CN113507368A - Industrial control equipment identity authentication method and device based on dynamic password - Google Patents


Info

Publication number
CN113507368A
Authority
CN
China
Prior art keywords
industrial control
control terminal
authentication server
dynamic password
hash value
Prior art date
Legal status
Pending
Application number
CN202110674424.6A
Other languages
Chinese (zh)
Inventor
苑桂杰
谭曙光
Current Assignee
Beijing Huierte Technology Co ltd
Original Assignee
Beijing Huierte Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Beijing Huierte Technology Co ltd
Priority to CN202110674424.6A
Publication of CN113507368A

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L 9/06 the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
              • H04L 9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
            • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
              • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
                • H04L 9/0866 involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
                • H04L 9/0869 involving random numbers or seeds
            • H04L 9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
              • H04L 9/3226 using a predetermined code, e.g. password, passphrase or PIN
                • H04L 9/3228 One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/08 for authentication of entities
              • H04L 63/083 using passwords
                • H04L 63/0838 using one-time-passwords
              • H04L 63/0876 based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

An industrial control terminal initiates a device registration request, computes its own hardware feature code and device serial number, and sends them to an authentication server. A random authorization code, generated by the authentication server after it has checked and approved the terminal's hardware feature code and device serial number, is input to the terminal. The terminal obtains its current local time and derives a first dynamic password from that time and a second hash value (the seed key it computes from its hardware feature code, its device serial number and the random authorization code); it sends its hardware feature code, the current local time and the first dynamic password to the authentication server, and receives the verification result from the server. Because each of the two communicating parties computes the seed key itself, the key is distributed securely without ever being transmitted over the network; and no manual participation is needed in the authentication, which improves the accuracy and security of identity authentication.

Description

Industrial control equipment identity authentication method and device based on dynamic password
Technical Field
The invention relates to the technical field of identity authentication, in particular to an industrial control equipment identity authentication method and device based on a dynamic password.
Background
A dynamic password, also called a one-time password (OTP), is a password that is valid for only one use on a computer system or other digital device; its validity lasts for a single login session or transaction.
Identity authentication based on dynamic passwords is a strong-authentication technique built on cryptography and on a secret shared between client and server, and is used to strengthen static-password authentication. A deployment generally comprises a dynamic token (a small hardware device with a battery and an LCD) acting as the password generator, and an identity authentication system that manages the tokens and performs the authentication.
The existing dynamic-password authentication process is as follows:
Step 0: the authentication server generates a seed key, also called a pre-shared key (PSK), and exports it to the dynamic token offline. This step happens only once, when the token is initialised;
Step 1: when an end user logs in, the user reads the dynamic password displayed on the token and types it into the terminal service system being logged into;
Step 2: the terminal service system submits the user name and the dynamic password to the authentication server;
Step 3: the authentication server looks up the seed key by user name, verifies that the dynamic password value is correct, and returns the login result to the terminal service system.
The drawback of the traditional dynamic password is that a person cannot remember it, so the user must be notified of it through a specific channel, read it, and enter it by hand on the system being logged into: for example, the user completes the login manually with a hardware token preset with a seed key, or from a password sent by SMS. Dynamic-password authentication is therefore generally used where a human is in the loop, and is difficult to apply to highly automated equipment.
Disclosure of Invention
Therefore, the invention provides a dynamic-password-based identity authentication method and device for industrial control equipment, which distributes the seed key securely without transmitting it over the network and needs no manual participation in the identity authentication process.
