CN110011791B - D2D-based electronic credential secure circulation method and system and electronic credential system - Google Patents

Abstract

The invention belongs to the technical field of D2D communication, and discloses a D2D-based electronic certificate safe circulation method and system, an electronic certificate system and user equipment 1 (UE)₁) Connected to an electronic credential SERVER (SERVER) via a communication network, user equipment 1 (UE)₁) With user equipment 2 (UE)₂) Connected through a D2D channel. The electronic credential server is provided with a certificate issuing module (CA), an authentication module (AS) and a data storage module (DB), and the user equipment is provided with a login module, a data transmission module and a D2D module. In the invention, the same user has more than 1 device, and 1 device (UE) is existed in the device₁) Authentication with the e-credential server and data transfer is completed. Other devices do not need to establish network connection with the electronic certificate server again, and the other devices can establish network connection with the UE₁And establishing a D2D channel to complete the transfer of the bill state. The invention has reasonable structure, can save communication resources of the electronic document server, simplify user operation and shorten document transfer time consumption.

Description

D2D-based electronic credential secure circulation method and system and electronic credential system

Technical Field

The invention belongs to the technical field of D2D communication, and particularly relates to a D2D-based electronic credential safe circulation method and system and an electronic credential system.

Background

Currently, the current state of the art commonly used in the industry is such that: after a user successfully logs in and downloads the relevant electronic credential information by using one device, if a new device is purchased and wants to synchronize credential data on the new device, the new device needs to be networked to communicate with the server, and the electronic credential information is downloaded from the server after the login-authentication process is repeated. With the progress of the paper removal and electronization of the ticket system, more and more users use the electronic credential system. The electronic document system server needs to process a large number of login and data transmission requests, the large number of requests bring huge processing pressure to the server, communication overhead is reduced for the server, communication frequency band resources are saved, the transfer process of electronic document data between user equipment is simplified, and the design of a bill transfer scheme of the electronic document system is an urgent need.

With the progress of the paper removal and electronization of the ticket system, more and more users use the electronic credential system. If a user purchases a new mobile device and wants to synchronize the electronic invoice of an old device with a new device, a login-authentication process must be performed on the new device once, the new device downloads the electronic invoice from a WeChat bill server to the new device after login succeeds, and thus the electronic voucher system server needs to process a large number of login and data transmission requests, a large number of login requests bring huge pressure to the server, and the electronic voucher system requires that the system has the characteristics of high throughput, high concurrency, quick response and the like, for safe circulation of electronic vouchers, the new device and the old device are close in distance and owned by the same user, and the login-authentication process does not need to be repeated once again, so that the login-authentication process of the new device is simplified, and the pressure of the server is reduced, the user can complete the synchronization of the new and old equipment bills without logging in for 2 times.

In summary, the problems of the prior art are as follows: the electronic credential system server needs to process a large amount of login and data transmission requests, and the large amount of login requests bring huge pressure to the server; for the safe circulation of the electronic certificates, the new device and the old device are close to each other and owned by the same user, and the login-authentication process does not need to be repeated.

The difficulty of solving the technical problems is as follows:

the difficulty in solving the above problem is to ensure the security and reliability of the channel between the new device and the old device D2D and how to properly transfer the credential data of the old device to the new device after the channel is established.

The significance of solving the technical problems is as follows:

after the problem is solved, the service pressure of the electronic certificate server can be relieved, the processing resources of the server can be saved, the user operation can be simplified, and the safe flow speed of the electronic certificate can be accelerated.

Disclosure of Invention

Aiming at the problems in the prior art, the invention provides a D2D-based electronic credential secure circulation method and system and an electronic credential system.

The invention is realized in such a way that an electronic credential safety circulation method based on D2D comprises the following steps:

the user equipment is connected with the electronic credential server through a communication network, the user equipment is connected through a D2D channel, and after mutual authentication is completed, the user equipment acquires the UE in real time or periodically₁Current and future ticket states; the electronic credential server comprises but is not limited to a certificate issuing module, an authentication module and a data storage module, the user equipment is provided with a login module, a data transmission module and a D2D module, and each user equipment is internally provided with a device certificate issued by a CA (certificate authority) and a device private key when leaving a factory, and the certificate of the electronic credential server.

Further, the D2D-based electronic credential secure circulation method comprises the following steps:

(1) the user equipment 1 establishes a secure connection with the electronic credential server through a communication network, a user logs in after the secure connection is established, and the electronic credential server sends a credential that the user successfully logs in to the user equipment 1 after the login is successful and transmits electronic credential data with the user equipment 1; the user equipment 1 and the electronic credential server successfully establish a secure connection through a communication network and complete the transmission of the electronic credential data after successful login is a necessary condition of a ticket transfer scheme based on the D2D technology;

(2) at user equipment 1UE₁After the login process is finished, the user purchases a new device, namely user equipment 2UE₂The user wants to securely transfer the electronic credential data in the user device 1 to the user device 2 without the need for the device 2 to log on to the internet; UE (user Equipment)₁Broadcasting data packet, including UE₁Certificate of (Cert)₁Time stamp of data packet broadcasting

Random number random₁And UE₁To pair

And random₁Is signed

UE₂Receiving the broadcast packet, first verifying the Cert₁The validity of (2); then checking

random₁After checking the label

Whether the two are consistent; after passing the verification, the UE₂To the UE₁Sending a response packet, wherein the data packet comprises the UE₂Certificate of (Cert)₂、UE₁Certificate of (Cert)₁Time stamp at the time of packet generation

Random number random₂、UE₂To random₁Is signed

And UE₂For Cert₁、

And random₂Is signed

UE₁Upon receiving the response, the Cert is first verified₂The received Cert is verified₁Comparing the certificate with the certificate of the equipment to check whether the certificate is consistent;

then check Cert₁，

random₂After checking the label

Whether the two are consistent; after passing the verification, the UE₁Sending a D2D request data packet to an electronic certificate SERVER SERVER, wherein the data packet comprises Cert₁、Cert₂、UE₁To random₁Is signed

Slave UE₂Derived from returned responses

Time stamp for data packet generation

Random number random₃(ii) a When the SERVER receives the D2D request, Cert is firstly transmitted₁、Cert₂Comparing the certificate with the backup certificate in the certificate issuing module to determine whether the certificate is consistent with the backup certificate, and then verifying

The signature of (2); after passing the verification, the UE₁Sending a response data packet, wherein the data packet comprises a time stamp when the data packet is generated

Random number random₄SERVER pairs (

random₄) Is signed

UE₁After receiving the information sent by the SERVER, selecting a random number a to calculate g^aTo the UE₂The transmission packet includes:

random₄、

g^a、

random₅、

and the data packet uses the UE₂The public key is encrypted for transmission; UE (user Equipment)₂After receiving the data packet, decrypting by using the private key thereof and verifying the SERVER and the UE₁Is verified to obtain g^a；UE₂Selecting a random number b, and calculating g^bBackward UE₁The transmission packet includes: g^bTime stamp at the time of packet generation

