to establish D2D connection channel, wherein the data packet includes UE1Certificate of (Cert)1Time stamp of systemRandom number random1And UE1Signature on system time stamp and random number
Second step, UE2→UE1:
UE2After receiving the broadcast data packet, verifying the UE in the data packet by using the certificate of the SERVER which is built in when leaving the factory1Validity of certificate, and confirmation of UE at user1After the information obtained, the obtained UE is utilized1Certificate of (2) verifying the UE1To pairAnd random1Is signedThen checks the time stampWhether the random number random is within the allowed time period1Whether it has occurred within the allowed time period, if the UE has1Certificate failure, signature verification failure,Beyond the allowed time period, random1Over-satisfaction of the UE occurs within an allowed time period1Certificate failure, signature verification failure,Beyond the allowed time period, random1Discarding the data packet and sending the data packet to the UE when any condition occurs within the allowed time period1Sending a communication rejection data packet and disconnecting, otherwise, UE2To the UE1Transmitting a response packet, the packet comprising: UE (user Equipment)2Certificate of (Cert)2、UE2To random1Is signedCert1Time stamp of systemRandom number random2And UE2To UE1Certificate of (2), system time stamp and signature of random number
UE1Receiving to UE2The returned response packet utilizes the certificate of the SERVER built in the factory to verify the UE in the data packet2Validity of certificate, and confirmation of UE at user2After the information obtained, the obtained UE is utilized2Certificate of (2) verifying the UE2To pairAnd random2Is signedThen comparing the UE in the received data packet1Checking whether the certificate is identical to a certificate stored in the device, checking the timestampWhether the random number random is within the allowed time period2Whether it has occurred within the allowed time period, if the UE has2Certificate is illegal, signature verification fails, and UE1The certificate comparison is inconsistent,Beyond the allowed time period, random2Over-satisfaction of the UE occurs within an allowed time period2Certificate is illegal, signature verification fails, and UE1The certificate comparison is inconsistent,Beyond the allowed time period, random2Discarding the data packet and sending the data packet to the UE when any condition occurs within the allowed time period2Sending a communication rejection data packet and disconnecting, otherwise, UE1Sending a D2D parameter request data packet to the SERVER, wherein the data packet comprises: cert1、Cert2、UE1To random1Is signedBy UE2The response packet being obtainedSystem time stampRandom number random3;
SERVER receiving UE1After the transmitted D2D parameter request data packet is compared with the Cert in the received data packet1、Cert2Whether the certificate is consistent with the certificate backup stored in the certificate library or not and then verifyingAndwhether the result of the signature verification is consistent or not, and checking the timestampWhether the random number random is within the allowed time period3Whether the certificate appears within an allowed time period or not, if the certificate is inconsistent with the backup in the certificate library, the signature checking result is different,Beyond the allowed time period, random3The situation that the satisfied certificate is inconsistent with the backup in the certificate bank, the signature verification result is different occurs in the allowed time period,Beyond the allowed time period, random3Discarding the data packet and sending the data packet to the UE when any condition occurs within the allowed time period1Sending a communication rejection data packet and disconnecting, otherwise, the SERVER sends the UE to the UE1Transmitting a D2D parameter response packet, the packet comprising: time stamping of systemRandom number random4And SERVER signing system time stamp, random number
Fifth step, UE1→UE2:
UE1The timestamp is checked after receiving the D2D parameter response packet returned by the SERVERWhether the random number random is within the allowed time period4Whether it has occurred within the allowed time period, ifHas exceeded the allowed time period or random number random4Discarding the data packet and requesting to resend the D2D parameter to the SERVER if the occurrence in the allowed time period is over, otherwise, the UE1Selecting a random number a, calculating ga,UE1To the UE2Transmitting a D2D parameter notification packet, the packet comprising:random4、gatime stamp of systemRandom number random5And UE1For gaTime stamp of system and signature of random numberThe data packet uses the UE2Public key PK2Encrypting and sending;