To achieve the above object, in a first aspect the present invention provides an identity authentication method for industrial control equipment based on a dynamic password, comprising a seed key distribution stage and an identity authentication stage;
the seed key distribution stage comprises:
the industrial control terminal initiates a device registration request, computes its own hardware feature code and device serial number, and sends them to an authentication server;
a random authorization code is input to the industrial control terminal, the random authorization code having been generated by the authentication server after it checked and approved the terminal's hardware feature code and device serial number; the authentication server also combines the random authorization code with the terminal's hardware feature code and device serial number and computes a first hash value with a cryptographic hash algorithm;
the industrial control terminal uses the same cryptographic hash algorithm to compute a second hash value over its hardware feature code, its device serial number and the random authorization code;
the identity authentication stage comprises:
the industrial control terminal obtains the current local time and derives a first dynamic password from the current local time and the second hash value;
the industrial control terminal sends its hardware feature code, the current local time and the first dynamic password to the authentication server;
the industrial control terminal receives the verification result sent by the authentication server, the verification result being obtained as follows: the authentication server looks up the first hash value in its database by the terminal's hardware feature code, derives a second dynamic password from the first hash value in the same way, and checks whether the first and second dynamic passwords are equal.
In a preferred scheme of the dynamic-password-based identity authentication method for industrial control equipment, the authentication server combines the random authorization code with the terminal's hardware feature code and device serial number and computes the first hash value with the SM3 cryptographic hash algorithm;
and the industrial control terminal computes the second hash value over its hardware feature code, its device serial number and the random authorization code with SM3.
In a preferred scheme, the first hash value serves as the authentication server's seed key and the second hash value serves as the industrial control terminal's seed key;
the first hash value and the second hash value are equal.
In a preferred scheme, the authentication server verifies whether the received current local time lies within an allowed error range and whether that time value has already been used; a time outside the error range, or one that has been used before, does not pass verification.
In a preferred scheme, when the first dynamic password equals the second dynamic password the authentication succeeds, the industrial control terminal proceeds with subsequent operations according to the login result, and the identity authentication of the industrial control terminal is complete.
In a second aspect, the invention provides an identity authentication method for industrial control equipment based on a dynamic password, performed on the authentication server side and comprising a seed key distribution stage and an identity authentication stage;
the seed key distribution stage comprises:
the authentication server receives a device registration request sent by an industrial control terminal, the request containing the hardware feature code and device serial number that the terminal computed for itself;
the authentication server checks and approves the terminal's hardware feature code and device serial number and, once they are approved, generates a random authorization code;
the authentication server computes, with a cryptographic hash algorithm, a first hash value over the terminal's hardware feature code, the device serial number and the random authorization code;
the random authorization code is also used by the industrial control terminal, combined with its own hardware feature code and device serial number, to compute a second hash value with the same cryptographic hash algorithm;
the identity authentication stage comprises:
the authentication server receives a first dynamic password sent by the industrial control terminal, the first dynamic password having been derived by the terminal from its current local time and the second hash value;
the authentication server looks up the first hash value in its database by the terminal's hardware feature code, derives a second dynamic password from the first hash value, and checks whether the first and second dynamic passwords are equal;
and the authentication server sends the verification result to the industrial control terminal.
In a preferred scheme of this method, the authentication server computes the first hash value over the terminal's hardware feature code, the device serial number and the random authorization code with the SM3 cryptographic hash algorithm;
the random authorization code is also used by the industrial control terminal, combined with its own hardware feature code and device serial number, to compute the second hash value with SM3;
the first hash value serves as the authentication server's seed key and the second hash value serves as the industrial control terminal's seed key;
the first hash value and the second hash value are equal.
In a preferred scheme, the authentication server verifies whether the received current local time lies within an allowed error range and whether that time value has already been used; a time outside the error range, or one that has been used before, does not pass verification;
and when the first dynamic password equals the second dynamic password, verification succeeds, the industrial control terminal proceeds with subsequent operations according to the login result, and the identity authentication of the industrial control terminal is complete.