Random number random₆、UE₂To (g)^b,

random₆) Is signed

And the data packet uses the UE₁The public key is encrypted and transmitted; UE (user Equipment)₁After receiving the data packet, the UE is verified after being decrypted by using the private key of the UE₂Is verified to obtain g^b；K＝(g^a)^b mod p＝(g^b)^amod p is UE₁And UE₂Communication key of, UE₂Completion and UE₁After the channel is established, the user is in the new equipment UE₂The UE inputs the self taxpayer identification number taxpayable _ ID₂Sending the identification number to the UE through the established D2D channel₁；UE₁Receiving to UE₂After the taxpayer identification number taxpayer _ ID is sent, the UE is connected with the taxpayer identification number taxpaylayer _ ID₁Comparing taxpayer identification numbers in locally stored credentials, generating a credential list ticket _ list by using the credentials matched with the taxpayer identification numbers, and returning the credential list ticket _ list to the UE₂Each data item of the credential list includes, but is not limited to, a credential issuer name, a credential receiver name, and a credential issuer time; UE (user Equipment)₂Receiving to UE₁After the returned credential list, the user selects the new equipment UE to be synchronized according to the name of the invoicer, the name of the invoicer and the invoicing time₂Credential data of, then the UE₂To the UE₁Sending tickets _ list _ select of the to-be-synchronized ticket list; UE (user Equipment)₁After receiving tickets _ list _ select of the credential list to be synchronized, sending the credential data required in the list to the UE₂；

UE₂Storing the received credential data locally and then to the UE₁Returning the unique identification ticket _ ID of all stored credentials_nAnd signature of unique identification number to all certificates

UE₁Informing SERVER of all UEs₂Synchronized credential unique identification number, and UE₂A signature of a unique identification number to a credential; SERVER receives data packet and then verifies UE₂By writing the signature in the database to the UE₂And the synchronized ticket identification number in the equipment, and then to the UE₁Returning a synchronization completion response, UE₁Disconnecting the UE after receiving the synchronization completion response₂D2D, and credential flow is complete.

Further, the D2D-based electronic credential secure circulation method specifically includes:

first step, UE₁Broadcasting:

user intended by UE₁To the UE₂Transferring credential status information, UE₁Broadcasting data packet for requesting to establish D2D connection channel, wherein the data packet includes UE₁Certificate of (Cert)₁Time stamp of system

Random number random₁And UE₁Signature on system time stamp and random number

Second step, UE₂→UE₁：

UE₂After receiving the broadcast data packet, verifying the UE in the data packet by using the certificate of the SERVER which is built in when leaving the factory₁Validity of certificate, and confirmation of UE at user₁After the information obtained, the obtained UE is utilized₁Certificate of (2) verifying the UE₁To pair

And random₁Is signed

Then checks the time stamp

Whether the random number random is within the allowed time period₁Whether it has occurred within the allowed time period, if the UE has₁Certificate failure, signature verification failure,

Go beyondAllowed time period, random₁Dropping the data packet and sending the data packet to the UE when any one of the conditions is over-satisfied within the allowed time period₁Sending a communication rejection data packet and disconnecting, otherwise, UE₂To the UE₁Transmitting a response packet, the packet comprising: UE (user Equipment)₂Certificate of (Cert)₂、UE₂To random₁Is signed

Cert₁Time stamp of system

Random number random₂And UE₂To UE₁Certificate of (2), system time stamp and signature of random number

Third step, UE₁→SERVER：

UE₁Receiving to UE₂The returned response packet utilizes the certificate of the SERVER built in the factory to verify the UE in the data packet₂Validity of certificate, and confirmation of UE at user₂After the information obtained, the obtained UE is utilized₂Certificate of (2) verifying the UE₂For Cert₁、

And random₂Is signed

Then comparing the UE in the received data packet₁Checking whether the certificate is identical to a certificate stored in the device, checking the timestamp

Whether the random number random is within the allowed time period₂Whether within an allowed time periodIf it is, if UE₂Certificate is illegal, signature verification fails, and UE₁The certificate comparison is inconsistent,

Beyond the allowed time period, random₂Dropping the data packet and sending the data packet to the UE when any one of the conditions is over-satisfied within the allowed time period₂Sending a communication rejection data packet and disconnecting, otherwise, UE₁Sending a D2D parameter request data packet to the SERVER, wherein the data packet comprises: cert₁、Cert₂、UE₁To random₁Is signed

By UE₂The response packet being obtained

System time stamp T_S3Random number random₃；

Fourth step, SERVER → UE₁：

SERVER receiving UE₁After the transmitted D2D parameter request data packet is compared with the Cert in the received data packet₁、Cert₂Whether the certificate is consistent with the certificate backup stored in the certificate library or not and then verifying

And

whether the result of the signature verification is consistent or not, and checking the timestamp

Whether the random number random is within the allowed time period₃Whether the certificate appears within an allowed time period or not, if the certificate is inconsistent with the backup in the certificate library, the signature checking result is different,

Beyond the allowed time period, random₃Dropping the data packet and sending the data packet to the UE when any one of the conditions is over-satisfied within the allowed time period₁Sending a communication rejection data packet and disconnecting, otherwise, the SERVER sends the UE to the UE₁Transmitting a D2D parameter response packet, the packet comprising: time stamping of system

Random number random₄And SERVER signing system time stamp, random number

Fifth step, UE₁→UE₂：

UE₁The timestamp is checked after receiving the D2D parameter response packet returned by the SERVER

Whether the random number random is within the allowed time period₄Whether it has occurred within the allowed time period, if

Has exceeded the allowed time period or random number random₄Discarding the data packet and requesting to resend the D2D parameter to the SERVER if the occurrence in the allowed time period is over, otherwise, the UE₁Selecting a random number a, calculating g^a，UE₁To the UE₂Transmitting a D2D parameter notification packet, the packet comprising:

random₄、

g^atime stamp of system

Random number random₅And UE₁For g^aTime stamp of system and signature of random number

The data packet uses the UE₂Public key PK₂Encrypting and sending;

sixth step, UE₂→UE₁：

UE₂After receiving the D2D parameter notification packet, the UE is firstly used₂Decrypting the data packet by the private key of the private key, and verifying the data packet by using the certificate of the SERVER which is built in when the private key leaves the factory

Using the UE obtained in ii₁Certificate verification of

Validity of (2), check the time stamp finally

Whether the random number random is within the allowed time period₄、random₅If the data packet is not decrypted, whether the data packet appears within the allowed time period,