UE2After receiving the D2D parameter notification packet, the UE is firstly used2Decrypting the data packet by the private key of the private key, and verifying the data packet by using the certificate of the SERVER which is built in when the private key leaves the factoryUsing the UE obtained in the second step1Certificate verification ofValidity of (2), check the time stamp finallyWhether the random number random is within the allowed time period4、random5If the data packet is not decrypted, whether the data packet appears within the allowed time period,Failure of signature verification,Failure of signature verification,Or TS5Has exceeded the allowed time period, random4Or random5The data packet which is over-satisfied in the allowed time period can not be decrypted,Failure of signature verification,Failure of signature verification,OrHas exceeded the allowed time period, random4Or random5Discarding the data packet and sending the data packet to the UE when any condition occurs in the allowed time period1Sending a communication rejection data packet and disconnecting, otherwise, UE2Selecting a random number b, calculating gbAnd (g)a)bmod p,UE2To the UE1Transmitting a D2D parameter response packet, the packet comprising: gbTime stamp of systemRandom number random6And UE2For gbTime stamp of system and signature of random numberThe data packet uses the UE1Public key PK1Encrypting and sending;
seventh step, UE1→UE2:{START}K
UE1Receiving to UE2After the D2D parameter response packet is sent, the UE is first used1Decrypting the data packet by the private key of the UE, and then utilizing the UE obtained in the third step2Certificate verification ofValidity of (2), check the time stamp finallyWhether the random number random is within the allowed time period6If the data packet is not decrypted, whether the data packet appears within the allowed time period,Failure of signature verification,Has exceeded the allowed time period, random6The data packet which is over-satisfied in the allowed time period can not be decrypted,Failure of signature verification,Has exceeded the allowed time period, random6Discarding the data packet and sending the data packet to the UE when any condition occurs in the allowed time period2Sending a communication rejection data packet and disconnecting, otherwise, UE1Calculating (g)b)amod p,UE1To the UE2Transmitting a test communication packet including a communication START field START, the test communication packet using a negotiated symmetric encryption key K ═ gb)amod p=(ga)bmod p performs encryption;
eighth step, UE2→UE1:{ACK}K
UE2Receiving to UE1Decrypting the transmitted pilot communication data packet by using the symmetric encryption key K which is agreed, and if the test communication data packet cannot be decrypted, transmitting the decrypted data packet to the UE1Sending a communication rejection data packet and disconnecting, otherwise, UE2To the UE1Sending a trial communication response packet, the packet including a response field ACK, the packet using the negotiated symmetric encryption key K ═ gb)amod p=(ga)bmod p performs encryption;
ninth step, UE2→UE1:{taxpayer_ID}
UE2Completion and UE1After the channel is established, the user is in the new equipment UE2The UE inputs the self taxpayer identification number taxpayable _ ID2Sending the identification number to the UE through the established D2D channel1;
Tenth step, UE1→UE2:{tickets_list}
UE1Receiving to UE2After the taxpayer identification number taxpayer _ ID is sent, the UE is connected with the taxpayer identification number taxpaylayer _ ID1Comparing taxpayer identification numbers in locally stored credentials, generating a credential list ticket _ list by using the credentials matched with the taxpayer identification numbers, and returning the credential list ticket _ list to the UE2Each data item of the credential list comprises a credential issuer name, a credential receiver name, and a credential issuer time;
the tenth step, UE2→UE1:{tickets_list_selected}
UE2Receiving to UE1After the returned credential list, the user selects the new equipment UE to be synchronized according to the name of the invoicer, the name of the invoicer and the invoicing time2Credential data of, then the UE2To the UE1Sending tickets _ list _ select of the to-be-synchronized ticket list;
twelfth step, UE1→UE2:{tickets_data}
UE1After receiving tickets _ list _ select of the credential list to be synchronized, sending the credential data required in the list to the UE2;
A thirteenth step of the UE1→UE2:
UE2Storing the received credential data locally and then to the UE1Returning the unique identification ticket _ ID of all stored credentialsnAnd signature of unique identification number to all certificates
Fourteenth step, UE1→SERVER:
UE1Informing SERVER of all UEs2Synchronized credential unique identification number, and UE2A signature of a unique identification number to a credential;
fifteenth step, SERVER → UE1:{synchron_complete}
SERVER receives data packet and then verifies UE2By writing the signature in the database to the UE2And the synchronized ticket identification number in the equipment, and then to the UE1Returning a synchronization completion response, UE1Disconnecting the UE after receiving the synchronization completion response2D2D, and credential flow is complete.