In a third aspect, an identity authentication device for industrial control equipment based on a dynamic password is provided, comprising an industrial control terminal, wherein:
the industrial control terminal initiates a device registration request, computes its own hardware feature code and device serial number, and sends them to an authentication server;
a random authorization code is input to the industrial control terminal, the random authorization code having been generated by the authentication server after it checked and approved the terminal's hardware feature code and device serial number; the authentication server also combines the random authorization code with the terminal's hardware feature code and device serial number and computes a first hash value with a cryptographic hash algorithm;
the industrial control terminal uses the same cryptographic hash algorithm to compute a second hash value over its hardware feature code, its device serial number and the random authorization code;
the industrial control terminal obtains the current local time and derives a first dynamic password from the current local time and the second hash value;
the industrial control terminal sends its hardware feature code, the current local time and the first dynamic password to the authentication server;
the industrial control terminal receives the verification result sent by the authentication server, the verification result being obtained as follows: the authentication server looks up the first hash value in its database by the terminal's hardware feature code, derives a second dynamic password from the first hash value, and checks whether the first and second dynamic passwords are equal.
In a fourth aspect, an identity authentication device for industrial control equipment based on a dynamic password is provided, comprising an authentication server, wherein:
the authentication server receives a device registration request sent by the industrial control terminal, the request containing the hardware feature code and device serial number that the terminal computed for itself;
the authentication server checks and approves the terminal's hardware feature code and device serial number and, once they are approved, generates a random authorization code;
the authentication server computes, with a cryptographic hash algorithm, a first hash value over the terminal's hardware feature code, the device serial number and the random authorization code;
the random authorization code is also used by the industrial control terminal, combined with its own hardware feature code and device serial number, to compute a second hash value with the same cryptographic hash algorithm;
the authentication server receives a first dynamic password sent by the industrial control terminal, the first dynamic password having been derived by the terminal from its current local time and the second hash value;
the authentication server looks up the first hash value in its database by the terminal's hardware feature code, derives a second dynamic password from the first hash value, and checks whether the first and second dynamic passwords are equal;
and the authentication server sends the verification result to the industrial control terminal.
The invention has the following advantages. The identity authentication process comprises a seed key distribution stage and an identity authentication stage. In the seed key distribution stage, the industrial control terminal initiates a device registration request, computes its own hardware feature code and device serial number, and sends them to the authentication server; a random authorization code is input to the terminal, the code having been generated by the authentication server after it checked and approved the terminal's hardware feature code and device serial number; the authentication server combines the random authorization code with those two values and computes a first hash value with a cryptographic hash algorithm, and the terminal computes a second hash value over the same three values with the same algorithm. In the identity authentication stage, the terminal obtains the current local time, derives a first dynamic password from that time and the second hash value, and sends its hardware feature code, the current local time and the first dynamic password to the authentication server; the server looks up the first hash value in its database by the hardware feature code, derives a second dynamic password from it, checks whether the first and second dynamic passwords are equal, and returns the verification result to the terminal. In this way each of the two communicating parties computes the seed key itself, so the key is distributed securely without ever being transmitted over the network; and when the terminal equipment needs to log in, the dynamic password is computed and submitted to the authentication server automatically, with no manual participation, which improves the accuracy and security of identity authentication.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. It should be apparent that the drawings in the following description are merely exemplary, and that other embodiments can be derived from the drawings provided by those of ordinary skill in the art without inventive effort.
The structures, proportions and sizes shown in this specification are provided only to match the disclosed content so that those skilled in the art can understand and read the invention; they do not limit the conditions under which the invention can be implemented and carry no technical significance in themselves. Any structural modification, change of proportion or adjustment of size that does not affect the function and purpose of the invention still falls within the scope of the invention.
Fig. 1 is a schematic flowchart of an identity authentication method for industrial control equipment based on a dynamic password according to embodiment 1 of the present invention;
fig. 2 is a schematic diagram illustrating distribution of a seed key in an identity authentication method for industrial control equipment based on a dynamic password according to embodiment 1 of the present invention;
fig. 3 is a schematic diagram of an identity authentication stage in the identity authentication method for industrial control equipment based on a dynamic password according to embodiment 1 of the present invention;
fig. 4 is a schematic flowchart of an identity authentication method for industrial control equipment based on a dynamic password according to embodiment 2 of the present invention.