Failure of signature verification,

Failure of signature verification,

Or

Has exceeded the allowed time period, random₄Or random₅Dropping data packets and sending the data packets to the UE when any one of the above conditions is over satisfied within the allowed time period₁Sending a communication rejection data packet and disconnecting, otherwise, UE₂Selecting a random number b, calculating g^bAnd (g)^a)^b mod p，UE₂To the UE₁Transmitting a D2D parameter response packet, the packet comprising: g^bTime stamp of system

Random number random₆And UE₂For g^bTime stamp of system and signature of random number

The data packet uses the UE₁Public key PK₁Encrypting and sending;

seventh step, UE₁→UE₂：{START}_K

UE₁Receiving to UE₂After the D2D parameter response packet is sent, the UE is first used₁Decrypting the data packet by its own private key and then using the UE obtained in iii₂Certificate verification of

Validity of (2), check the time stamp finally

Whether the random number random is within the allowed time period₆If the data packet is not decrypted, whether the data packet appears within the allowed time period,

Failure of signature verification,

Has exceeded the allowed time period, random₆At the allowed timeIf one of the conditions is over-satisfied, the data packet is dropped and sent to the UE₂Sending a communication rejection data packet and disconnecting, otherwise, UE₁Calculating (g)^b)^a mod p，UE₁To the UE₂Transmitting a test communication packet including a communication START field START, the test communication packet using a negotiated symmetric encryption key K ═ g^b)^a mod p＝(g^a)^bmod p performs encryption;

eighth step, UE₂→UE₁：{ACK}_K

UE₂Receiving to UE₁Decrypting the transmitted pilot communication data packet by using the symmetric encryption key K which is agreed, and if the test communication data packet cannot be decrypted, transmitting the decrypted data packet to the UE₁Sending a communication rejection data packet and disconnecting, otherwise, UE₂To the UE₁Sending a trial communication response packet, the packet including a response field ACK, the packet using the negotiated symmetric encryption key K ═ g^b)^a mod p＝(g^a)^bmod p performs encryption;

ninth step, UE₂→UE₁：{taxpayer_ID}

UE₂Completion and UE₁After the channel is established, the user is in the new equipment UE₂The UE inputs the self taxpayer identification number taxpayable _ ID₂Sending the identification number to the UE through the established D2D channel₁；

Tenth step, UE₁→UE₂：{tickets_list}

UE₁Receiving to UE₂After the taxpayer identification number taxpayer _ ID is sent, the UE is connected with the taxpayer identification number taxpaylayer _ ID₁Comparing taxpayer identification numbers in locally stored credentials, generating a credential list ticket _ list by using the credentials matched with the taxpayer identification numbers, and returning the credential list ticket _ list to the UE₂Each data item of the credential list comprises a credential issuer name, a credential receiver name, and a credential issuer time;

the tenth step, UE₂→UE₁：{tickets_list_selected}

UE₂Receiving to UE₁Return toAfter the list of the vouchers, the user selects and needs to synchronize to the new equipment UE according to the name of the invoicing party, the name of the ticket collecting party and the invoicing time₂Credential data of, then the UE₂To the UE₁Sending tickets _ list _ select of the to-be-synchronized ticket list;

twelfth step, UE₁→UE₂：{tickets_data}

UE₁After receiving tickets _ list _ select of the credential list to be synchronized, sending the credential data required in the list to the UE₂；

A thirteenth step of the UE₁→UE₂：

UE₂Storing the received credential data locally and then to the UE₁Returning the unique identification ticket _ ID of all stored credentials_nAnd signature of unique identification number to all certificates

Fourteenth step, UE₁→SERVER：

UE₁Informing SERVER of all UEs₂Synchronized credential unique identification number, and UE₂A signature of a unique identification number to a credential;

fifteenth step, SERVER → UE₁：{synchron_complete}

SERVER receives data packet and then verifies UE₂By writing the signature in the database to the UE₂And the synchronized ticket identification number in the equipment, and then to the UE₁Returning a synchronization completion response, UE₁Disconnecting the UE after receiving the synchronization completion response₂D2D, and credential flow is complete.

Another object of the present invention is to provide a D2D-based e-credential secure circulation system for implementing the D2D-based e-credential secure circulation method, wherein the D2D-based e-credential secure circulation system comprises: electronic credential server, user device 1, user device 2;

the user equipment 1 is connected with the electronic credential server through a communication network, and the user equipment 1 is connected with the user equipment 2 through a D2D channel;

the electronic credential server comprises a certificate issuing module, an authentication module and a data storage module, the user equipment is provided with a login module, a data transmission module and a D2D module, and each user equipment is internally provided with an equipment certificate issued by a CA (certificate authority) and an equipment private key when leaving a factory, and a certificate of the electronic credential server.

The electronic document server is connected with the user equipment through a communication network; the certificate issuing module is responsible for issuing data required by authentication for a legal user, and comprises a trusted certificate containing an electronic certificate server signature, a certificate copy for storing a user who has issued the certificate, and related certificate data required by the authentication module in the authentication process; the authentication module is responsible for processing a login request submitted by a user, requesting necessary certificate verification data to the certificate issuing module to complete login verification, interacting with the data storage module after the user successfully logs in, and sending bill data of the user to user equipment; the data storage module is responsible for storing the bill data of the user and sending the corresponding bill data to the login module after receiving the bill data request of the login module.

Further, the user equipment includes a login module, a data transmission module, and a D2D module, and each user equipment is built in when leaving a factory, and includes: CA issued device certificate and device private key, certificate of electronic certificate server and Hash algorithm, symmetric encryption and decryption algorithm, asymmetric encryption and decryption algorithm and p-1 medium multiplication group Z adopted by electronic certificate system_p ^*The g and p parameters of (1); p is prime number, g is generator;

the login module is used for receiving a login request initiated by a user and interacting with the electronic credential server through a communication network; the data transmission module is responsible for storing the bill data sent by the electronic credential server and sending the required data to the D2D module when the D2D module requests the bill data; the D2D module is responsible for completing device authentication, establishing a secure D2D channel, and completing the secure circulation of credentials between new and old devices of the same user.

Another object of the present invention is to provide an electronic certificate system applying the D2D-based electronic certificate secure circulation method.

Another object of the present invention is to provide an information data processing terminal equipped with the electronic voucher system.

In summary, the advantages and positive effects of the invention are: D2D communication plays a very important role as an emerging communication means in communication networks and wireless systems. The D2D communication allows the adjacent devices to communicate directly under the control of the control node, with the help of D2D communication technology, the electronic document flow between the new and old devices of the user can be directly transferred under the control of the server, the new device can receive the transferred bill without connecting the server, compared with the prior art, the communication link between the new device and the electronic document server is omitted, the communication overhead of the electronic document server is reduced, the re-login operation of the user is saved, and the document transfer time consumption is shortened.

