CN113037682A - Encrypted communication method, encrypted communication device, and encrypted communication system - Google Patents


Info

Publication number
CN113037682A
Authority
CN
China
Prior art keywords
dynamic password
equipment
identification information
verification
sending
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911251937.5A
Other languages
Chinese (zh)
Inventor
续小丁
韩丹
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xian Novastar Electronic Technology Co Ltd
Original Assignee
Xian Novastar Electronic Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/0822 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L 9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H04L 9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L 9/3228 One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Telephonic Communication Services (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses an encryption communication method, an encryption communication device and an encryption communication system. The encryption communication method comprises the following steps: receiving identity authentication information, and judging whether the identity authentication information is correspondingly matched with prestored identity authentication information; sending an equipment authentication request in response to the authentication information being matched with the pre-stored authentication information; receiving equipment identification information, and judging whether the equipment identification information is correspondingly matched with prestored equipment identification information or not; in response to the device identification information not matching the pre-stored device identification information, performing the steps of: sending a dynamic password request; receiving a first dynamic password; locally generating a second dynamic password; judging whether the first dynamic password and the second dynamic password are correspondingly matched to obtain a judgment result; and returning a status message indicating whether the login is successful according to the judgment result. The invention carries out secondary authentication in encryption communication, thereby increasing the security.

Description

Encrypted communication method, encrypted communication device, and encrypted communication system
Technical Field
The present invention relates to the field of communication security technologies, and in particular, to an encrypted communication method, an encrypted communication apparatus, and an encrypted communication system.
Background
At present, interactive communication between a lower computer and an upper computer is carried out over a remote network connection, and the security of that connection is an important subject; the first question that arises is how to authenticate the identities of both parties to the service.
In recent years, as lower computer services have grown, login binding has been required before a lower computer and an upper computer communicate. The login password and verification method of the lower computer are relatively simple, and many users never change the lower computer's default password. This is convenient for users, but it means that people who are familiar with the company's products, including people who are not users of the lower computer itself, can log in and change the programs being played. One response would be to force users to change the lower computer's login password, but given the nature of the product this is inconvenient for users, so other mechanisms are needed to secure the login binding between the lower computer and the upper computer. Identity authentication is the process by which a system examines a user's identity to decide whether the user may access and use certain resources; it identifies the user by an identifier and provides a mechanism for distinguishing and confirming identities. Before a user logs in to a software system, the user must first present an identity to the authentication system; the system first verifies that the identity is genuine, and then determines, from the user's permission settings in an authorization database, whether the user is authorized to access the requested resources.
Currently, two mechanisms are commonly used for identity authentication. One is a time-synchronized dynamic password mechanism, which selects a one-way hash function as the algorithm that generates the authentication data and uses a seed key and a time value as the inputs to that function. The other is an event-synchronized dynamic password mechanism, also called the Lamport scheme or hash chain scheme, which takes an event (such as a usage count or a sequence number) as its variable input.
However, although both mechanisms can secure identity authentication, the first carries a risk of clock desynchronization and the second a risk of event desynchronization, so the frequent clock correction or event correction they require reduces the performance of the lower computer and degrades the user experience.
Disclosure of Invention
The embodiments of the invention provide an encrypted communication method, an encrypted communication device and an encrypted communication system, which aim to improve the security of identity authentication without affecting the performance of the lower computer.
In one aspect, an encrypted communication method provided in an embodiment of the present invention includes:
receiving identity authentication information, and judging whether the identity authentication information is correspondingly matched with prestored identity authentication information or not;
responding to the identity authentication information matched with the pre-stored identity authentication information, and sending an equipment authentication request to acquire equipment identification information;
receiving equipment identification information, and judging whether the equipment identification information is correspondingly matched with prestored equipment identification information or not;
in response to the device identification information not matching pre-stored device identification information, performing the steps of:
sending a dynamic password request to acquire a first dynamic password;
receiving the first dynamic password;
locally generating a second dynamic password;
judging whether the first dynamic password and the second dynamic password are correspondingly matched to obtain a judgment result; and
returning a status message indicating whether the login is successful according to the judgment result.
The embodiment of the invention performs secondary identity authentication in encrypted communication: a static authentication that matches the device identification information against the pre-stored device identification information, and a dynamic authentication that matches the first dynamic password against the second dynamic password. This increases the difficulty of logging in and improves security, and it resolves the clock desynchronization and event desynchronization problems of conventional encrypted communication, together with the reduced lower computer performance and poor user experience caused by frequent clock correction and event correction.
In one embodiment of the invention, a login failure message is returned in response to the authentication information not matching the pre-stored authentication information.
In one embodiment of the invention, a login success message is returned in response to the device identification information matching pre-stored device identification information.
In one embodiment of the present invention, the generating the second dynamic password includes:
locally generating an operation factor;
obtaining a pre-stored token equipment identification code and a token key;
encrypting the operation factor and the token equipment identification code based on a token secret key to obtain an encryption result; and
generating the second dynamic password according to the encryption result.
In one embodiment of the invention, the operation factor is generated by an event synchronization method.
In one embodiment of the invention, the pre-stored token device identification code and token key are stored in an encrypted manner.
In another aspect, an encrypted communication apparatus provided in an embodiment of the present invention is adapted to perform any of the encrypted communication methods described above, and includes:
the identity authentication module is used for receiving identity authentication information and judging whether the identity authentication information is correspondingly matched with prestored identity authentication information;
the request sending module is used for responding to the matching of the authentication information and the pre-stored authentication information and sending an equipment authentication request to acquire equipment identification information;
the device verification module is used for receiving the device identification information and judging whether the device identification information is correspondingly matched with the pre-stored device identification information;
a dynamic password verification module, configured to, in response to a mismatch between the device identification information and pre-stored device identification information, perform the following steps:
sending a dynamic password request to acquire a first dynamic password;
receiving the first dynamic password;
locally generating a second dynamic password;
judging whether the first dynamic password and the second dynamic password are correspondingly matched to obtain a judgment result; and
returning a status message indicating whether the login is successful according to the judgment result.
In another aspect, an encrypted communication method provided in an embodiment of the present invention includes:
sending identity authentication information for the target embedded equipment to authenticate;
receiving an equipment verification request fed back due to successful authentication, and acquiring and sending equipment identification information for equipment verification of the target embedded equipment;
receiving a dynamic password request fed back due to the failure of the equipment verification, and acquiring a dynamic password, wherein the dynamic password is generated by token equipment; and
sending the dynamic password to the target embedded device so that the target embedded device performs dynamic password verification.
In another aspect, an encrypted communication apparatus provided in an embodiment of the present invention includes:
the verification information sending module is used for sending the identity verification information for the target embedded equipment to perform identity verification;
the identification information sending module is used for receiving the equipment verification request fed back due to successful authentication and acquiring and sending equipment identification information for the target embedded equipment to carry out equipment verification;
the dynamic password acquisition module is used for receiving a dynamic password request fed back due to the failure of the equipment verification and acquiring a dynamic password, wherein the dynamic password is generated by the token equipment; and
the dynamic password sending module is used for sending the dynamic password to the target embedded device so that the target embedded device performs dynamic password verification.
In another aspect, an encrypted communication system provided in an embodiment of the present invention includes a processor and a memory, wherein the memory stores instructions for execution by the processor, and the instructions cause the processor to perform any of the encrypted communication methods described above.
The embodiment of the invention performs secondary identity verification, namely static verification and dynamic verification, during encrypted communication. This increases the difficulty of logging in and improves security, and it resolves the clock desynchronization and event desynchronization problems of conventional encrypted communication, together with the reduced lower computer performance and poor user experience caused by frequent clock correction and event correction.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1A is a flowchart of an encrypted communication method according to a first embodiment of the present invention.
Fig. 1B is a flowchart of another encrypted communication method according to the first embodiment of the present invention.
Fig. 1C is a flowchart of generating a second dynamic password in an encrypted communication method according to a first embodiment of the present invention.
Fig. 2 is a block diagram of an encryption communication apparatus according to a second embodiment of the present invention.
Fig. 3 is a flowchart of an encrypted communication method according to a third embodiment of the present invention.
Fig. 4 is a block diagram of an encryption communication apparatus according to a fourth embodiment of the present invention.
Fig. 5 is a schematic structural diagram of an encrypted communication system according to a fifth embodiment of the present invention.
Fig. 6 is a schematic structural diagram of a storage medium according to a sixth embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
[First embodiment]
As shown in fig. 1A, 1B, and 1C, an encrypted communication method according to a first embodiment of the present invention includes the following steps:
S11, receiving identity authentication information, and judging whether the identity authentication information is correspondingly matched with pre-stored identity authentication information;
S13, in response to the identity authentication information matching the pre-stored identity authentication information, sending a device authentication request to acquire device identification information;
S15, receiving device identification information, and judging whether the device identification information is correspondingly matched with pre-stored device identification information;
S17, in response to the device identification information not matching the pre-stored device identification information, carrying out the following steps:
S171, sending a dynamic password request to acquire a first dynamic password;
S173, receiving the first dynamic password;
S175, locally generating a second dynamic password;
S177, judging whether the first dynamic password and the second dynamic password are correspondingly matched to obtain a judgment result; and
S179, returning a status message indicating whether the login is successful according to the judgment result.
Specifically, the first embodiment may be applied to encrypted communication between an upper computer and a lower computer. The upper computer may be a computer terminal such as a Web client or a PC, or a mobile phone; the lower computer may be an embedded device such as a multimedia broadcast control terminal, for example a Taurus card from Xian Novastar Electronic Technology Co Ltd. The implementation of steps S11 to S17, and of sub-steps S171 to S179 of S17, is described below for the case where the upper computer is a mobile phone and the lower computer is a multimedia broadcast control terminal:
Before steps S11 to S17 and sub-steps S171 to S179 of S17 are performed, the user at the mobile phone end first registers, so that an initial trust relationship is established between the mobile phone and the multimedia broadcast control terminal. When the user uses an unregistered multimedia broadcast control terminal from the mobile phone for the first time, the terminal allows the phone to log in normally, and after login the phone sends a token device identification code and a token key K_A to the terminal. The terminal encrypts the token device identification code and the token key K_A separately and stores them in its database, so that an external attack on the terminal's database does not leak the token device identification code or the token key K_A; these values are then used for the dynamic password identity authentication that follows. The encryption algorithms used for this encryption include RSA, ECC, DH, ECDH and the like.
After registration is complete, when the user at the mobile phone end logs in to the multimedia broadcast control terminal, identity authentication information is first entered on the phone. The identity authentication information comprises a user ID and a static password; the pre-stored identity authentication information, comprising a pre-stored user ID and a pre-stored static password, is stored in the multimedia broadcast control terminal by default at the factory. In step S11 the terminal judges whether the entered user ID and static password match the pre-stored user ID and static password. If they match, in step S13 the terminal sends a device authentication request to the mobile phone to request its device identification information. For a computer end such as a Web client or a PC, the device identification information is a unique identifier generated from the computer's hardware number by a unique identifier generation algorithm, preferably a GUID or UUID; for a mobile phone, the phone's IMEI number is used directly as the unique identifier, i.e. as the device identification information. After receiving the device verification request from the terminal, the mobile phone sends its device identification information to the terminal. In step S15 the terminal receives the device identification information and matches it against its pre-stored device identification information, i.e. it performs static verification; the pre-stored device identification information is the unique identifier of the upper computer that has recently and frequently logged in to the terminal. If the device identification information does not match the pre-stored device identification information, in step S17 dynamic verification is performed; specifically, step S17 includes, for example, the following sub-steps:
S171, sending a dynamic password request to acquire a first dynamic password;
S173, receiving the first dynamic password;
S175, locally generating a second dynamic password;
S177, judging whether the first dynamic password and the second dynamic password are correspondingly matched to obtain a judgment result; and
S179, returning a status message indicating whether the login is successful according to the judgment result.
Dynamic verification is carried out through sub-steps S171 to S179. Specifically, when static verification fails, the multimedia broadcast control terminal sends a dynamic password request to the mobile phone, asking it for a first dynamic password to be verified dynamically. On receiving the request, the mobile phone generates the first dynamic password with its token device and sends it to the terminal. The terminal receives the first dynamic password, generates a second dynamic password locally, and judges whether the two match to obtain a judgment result; finally it returns a status message indicating whether the login succeeded according to that result. When the first and second dynamic passwords match, a login success message is returned to the mobile phone, indicating that the terminal allows the phone user to log in normally; dynamic verification is thereby achieved, the phone user logs in, and encrypted communication between the phone and the terminal proceeds. When the first dynamic password does not match the second, a login failure message is returned to the mobile phone, indicating that the terminal refuses the login, so that an illegitimate user is not allowed to log in and the encrypted communication between the phone and the terminal is protected.
Step S175 of locally generating the second dynamic password includes the following sub-steps:
S1751, locally generating an operation factor;
S1753, obtaining a pre-stored token device identification code and a token key;
S1755, encrypting the operation factor and the token device identification code based on the token key to obtain an encryption result; and
S1757, generating the second dynamic password according to the encryption result.
Through sub-steps S1751 to S1757 the multimedia broadcast control terminal generates the second dynamic password locally. Specifically, the terminal first retrieves from its database the token device identification code and the token key K_A, which were supplied by the mobile phone during registration and are pre-stored in the terminal in encrypted form. At the same time the terminal locally generates an operation factor using an event synchronization method, encrypts the token device identification code and the operation factor separately with the pre-stored token key K_A to obtain an encryption result, and computes the second dynamic password from the encryption result together with the operation factor. The encryption algorithms used in this process include RSA, ECC, DH, ECDH and the like.
It should be noted that for the first login to the multimedia broadcast control terminal, the mobile phone is allowed to log in normally. After the first login succeeds, the user modifies the static password on the mobile phone to increase security; when the static password is modified, the terminal updates the static password stored in its database with the modified value, so that the phone user can log in normally the next time.
Further, in the step of judging whether the authentication information matches the pre-stored authentication information, when the authentication information does not match the pre-stored authentication information, which indicates that an illegal user may be attempting to log in to the multimedia broadcast control terminal, a login failure message is returned and the multimedia broadcast control terminal directly refuses the login of the mobile phone terminal user.
Further, in the step of judging whether the device identification information matches the pre-stored device identification information, when the device identification information matches, no further dynamic verification is needed: the multimedia broadcast control terminal directly returns a login success message to the mobile phone terminal user, indicating that it allows the user to log in normally.
To sum up, in the first embodiment, when the lower computer communicates with the upper computer, the lower computer first determines whether the user ID and static password stored locally in advance match the user ID and static password input by the user. If they match, the lower computer requests device identification information from the upper computer, the upper computer sends it, and the lower computer reads from its database the device identification information of the upper computer that most recently logged in and matches it against that of the upper computer now requesting login. If they match, the login succeeds; if not, the lower computer requests the upper computer to input a first dynamic password, and at the same time generates a second dynamic password locally and matches it against the first dynamic password input by the upper computer. If they match, the login succeeds; otherwise the login is rejected. In this way a second authentication is performed during login: a static verification that matches the device identification information of the upper computer against the device identification information pre-stored on the lower computer, and a dynamic verification that matches the first dynamic password provided by the upper computer against the second dynamic password generated locally by the lower computer. This increases the login difficulty and improves security, and also solves the clock desynchronization and event desynchronization problems of conventional encrypted communication, as well as the reduced lower computer performance and poor user experience caused by frequent clock correction and event correction.
[ second embodiment ]
As shown in fig. 2, a cryptographic communication device 20 according to a second embodiment of the present invention includes an identity authentication module 21, a request sending module 23, a device authentication module 25, and a dynamic password authentication module 27.
Specifically, the identity authentication module 21 is configured to receive identity authentication information, and determine whether the identity authentication information is correspondingly matched with pre-stored identity authentication information;
the request sending module 23 is configured to send a device authentication request to acquire device identification information in response to that the authentication information matches pre-stored authentication information;
the device verification module 25 is configured to receive device identification information, and determine whether the device identification information is correspondingly matched with pre-stored device identification information;
the dynamic password verification module 27 is configured to, in response to the device identification information not matching the pre-stored device identification information, perform the following steps:
sending a dynamic password request to acquire a first dynamic password;
receiving the first dynamic password;
locally generating a second dynamic password;
judging whether the first dynamic password and the second dynamic password are correspondingly matched to obtain a judgment result; and
returning a state message representing whether the login is successful according to the judgment result.
For the details of the functions of the authentication module 21, the request sending module 23, the device authentication module 25, and the dynamic password authentication module 27, reference may be made to the related descriptions of steps S11, S13, S15, and S17 in the foregoing first embodiment, which are not described herein again. Further, it should be noted that the identity verification module 21, the request transmission module 23, the device verification module 25 and the dynamic password verification module 27 may be software modules stored in a non-volatile memory and executed by one or more processors to perform the operations of steps S11, S13, S15 and S17 in the first embodiment.
[ third embodiment ]
As shown in fig. 3, a method for encrypted communication according to a third embodiment of the present invention includes the following steps:
S31, sending identity authentication information for the target embedded device to perform identity verification;
S33, receiving the device verification request fed back because of successful identity verification, and acquiring and sending device identification information for the target embedded device to perform device verification;
S35, receiving a dynamic password request fed back due to the failure of device verification, and acquiring a dynamic password, wherein the dynamic password is generated by the token device; and
S37, sending the dynamic password to the target embedded device for the target embedded device to carry out dynamic password verification.
Specifically, this embodiment may be applied to encrypted communication between an upper computer and a lower computer, where the upper computer may be a computer terminal such as a Web or PC client, or a mobile phone terminal, and the lower computer may be an embedded device such as a multimedia broadcast control terminal, for example a Taurus card from Xi'an NovaStar, that is, the target embedded device. Taking, as in the first embodiment, the upper computer to be the mobile phone terminal and the lower computer to be the multimedia broadcast control terminal, steps S31 to S37 are implemented as follows:
In step S31, the mobile phone terminal sends identity authentication information, consisting of the user ID and the static password, to the multimedia broadcast control terminal. The multimedia broadcast control terminal receives the user ID and static password and matches them against the user ID and static password pre-stored in its database. When identity verification succeeds, the multimedia broadcast control terminal feeds back a device verification request to the mobile phone terminal for further static verification. After receiving the device verification request, the mobile phone terminal, in step S33, sends the corresponding device identification information to the multimedia broadcast control terminal, where it is matched against the device identification information pre-stored in the database. When device verification fails (step S33), the multimedia broadcast control terminal feeds back a dynamic password request to the mobile phone terminal for further dynamic verification. After the mobile phone terminal receives the dynamic password request, in step S35 a dynamic password is generated by a token device, for example a mobile token; the generation method is as described in steps S1751 to S1757 of the first embodiment and is not repeated here. After the mobile token has generated the dynamic password, the mobile phone terminal user manually inputs it into the mobile phone terminal, or the token device establishes a message communication channel with the mobile phone terminal and delivers the dynamic password to it. In step S37, the mobile phone terminal sends the dynamic password to the multimedia broadcast control terminal for dynamic password verification; the verification process on the multimedia broadcast control terminal is as described in steps S173 to S179 of the first embodiment and is not repeated here. The token device also supports a specific password: before the first dynamic password is generated on the token device, security can be increased by verifying this specific password. Specifically, the specific password is input on the token device and matched against a preset password stored in the token device; only when they match is the token device allowed to generate the first dynamic password. This limits login by illegal users and realizes two-factor authentication in which the token device can only be used by the mobile phone terminal user himself.
To sum up, in this embodiment, when the lower computer communicates with the upper computer, the user of the upper computer first inputs the user ID and static password; the lower computer receives them and matches them against the user ID and static password pre-stored in the lower computer. If identity verification succeeds, the upper computer sends its device identification information to the lower computer, and the lower computer reads from its database the device identification information of the upper computer that most recently logged in and matches it against that of the upper computer requesting login. If device verification succeeds, the login succeeds; if not, the upper computer inputs a dynamic password at the request of the lower computer, while the lower computer generates a dynamic password locally and matches it against the dynamic password input by the upper computer. If dynamic password verification succeeds, the login proceeds normally; otherwise it is rejected. Thus secondary identity verification is carried out during login, namely static verification that matches the device identification information provided by the upper computer against the device identification information pre-stored on the lower computer, and dynamic verification that matches the dynamic password generated on the upper computer side from the lower computer's information against the dynamic password generated locally by the lower computer. This increases the login difficulty and improves security, and also solves the clock desynchronization and event desynchronization problems of conventional encrypted communication, as well as the reduced lower computer performance and poor user experience caused by frequent clock correction and event correction.
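The login flow of the first embodiment (steps S11 to S17, with the second dynamic password derived as in S1751 to S1757) and the token device's specific-password check from the third embodiment, as an added Python model that is not code from the patent. Assumptions: HMAC-SHA256 stands in for the unspecified keyed encryption step, dynamic passwords are 6 digits, the static password is stored as a salted PBKDF2 hash, the lower computer records the device ID of each successful login, and a small look-ahead window resynchronizes the event counter (standard HOTP practice, not something the patent specifies).

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Callable, Optional

DIGITS = 6          # assumption: 6-digit dynamic passwords
RESYNC_WINDOW = 3   # assumption: how many token events the lower computer may lag behind
LOGIN_SUCCESS = "login success"
LOGIN_FAILURE = "login failure"


def dynamic_password(token_key: bytes, token_device_id: str, operation_factor: int) -> str:
    """Derive a dynamic password from the token key K_A, the token device identification
    code and the operation factor (an event counter). Assumption: HMAC-SHA256 stands in
    for the patent's unspecified encryption step; truncation follows the HOTP construction."""
    msg = token_device_id.encode("utf-8") + struct.pack(">Q", operation_factor)
    mac = hmac.new(token_key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def hash_static_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 hash of the static password (assumption: the patent only says
    the static password is stored in the lower computer's database)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class TokenDevice:
    """The mobile token that produces the first dynamic password."""
    device_id: str
    key: bytes
    pin: str            # the 'specific password' that gates use of the token
    counter: int = 0    # event counter, advanced once per generated password

    def generate(self, pin: str) -> Optional[str]:
        # The specific password is checked before any dynamic password is produced.
        if not hmac.compare_digest(pin.encode("utf-8"), self.pin.encode("utf-8")):
            return None
        self.counter += 1
        return dynamic_password(self.key, self.device_id, self.counter)


@dataclass
class LowerComputer:
    """The multimedia broadcast control terminal, holding the pre-stored user ID,
    static password hash, last device ID, token device ID and token key K_A."""
    user_id: str
    salt: bytes
    static_password_hash: bytes
    last_device_id: str
    token_device_id: str
    token_key: bytes
    counter: int = 0    # the lower computer's copy of the event counter

    def login(self, user_id: str, static_password: str, device_id: str,
              request_dynamic_password: Callable[[], Optional[str]]) -> str:
        # S11: identity verification against the pre-stored user ID and static password.
        given = hash_static_password(static_password, self.salt)
        if user_id != self.user_id or not hmac.compare_digest(given, self.static_password_hash):
            return LOGIN_FAILURE
        # S13/S15: static device verification; the device that last logged in passes directly.
        if hmac.compare_digest(device_id.encode("utf-8"), self.last_device_id.encode("utf-8")):
            return LOGIN_SUCCESS
        # S17: dynamic verification; the callback stands for the dynamic password request
        # sent to the upper computer and the first dynamic password it returns.
        first = request_dynamic_password()
        if first is None:
            return LOGIN_FAILURE
        # S1751..S1757: generate the second dynamic password locally. A small look-ahead
        # lets a token that advanced without logging in still match and resynchronize.
        for step in range(1, RESYNC_WINDOW + 1):
            candidate = self.counter + step
            second = dynamic_password(self.token_key, self.token_device_id, candidate)
            if hmac.compare_digest(first.encode("utf-8"), second.encode("utf-8")):
                self.counter = candidate           # consumed: an older code cannot be replayed
                self.last_device_id = device_id    # assumption: remember this device next time
                return LOGIN_SUCCESS
        return LOGIN_FAILURE


def demo_setup():
    """Constructed sample data: a registered token and a lower computer sharing K_A."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)   # constructed, not a real key
    salt = b"constructed-salt"
    token = TokenDevice(device_id="TOKEN-0001", key=key, pin="4321")
    lower = LowerComputer(user_id="alice", salt=salt,
                          static_password_hash=hash_static_password("s3cret", salt),
                          last_device_id="phone-01", token_device_id=token.device_id,
                          token_key=key)
    return token, lower
```

Calling `demo_setup()` and then `lower.login("alice", "s3cret", "phone-02", lambda: token.generate("4321"))` walks through all three stages; a replayed dynamic password or a token that is more than `RESYNC_WINDOW` events ahead is rejected.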
[ fourth embodiment ]
As shown in fig. 4, a cryptographic communication device 40 according to a fourth embodiment of the present invention includes an authentication information sending module 41, an identification information sending module 43, a dynamic password obtaining module 45, and a dynamic password sending module 47.
Specifically, the verification information sending module 41 is configured to send authentication information for the target embedded device to perform authentication;
the identification information sending module 43 is configured to receive an equipment verification request fed back due to successful authentication, and obtain and send equipment identification information, so that the target embedded equipment performs equipment verification;
the dynamic password obtaining module 45 is configured to receive a dynamic password request fed back due to the device authentication failure, and obtain a dynamic password, where the dynamic password is generated by a token device; and
the dynamic password sending module 47 is configured to send the dynamic password to the target embedded device, so that the target embedded device performs dynamic password verification.
For the detailed functional details of the verification information sending module 41, the identification information sending module 43, the dynamic password obtaining module 45, and the dynamic password sending module 47, reference may be made to the related descriptions of steps S31, S33, S35, and S37 in the foregoing third embodiment, and no further description is given here. Further, it is worth mentioning that the verification information sending module 41, the identification information sending module 43, the dynamic password obtaining module 45 and the dynamic password sending module 47 may be software modules, stored in the non-volatile memory and executed by one or more processors to perform the relevant operations to perform the steps S31, S33, S35 and S37 in the third embodiment.
[ fifth embodiment ]
As shown in fig. 5, a fifth embodiment of the present invention provides an encryption communication system 50, where the encryption communication system 50 includes: a processor 51 and a memory 53; the memory 53 stores instructions executed by the processor 51, and the instructions cause the processor 51 to execute operations to perform the encryption communication method according to the first and third embodiments.
[ sixth embodiment ]
As shown in fig. 6, a sixth embodiment of the present invention provides a computer-readable storage medium 60, which is a non-volatile memory and stores program codes, and when the program codes are executed by one or more processors, the encrypted communication method described in the foregoing first embodiment and third embodiment is implemented.
In addition, it should be understood that the foregoing embodiments are merely exemplary illustrations of the present invention, and the technical solutions of the embodiments can be arbitrarily combined and collocated without conflict between technical features and structural contradictions, which do not violate the purpose of the present invention.
In the embodiments provided in the present invention, it should be understood that the disclosed system, apparatus and/or method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units/modules is only one logical division, and there may be other divisions in actual implementation, for example, multiple units or modules may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units/modules described as separate parts may or may not be physically separate, and parts displayed as units/modules may or may not be physical units, may be located in one place, or may be distributed on multiple network units. Some or all of the units/modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
In addition, each functional unit/module in the embodiments of the present invention may be integrated into one processing unit/module, or each unit/module may exist alone physically, or two or more units/modules may be integrated into one unit/module. The integrated units/modules may be implemented in the form of hardware, or may be implemented in the form of hardware plus software functional units/modules.
The integrated units/modules, which are implemented in the form of software functional units/modules, may be stored in a computer readable storage medium. The software functional unit is stored in a storage medium and includes several instructions to make one or more processors of a computer device (which may be a personal computer, a server, or a network device) execute part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: various media capable of storing program codes, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. An encrypted communication method, comprising:
receiving identity authentication information, and judging whether the identity authentication information is correspondingly matched with prestored identity authentication information or not;
in response to the identity authentication information matching the pre-stored identity authentication information, sending a device authentication request to acquire device identification information;
receiving equipment identification information, and judging whether the equipment identification information is correspondingly matched with prestored equipment identification information or not;
in response to the device identification information not matching pre-stored device identification information, performing the steps of:
sending a dynamic password request to acquire a first dynamic password;
receiving the first dynamic password;
locally generating a second dynamic password;
judging whether the first dynamic password and the second dynamic password are correspondingly matched to obtain a judgment result; and
returning a state message representing whether the login is successful according to the judgment result.
2. The encrypted communication method according to claim 1, further comprising:
returning a login failure message in response to the authentication information not matching the pre-stored authentication information.
3. The encrypted communication method according to claim 1, further comprising:
returning a login success message in response to the device identification information matching the pre-stored device identification information.
4. The encrypted communications method of claim 1, wherein the locally generating a second dynamic password comprises:
locally generating an operation factor;
obtaining a pre-stored token equipment identification code and a token key;
encrypting the operation factor and the token equipment identification code based on a token secret key to obtain an encryption result; and
generating the second dynamic password according to the encryption result.
5. The encryption communication method according to claim 4, wherein said operation factor is generated by an event synchronization method.
6. The encrypted communication method according to claim 4, wherein the pre-stored token device identification code and token key are stored in an encrypted manner.
7. An encryption communication apparatus adapted to perform the encryption communication method according to any one of claims 1 to 6, and comprising:
the identity authentication module is used for receiving identity authentication information and judging whether the identity authentication information is correspondingly matched with prestored identity authentication information;
the request sending module is used for responding to the matching of the authentication information and the pre-stored authentication information and sending an equipment authentication request to acquire equipment identification information;
the device verification module is used for receiving the device identification information and judging whether the device identification information is correspondingly matched with the pre-stored device identification information;
a dynamic password verification module, configured to, in response to a mismatch between the device identification information and pre-stored device identification information, perform the following steps:
sending a dynamic password request to acquire a first dynamic password;
receiving the first dynamic password;
locally generating a second dynamic password;
judging whether the first dynamic password and the second dynamic password are correspondingly matched to obtain a judgment result; and
returning a state message representing whether the login is successful according to the judgment result.
8. An encrypted communication method, comprising:
sending identity authentication information for the target embedded equipment to authenticate;
receiving an equipment verification request fed back due to successful authentication, and acquiring and sending equipment identification information for equipment verification of the target embedded equipment;
receiving a dynamic password request fed back due to the failure of the equipment verification, and acquiring a dynamic password, wherein the dynamic password is generated by token equipment; and
sending the dynamic password to the target embedded device so that the target embedded device performs dynamic password verification.
9. An encrypted communication apparatus, comprising:
the verification information sending module is used for sending the identity verification information for the target embedded equipment to perform identity verification;
the identification information sending module is used for receiving the equipment verification request fed back due to successful authentication and acquiring and sending equipment identification information for the target embedded equipment to carry out equipment verification;
the dynamic password acquisition module is used for receiving a dynamic password request fed back due to the failure of the equipment verification and acquiring a dynamic password, wherein the dynamic password is generated by the token equipment; and
the dynamic password sending module is used for sending the dynamic password to the target embedded device so that the target embedded device performs dynamic password verification.
10. An encrypted communication system, comprising: a processor and a memory; wherein the memory stores instructions for execution by the processor and the instructions cause the processor to perform operations to perform the method of encrypted communication according to any one of claims 1 to 6 and 8.
CN201911251937.5A 2019-12-09 2019-12-09 Encrypted communication method, encrypted communication device, and encrypted communication system Pending CN113037682A (en)

Publications (1)

Publication Number Publication Date
CN113037682A true CN113037682A (en) 2021-06-25

Family

ID=76451781


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210625