Detailed Description
The present invention is described in terms of particular embodiments, other advantages and features of the invention will become apparent to those skilled in the art from the following disclosure, and it is to be understood that the described embodiments are merely exemplary of the invention and that it is not intended to limit the invention to the particular embodiments disclosed. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1
Referring to fig. 1, fig. 2 and fig. 3, embodiment 1 of the present invention provides a method for authenticating the identity of industrial control equipment based on a dynamic password, comprising a seed key distribution stage SA1 and an identity authentication stage SA2;
the seed key distribution stage SA1 comprises:
SA11, the industrial control terminal initiates a device registration request, computes its own hardware feature code and device serial number, and sends them to an authentication server;
SA12, a random authorization code is input to the industrial control terminal, the code having been generated by the authentication server after it checked and approved the terminal's hardware feature code and device serial number; the authentication server also combines the random authorization code with the terminal's hardware feature code and device serial number and computes a first hash value with a cryptographic hash algorithm;
SA13, the industrial control terminal uses the same cryptographic hash algorithm to compute a second hash value over its hardware feature code, its device serial number and the random authorization code;
the identity authentication stage SA2 comprises:
SA21, the industrial control terminal obtains the current local time and derives a first dynamic password from the current local time and the second hash value;
SA22, the industrial control terminal sends its hardware feature code, the current local time and the first dynamic password to the authentication server;
SA23, the industrial control terminal receives the verification result sent by the authentication server, the result being obtained as follows: the authentication server looks up the first hash value in its database by the terminal's hardware feature code, derives a second dynamic password from the first hash value, and checks whether the first and second dynamic passwords are equal.
In this embodiment, the authentication server combines the random authorization code with the terminal's hardware feature code and device serial number and computes the first hash value with the SM3 cryptographic hash algorithm, and the industrial control terminal computes the second hash value over its hardware feature code, its device serial number and the random authorization code with SM3. The first hash value serves as the authentication server's seed key and the second hash value serves as the industrial control terminal's seed key; the first hash value and the second hash value are equal.
Specifically, the national cryptographic (SM) algorithms are a series of algorithms specified by the Chinese state cryptography authority and comprise a symmetric block cipher, an elliptic-curve public-key algorithm and a cryptographic hash algorithm. The SM3 hash algorithm produces a 32-byte (256-bit) digest and was published together with the SM2 algorithm. SM3 is designed along the lines of SHA-256: it uses a Merkle-Damgard construction with a 512-bit message block and a 256-bit digest, and its compression function has a structure similar to that of SHA-256, but with a more involved design that consumes two message words in each round. No practical attack on the full SM3 is known, and it is regarded as offering security comparable to SHA-256.
Referring to fig. 2, specifically, based on the technical solution of the present application, an operator of an industrial control terminal initiates a device registration request. When the equipment registration is requested, the industrial control terminal calculates the hardware feature code d1 and the equipment serial number d2, and sends the hardware feature code d1 and the equipment serial number d2 to the authentication server.
And checking the equipment information by an administrator of the authentication server, checking the equipment serial number, and performing approval. After the approval by the authentication server administrator, the authentication server system generates a random authorization code d 3. The authentication server uses the cryptographic algorithm SM3 to calculate a first hash value D1 ═ SM3(D1, D2, D3), which is the seed key D1. The authentication server displays the random authorization code d3 on the page.
Specifically, the industrial control terminal operator manually enters the random authorization code d 3. Then, the industrial control terminal calculates a second hash value D2 ═ SM3(D1, D2, D3) using the cryptographic algorithm SM3, and the second hash value D2 is the seed key. Up to this point, the two communicating parties have each calculated their own seed key, i.e., D1 ═ D2.