The invention satisfies 1. after the user logs in the old equipment, another login operation on the new equipment is not needed. 2. The new device can directly perform data transmission with the old device without establishing a communication channel with the electronic credential server respectively. 3. The communication link between the old device and the new device has good security, and the communication link between the old device and the new device should ensure enough security to resist most known attack means. The invention uses the symmetric encryption system, the asymmetric encryption system, the message signature, the message verification algorithm and the Diffie-Hellman key exchange algorithm in the cryptography, which are all acknowledged to have extremely high security. In the patent, the D2D communication equipment is generally close to each other and is within a visual distance range controllable by one person, so that the difficulty in eavesdropping, tampering and intercepting is increased, and the safety of the invention in the current society is enhanced. The invention is properly expanded, thereby greatly saving the communication expense of the electronic certificate server and facilitating the safe circulation of the electronic certificates between new equipment and old equipment.

The invention utilizes the characteristics of cryptography and D2D communication, solves the problem that the credential circulation of the electronic credential system needs to establish a communication link with the server again and log in again on new equipment at the present stage, lightens the service pressure of the credential server, improves the credential circulation speed, avoids replay attack by adopting the combination of the timestamp and the random number, ensures the integrity and non-repudiation of data transmission by adopting a signature algorithm, ensures that all symmetric communication session keys only play a role in the current communication, and needs to negotiate again in the next transmission after the transmission is finished, thereby ensuring the safety of the scheme. The D2D communication allows the adjacent equipment to carry on the direct communication under the control of the control node, under the help of D2D communication technology, the credential circulation between old and new equipment of users can carry on the direct transfer under the control of the server, the new equipment can be while receiving the bill transferred, do not need to connect the server, the apparatus of the credential is transferred by old and new server direct completion, compared with original technology save the communication link between electronic credential server and the new equipment, has reduced the communication expense of the electronic credential server, has saved the operation that users log on again, have shortened the credential and transferred the consumption time and guaranteed the data conformance of old and new equipment and server.

Drawings

Fig. 1 is a system structure diagram of an electronic credential server and a user device 1 according to an embodiment of the present invention.

Fig. 2 is a system structure diagram of a user equipment and a user equipment 2 according to an embodiment of the present invention.

Fig. 3 is a flowchart of a ticket transfer method based on the D2D technology in the electronic credential system according to an embodiment of the present invention.

Detailed Description

In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail with reference to the following embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.

The following detailed description of the principles of the invention is provided in connection with the accompanying drawings.

As shown in fig. 1 and fig. 2, the D2D-based e-credential secure circulation system according to the embodiment of the present invention includes: electronic credential server, user device 1, user device 2; user equipment 1 (UE)₁) Connected to an electronic credential SERVER (SERVER) via a communication network, user equipment 1 (UE)₁) With user equipment 2 (UE)₂) Connected through a D2D channel. The electronic credential server comprises but is not limited to a certificate issuing module (CA), an authentication module (AS) and a data storage module (DB), the user equipment comprises but is not limited to a login module, a data transmission module and a D2D module, and each user equipment is internally provided with a device certificate and a device private key issued by the CA when being shipped from the factory, and the certificate of the electronic credential server.

Each module of the user equipment is written by using a high-level programming language, and the login module is responsible for receiving a login request initiated by a user and interacting with the electronic credential server through a communication network; the data transmission module is responsible for storing the bill data sent by the electronic credential server and sending the required data to the D2D module when the D2D module requests the bill data; the D2D module is responsible for completing device authentication, establishing a safe D2D channel and completing the safe circulation of bills between new and old devices of the same user. The user equipment 1 establishes a secure connection with the electronic credential server through a communication network, a user logs in after the secure connection is established, and the electronic credential server sends a credential that the user successfully logs in to the user equipment 1 after the login is successful and transmits electronic credential data with the user equipment 1. The user equipment 1 and the electronic credential successfully establish a secure connection through a communication network, and after successful login, the user equipment 1 and the user equipment 2 can start to transfer the electronic credential, and the ticket transfer scheme based on the D2D technology specifically comprises the following steps:

i.UE₁broadcasting:

user intended by UE₁To the UE₂Transferring credential status information, UE₁Broadcasting data packet for requesting to establish D2D connection channel, wherein the data packet includes UE₁Certificate of (Cert)₁) Time stamp of system

Random number (random)₁) And UE₁Signature on system time stamp and random number

ii.UE₂→UE₁：

UE₂After receiving the broadcast data packet, verifying the UE in the data packet by using the certificate of the SERVER which is built in when leaving the factory₁Validity of certificate, and confirmation of UE at user₁After the information obtained, the obtained UE is utilized₁Certificate of (2) verifying the UE₁To pair

And random₁Is signed

Then checks the time stamp

Whether the random number random is within the allowed time period₁Whether it has occurred within the allowed time period, if the UE has₁Certificate failure, signature verification failure,

Beyond the allowed time period, random₁Dropping the data packet and sending the data packet to the UE when any one of the conditions is over-satisfied within the allowed time period₁Sending a communication rejection data packet and disconnecting, otherwise, UE₂To the UE₁Transmitting a response packet, the packet comprising: UE (user Equipment)₂Certificate of (Cert)₂)、UE₂To random₁Is signed

Cert₁Time stamp of system

Random number (random)₂) And UE₂To UE₁Certificate of (2), system time stamp and signature of random number

iii.UE₁→SERVER：

UE₁Receiving to UE₂The returned response packet utilizes the certificate of the SERVER built in the factory to verify the UE in the data packet₂Validity of certificate, and confirmation of UE at user₂After the information obtained, the obtained UE is utilized₂Certificate of (2) verifying the UE₂For Cert₁、

And random₂Is signed

Then comparing the UE in the received data packet₁Checking whether the certificate is identical to a certificate stored in the device, checking the timestamp

Whether the random number random is within the allowed time period₂Whether it has occurred within the allowed time period, if the UE has₂Certificate is illegal, signature verification fails, and UE₁The certificate comparison is inconsistent,

Exceeds the allowable time period、random₂Dropping the data packet and sending the data packet to the UE when any one of the conditions is over-satisfied within the allowed time period₂Sending a communication rejection data packet and disconnecting, otherwise, UE₁Sending a D2D parameter request data packet to the SERVER, wherein the data packet comprises: cert₁、Cert₂、UE₁To random₁Is signed

By UE₂The response packet being obtained

System time stamp

Random number (random)₃)。

iv.SERVER→UE₁：

SERVER receiving UE₁After the transmitted D2D parameter request data packet is compared with the Cert in the received data packet₁、Cert₂Whether the certificate is consistent with the certificate backup stored in the certificate library or not and then verifying

And

whether the result of the signature verification is consistent or not, and checking the timestamp

Whether the random number random is within the allowed time period₃Whether the certificate appears within an allowed time period or not, if the certificate is inconsistent with the backup in the certificate library, the signature checking result is different,

