CN111901303A - Device authentication method and apparatus, storage medium, and electronic apparatus - Google Patents


Info

Publication number
CN111901303A
Authority
CN
China
Prior art keywords
chip
password
authentication
key
random number
Legal status
Pending
Application number
CN202010600243.4A
Other languages
Chinese (zh)
Inventor
孙瑜
夏攀
冯克
王伟
王小虎
王大海
Current Assignee
BEIJING KEXIN HUATAI INFORMATION TECHNOLOGY CO LTD
Original Assignee
BEIJING KEXIN HUATAI INFORMATION TECHNOLOGY CO LTD
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords


Abstract

The invention discloses an equipment authentication method and device, a storage medium and an electronic device. The method comprises the following steps: the method comprises the steps of detecting a login operation executed by a first object on a first device, wherein the login operation is used for logging in the first device by using a target account and a first password; responding to the login operation, acquiring first authentication data through a first chip, wherein the first authentication data is authentication data which is stored in the first chip and corresponds to the target account, and the first chip is located in the first device and runs independently of an operating system of the first device; and determining that the first object is authenticated and the first device is allowed to log in if the first password is matched with the first authentication data. The invention solves the technical problem of poor authentication reliability caused by easy cracking and embezzlement of the user password in the authentication mode in the related technology.

Description

Device authentication method and apparatus, storage medium, and electronic apparatus
Technical Field
The present invention relates to the field of communications, and in particular, to a device authentication method and apparatus, a storage medium, and an electronic apparatus.
Background
Authentication functions may be involved in a variety of scenarios, such as local login, remote connection, and the like. Identity authentication, also known as identity verification or simply authentication, refers to the process of confirming the identity of an operator in a computer or computer network system, thereby determining whether the operator has access and use rights to a certain resource. It can prevent an attacker from impersonating a legitimate user to obtain access rights to the resource, ensure the security of the system and data, and safeguard the legitimate interests of the visitor.
For local login, operating systems (e.g., Windows, Linux, etc.) typically store the user password on the disk where the system resides; for example, Linux systems typically store the user password in the password file /etc/password. Although some operating systems apply protection measures (e.g., encryption, hashing, etc.), the possibility of the password being cracked or misappropriated cannot be ruled out.
For network connection, both ends of the network typically perform authentication after establishing a connection (e.g., a user connects to a website, or a user remotely accesses a computer). In this application scenario, whether one-way or two-way authentication is used, the key for authentication is stored in a disk file, which may be a database that stores the authentication keys. A key that exists in the form of a disk file is easy to copy, steal, or destroy at will, and its security is difficult to guarantee.
Therefore, the authentication mode in the related technology has the problem of poor authentication reliability caused by the fact that the user password is easy to crack and steal.
Disclosure of Invention
The embodiment of the application provides an equipment authentication method and device, a storage medium and an electronic device, and aims to at least solve the technical problem that in an identity authentication mode in the related technology, the identity authentication reliability is poor due to the fact that a user password is easy to crack and steal.
According to an aspect of an embodiment of the present application, there is provided a device authentication method, including: the method comprises the steps of detecting a login operation executed by a first object on a first device, wherein the login operation is used for logging in the first device by using a target account and a first password; responding to the login operation, acquiring first authentication data through a first chip, wherein the first authentication data is authentication data which is stored in the first chip and corresponds to the target account, and the first chip is located in the first device and runs independently of an operating system of the first device; and determining that the first object is authenticated and the first device is allowed to log in if the first password is matched with the first authentication data.
According to another aspect of the embodiments of the present application, there is also provided an apparatus for authenticating a device, including: the device comprises a first detection unit, a second detection unit and a third detection unit, wherein the first detection unit is used for detecting a login operation executed by a first object on a first device, and the login operation is used for logging in the first device by using a target account and a first password; a first obtaining unit, configured to obtain, by a first chip, first authentication data in response to the login operation, where the first authentication data is authentication data stored in the first chip and corresponding to the target account, and the first chip is located in the first device and runs independently of an operating system of the first device; a first determination unit configured to determine that the first object is authenticated and login to the first device is permitted if the first password matches the first authentication data.
According to still another aspect of the embodiments of the present application, there is also provided a storage medium having a computer program stored therein, wherein the computer program is configured to execute the above-mentioned device authentication method when running.
According to another aspect of the embodiments of the present application, there is also provided an electronic apparatus, including a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor executes the device authentication method through the computer program.
In the embodiment of the application, a mode of storing a password by an independent chip is adopted, and a login operation executed by a first object on a first device is detected, wherein the login operation is used for logging in the first device by using a target account and the first password; responding to login operation, and acquiring first authentication data through a first chip, wherein the first authentication data is authentication data which is stored in the first chip and corresponds to a target account, and the first chip is located in first equipment and operates independently from an operating system of the first equipment; under the condition that the first password is matched with the first authentication data, the first object is determined to pass authentication, the first device is allowed to log in, the password is stored in an independent chip (for example, TPCM), and the chip is executed independently of an operating system of the device, so that the purpose that the password is difficult to crack and stolen can be realized, the technical effect of improving the reliability of identity verification is achieved, and the technical problem that the reliability of identity verification is poor due to the fact that the password of a user is easy to crack and stolen in an identity verification mode in the related technology is solved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a schematic diagram of a hardware environment for an alternative method of device authentication according to an embodiment of the present application;
FIG. 2 is a flow diagram of an alternative method of device authentication according to an embodiment of the present application;
FIG. 3 is a flow diagram of another alternative method of device authentication according to an embodiment of the present application;
FIG. 4 is a schematic diagram of an alternative method of device authentication according to an embodiment of the present application;
FIG. 5 is a schematic diagram of another alternative device authentication method according to an embodiment of the application;
FIG. 6 is a flow diagram of yet another alternative method of device authentication according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of an alternative device authentication apparatus according to an embodiment of the present application;
fig. 8 is a block diagram of an alternative electronic device according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions of the present invention better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
First, partial nouns or terms appearing in the description of the embodiments of the present application are applicable to the following explanations:
TCM: a Trusted Cryptography Module;
TPCM: a Trusted Platform Control Module;
USB: universal Serial Bus.
According to an aspect of an embodiment of the present application, there is provided a device authentication method. Alternatively, in the present embodiment, the above-described device authentication method may be applied to a hardware environment constituted by the terminal 101 and the server 103 as shown in fig. 1. As shown in fig. 1, the server 103 is connected to the terminal 101 through a network and may be used to provide services (such as game services, application services, etc.) for the terminal or for a first client installed on the terminal; a database may be provided on the server or separately from the server to provide data storage services for the server 103. The network is not limited to a particular type, and the terminal 101 is not limited to a PC, a mobile phone, a tablet computer, and the like. The device authentication method according to the embodiment of the present application may be executed by the server 103, by the terminal 101, or by both the server 103 and the terminal 101. When executed by the terminal 101, the device authentication method according to the embodiment of the present application may also be executed by a first client installed thereon.
Optionally, as an optional implementation manner, fig. 2 is a flowchart of an optional device authentication method according to an embodiment of the present application, and as shown in fig. 2, the method may include the following steps:
step S202, detecting a login operation executed by a first object on a first device, wherein the login operation is used for logging in the first device by using a target account and a first password;
step S204, responding to login operation, and acquiring first authentication data through a first chip, wherein the first authentication data is authentication data which is stored in the first chip and corresponds to a target account, and the first chip is positioned in first equipment and operates independently from an operating system of the first equipment;
in step S206, in the case that the first password matches the first authentication data, it is determined that the first object is authenticated, and login to the first device is permitted.
Through the steps S202 to S206, a login operation performed by the first object on the first device is detected, where the login operation is used to log in the first device using the target account and the first password; responding to login operation, and acquiring first authentication data through a first chip, wherein the first authentication data is authentication data which is stored in the first chip and corresponds to a target account, and the first chip is located in first equipment and operates independently from an operating system of the first equipment; under the condition that the first password is matched with the first authentication data, the first object is determined to pass authentication, the first device is allowed to log in, the technical problem that the authentication reliability is poor due to the fact that the user password is easy to crack and embezzle in the authentication mode in the related technology is solved, and the authentication reliability is improved.
In the technical solution provided in step S202, a login operation performed by the first object on the first device is detected, where the login operation is used to log in the first device using the target account and the first password.
The user may log into the first device using a username and password. When logging in, an input box of an account (e.g., a user name) and an input box of a password may be displayed on a screen of the first device, or the first device may call an account used in the last login or an account recorded by the system, and display the called account on the screen and display an input box of a password at the same time.
The user (first object) may input a target account and a first password (or only a first password, if the account is already filled in) through the input and output components of the first device and perform a login operation on the first device to request login to the first device using the target account and the first password. The input and output components may include, but are not limited to, at least one of: touch screen, keyboard, mouse, handle, remote controller, etc. The login operation may include, but is not limited to, at least one of the following: click operation, double click operation, slide operation, and the like.
After detecting the login operation, the first device may obtain the target account and the first password, and perform identity authentication on the first object using the target account and the first login password.
In the technical solution provided in step S204, in response to the login operation, first authentication data is acquired through the first chip, where the first authentication data is authentication data stored in the first chip and corresponding to the target account, and the first chip is located in the first device and operates independently of an operating system of the first device.
The first chip may be a basic core module that may be integrated in a trusted computing platform and is used to establish and guarantee a trusted source point, and may provide functions of active measurement, active control, trusted authentication, encryption protection, trusted reporting, and the like for the trusted computing platform, where the first chip may be a TPCM chip, and the first device may be a network side in the trusted computing platform.
In a trusted computing platform supported by the TPCM, the TPCM is a first component powered on and running in the platform, and in the whole process from boot to normal operation of the platform, the TPCM should operate independently and not be affected by a host computing assembly (a first device), and is a basic component supported by a trusted computing function and a trusted source point of the trusted computing platform.
It should be noted that, for chips other than the TPCM, the same or similar method may be used for the security assurance of the host computing unit.
For the first device, the first chip may be integrated in the first device, and the first device may include a host computing component of the first chip, where the first chip is a component that is powered on and running in the first device, and is executed independently of an operating system of the first device, and performs multiple levels of trust measurement on the first device in a process from the start to the run of the first device, so as to ensure safe operation of the first device.
A trusted cryptography module, i.e., TCM, may be integrated in the first chip, and may have stored therein the login accounts of the first device and the login password corresponding to each login account (there may be multiple login accounts, each with its own password). The login account and the login password may be in a one-to-one correspondence. Through the TCM, the first chip may provide security protection for the first device for at least one of the following processes: authentication during local login and authentication during remote control.
For the identity verification during local login, after the login operation is detected, the first chip may acquire the target account and the first password, and acquire stored first authentication data, where the first authentication data is authentication data corresponding to the target account, and the first authentication data is used to perform identity authentication on the target account.
In the technical solution provided in step S206, when the first password matches the first authentication data, it is determined that the first object is authenticated, and login to the first device is allowed.
The first authentication data may take many forms: for example, it may be the original password stored as-is, or a transformation of the original password, where the transformation may include, but is not limited to, at least one of hashing and encryption.
After obtaining the first authentication data, the first chip may match the first password with the first authentication data, and determine whether the first password and the first authentication data are matched, for example, the first chip may determine whether the first password is identical to the first authentication data (the first authentication data is the original password), and for example, the first chip may determine whether a hash value of the first password is identical to the first authentication data (the first authentication data is the hash value of the original password), and for example, the first chip may determine whether the first password is identical to a plaintext obtained by decrypting the first authentication data (the first authentication data is data obtained by encrypting the original password).
If the first password matches the first authentication data, it may be determined that the first user is a legitimate user, i.e., a user identity that is authorized, and the identity authentication of the first object is passed, allowing login to the first device.
It should be noted that the identity authentication process at the time of local login may be performed by the first chip, or may be performed by a specific hardware module (e.g., TCM) in the first chip. The specific implementation process in this embodiment is not limited, and any method that can store password authentication data in an independent chip and perform identity authentication during login using that authentication data may be used in this embodiment.
It should be noted that, besides local login, for other login manners, for example, a client that logs in to a target application may perform identity authentication in a manner similar to that of the local login, in this case, a login account and a login password may be saved in a TPCM chip or a similar chip of a terminal device that runs the client, or may be saved in a TPCM chip or a similar chip of a backend server of the target application, and the manner of performing identity authentication is similar to that of performing identity authentication in the local login, which is not described herein again.
Optionally, in this embodiment, after the first authentication data is acquired by the first chip, the method further includes:
S11, determining that the first object is not authenticated and not allowing login to the first device in the case that the first password does not match the first authentication data;
S12, displaying prompt information through the first device, wherein the prompt information is used for prompting that the first object is not authenticated.
If the first password does not match the first authentication data, it may be determined that the first user is an illegal user, that is, not a user identity with a right, and the identity authentication of the first object is not passed, and the first device is not allowed to be logged in.
The first chip or the first device may generate a prompt message, or retrieve a pre-stored prompt message and display the prompt message through a screen of the first device, where the prompt message is used to prompt that the first object fails to be authenticated.
The user may re-enter the login account and login password, for example, may enter an account different from the target account, or a password different from the first password, or an account different from the target account and a password different from the first password, to re-attempt login using the newly entered account and password. The re-login method is similar to the local login method described above, and is not described herein.
Through this embodiment, when user authentication fails, the failure is indicated by the prompt information, which makes it convenient for the user to learn the authentication result and improves the user's login efficiency.
As an alternative embodiment, after the first authentication data is obtained by the first chip, the method further includes:
S21, decrypting the first authentication data by the first chip using a first key in a first key pair to obtain a second password, wherein the first key is stored in the first chip, and the first authentication data is a ciphertext obtained by encrypting the second password using a second key in the first key pair.
In order to ensure the security of the password, the password can be stored in an independent chip (a first chip, for example, a TPCM chip), and the password can be stored after being encrypted by a key built in the independent chip, so that the password is difficult to crack and steal.
The first chip may have a first key pair built in, which may be stored in the TCM, or elsewhere. The first key pair includes a first key and a second key, the first key may be a private key or a public key, and the second key may be a private key or a public key. The specific form of the first key and the second key is not limited in this embodiment.
For example, the password is stored in an independent TPCM chip, and the password is encrypted and stored through a TPCM built-in key, so that cracking and embezzlement are difficult to achieve.
The first authentication data may be a ciphertext obtained by encrypting a second password (a current password of the target account) through a key (a second key) built in the first chip. In order to match the first password input by the user with the current password of the target account, the first chip may decrypt the first authentication data using the first key to obtain the second password, that is, the current password of the target account.
After obtaining the second password, the first chip may compare the first password with the second password; if they are the same, it determines that the account and password input by the user match and that the authentication passes. Otherwise, it determines that the account and password input by the user do not match and that the authentication fails.
Through the embodiment, the password is encrypted and stored, so that the password can be prevented from being cracked and stolen, and the reliability of user identity authentication is improved.
The first chip may be provided with an authentication password module in which a password input by the user upon login is stored. In addition, password setting, verification and change can be operated through a proprietary interface, so that the safety of password storage positions, password verification and password updating is ensured.
As an alternative embodiment, before detecting the login operation performed by the first object on the first device, the method further includes:
S31, detecting a setting operation executed by a second object on the first device, wherein the setting operation is used for setting the login password of the target account to a second password;
S32, responding to the setting operation, and encrypting the second password by the first chip using the second key to obtain first authentication data;
S33, saving the first authentication data in the first chip by the first chip.
The user (second object) may make password settings if the set login account has not been used before, or is deleted, closed, etc. after use.
The user can operate the interface of the first device to enter the setting interface of the login account and the login password, and the target account and the second password are input at the corresponding position in the interface to indicate that the login password of the target account is set as the second password.
After detecting the setting operation (which may include the operation of inputting the account number and the password, and the operation of triggering the setting such as carriage return), the first device may acquire the target account number and the second password, and transmit the target account number and the second password to the first chip.
The first chip or a cryptographic module (e.g., TCM) in the first chip may acquire the target account and the second password, encrypt the second password using the second key to obtain first authentication data, and store the first authentication data in the first chip or the cryptographic module in the first chip.
It should be noted that the first object and the second object may be the same object or different objects. That is, the setting of the login account and the login password and the use of the login account and the login password may be the same object or different objects.
Through this embodiment, by detecting the user's setting operation and encrypting and saving the login password through the independent chip, leakage of the password during the setting process can be avoided, improving the security of the user's information.
As an alternative embodiment, after the first authentication data is obtained by the first chip, the method further includes:
S41, detecting an update operation executed by a third object on the first device, wherein the update operation is used for updating the login password of the target account from a third password to a fourth password;
S42, responding to the update operation, and in the case that the third password matches the first authentication data, acquiring second authentication data through the first chip, wherein the second authentication data is a ciphertext obtained by encrypting the fourth password using the second key;
S43, saving the second authentication data in the first chip by the first chip.
For the login account and the login password that have been set, the user (the third object) can make password changes by operating the first device.
The user may operate the interface of the first device to enter the login password change interface, and input the target account, the current password (the original password, e.g., the third password), and the changed password (the new password, e.g., the fourth password) at the corresponding position in the interface to instruct to change the login password of the target account from the third password to the fourth password.
After detecting the update operation (which may include the operation of inputting the account number and the password, and the operation of triggering update such as carriage return), the first device may acquire the target account number, the third password, and the fourth password, and transmit the target account number, the third password, and the fourth password to the first chip.
The first chip or a cryptographic module (e.g., TCM) in the first chip may acquire the target account, the third password, and the fourth password, and detect whether the third password is correct, that is, whether the user inputs a correct original password. If the third password matches the first authentication data, it is determined that the user has entered the correct original password, and the password is allowed to be changed.
The first chip or the cryptographic module in the first chip may encrypt a new password (e.g., a fourth password) using a second key to obtain second authentication data, and store the second authentication data in the first chip or the cryptographic module in the first chip.
The first object and the third object may be the same object or different objects. That is, the object that changes the login password and the object that logs in with it may be the same or different.
Through this embodiment, the user's update operation is detected and the login password is updated and stored by the independent chip, so that disclosure of the password during the update process can be avoided and the user's information security improved.
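The setting, login check and update steps above (S41-S43 together with the setting and decryption units described for the first chip), as an added example that is not the patent's code: the chip's first key pair is replaced by a single chip-internal key and the unspecified cipher by a toy SHA-256 keystream XOR, both assumptions, so the block runs on the Python standard library alone; PasswordChip and its method names are illustrative.

```python
import hashlib
import hmac
import secrets


def _keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Toy reversible cipher (assumption, demo only): XOR data with SHA-256(key||iv||counter) blocks."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + iv + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


class PasswordChip:
    """Models the first chip: the key, the stored authentication data and the
    verification routine all stay inside this object, mirroring the chip boundary."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # stand-in for the chip-internal first key pair (assumption)
        self._store = {}                      # target account -> (iv, authentication data)

    def set_password(self, account: str, password: str) -> None:
        """Setting operation: encrypt the password and keep the ciphertext as authentication data."""
        iv = secrets.token_bytes(16)          # per-entry IV so equal passwords do not share ciphertext
        self._store[account] = (iv, _keystream_xor(self._key, iv, password.encode()))

    def _decrypt(self, account: str) -> bytes:
        """Decrypt the stored authentication data back to the password (the decryption unit)."""
        iv, ct = self._store[account]
        return _keystream_xor(self._key, iv, ct)

    def verify(self, account: str, password: str) -> bool:
        """Login check: the entered password must match the decrypted authentication data."""
        if account not in self._store:
            return False
        return hmac.compare_digest(self._decrypt(account), password.encode())

    def update(self, account: str, old_password: str, new_password: str) -> bool:
        """S41-S43: the change is allowed only if the current password matches (S42)."""
        if not self.verify(account, old_password):
            return False
        self.set_password(account, new_password)   # second authentication data replaces the first (S43)
        return True

    def stored_ciphertext(self, account: str) -> bytes:
        """Only for inspection: what is actually at rest in the chip (not the plaintext)."""
        return self._store[account][1]
```

Two points the patent text leaves implicit: the update path reuses the login check, so a wrong current password leaves the first authentication data untouched; and because the authentication data is a reversible ciphertext rather than a one-way hash, protection of the plaintext rests entirely on the key and the decrypt-and-compare routine never leaving the chip.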
As an alternative embodiment, after determining that the first object is authenticated, the method further includes:
s51, establishing a target connection, wherein the target connection is a dedicated channel connection for network communication between the first device and the second device;
s52, performing bidirectional authentication on the first device and the second device through the target connection by using a first chip and a second chip, wherein the second chip is located in the second device and runs independently of an operating system of the second device;
s53, when the first device and the second device are authenticated, the target connection is maintained.
During a remote connection, the first device can use the first chip for identity authentication within that connection, which improves the security of the remote connection.
The remote connection may be a connection between a first device acting as a client and a second device acting as a server. Either end of a network connection may act as the server or as the client.
To ensure that communication between the two network endpoints takes place on a secure and reliable basis, a dedicated channel connection between the first device and the second device, i.e. the target connection, may be established. The target connection may be a trusted connection based on the TPCM, that is, established on the basis of the TPCM's trusted state measurements.
In order to ensure the correctness of the respective identity information at the two ends of the communication connection, identity authentication can be performed on the established dedicated channel connection, and the identity authentication can be one-way authentication, for example, the one-way authentication of a client to a server or the one-way authentication of the server to the client; alternatively, the identity authentication may be a two-way authentication, for example, a two-way authentication between the client and the server.
For example, after the dedicated channel connection is established, the first chip of the first device and the second chip of the second device may perform bidirectional identity authentication on the first device and the second device through the established dedicated channel connection. The second chip is located in the second device and operates independently of the operating system of the second device, for example, the second chip may be a TPCM chip or the like.
If both directions of the two-way authentication pass, both communicating parties may be determined to be trusted and the communication connection between them (e.g., the target connection) is maintained. If the two-way authentication does not pass (at least one direction fails), at least one of the two parties is judged untrustworthy and the connection between them is disconnected.
For example, the dedicated channel in network communication ensures that the connection between the two network endpoints is established on a secure and reliable basis; to further ensure that each side's identity information is correct, identity authentication can be performed by an identity verification module built into the TPCM.
At the same time, identity authentication cannot stand apart from the dedicated channel connection: without that foundation, the identity authentication loses its security basis. The TPCM can therefore support both functions at once, trusted state measurement (ensuring the terminal is in a trusted state at the time of verification) and identity verification.
Through the embodiment, the security of network communication can be improved by establishing the special channel connection at the two ends of the network and performing the bidirectional identity authentication at the two ends on the basis of the special channel connection.
As an alternative embodiment, the performing of the mutual authentication between the first device and the second device through the target connection comprises:
s61, receiving the first random number sent by the second device through the target connection;
s62, encrypting the first random number or the hash value of the first random number by using a third key in a second key pair through the first chip or the third device to obtain a first ciphertext, where the second key pair is stored in the first chip or the third device, and the third device is an external device that is connected to the first device through the first interface and matches the target account;
and S63, sending the first ciphertext and the first electronic certificate to the second device through the target connection, so that the second device performs identity authentication on the first device by using the first ciphertext and the first electronic certificate, wherein the first electronic certificate is stored in the first chip and is used for uniquely identifying the first chip.
When the identity authentication of the first device is performed, the first device may receive the first random number sent by the second device through the dedicated channel connection.
The independent chip or the encryption module in the independent chip may include a public-private key pair, and may further include an electronic certificate. The electronic certificate is a unique identification representing the identity of the independent chip and is used for identity verification in network communication. For the first chip, the first chip or its encryption module may include a second key pair, where the second key pair may be the same key pair as the first key pair, or may be a different key pair, and may further include a first electronic certificate, where the first electronic certificate is a unique identifier of the identity of the first chip.
For the first random number, the third key in the second key pair can be directly used to encrypt the random number to obtain a first ciphertext; or, performing hash calculation on the first random number to obtain a hash value of the first random number, and encrypting the hash value of the first random number by using a third key in a second key pair to obtain a first ciphertext.
The encryption operation may be performed by the first chip or an encryption module (e.g., an authentication private key module) in the first chip, or may be performed by an external device (e.g., a third device) of the first device.
The third device may be an external device (e.g., a UKey) matching the target account and connected to the first device through the first interface, and the connection between the third device and the first device may be a wired connection, for example, a connection performed through a USB port or other wired interfaces, or a wireless connection, for example, a connection performed in a wireless manner such as bluetooth or Wi-Fi.
After obtaining the first ciphertext, the first chip may send the first ciphertext and the first electronic certificate through the target connection to the second device (or to the second chip of the second device), so that the second device can perform identity authentication on the first device using the first ciphertext and the first electronic certificate.
According to the embodiment, the random number sent by the opposite terminal equipment is encrypted through the independent chip, and the encrypted ciphertext and the electronic certificate are sent to the opposite terminal for identity authentication, so that the reliability of the identity authentication can be improved, and the security of network connection is further improved.
As an optional embodiment, before receiving, through the target connection, the first random number sent by the second device, the method further includes:
s71, generating a first random number by the second chip;
s72, the first random number is sent to the first device through the target connection.
For the second device, the first random number received by the first device may be generated by a second chip in the second device. The second chip may generate a random number and send the random number to the first device over a dedicated channel connection with the first device. The first device performs the above processing on the random number, and sends the first ciphertext and the first electronic certificate to the second device, so that the second device performs identity authentication on the first device according to the first ciphertext and the first electronic certificate.
After the first ciphertext and the first electronic certificate are sent to the second device through the target connection, the method further includes:
s73, receiving the first ciphertext and the first electronic certificate through the target connection;
s74, verifying the first electronic certificate and determining the validity of the first electronic certificate;
s75, extracting a fourth key from the first electronic certificate under the condition that the first electronic certificate is verified to be passed, wherein the fourth key is a key of the second key pair except the third key;
s76, decrypting the first ciphertext by using the fourth key to obtain first decrypted data;
s77, when the first decrypted data is the same as the first random number or the hash value of the first random number, it is determined that the first device is authenticated.
After transmitting the first random number to the first device, the second device may wait to receive the authentication information (e.g., the first ciphertext and the first electronic certificate) transmitted by the first device over the target connection. The wait may be time-limited; for example, the target connection is automatically disconnected once a preset time threshold is exceeded.
After receiving the first ciphertext and the first electronic certificate, the second device may first verify the first electronic certificate, checking its authenticity and reliability to determine whether it is legal; this may be verification against a CA (Certificate Authority).
When the first electronic certificate passes verification, a fourth key may be extracted from it, where the fourth key may be the public key of the second key pair and, correspondingly, the third key the private key of the second key pair. The first ciphertext is decrypted with the fourth key to obtain first decrypted data. If the first decrypted data is identical to the first random number or to the hash value of the first random number, the first device is judged to have passed authentication and the target connection is maintained.
It should be noted that the above process may be performed by the second device, the second chip, or both the second device and the second chip; whether the first decrypted data is compared with the first random number or compared with the hash value of the first random number may be determined according to an agreement between devices or preset configuration information, which is not limited in this embodiment.
Through the embodiment, the electronic certificate is sent to the opposite terminal equipment for verification, the ciphertext is decrypted when the verification passes, and the opposite terminal equipment is authenticated according to the decrypted data, so that the reliability of the authentication can be improved, and the safety of network connection is further improved.
As an alternative embodiment, the performing of the mutual authentication between the first device and the second device through the target connection comprises:
s81, generating a second random number through the first chip or a fourth device, wherein the fourth device is an external device which is connected to the first device through a second interface and is matched with the target account;
s82, sending the second random number to the second equipment through the target connection;
s83, receiving a second ciphertext and a second electronic certificate through target connection, wherein the second electronic certificate is stored in a second chip and is used for uniquely identifying the second chip, the second ciphertext is a ciphertext obtained by encrypting a second random number or a hash value of the second random number by using a fifth key in a third key pair, and the third key pair is stored in the second chip;
s84, verifying the second electronic certificate and determining the legality of the second electronic certificate;
s85, extracting a sixth key from the second electronic certificate when the second electronic certificate is verified, wherein the sixth key is a key of the third key pair except for the fifth key;
s86, decrypting the second ciphertext by using the sixth key to obtain second decrypted data;
s87, when the second decrypted data is the same as the second random number or the hash value of the second random number, it is determined that the second device is authenticated.
When the second device is authenticated, the first device generates a random number and sends it to the second device over the dedicated channel connection; it then waits to receive the authentication information that the second device sends over the dedicated channel connection and authenticates the second device according to that information. The operations performed by the first device when authenticating the second device are similar to those performed by the second device when authenticating the first device, and are not repeated here.
The main difference from the authentication of the first device is that the random number is generated by the first chip or by a fourth device. The fourth device may be the same as the aforementioned third device, or a similar device; for example, both may be a UKey corresponding to the target account.
Through this embodiment, the second device's electronic certificate is sent to the first device for verification, the ciphertext is decrypted once verification passes, and the second device is authenticated according to the decrypted data, which improves the reliability of authentication and further improves the security of the network connection.
As an alternative embodiment, after sending the second random number to the second device through the target connection, the method further includes:
s91, receiving, by the second device through the target connection, the second random number sent by the first device;
s92, encrypting the second random number or the hash value of the second random number by the second chip by using the fifth key to obtain a second ciphertext;
and S93, sending the second ciphertext and the second electronic certificate to the first device through the target connection.
When the second device is authenticated, the second device receives the second random number sent by the first device over the dedicated channel connection, encrypts the second random number or its hash value with the fifth key to obtain the second ciphertext, and sends the second ciphertext together with the second electronic certificate to the first device. The operations performed by the second device in its own authentication are similar to those performed by the first device in the authentication of the first device, and are not repeated here.
It should be noted that the first device and the second device may be the same or similar devices in the network, the first chip and the second chip may be the same type or similar chips (for example, TPCM chips), the functions of the two chips are similar, the operations performed are similar, and the above description of the first chip may also be applicable to the second chip.
According to this embodiment, the random number sent by the peer device is encrypted by the independent chip, and the ciphertext and the electronic certificate are sent to the peer for identity authentication, which improves the reliability of identity authentication and further improves the security of the network connection.
It should be noted that the identity authentication in the network connection process and the identity authentication in the local connection do not necessarily have a relationship, that is, the identity authentication in the local connection does not have to be performed, and the identity authentication in the network connection process can be performed as a separate scheme. In addition, the identity authentication in the network connection process can be one-way authentication or two-way authentication; in the bidirectional authentication process, the identity authentication of the client may be performed first, or the identity authentication of the server may be performed first, and a specific identity authentication process may be set as required, which is not specifically limited in this embodiment.
The following explains a device authentication method in the embodiment of the present application with reference to an alternative example. In this example, the first chip and the second chip are both TPCM chips.
Both application scenarios, local login and remote connection, involve an authentication function. The TPCM can provide that authentication function as a built-in capability, further strengthening the verification of local login and network connection identities.
As shown in fig. 3, the flow of the device authentication method in this example may include the following steps:
step S302, the TPCM is used for carrying out identity authentication on the local login of the user.
As shown in fig. 4, the user's password can be stored in an independent TPCM chip, encrypted under a key built into the TPCM, so that it is difficult to decrypt or steal. The TPCM may have a built-in authentication password module, e.g., a TCM module, in which the password entered at login is stored. Password setting, verification, and change are performed through a proprietary interface, which secures the password storage location, password verification, and password updating.
Because the TPCM stores the password, the storage location is independent of the operating system and can be read or modified only under an authorized user identity; the verification program is built into the TPCM firmware and cannot be rewritten.
Step S304, establishing the special channel connection between the client and the server.
The TPCM chip may have a built-in key management module that supports generating the private key inside the chip, keeping it non-exportable, and storing it encrypted, so that the private key is protected to a high degree. In addition, the TPCM may have a built-in authentication private key module that contains a public/private key pair and an electronic certificate. The electronic certificate uniquely identifies the TPCM and is used for identity verification in network communication.
The remote connection may be a remote network connection between the client (acting as the aforementioned first device) and the server (acting as the aforementioned second device). The remote connection can be a dedicated channel connection between two ends, and two ends of any network can be used as a server or a client.
Step S306, the bidirectional identity authentication of the remote connection is carried out through the established dedicated channel connection.
The dedicated channel in network communication ensures that communication between the two network endpoints is established on a secure and reliable basis, but it cannot by itself guarantee that each side's identity information is correct. That is ensured by the identity authentication module built into the TPCM. At the same time, identity authentication cannot stand apart from the dedicated channel connection: without that foundation it loses its security basis, so the TPCM supports both trusted state measurement and identity authentication.
As shown in figs. 5 and 6, after the dedicated channel connection is established, bidirectional identity authentication between the client and the server may be performed on top of it. If the client uses a UKey for verification, the local TPCM does not need to be involved; "TPCM/UKey" in figs. 5 and 6 therefore means that either may be used.
After the dedicated channel connection has been established between the two ends of the network, the client initiates the connection request again and sends a random number generated inside its TPCM or UKey to the peer.
After receiving the random number, the server uses the TPCM to perform hash calculation and signs the result with a built-in private key. And after the signature is completed, the TPCM electronic certificate and the ciphertext are sent back to the client.
After receiving the data from the server, the client verifies the certificate (for example, CA verification); once the electronic certificate is judged legal, it extracts the public key from the certificate and verifies the ciphertext with it. The client then hashes the random number it sent earlier, using its TPCM or UKey, and compares the result with the data recovered by signature verification. If the two are not equal, authentication fails and the connection is disconnected; otherwise verification succeeds, the server-verification stage ends, and the next stage begins, in which the peer verifies the client.
The flow in which the server authenticates the client is similar to that in which the client authenticates the server. The difference is that the server initiates the connection first and sends a random number generated in its TPCM to the client; after receiving it, the client hashes the random number with its own TPCM or UKey and signs it with the internal private key. The subsequent process is similar to the one above and is not repeated here.
In this example, the TPCM provides a built-in identity authentication function, which improves the verification of local login and network connection identities.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present application is not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present application.
According to another aspect of the embodiments of the present application, there is also provided an apparatus authentication device for implementing the apparatus authentication method. Fig. 7 is a schematic structural diagram of an alternative device authentication apparatus according to an embodiment of the present application, and as shown in fig. 7, the apparatus may include:
(1) a first detecting unit 72, configured to detect a login operation performed by a first object on a first device, where the login operation is used to login the first device using a target account and a first password;
(2) a first obtaining unit 74, connected to the first detecting unit 72, configured to respond to a login operation and obtain first authentication data through a first chip, where the first authentication data is authentication data stored in the first chip and corresponding to a target account, and the first chip is located in a first device and operates independently of an operating system of the first device;
(3) and a first determining unit 76, connected to the first obtaining unit 74, for determining that the first object is authenticated and the first device is allowed to log in if the first password matches the first authentication data.
It should be noted that the first detecting unit 72 in this embodiment may be configured to execute the step S202, the first acquiring unit 74 in this embodiment may be configured to execute the step S204, and the first determining unit 76 in this embodiment may be configured to execute the step S206.
Through these units, a login operation performed by a first object on a first device is detected, where the login operation is used to log in to the first device with a target account and a first password; in response to the login operation, first authentication data is acquired through a first chip, where the first authentication data is authentication data stored in the first chip and corresponding to the target account, and the first chip is located in the first device and operates independently of its operating system; and if the first password matches the first authentication data, the first object is determined to have passed authentication and is allowed to log in to the first device. This solves the technical problem in the related art that authentication is unreliable because user passwords are easily cracked and stolen, and improves the reliability of authentication.
As an alternative embodiment, the apparatus further comprises:
and the decryption unit is used for decrypting the first authentication data by using a first key in the first key pair through the first chip after the first authentication data is acquired through the first chip to acquire a second password, wherein the first key pair is stored in the first chip, and the first authentication data is a ciphertext acquired by encrypting the second password by using a second key in the first key pair.
As an alternative embodiment, the apparatus further comprises:
the second detection unit is used for detecting the setting operation of the second object on the first equipment before the login operation of the first object on the first equipment is detected, wherein the setting operation is used for setting the login password of the target account as the second password;
the encryption unit is used for responding to the setting operation and encrypting the second password by using the second key through the first chip to obtain first authentication data;
and the first storage unit is used for storing the first authentication data into the first chip through the first chip.
As an alternative embodiment, the apparatus further comprises:
the third detection unit is used for detecting the updating operation executed by a third object on the first equipment after the first authentication data is acquired through the first chip, wherein the updating operation is used for updating the login password of the target account from the third password to a fourth password;
the second obtaining unit is used for responding to the updating operation, and obtaining second authentication data through the first chip under the condition that the third password is matched with the first authentication data, wherein the second authentication data is a ciphertext obtained by encrypting the fourth password by using a second key;
and the second storage unit is used for storing the second authentication data into the first chip through the first chip.
As an alternative embodiment, the apparatus further comprises:
the device comprises an establishing unit, a judging unit and a judging unit, wherein the establishing unit is used for establishing target connection after the first object is determined to pass authentication, and the target connection is a dedicated channel connection for network communication between the first device and the second device;
the authentication unit is used for performing bidirectional authentication on the first equipment and the second equipment by using the first chip and the second chip through target connection, wherein the second chip is positioned in the second equipment and operates independently of an operating system of the second equipment;
and a holding unit for holding the target connection when the bidirectional authentication of the first device and the second device is passed.
As an alternative embodiment, the authentication unit comprises:
the first receiving module is used for receiving a first random number sent by second equipment through target connection;
the first encryption module is used for encrypting the first random number or the hash value of the first random number by using a third key in a second key pair through a first chip or third equipment to obtain a first ciphertext, wherein the second key pair is stored in the first chip or the third equipment, and the third equipment is external equipment which is connected to the first equipment through a first interface and is matched with the target account;
the first sending module is used for sending the first ciphertext and the first electronic certificate to the second device through target connection so that the second device can perform identity authentication on the first device through the first ciphertext and the first electronic certificate, wherein the first electronic certificate is stored in the first chip and is used for uniquely identifying the first chip.
As an optional embodiment, the authentication unit further comprises:
a first generating module, configured to generate the first random number through the second chip before the first random number sent by the second device is received through the target connection;
a second sending module, configured to send the first random number to the first device through the target connection;
a second receiving module, configured to receive the first ciphertext and the first electronic certificate through the target connection after the first ciphertext and the first electronic certificate are sent to the second device through the target connection;
a first verification module, configured to verify the first electronic certificate and determine its legality;
a first extraction module, configured to extract a fourth key from the first electronic certificate when the first electronic certificate passes verification, wherein the fourth key is the key of the second key pair other than the third key;
a first decryption module, configured to decrypt the first ciphertext by using the fourth key to obtain first decrypted data;
and a first determining module, configured to determine that the first device passes authentication when the first decrypted data is the same as the first random number or the hash value of the first random number.
As an alternative embodiment, the authentication unit comprises:
a second generating module, configured to generate a second random number through the first chip or a fourth device, wherein the fourth device is an external device which is connected to the first device through a second interface and matched with the target account;
a third sending module, configured to send the second random number to the second device through the target connection;
a third receiving module, configured to receive a second ciphertext and a second electronic certificate through the target connection, wherein the second electronic certificate is stored in the second chip and is used for uniquely identifying the second chip, the second ciphertext is obtained by encrypting the second random number or a hash value of the second random number by using a fifth key in a third key pair, and the third key pair is stored in the second chip;
a second verification module, configured to verify the second electronic certificate and determine its legality;
a second extraction module, configured to extract a sixth key from the second electronic certificate when the second electronic certificate passes verification, wherein the sixth key is the key of the third key pair other than the fifth key;
a second decryption module, configured to decrypt the second ciphertext by using the sixth key to obtain second decrypted data;
and a second determining module, configured to determine that the second device passes authentication when the second decrypted data is the same as the second random number or the hash value of the second random number.
As an optional embodiment, the authentication unit further comprises:
a fourth receiving module, configured to receive, through the target connection, the second random number sent by the first device after the second random number is sent to the second device through the target connection;
a second encryption module, configured to encrypt the second random number or the hash value of the second random number by using the fifth key through the second chip to obtain the second ciphertext;
and a fourth sending module, configured to send the second ciphertext and the second electronic certificate to the first device through the target connection.
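The challenge-response exchange that the modules above describe, as an added example written for this page and not code from the patent or its applicant. It assumes the electronic certificate is an X.509 certificate issued by a chip CA that both devices trust, and it realizes the "encrypt the random number with the chip-held key, decrypt it with the key taken from the certificate" step as an ECDSA signature over SHA-256 of the random number, verified with the certificate's public key, which is the standard way to express that operation. The Chip type, the Setup, Respond, VerifyResponse and MutualAuth functions and the example CA are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chip models a security chip: a key pair that never leaves it plus the electronic
// certificate that identifies it. Hypothetical type for this example, not the patent's code.
type Chip struct {
	priv    *ecdsa.PrivateKey
	certDER []byte
}

// must panics on fixture setup errors (a failing key generation is unrecoverable here).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// certTemplate builds a one-day certificate template; isCA marks the trust anchor.
func certTemplate(serial int64, name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	return t
}

// Setup builds a constructed chip CA (the root both devices trust when judging certificate legality) and issues certificates to both chips.
func Setup() (roots *x509.CertPool, first, second *Chip) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := certTemplate(1, "Example Chip CA", true)
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	roots = x509.NewCertPool()
	roots.AddCert(caCert)
	newChip := func(serial int64, name string) *Chip {
		priv := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		der := must(x509.CreateCertificate(rand.Reader, certTemplate(serial, name, false), caCert, &priv.PublicKey, caKey))
		return &Chip{priv: priv, certDER: der}
	}
	return roots, newChip(2, "first-chip"), newChip(3, "second-chip")
}

// Respond is the proving chip's step: sign SHA-256(nonce) with the chip-held key and return the signature with the chip's certificate.
func (c *Chip) Respond(nonce []byte) (sig, certDER []byte, err error) {
	h := sha256.Sum256(nonce)
	sig, err = ecdsa.SignASN1(rand.Reader, c.priv, h[:])
	return sig, c.certDER, err
}

// VerifyResponse is the verifying side's step: check the certificate against the roots, take
// its public key, and check the signature against the nonce this side issued (an old answer cannot be replayed).
func VerifyResponse(roots *x509.CertPool, nonce, sig, certDER []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return fmt.Errorf("certificate not legal: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(nonce)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("response does not match the issued random number")
	}
	return nil
}

// MutualAuth runs both directions: the second device verifies the first, then the first verifies the second. Keep the target connection only if it returns nil.
func MutualAuth(roots *x509.CertPool, first, second *Chip) error {
	for i, prover := range []*Chip{first, second} {
		nonce := make([]byte, 32) // fresh random number per direction
		if _, err := rand.Read(nonce); err != nil {
			return err
		}
		sig, certDER, err := prover.Respond(nonce)
		if err != nil {
			return err
		}
		if err := VerifyResponse(roots, nonce, sig, certDER); err != nil {
			return fmt.Errorf("device %d failed authentication: %w", i+1, err)
		}
	}
	return nil
}
```

Each direction issues its own fresh random number and the verifier checks the response only against the number it issued, so a captured response cannot be replayed in a later session; the certificate's legality is checked before its public key is used, so a chip certified by an unknown CA is rejected even when its signature over the nonce is valid. MutualAuth returns nil only when both directions pass, which is the condition under which the holding unit keeps the target connection.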
As an alternative embodiment, the apparatus further comprises:
a second determination unit, configured to determine that the first object fails authentication and to refuse login to the first device when the first password does not match the first authentication data acquired through the first chip;
and a display unit, configured to display prompt information through the first device, wherein the prompt information indicates that the first object has failed authentication.
It should be noted that the modules described above correspond to the steps of the method embodiments and share their examples and application scenarios, but are not limited to the disclosure of those embodiments. The modules described above, as a part of the apparatus, may run in a hardware environment as shown in fig. 1 and may be implemented in software or in hardware, where the hardware environment includes a network environment.
According to still another aspect of the embodiments of the present application, there is also provided an electronic apparatus for implementing the above-described device authentication method, where the electronic apparatus may be a server, a terminal, or a combination thereof.
Fig. 8 is a block diagram of an electronic device according to an embodiment of the present application, and as shown in fig. 8, the electronic device includes a memory 802 and a processor 804, the memory 802 stores a computer program, and the processor 804 is configured to execute the steps in any one of the method embodiments described above through the computer program.
Optionally, in this embodiment, the electronic apparatus may be located in at least one network device of a plurality of network devices of a computer network.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
s1, detecting a login operation executed by a first object on a first device, wherein the login operation is used for logging in the first device by using a target account and a first password;
s2, responding to the login operation, acquiring first authentication data through a first chip, wherein the first authentication data is authentication data which is stored in the first chip and corresponds to the target account, and the first chip is located in the first device and operates independently from an operating system of the first device;
s3, in case the first password matches the first authentication data, determining that the first object is authenticated, and allowing login to the first device.
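Steps S1 to S3 above, together with the setting and updating operations of claims 3 and 4, as an added example written for this page and not code from the patent or its applicant. It assumes the first key pair is an RSA key pair generated and held inside the chip and that OAEP is the encryption scheme; the SecurityChip type, its method names and the sample account are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// SecurityChip models the "first chip": it holds the first key pair and each
// target account's authentication data. Hypothetical type written for this
// example, not the patent's own implementation. The private key never leaves it.
type SecurityChip struct {
	priv     *rsa.PrivateKey   // "first key": decrypts authentication data inside the chip
	authData map[string][]byte // target account -> "first authentication data" (a ciphertext)
}

// NewSecurityChip generates the first key pair inside the chip.
func NewSecurityChip() (*SecurityChip, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &SecurityChip{priv: priv, authData: make(map[string][]byte)}, nil
}

// SetPassword is the setting operation: the password is encrypted with the
// "second key" (the public half) and only the ciphertext is kept. The account
// name is bound in as the OAEP label, so a ciphertext stored for one account
// cannot be presented as another account's authentication data.
func (c *SecurityChip) SetPassword(account, password string) error {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &c.priv.PublicKey, []byte(password), []byte(account))
	if err != nil {
		return err
	}
	c.authData[account] = ct
	return nil
}

// matches decrypts the stored authentication data with the first key (inside the
// chip) and compares the recovered password with the presented one in constant time.
func (c *SecurityChip) matches(account, password string) bool {
	ct, ok := c.authData[account]
	if !ok {
		return false
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, c.priv, ct, []byte(account))
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(pt, []byte(password)) == 1
}

// Login covers steps S1 to S3: the presented password is checked against the chip's
// authentication data and the result decides whether login is allowed.
func (c *SecurityChip) Login(account, password string) bool {
	return c.matches(account, password)
}

// UpdatePassword is the updating operation: the current password must match the
// stored authentication data before new authentication data is written.
func (c *SecurityChip) UpdatePassword(account, oldPassword, newPassword string) error {
	if !c.matches(account, oldPassword) {
		return fmt.Errorf("account %q: current password does not match chip authentication data", account)
	}
	return c.SetPassword(account, newPassword)
}

func main() {
	chip, err := NewSecurityChip()
	if err != nil {
		panic(err)
	}
	if err := chip.SetPassword("alice", "correct horse battery"); err != nil {
		panic(err)
	}
	fmt.Println("login with right password:", chip.Login("alice", "correct horse battery"))
	fmt.Println("login with wrong password:", chip.Login("alice", "wrong"))
	fmt.Println("update with wrong current password:", chip.UpdatePassword("alice", "wrong", "new-secret"))
	fmt.Println("update with right current password:", chip.UpdatePassword("alice", "correct horse battery", "new-secret"))
	fmt.Println("login with new password:", chip.Login("alice", "new-secret"))
}
```

Unlike a salted password hash, the stored authentication data here is a recoverable ciphertext, so the scheme's strength rests entirely on the chip never exporting the first key and on the comparison happening inside it; the constant-time comparison keeps the match result from leaking through timing, and the OAEP label ties each ciphertext to its account.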
The memory 802 may be used to store software programs and modules, such as program instructions/modules corresponding to the device authentication method and apparatus in the embodiments of the present application, and the processor 804 executes various functional applications and data processing by running the software programs and modules stored in the memory 802, so as to implement the device authentication method. The memory 802 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 802 can further include memory located remotely from the processor 804, which can be connected to the terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
As an example, as shown in fig. 8, the memory 802 may include, but is not limited to, the first detecting unit 72, the first obtaining unit 74, and the first determining unit 76 in the device authentication apparatus. In addition, other module units in the device authentication apparatus may also be included, but are not limited to these, and are not described in detail in this example.
Optionally, the transmission device 806 is configured to receive or transmit data via a network. Examples of the network include wired and wireless networks. In one example, the transmission device 806 includes a NIC (Network Interface Controller) that can be connected to a router and other network devices via a network cable to communicate with the internet or a local area network. In another example, the transmission device 806 is an RF (Radio Frequency) module used for communicating with the internet wirelessly.
In addition, the electronic device further includes: a display 808, configured to display an interface of the client; and a connection bus 810 for connecting the respective module parts in the above-described electronic apparatus.
Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments, and this embodiment is not described herein again.
Those skilled in the art will understand that the structure shown in fig. 8 is only an illustration; the device implementing the device authentication method may be a terminal device such as a smartphone (e.g., an Android phone or an iOS phone), a tablet computer, a palmtop computer, a MID (Mobile Internet Device), a PAD, and the like. Fig. 8 only illustrates one structure of the electronic device; the terminal device may include more or fewer components (e.g., network interfaces, display devices) than shown in fig. 8, or have a different configuration from that shown in fig. 8.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disks, ROM (Read-Only Memory), RAM (Random access Memory), magnetic or optical disks, and the like.
According to still another aspect of the embodiments of the present application, a storage medium is also provided. Optionally, in this embodiment, the storage medium stores program code for executing the device authentication method.
Optionally, in this embodiment, the storage medium may be located on at least one of a plurality of network devices in a network shown in the above embodiment.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps:
s1, detecting a login operation executed by a first object on a first device, wherein the login operation is used for logging in the first device by using a target account and a first password;
s2, responding to the login operation, acquiring first authentication data through a first chip, wherein the first authentication data is authentication data which is stored in the first chip and corresponds to the target account, and the first chip is located in the first device and operates independently from an operating system of the first device;
s3, in case the first password matches the first authentication data, determining that the first object is authenticated, and allowing login to the first device.
Optionally, the specific example in this embodiment may refer to the example described in the above embodiment, which is not described again in this embodiment.
Optionally, in this embodiment, the storage medium may include, but is not limited to: various media capable of storing program codes, such as a U disk, a ROM, a RAM, a removable hard disk, a magnetic disk, or an optical disk.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
The integrated unit in the above embodiments, if implemented in the form of a software functional unit and sold or used as a separate product, may be stored in the above computer-readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing one or more computer devices (which may be personal computers, servers, network devices, etc.) to execute all or part of the steps of the method according to the embodiments of the present invention.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed client may be implemented in other manners. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The foregoing is only a preferred embodiment of the present invention; it should be noted that those skilled in the art can make various modifications and refinements without departing from the principle of the present invention, and these modifications and refinements should also be regarded as within the protection scope of the present invention.

Claims (12)

1. A device authentication method, comprising:
detecting a login operation executed by a first object on a first device, wherein the login operation is used for logging in to the first device by using a target account and a first password;
responding to the login operation by acquiring first authentication data through a first chip, wherein the first authentication data is authentication data which is stored in the first chip and corresponds to the target account, and the first chip is located in the first device and runs independently of an operating system of the first device;
and determining that the first object passes authentication and allowing login to the first device if the first password matches the first authentication data.
2. The method of claim 1, wherein after acquiring the first authentication data by the first chip, the method further comprises:
and decrypting the first authentication data by using a first key in a first key pair through the first chip to obtain a second password, wherein the first key pair is stored in the first chip, and the first authentication data is a ciphertext obtained by encrypting the second password by using a second key in the first key pair.
3. The method of claim 2, wherein prior to detecting the login operation performed by the first object on the first device, the method further comprises:
detecting a setting operation executed by a second object on the first device, wherein the setting operation is used for setting a login password of the target account as the second password;
responding to the setting operation, and encrypting the second password by using the second secret key through the first chip to obtain the first authentication data;
and saving the first authentication data into the first chip through the first chip.
4. The method of claim 2, wherein after acquiring the first authentication data by the first chip, the method further comprises:
detecting an updating operation performed on the first device by a third object, wherein the updating operation is used for updating the login password of the target account from a third password to a fourth password;
responding to the updating operation, and under the condition that the third password is matched with the first authentication data, acquiring second authentication data through the first chip, wherein the second authentication data is a ciphertext obtained by encrypting the fourth password by using the second key;
and saving the second authentication data to the first chip through the first chip.
5. The method of any of claims 1-4, wherein after determining that the first object is authenticated, the method further comprises:
establishing a target connection, wherein the target connection is a dedicated channel connection for network communication between the first device and the second device;
performing bidirectional authentication on the first device and the second device through the target connection by using the first chip and a second chip, wherein the second chip is located in the second device and runs independently of an operating system of the second device;
maintaining the target connection if the first device and the second device are authenticated bidirectionally.
6. The method of claim 5, wherein the bidirectional authentication between the first device and the second device over the target connection comprises:
receiving a first random number sent by the second device through the target connection;
encrypting the first random number or a hash value of the first random number by using a third key in a second key pair through the first chip or a third device to obtain a first ciphertext, wherein the second key pair is stored in the first chip or the third device, and the third device is an external device which is connected to the first device through a first interface and matched with the target account;
and sending the first ciphertext and a first electronic certificate to the second device through the target connection, so that the second device performs identity authentication on the first device by using the first ciphertext and the first electronic certificate, wherein the first electronic certificate is stored in the first chip, and the first electronic certificate is used for uniquely identifying the first chip.
7. The method of claim 6, wherein:
before receiving the first random number sent by the second device through the target connection, the method further comprises: generating the first random number by the second chip; and sending the first random number to the first device through the target connection;
after sending the first ciphertext and the first electronic certificate to the second device over the target connection, the method further comprises: receiving the first ciphertext and the first electronic certificate through the target connection; verifying the first electronic certificate and determining its legality; extracting a fourth key from the first electronic certificate when the first electronic certificate passes verification, wherein the fourth key is the key of the second key pair other than the third key; decrypting the first ciphertext by using the fourth key to obtain first decrypted data; and determining that the first device passes authentication when the first decrypted data is identical to the first random number or the hash value of the first random number.
8. The method of claim 5, wherein the bidirectional authentication between the first device and the second device over the target connection comprises:
generating a second random number through the first chip or a fourth device, wherein the fourth device is an external device which is connected to the first device through a second interface and is matched with the target account;
sending the second random number to the second device through the target connection;
receiving a second ciphertext and a second electronic certificate through the target connection, wherein the second electronic certificate is stored in the second chip and is used for uniquely identifying the second chip, the second ciphertext is a ciphertext obtained by encrypting the second random number or a hash value of the second random number by using a fifth key in a third key pair, and the third key pair is stored in the second chip;
verifying the second electronic certificate to determine the legality of the second electronic certificate;
extracting a sixth key from the second electronic certificate when the second electronic certificate passes verification, wherein the sixth key is the key of the third key pair other than the fifth key;
decrypting the second ciphertext by using the sixth key to obtain second decrypted data;
and determining that the second device is authenticated when the second decrypted data is the same as the second random number or the hash value of the second random number.
9. The method of claim 8, wherein after sending the second random number to the second device over the target connection, the method further comprises:
receiving the second random number sent by the first device through the target connection;
encrypting the second random number or the hash value of the second random number by using the fifth key through the second chip to obtain the second ciphertext;
and sending the second ciphertext and the second electronic certificate to the first device through the target connection.
10. An apparatus for authenticating a device, comprising:
a first detection unit, configured to detect a login operation executed by a first object on a first device, wherein the login operation is used for logging in to the first device by using a target account and a first password;
a first obtaining unit, configured to obtain, by a first chip, first authentication data in response to the login operation, wherein the first authentication data is authentication data stored in the first chip and corresponding to the target account, and the first chip is located in the first device and runs independently of an operating system of the first device;
and a first determination unit, configured to determine that the first object passes authentication and that login to the first device is permitted if the first password matches the first authentication data.
11. A storage medium comprising a stored program, wherein the program when executed performs the method of any of claims 1 to 9.
12. An electronic device comprising a memory and a processor, characterized in that the memory has stored therein a computer program, the processor being arranged to execute the method of any of claims 1 to 9 by means of the computer program.
CN202010600243.4A 2020-06-28 2020-06-28 Device authentication method and apparatus, storage medium, and electronic apparatus Pending CN111901303A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010600243.4A CN111901303A (en) 2020-06-28 2020-06-28 Device authentication method and apparatus, storage medium, and electronic apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010600243.4A CN111901303A (en) 2020-06-28 2020-06-28 Device authentication method and apparatus, storage medium, and electronic apparatus

Publications (1)

Publication Number Publication Date
CN111901303A true CN111901303A (en) 2020-11-06

Family

ID=73207828

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010600243.4A Pending CN111901303A (en) 2020-06-28 2020-06-28 Device authentication method and apparatus, storage medium, and electronic apparatus

Country Status (1)

Country Link
CN (1) CN111901303A (en)

Citations (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1832403A (en) * 2006-04-24 2006-09-13 北京易恒信认证科技有限公司 CPK credibility authorization system
CN101389133A (en) * 2007-09-14 2009-03-18 深圳富泰宏精密工业有限公司 Identity verification system and method
CN102427449A (en) * 2011-11-04 2012-04-25 北京工业大学 Trusted mobile storage method based on security chips
CN103186732A (en) * 2011-12-29 2013-07-03 中国长城计算机深圳股份有限公司 User identity authentication method and system of one-machine multi-hard disk multi-operating system
CN103491094A (en) * 2013-09-26 2014-01-01 成都三零瑞通移动通信有限公司 Rapid identity authentication method based on C/S mode
CN104580256A (en) * 2015-02-02 2015-04-29 北京嘀嘀无限科技发展有限公司 Method and device for logging in through user equipment and verifying user's identity
CN104639315A (en) * 2013-11-10 2015-05-20 航天信息股份有限公司 Dual-authentication method and device based on identity passwords and fingerprint identification
CN105162797A (en) * 2015-09-24 2015-12-16 广东工业大学 Bidirectional authentication method based on video surveillance system
CN106302354A (en) * 2015-06-05 2017-01-04 北京壹人壹本信息科技有限公司 A kind of identity identifying method and device
CN106603234A (en) * 2015-10-14 2017-04-26 阿里巴巴集团控股有限公司 Method, device and system for device identity authentication
CN107403109A (en) * 2017-08-09 2017-11-28 苏州中科安源信息技术有限公司 Encryption method and encryption system
CN108234115A (en) * 2016-12-15 2018-06-29 阿里巴巴集团控股有限公司 The verification method of information security, device and system
EP3355548A1 (en) * 2017-01-31 2018-08-01 Systola GmbH Method and system for user authentication
CN109714185A (en) * 2017-10-26 2019-05-03 阿里巴巴集团控股有限公司 Policy deployment method, apparatus, system and the computing system of trusted servers
CN110401640A (en) * 2019-07-05 2019-11-01 北京可信华泰信息技术有限公司 A kind of credible connection method based on trust computing binary system structure
CN110602699A (en) * 2019-09-17 2019-12-20 中国联合网络通信集团有限公司 Password resetting method and device and server
CN110874478A (en) * 2018-08-29 2020-03-10 阿里巴巴集团控股有限公司 Key processing method and device, storage medium and processor
CN111066284A (en) * 2017-10-09 2020-04-24 华为技术有限公司 Service certificate management method, terminal and server

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
雷敏 (Lei Min): 《网络空间安全导论》 (Introduction to Cyberspace Security), 31 August 2018, pages 46-48 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112115461A (en) * 2020-11-20 2020-12-22 腾讯科技(深圳)有限公司 Equipment authentication method and device, computer equipment and storage medium
CN112115461B (en) * 2020-11-20 2021-04-06 腾讯科技(深圳)有限公司 Equipment authentication method and device, computer equipment and storage medium
CN112948851A (en) * 2021-02-25 2021-06-11 深圳壹账通智能科技有限公司 User authentication method, device, server and storage medium
WO2022179115A1 (en) * 2021-02-25 2022-09-01 深圳壹账通智能科技有限公司 User authentication method and apparatus, server and storage medium
CN113596822A (en) * 2021-07-21 2021-11-02 深圳市力博得科技有限公司 Data processing method and device for data transmission encryption, electronic equipment and medium
CN113596822B (en) * 2021-07-21 2023-09-19 东莞市力博得电子科技有限公司 Data transmission encryption data processing method, device, electronic equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20201106)