In this embodiment, the authentication server verifies whether the received current local time is within an error range, and determines that the current local time is used if the current local time exceeds the error range. And when the first dynamic password is the same as the second dynamic password, the verification is successful, the industrial control terminal is allowed to process subsequent operation according to the login result, and the identity authentication of the industrial control terminal is completed.
In fig. 3, specifically, in the identity authentication phase, the industrial control terminal obtains the current local time t1 and calculates the dynamic password p1 = otp(D2) according to the current local time t1 and the seed key, i.e., the second hash value D2. The industrial control terminal sends the local hardware feature code d1, the current local time t1 and the dynamic password p1 to the authentication server.
Specifically, the authentication server verifies whether the current local time t1 is within the error range, and then determines whether the current local time t1 has already been used. The authentication server queries the database according to the local hardware feature code d1 to obtain the seed key, i.e., the first hash value D1, calculates the dynamic password p2 = otp(D1), and verifies whether the dynamic password p1 is the same as the dynamic password p2. The authentication server sends the verification result to the terminal, and the industrial control terminal processes subsequent operations according to the login result, so that the identity authentication process is completed.
Example 2
Embodiment 2 of the invention provides an industrial control equipment identity authentication method based on a dynamic password, which comprises a seed key distribution stage SB1 and an identity authentication stage SB2;
the seed key distribution stage SB1 includes:
SB11, receiving an equipment registration request sent by the industrial control terminal through the authentication server, wherein the equipment registration request comprises a local hardware feature code and an equipment serial number calculated by the industrial control terminal;
SB12, the authentication server checks and approves the hardware feature code and the equipment serial number of the local computer, and a random authorization code is generated after the check and approval is passed;
SB13, the authentication server adopts a cryptographic algorithm to calculate a first hash value including the local hardware feature code, the equipment serial number and the random authorization code;
SB14, the random authorization code is also used by the industrial control terminal to calculate a second hash value, combining the local hardware feature code and the equipment serial number, using a cryptographic algorithm;
the identity authentication phase SB2 comprises:
SB21, the authentication server receives a first dynamic password sent by the industrial control terminal, wherein the first dynamic password is obtained by the industrial control terminal according to the obtained current local time and the second hash value;
SB22, the authentication server queries a database according to the hardware feature code of the local computer to obtain a first hash value, obtains a second dynamic password according to the first hash value, and verifies whether the first dynamic password and the second dynamic password are the same;
SB23, the authentication server transmits the verification result to the industrial control terminal.
In this embodiment, the authentication server calculates a first hash value including the hardware feature code, the device serial number, and the random authorization code of the local machine by using the cryptographic algorithm SM3; the random authorization code is also used by the industrial control terminal to calculate a second hash value, combining the hardware feature code of the local computer and the equipment serial number, using the cryptographic algorithm SM3; the first hash value is used as the seed key of the authentication server, and the second hash value is used as the seed key of the industrial control terminal; the first hash value and the second hash value are equal.
In this embodiment, the authentication server verifies whether the received current local time is within an error range, and determines that the current local time is used if the current local time exceeds the error range;
and when the first dynamic password is the same as the second dynamic password, the verification is successful, the industrial control terminal is allowed to process subsequent operation according to the login result, and the identity authentication of the industrial control terminal is completed.
The inventive concept and specific implementation details of embodiment 2 of the present invention are similar to those of embodiment 1, and are not repeated herein. The embodiment 1 is a description of the whole technical scheme from the industrial control terminal, and the embodiment 2 is a description of the whole technical scheme from the authentication server terminal.