Beyond the allowed time period, random₃During the allowed time periodDiscarding the data packet and sending the data packet to the UE when one of the conditions is over-satisfied₁Sending a communication rejection data packet and disconnecting, otherwise, the SERVER sends the UE to the UE₁Transmitting a D2D parameter response packet, the packet comprising: time stamping of system

Random number (random)₄) And SERVER signing system time stamp, random number

v.UE₁→UE₂：

UE₁The timestamp is checked after receiving the D2D parameter response packet returned by the SERVER

Whether the random number random is within the allowed time period₄Whether it has occurred within the allowed time period, if

Has exceeded the allowed time period or random number random₄Discarding the data packet and requesting to resend the D2D parameter to the SERVER if the occurrence in the allowed time period is over, otherwise, the UE₁Selecting a random number a, calculating g^a，UE₁To the UE₂Transmitting a D2D parameter notification packet, the packet comprising:

random₄、

g^atime stamp of system

Random number (random)₅) And UE₁For g^aSystem time stamp and signature of random number (g)^a,

random₅)_SK1The data packet uses the UE₂Public key PK₂And (5) encrypting and sending.

vi.UE₂→UE₁：

UE₂After receiving the D2D parameter notification packet, the UE is firstly used₂Decrypting the data packet by the private key of the private key, and verifying the data packet by using the certificate of the SERVER which is built in when the private key leaves the factory

Using the UE obtained in ii₁Certificate verification (g)^a,

random₅)_SK1Validity of (2), check the time stamp finally

Whether the random number random is within the allowed time period₄、random₅If the data packet is not decrypted, whether the data packet appears within the allowed time period,

Failure of signature verification, (g)^a,

random₅)_SK1Failure of signature verification,

Or

Has exceeded the allowed time period, random₄Or random₅Dropping data packets and sending the data packets to the UE when any one of the above conditions is over satisfied within the allowed time period₁Sending a communication rejection data packet and disconnecting, otherwise, UE₂Selecting a random number b, calculating g^bAnd (g)^a)^b mod p，UE₂To the UE₁Transmitting a D2D parameter response packet, the packet comprising: g^bTime stamp of system

Random number (random)₆) And UE₂For g^bTime stamp of system and signature of random number

The data packet uses the UE₁Public key PK₁And (5) encrypting and sending.

vii.UE₁→UE₂：{START}_K

UE₁Receiving to UE₂After the D2D parameter response packet is sent, the UE is first used₁Decrypting the data packet by its own private key and then using the UE obtained in iii₂Certificate verification of

Validity of (2), check the time stamp finally

Whether the random number random is within the allowed time period₆If the data packet is not decrypted, whether the data packet appears within the allowed time period,

Failure of signature verification,

Has exceeded the allowed time period, random₆The occurrence of over-satisfaction of any one of the above conditions within the allowable time periodDiscard the packet and send it to the UE₂Sending a communication rejection data packet and disconnecting, otherwise, UE₁Calculating (g)^b)^a mod p，UE₁To the UE₂Transmitting a test communication packet including a communication START field START, the test communication packet using a negotiated symmetric encryption key K ═ g^b)^a mod p＝(g^a)^bmod p performs encryption.

viii.UE₂→UE₁：{ACK}_K

UE₂Receiving to UE₁Decrypting the transmitted pilot communication data packet by using the symmetric encryption key K which is agreed, and if the test communication data packet cannot be decrypted, transmitting the decrypted data packet to the UE₁Sending a communication rejection data packet and disconnecting, otherwise, UE₂To the UE₁Sending a trial communication response packet, the packet including a response field ACK, the packet using the negotiated symmetric encryption key K ═ g^b)^a mod p＝(g^a)^bmod p performs encryption.

ix.UE₂→UE₁：{taxpayer_ID}

UE₂Completion and UE₁After the channel is established, the user is in the new equipment UE₂Enters its own taxpayer identification number (taxpayerID), UE₂Sending the identification number to the UE through the established D2D channel₁。

x.UE₁→UE₂：{tickets_list}

UE₁Receiving to UE₂After the taxpayer identification number (taxpayerID) is sent, the UE is contacted with the taxpayer identification number (taxpayerID)₁Comparing the taxpayer identification number in the locally stored certificate, generating a certificate list (ticket _ list) by using the certificate matched with the taxpayer identification number, and returning the certificate list to the UE₂Each data item of the credential list includes a credential issuer name, a credential receiver name, and a credential issuer time.

xi.UE₂→UE₁：{tickets_list_selected}

UE₂Receiving to UE₁After returning the credential list, the user makes a invoice according to the name of the invoicer, the name of the collector and the invoicingTicket time selection needs to be synchronized to the new device UE₂Credential data of, then the UE₂To the UE₁And sending a list of to-be-synchronized credentials (tickets _ list _ select).

xii.UE₁→UE₂：{tickets_data}

UE₁After receiving the list of credentials to be synchronized (tickets _ list _ select), the credentials required in the list are sent to the UE₂Credential data includes, but is not limited to: the unique identification number of the certificate, the tax number of the invoicing party, the address and the contact number of the invoicing party, the bank and the account number of the invoicing party, the invoicing date and the like.

xiii.UE₁→UE₂：

UE₂Storing the received credential data locally and then to the UE₁Returning unique identification numbers (ticket _ ID) of all stored credentials_n) And signature of unique identification number to all certificates

xiv.UE₁→SERVER：

UE₁Informing SERVER of all UEs₂Synchronized credential unique identification number, and UE₂A signature of the unique identification number to the credential.

xv.SERVER→UE₁：{synchron_complete}

SERVER receives data packet and then verifies UE₂By writing the signature in the database to the UE₂And the synchronized ticket identification number in the equipment, and then to the UE₁Returning a synchronization completion response, UE₁Disconnecting the UE after receiving the synchronization completion response₂D2D, credential flow is complete。

The application of the principles of the present invention will now be described in further detail with reference to the accompanying drawings.