3. A D2D-based e-credential secure circulation system implementing the D2D-based e-credential secure circulation method of claim 1, wherein the D2D-based e-credential secure circulation system comprises: electronic credential server, user device 1, user device 2;
the user equipment 1 is connected with the electronic credential server through a communication network, and the user equipment 1 is connected with the user equipment 2 through a D2D channel;
the electronic credential server comprises a certificate issuing module, an authentication module and a data storage module, the user equipment is provided with a login module, a data transmission module and a D2D module, and each user equipment is internally provided with an equipment certificate issued by a CA (certificate authority) and an equipment private key when leaving a factory, and a certificate of the electronic credential server.
4. The D2D-based e-credential secure circulation system of claim 3, wherein the e-credential server is connected with a user device through a communication network; the certificate issuing module is responsible for issuing data required by authentication for a legal user, and comprises a trusted certificate containing an electronic certificate server signature, a certificate copy for storing a user who has issued the certificate, and related certificate data required by the authentication module in the authentication process; the authentication module is responsible for processing a login request submitted by a user, requesting necessary certificate verification data to the certificate issuing module to complete login verification, interacting with the data storage module after the user successfully logs in, and sending bill data of the user to user equipment; the data storage module is responsible for storing the bill data of the user and sending the corresponding bill data to the login module after receiving the bill data request of the login module.
5. The D2D-based e-credential secure circulation system of claim 3, wherein the user device comprises a login module, a data transmission module, and a D2D module, and each user device is factory installed with: CA issued device certificate and device private key, certificate of electronic certificate server and Hash algorithm, symmetric encryption and decryption algorithm, asymmetric encryption and decryption algorithm and p-1 medium multiplication group Z adopted by electronic certificate systemp *The g and p parameters of (1); p is prime number, g is generator;
the login module is used for receiving a login request initiated by a user and interacting with the electronic credential server through a communication network; the data transmission module is responsible for storing the bill data sent by the electronic credential server and sending the required data to the D2D module when the D2D module requests the bill data; the D2D module is responsible for completing device authentication, establishing a secure D2D channel, and completing the secure circulation of credentials between new and old devices of the same user.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910123597.1A CN110011791B (en) | 2019-02-18 | 2019-02-18 | D2D-based electronic credential secure circulation method and system and electronic credential system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910123597.1A CN110011791B (en) | 2019-02-18 | 2019-02-18 | D2D-based electronic credential secure circulation method and system and electronic credential system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110011791A CN110011791A (en) | 2019-07-12 |
CN110011791B true CN110011791B (en) | 2021-07-09 |
Family
ID=67165826
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910123597.1A Active CN110011791B (en) | 2019-02-18 | 2019-02-18 | D2D-based electronic credential secure circulation method and system and electronic credential system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110011791B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113159872B (en) * | 2021-02-26 | 2024-03-29 | 西安电子科技大学 | Privacy protection online billing service authentication method, system, storage medium and application |
CN116049802B (en) * | 2023-03-31 | 2023-07-18 | 深圳竹云科技股份有限公司 | Application single sign-on method, system, computer equipment and storage medium |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102571376A (en) * | 2012-02-24 | 2012-07-11 | 苏州阔地网络科技有限公司 | Method and system for implementing multi-window chat |
CN102711105A (en) * | 2012-05-18 | 2012-10-03 | 华为技术有限公司 | Method, device and system for communication through mobile communication network |
CN103595750A (en) * | 2012-08-17 | 2014-02-19 | 华为技术有限公司 | Method, terminal and network side for peer-to-pear communication |