As shown in fig. 3, after the user equipment 1 completes the login process, at this time, the user purchases a new user equipment 2, and the user wants to securely transfer the electronic credential data in the user equipment 1 to the user equipment 2 without the need of network login of the user equipment 2. User equipment 1 (UE)₁) Broadcasting data packet, including UE₁Certificate of (Cert)₁) Time stamp of data packet broadcasting

Random number (random)₁) And UE₁To pair

And random₁Is signed

User equipment 2 (UE)₂) Receiving the broadcast packet, first verifying the Cert₁Because the certificate of each device is issued by the CA and each device has a built-in e-credential server root certificate, the certificate validity can be verified. Then checking

random₁After checking the label

Whether they are consistent. After passing the verification, the UE₂To the UE₁Sending a response packet, wherein the data packet comprises the UE₂Certificate of (Cert)₂)、UE₁Certificate of (Cert)₁) Time stamp at the time of packet generation

Random number (random)₂)、UE₂To random₁Is signed

And UE₂For Cert₁、

And random₂Is signed

UE₁Upon receiving the response, the Cert is first verified₂The received Cert is verified₁Check for compliance with the certificate of the device itself, and then check for Cert₁，

random₂After checking the label

Whether they are consistent. After passing the verification, the UE₁Sending a D2D request packet to an electronic credential SERVER (SERVER), the packet including a Cert₁、Cert₂、UE₁To random₁Is signed

Slave UE₂Derived from returned responses

Time stamp for data packet generation

Random number (random)₃) (ii) a When the SERVER receives the D2D request, Cert is firstly transmitted₁、Cert₂Comparing the certificate with the backup certificate in the certificate issuing module to determine whether the certificate is consistent with the backup certificate, and then verifying

The signature of (2). Through SERVER to UE after verification₁Sending a response data packet, wherein the data packet comprises a time stamp when the data packet is generated

Random number (random)₄) SERVER pairs (

random₄) Is signed

UE₁After receiving the information sent by the SERVER, selecting a random number a to calculate g^aTo the UE₂The transmission packet includes:

random₄、

g^a、

random₅、

and the data packet uses the UE₂The public key is encrypted for transmission; UE (user Equipment)₂After receiving the data packet, decrypting the data packet by using the private key of the user, and verifying the signature of the SERVER and the UE₁Is verified to obtain g^a。UE₂Selecting a random number b, and calculating g^bBackward UE₁The transmission packet includes: g^bTime stamp at the time of packet generation

Random number (random)₆)、UE₂To (g)^b,

random₆) Is signed

And the data packet uses the UE₁The public key is encrypted and transmitted; UE (user Equipment)₁Receive toAfter the data packet is decrypted by using the private key of the user equipment, the UE is verified₂Is verified to obtain g^b；K＝(g^a)^bmod p＝(g^b)^amod p is UE₁And UE₂The communication key of (2); UE (user Equipment)₂Completion and UE₁After the channel is established, the user is in the new equipment UE₂Enters its own taxpayer identification number (taxpayerID), UE₂Sending the identification number to the UE through the established D2D channel₁；UE₁Receiving to UE₂After the taxpayer identification number (taxpayerID) is sent, the UE is contacted with the taxpayer identification number (taxpayerID)₁Comparing the taxpayer identification number in the locally stored certificate, generating a certificate list (ticket _ list) by using the certificate matched with the taxpayer identification number, and returning the certificate list to the UE₂Each data item of the credential list comprises a credential issuer name, a credential receiver name, and a credential issuer time; UE (user Equipment)₂Receiving to UE₁After the returned credential list, the user selects the new equipment UE to be synchronized according to the name of the invoicer, the name of the invoicer and the invoicing time₂Credential data of, then the UE₂To the UE₁Sending a list of to-be-synchronized credentials (tickets _ list _ select); UE (user Equipment)₁After receiving the list of credentials to be synchronized (tickets _ list _ select), the credentials required in the list are sent to the UE₂The credential data comprises: the certificate unique identification number, the invoicing party tax number, the invoicing party address and contact telephone number, the invoicing party account bank and account number, the invoicing date and the like; UE (user Equipment)₂Storing the received credential data locally and then to the UE₁Returning unique identification numbers (ticket _ ID) of all stored credentials_n) And signature of unique identification number to all certificates

UE₁Informing SERVER of all UEs₂Synchronized credential unique identification number, and UE₂A signature of a unique identification number to a credential; SERVER receives data packet and then verifies UE₂By writing the signature in the database to the UE₂And the synchronized ticket identification number in the equipment, and then to the UE₁Returning a synchronization completion response, UE₁Disconnecting the UE after receiving the synchronization completion response₂D2D, and credential flow is complete.

The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (5)

1. A D2D-based electronic credential secure circulation method is characterized in that the D2D-based electronic credential secure circulation method comprises the following steps:

the user equipment is connected with the electronic credential server through a communication network, the user equipment is connected through a D2D channel, and after mutual authentication is completed, the user equipment acquires the UE in real time or periodically₁Current and future ticket states; the electronic credential server comprises but is not limited to a certificate issuing module, an authentication module and a data storage module, the user equipment is provided with a login module, a data transmission module and a D2D module, and each user equipment is internally provided with an equipment certificate issued by CA (certificate authority) and an equipment private key when leaving a factory, and a certificate of the electronic credential server;

the D2D-based electronic credential secure circulation method comprises the following steps:

(1) the user equipment 1 establishes a secure connection with the electronic credential server through a communication network, a user logs in after the secure connection is established, and the electronic credential server sends a credential that the user successfully logs in to the user equipment 1 after the login is successful and transmits electronic credential data with the user equipment 1; the user equipment 1 and the electronic credential server successfully establish a secure connection through a communication network and complete the transmission of the electronic credential data after successful login is a necessary condition of a ticket transfer scheme based on the D2D technology;

(2) at user equipment 1UE₁After the login process is finished, the user purchases a new device, namely user equipment 2UE₂The user wants to power up the user device 1 without the need for a networked login to the device 2Secure transfer of sub-credential data into the user device 2; UE (user Equipment)₁Broadcasting data packet, including UE₁Certificate of (Cert)₁Time stamp of data packet broadcasting

Random number random₁And UE₁To pair

And random₁Is signed

UE₂Receiving the broadcast packet, first verifying the Cert₁The validity of (2); then checking

random₁After checking the label

Whether the two are consistent; after passing the verification, the UE₂To the UE₁Sending a response packet, wherein the data packet comprises the UE₂Certificate of (Cert)₂、UE₁Certificate of (Cert)₁Time stamp at the time of packet generation

Random number random₂、UE₂To random₁Is signed

And UE₂For Cert₁、

And random₂Is signed

UE₁ReceivingUpon answering, Cert is first verified₂The received Cert is verified₁Comparing the certificate with the certificate of the equipment to check whether the certificate is consistent;

then check Cert₁，T_S2，random₂After checking the label

Whether the two are consistent; after passing the verification, the UE₁Sending a D2D request data packet to an electronic certificate SERVER SERVER, wherein the data packet comprises Cert₁、Cert₂、UE₁To random₁Is signed

Slave UE₂Derived from returned responses

Time stamp for data packet generation

Random number random₃(ii) a When the SERVER receives the D2D request, Cert is firstly transmitted₁、Cert₂Comparing the certificate with the backup certificate in the certificate issuing module to determine whether the certificate is consistent with the backup certificate, and then verifying

The signature of (2); after passing the verification, the UE₁Sending a response data packet, wherein the data packet comprises a time stamp when the data packet is generated

Random number random₄SERVER pair

Is signed

UE₁After receiving the information sent by the SERVER, selecting a random number a to calculate g^aTo the UE₂The transmission packet includes:

random₄、

g^a、

random₅、

g is a generator; and the data packet uses the UE₂The public key is encrypted for transmission; UE (user Equipment)₂After receiving the data packet, decrypting by using the private key thereof and verifying the SERVER and the UE₁Is verified to obtain g^a；UE₂Selecting a random number b, and calculating g^bBackward UE₁The transmission packet includes: g^bTime stamp at the time of packet generation

Random number random₆、UE₂To pair

Is signed

And the data packet uses the UE₁The public key is encrypted and transmitted; UE (user Equipment)₁After receiving the data packet, the UE is verified after being decrypted by using the private key of the UE₂Is verified to obtain g^b；K＝(g^a)^bmod p＝(g^b)^amod p is UE₁And UE₂Communication key of, UE₂Completion and UE₁After the channel is established, the user is in the new equipment UE₂Upper transfusionEnter its own taxpayer identification number, taxpayor _ ID, UE₂Sending the identification number to the UE through the established D2D channel₁；UE₁Receiving to UE₂After the taxpayer identification number taxpayer _ ID is sent, the UE is connected with the taxpayer identification number taxpaylayer _ ID₁Comparing taxpayer identification numbers in locally stored credentials, generating a credential list ticket _ list by using the credentials matched with the taxpayer identification numbers, and returning the credential list ticket _ list to the UE₂Each data item of the credential list includes, but is not limited to, a credential issuer name, a credential receiver name, and a credential issuer time; UE (user Equipment)₂Receiving to UE₁After the returned credential list, the user selects the new equipment UE to be synchronized according to the name of the invoicer, the name of the invoicer and the invoicing time₂Credential data of, then the UE₂To the UE₁Sending tickets _ list _ select of the to-be-synchronized ticket list; UE (user Equipment)₁After receiving tickets _ list _ select of the credential list to be synchronized, sending the credential data required in the list to the UE₂；

UE₂Storing the received credential data locally and then to the UE₁Returning the unique identification ticket _ ID of all stored credentials_nAnd signature of unique identification number to all certificates

UE₁Informing SERVER of all UEs₂Synchronized credential unique identification number, and UE₂A signature of a unique identification number to a credential; SERVER receives data packet and then verifies UE₂By writing the signature in the database to the UE₂And the synchronized ticket identification number in the equipment, and then to the UE₁Returning a synchronization completion response, UE₁Disconnecting the UE after receiving the synchronization completion response₂D2D, and credential flow is complete.

2. The D2D-based e-credential secure circulation method of claim 1, wherein the D2D-based e-credential secure circulation method specifically comprises:

first step, UE₁Broadcasting:

user intended by UE₁To the UE₂Transferring credential status information, UE₁Broadcasting data packet for requesting to establish D2D connection channel, wherein the data packet includes UE₁Certificate of (Cert)₁Time stamp of system

Random number random₁And UE₁Signature on system time stamp and random number

Second step, UE₂→UE₁：

UE₂After receiving the broadcast data packet, verifying the UE in the data packet by using the certificate of the SERVER which is built in when leaving the factory₁Validity of certificate, and confirmation of UE at user₁After the information obtained, the obtained UE is utilized₁Certificate of (2) verifying the UE₁To pair

And random₁Is signed

Then checks the time stamp

Whether the random number random is within the allowed time period₁Whether it has occurred within the allowed time period, if the UE has₁Certificate failure, signature verification failure,

Beyond the allowed time period, random₁Over-satisfaction of the UE occurs within an allowed time period₁Certificate failure, signature verification failure,

Beyond the allowed time period, random₁Discarding the data packet and sending the data packet to the UE when any condition occurs within the allowed time period₁Sending a communication rejection data packet and disconnecting, otherwise, UE₂To the UE₁Transmitting a response packet, the packet comprising: UE (user Equipment)₂Certificate of (Cert)₂、UE₂To random₁Is signed

Cert₁Time stamp of system

Random number random₂And UE₂To UE₁Certificate of (2), system time stamp and signature of random number

Third step, UE₁→SERVER：

UE₁Receiving to UE₂The returned response packet utilizes the certificate of the SERVER built in the factory to verify the UE in the data packet₂Validity of certificate, and confirmation of UE at user₂After the information obtained, the obtained UE is utilized₂Certificate of (2) verifying the UE₂To pair

And random₂Is signed

Then comparing the UE in the received data packet₁Checking whether the certificate is identical to a certificate stored in the device, checking the timestamp

Whether the random number random is within the allowed time period₂Whether it has occurred within the allowed time period, if the UE has₂Certificate is illegal, signature verification fails, and UE₁The certificate comparison is inconsistent,

Beyond the allowed time period, random₂Over-satisfaction of the UE occurs within an allowed time period₂Certificate is illegal, signature verification fails, and UE₁The certificate comparison is inconsistent,

Beyond the allowed time period, random₂Discarding the data packet and sending the data packet to the UE when any condition occurs within the allowed time period₂Sending a communication rejection data packet and disconnecting, otherwise, UE₁Sending a D2D parameter request data packet to the SERVER, wherein the data packet comprises: cert₁、Cert₂、UE₁To random₁Is signed

By UE₂The response packet being obtained

System time stamp

Random number random₃；

Fourth step, SERVER → UE₁：

SERVER receiving UE₁After the transmitted D2D parameter request data packet is compared with the Cert in the received data packet₁、Cert₂Whether the certificate is consistent with the certificate backup stored in the certificate library or not and then verifying

And

whether the result of the signature verification is consistent or not, and checking the timestamp

Whether the random number random is within the allowed time period₃Whether the certificate appears within an allowed time period or not, if the certificate is inconsistent with the backup in the certificate library, the signature checking result is different,

Beyond the allowed time period, random₃The situation that the satisfied certificate is inconsistent with the backup in the certificate bank, the signature verification result is different occurs in the allowed time period,

Beyond the allowed time period, random₃Discarding the data packet and sending the data packet to the UE when any condition occurs within the allowed time period₁Sending a communication rejection data packet and disconnecting, otherwise, the SERVER sends the UE to the UE₁Transmitting a D2D parameter response packet, the packet comprising: time stamping of system

Random number random₄And SERVER signing system time stamp, random number

Fifth step, UE₁→UE₂：

UE₁The timestamp is checked after receiving the D2D parameter response packet returned by the SERVER

Whether the random number random is within the allowed time period₄Whether it has occurred within the allowed time period, if

Has exceeded the allowed time period or random number random₄Discarding the data packet and requesting to resend the D2D parameter to the SERVER if the occurrence in the allowed time period is over, otherwise, the UE₁Selecting a random number a, calculating g^a，UE₁To the UE₂Transmitting a D2D parameter notification packet, the packet comprising:

random₄、

g^atime stamp of system

Random number random₅And UE₁For g^aTime stamp of system and signature of random number

The data packet uses the UE₂Public key PK₂Encrypting and sending;

sixth step, UE₂→UE₁：

UE₂After receiving the D2D parameter notification packet, the UE is firstly used₂Decrypting the data packet by the private key of the private key, and verifying the data packet by using the certificate of the SERVER which is built in when the private key leaves the factory