CN104660567A (en) * | 2013-11-22 | 2015-05-27 | 中国联合网络通信集团有限公司 | D2D terminal access authentication method as well as D2D terminal and server |
CN106953727A (en) * | 2017-03-13 | 2017-07-14 | 南京邮电大学 | Based on the group safety certifying method without certificate in D2D communications |
CN107251591A (en) * | 2015-03-13 | 2017-10-13 | 英特尔Ip公司 | Device-to-device discovery and system, the method and apparatus of communication for safety |
-
2019
- 2019-02-18 CN CN201910123597.1A patent/CN110011791B/en active Active
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102571376A (en) * | 2012-02-24 | 2012-07-11 | 苏州阔地网络科技有限公司 | Method and system for implementing multi-window chat |
CN102711105A (en) * | 2012-05-18 | 2012-10-03 | 华为技术有限公司 | Method, device and system for communication through mobile communication network |
CN103595750A (en) * | 2012-08-17 | 2014-02-19 | 华为技术有限公司 | Method, terminal and network side for peer-to-pear communication |
CN104660567A (en) * | 2013-11-22 | 2015-05-27 | 中国联合网络通信集团有限公司 | D2D terminal access authentication method as well as D2D terminal and server |
CN107251591A (en) * | 2015-03-13 | 2017-10-13 | 英特尔Ip公司 | Device-to-device discovery and system, the method and apparatus of communication for safety |
CN106953727A (en) * | 2017-03-13 | 2017-07-14 | 南京邮电大学 | Based on the group safety certifying method without certificate in D2D communications |
Non-Patent Citations (4)
Title |
---|
"D2D通信的认证和密钥协商协议研究";卢昊旗;《中国优秀硕士学位论文全文数据库信息科技辑》;20160415;第I136-286页 * |
"D2D通信的隐私安全研究";张亚楠;《中国优秀硕士学位论文全文数据库信息科技辑》;20180615;第I138-81页 * |
"Secure Key Establishment for Device-to-Device Communications";Wenlong Shen等;《IEEE》;20150212;第1-5页 * |
"设备到设备_D2D_通信安全和隐私保护研究";王明君;《中国博士学位论文全文数据库信息科技辑》;20181215;第I136-26页 * |
Also Published As
Publication number | Publication date |
---|---|
CN110011791A (en) | 2019-07-12 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111083131B (en) | Lightweight identity authentication method for power Internet of things sensing terminal | |
EP1277301B1 (en) | Method for transmitting payment information between a terminal and a third equipement | |
CN103051453B (en) | A kind of mobile terminal network affaris safety trade system based on digital certificate and method | |
CN110581854B (en) | Intelligent terminal safety communication method based on block chain | |
CN103763356B (en) | A kind of SSL establishment of connection method, apparatus and system | |
CN103501191B (en) | A kind of mobile payment device based on NFC technology and method thereof | |
WO2022021992A1 (en) | Data transmission method and system based on nb-iot communication, and medium | |
CN103905384B (en) | The implementation method of session handshake between built-in terminal based on secure digital certificate | |
EP1610202A1 (en) | Using a portable security token to facilitate public key certification for devices in a network | |
CN107659406A (en) | A kind of resource operating methods and device | |
CN102026180A (en) | M2M transmission control method, device and system | |
CN111163109B (en) | Block chain center-removing type node anti-counterfeiting method | |
CN113630248B (en) | Session key negotiation method | |
CN113612610B (en) | Session key negotiation method | |
KR20110083886A (en) | Apparatus and method for other portable terminal authentication in portable terminal | |
CN106713236A (en) | End-to-end identity authentication and encryption method based on CPK identifier authentication | |
CN108632042A (en) | A kind of class AKA identity authorization systems and method based on pool of symmetric keys | |
CN111541716A (en) | Data transmission method and related device | |
CN111884811A (en) | Block chain-based data evidence storing method and data evidence storing platform | |
CN110011791B (en) | D2D-based electronic credential secure circulation method and system and electronic credential system | |
CN114331456A (en) | Communication method, device, system and readable storage medium | |
CN112417502B (en) | Distributed instant messaging system and method based on block chain and decentralized deployment | |
CN116582277B (en) | Identity authentication method based on BACnet/IP protocol | |
CN114826593B (en) | Quantum security data transmission method and digital certificate authentication system | |
CN113676330B (en) | Digital certificate application system and method based on secondary secret key |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | ||
CB03 | Change of inventor or designer information | ||
CB03 | Change of inventor or designer information |
Inventor after: Cao Jin Inventor after: Liu Xiang Inventor after: Li Hui Inventor after: Zhu Hui Inventor after: Zhao Xingwen Inventor before: Cao Jin Inventor before: Liu Xiang Inventor before: Li Hui Inventor before: Zhu Hui Inventor before: Zhao Xingwen |