Using the UE obtained in the second step₁Certificate verification of

Validity of (2), check the time stamp finally

Whether the random number random is within the allowed time period₄、random₅If the data packet is not decrypted, whether the data packet appears within the allowed time period,

Failure of signature verification,

Failure of signature verification,

Or T_S5Has exceeded the allowed time period, random₄Or random₅The data packet which is over-satisfied in the allowed time period can not be decrypted,

Failure of signature verification,

Failure of signature verification,

Or

Has exceeded the allowed time period, random₄Or random₅Discarding the data packet and sending the data packet to the UE when any condition occurs in the allowed time period₁Sending a communication rejection data packet and disconnecting, otherwise, UE₂Selecting a random number b, calculating g^bAnd (g)^a)^bmod p，UE₂To the UE₁Transmitting a D2D parameter response packet, the packet comprising: g^bTime stamp of system

Random number random₆And UE₂For g^bTime stamp of system and signature of random number

The data packet uses the UE₁Public key PK₁Encrypting and sending;

seventh step, UE₁→UE₂：{START}_K

UE₁Receiving to UE₂After the D2D parameter response packet is sent, the UE is first used₁Decrypting the data packet by the private key of the UE, and then utilizing the UE obtained in the third step₂Certificate verification of

Validity of (2), check the time stamp finally

Whether the random number random is within the allowed time period₆If the data packet is not decrypted, whether the data packet appears within the allowed time period,

Failure of signature verification,

Has exceeded the allowed time period, random₆The data packet which is over-satisfied in the allowed time period can not be decrypted,

Failure of signature verification,

Has exceeded the allowed time period, random₆Discarding the data packet and sending the data packet to the UE when any condition occurs in the allowed time period₂Sending a communication rejection data packet and disconnecting, otherwise, UE₁Calculating (g)^b)^amod p，UE₁To the UE₂Transmitting a test communication packet including a communication START field START, the test communication packet using a negotiated symmetric encryption key K ═ g^b)^amod p＝(g^a)^bmod p performs encryption;

eighth step, UE₂→UE₁：{ACK}_K

UE₂Receiving to UE₁Decrypting the transmitted pilot communication data packet by using the symmetric encryption key K which is agreed, and if the test communication data packet cannot be decrypted, transmitting the decrypted data packet to the UE₁Sending a communication rejection data packet and disconnecting, otherwise, UE₂To the UE₁Sending a trial communication response packet, the packet including a response field ACK, the packet using the negotiated symmetric encryption key K ═ g^b)^amod p＝(g^a)^bmod p performs encryption;

ninth step, UE₂→UE₁：{taxpayer_ID}

UE₂Completion and UE₁After the channel is established, the user is in the new equipment UE₂The UE inputs the self taxpayer identification number taxpayable _ ID₂Sending the identification number to the UE through the established D2D channel₁；

Tenth step, UE₁→UE₂：{tickets_list}

UE₁Receiving to UE₂After the taxpayer identification number taxpayer _ ID is sent, the UE is connected with the taxpayer identification number taxpaylayer _ ID₁Comparing taxpayer identification numbers in locally stored credentials, generating a credential list ticket _ list by using the credentials matched with the taxpayer identification numbers, and returning the credential list ticket _ list to the UE₂Each data item of the credential list comprises a credential issuer name, a credential receiver name, and a credential issuer time;

the tenth step, UE₂→UE₁：{tickets_list_selected}

UE₂Receiving to UE₁After the returned credential list, the user selects the new equipment UE to be synchronized according to the name of the invoicer, the name of the invoicer and the invoicing time₂Credential data of, then the UE₂To the UE₁Sending tickets _ list _ select of the to-be-synchronized ticket list;

twelfth step, UE₁→UE₂：{tickets_data}

UE₁After receiving tickets _ list _ select of the credential list to be synchronized, sending the credential data required in the list to the UE₂；

A thirteenth step of the UE₁→UE₂：

UE₂Storing the received credential data locally and then to the UE₁Returning the unique identification ticket _ ID of all stored credentials_nAnd signature of unique identification number to all certificates

Fourteenth step, UE₁→SERVER：

UE₁Informing SERVER of all UEs₂Synchronized credential unique identification number, and UE₂A signature of a unique identification number to a credential;

fifteenth step, SERVER → UE₁：{synchron_complete}

SERVER receives data packet and then verifies UE₂By writing the signature in the database to the UE₂And the synchronized ticket identification number in the equipment, and then to the UE₁Returning a synchronization completion response, UE₁Disconnecting the UE after receiving the synchronization completion response₂D2D, and credential flow is complete.

3. A D2D-based e-credential secure circulation system implementing the D2D-based e-credential secure circulation method of claim 1, wherein the D2D-based e-credential secure circulation system comprises: electronic credential server, user device 1, user device 2;

the user equipment 1 is connected with the electronic credential server through a communication network, and the user equipment 1 is connected with the user equipment 2 through a D2D channel;

the electronic credential server comprises a certificate issuing module, an authentication module and a data storage module, the user equipment is provided with a login module, a data transmission module and a D2D module, and each user equipment is internally provided with an equipment certificate issued by a CA (certificate authority) and an equipment private key when leaving a factory, and a certificate of the electronic credential server.

4. The D2D-based e-credential secure circulation system of claim 3, wherein the e-credential server is connected with a user device through a communication network; the certificate issuing module is responsible for issuing data required by authentication for a legal user, and comprises a trusted certificate containing an electronic certificate server signature, a certificate copy for storing a user who has issued the certificate, and related certificate data required by the authentication module in the authentication process; the authentication module is responsible for processing a login request submitted by a user, requesting necessary certificate verification data to the certificate issuing module to complete login verification, interacting with the data storage module after the user successfully logs in, and sending bill data of the user to user equipment; the data storage module is responsible for storing the bill data of the user and sending the corresponding bill data to the login module after receiving the bill data request of the login module.

5. The D2D-based e-credential secure circulation system of claim 3, wherein the user device comprises a login module, a data transmission module, and a D2D module, and each user device is factory installed with: CA issued device certificate and device private key, certificate of electronic certificate server and Hash algorithm, symmetric encryption and decryption algorithm, asymmetric encryption and decryption algorithm and p-1 medium multiplication group Z adopted by electronic certificate system_p ^*The g and p parameters of (1); p is prime number, g is generator;

the login module is used for receiving a login request initiated by a user and interacting with the electronic credential server through a communication network; the data transmission module is responsible for storing the bill data sent by the electronic credential server and sending the required data to the D2D module when the D2D module requests the bill data; the D2D module is responsible for completing device authentication, establishing a secure D2D channel, and completing the secure circulation of credentials between new and old devices of the same user.

Images