Example 3
The embodiment 3 of the invention provides an industrial control equipment identity authentication device based on a dynamic password, which comprises an industrial control terminal:
the industrial control terminal initiates a device registration request, calculates a hardware feature code and a device serial number of the industrial control terminal, and sends the hardware feature code and the device serial number of the industrial control terminal to an authentication server;
inputting a random authorization code to the industrial control terminal, wherein the random authorization code is generated after the authentication server checks and approves the hardware feature code and the equipment serial number of the local machine, and the random authorization code is also used for calculating a first hash value by combining the hardware feature code and the equipment serial number of the local machine and adopting a cryptographic algorithm through the authentication server;
the industrial control terminal adopts a cryptographic algorithm to calculate a second hash value comprising the hardware feature code of the industrial control terminal, the equipment serial number and the random authorization code;
the industrial control terminal acquires the current local time, and the industrial control terminal obtains a first dynamic password according to the current local time and the second hash value;
the industrial control terminal sends the hardware feature code of the local machine, the current local time and the first dynamic password to an authentication server;
the industrial control terminal receives the verification result sent by the authentication server, and the verification result obtaining process is as follows: and the authentication server queries a database according to the hardware feature code of the local computer to obtain a first hash value, obtains a second dynamic password according to the first hash value, and verifies whether the first dynamic password and the second dynamic password are the same.
Embodiment 3 of the present invention is a description of a scheme corresponding to the hardware aspect of embodiment 1, and details of implementation are similar to those of embodiment 1, and are not described herein again.
Example 4
The embodiment 4 of the invention provides an industrial control equipment identity authentication device based on a dynamic password, which comprises an authentication server:
the authentication server receives an equipment registration request sent by the industrial control terminal, wherein the equipment registration request comprises a local hardware feature code and an equipment serial number calculated by the industrial control terminal;
the authentication server checks and approves the hardware feature code and the equipment serial number of the local computer, and a random authorization code is generated after the check and approval are passed;
the authentication server adopts a cryptographic algorithm to calculate a first hash value comprising the hardware feature code of the authentication server, the equipment serial number and the random authorization code;
the random authorization code is also used for calculating a second hash value by combining the hardware feature code of the local computer and the equipment serial number through an industrial control terminal by adopting a cryptographic algorithm;
the authentication server receives a first dynamic password sent by the industrial control terminal, and the first dynamic password is obtained by the industrial control terminal according to the acquired current local time and a second hash value;
the authentication server queries a database according to the hardware feature code of the local computer to obtain a first hash value, obtains a second dynamic password according to the first hash value, and verifies whether the first dynamic password and the second dynamic password are the same;
and the authentication server sends the verification result to the industrial control terminal.
Embodiment 4 of the present invention is a description of a scheme corresponding to the hardware aspect of embodiment 2, and specific implementation details are similar to those of embodiment 2 and are not described herein again.
In summary, the present invention includes a seed key distribution stage and an identity authentication stage; the seed key distribution stage comprises: the industrial control terminal initiates a device registration request, calculates a hardware feature code and a device serial number of the local machine and sends the hardware feature code and the device serial number of the local machine to the authentication server; inputting a random authorization code to the industrial control terminal, wherein the random authorization code is generated after the authentication server checks and approves the hardware feature code and the equipment serial number of the local machine, and the random authorization code is also used for calculating a first hash value by combining the hardware feature code and the equipment serial number of the local machine and adopting a cryptographic algorithm through the authentication server; the industrial control terminal adopts a cryptographic algorithm to calculate a second hash value comprising a hardware feature code of the industrial control terminal, the equipment serial number and the random authorization code; the identity authentication phase comprises the following steps: the industrial control terminal obtains the current local time, and the industrial control terminal obtains a first dynamic password according to the current local time and the second hash value; the industrial control terminal sends the hardware feature code of the industrial control terminal, the current local time and the first dynamic password to the authentication server; the industrial control terminal receives a verification result sent by the authentication server, and the verification result obtaining process is as follows: the authentication server queries the database according to the hardware feature code of the local computer to obtain a first hash value, obtains a second dynamic password according to the first hash value, and verifies whether the first dynamic password is the same as the second dynamic password.
According to the method, the seed key is obtained by the two communicating parties through calculation respectively, and the safe distribution of the key is realized on the premise of ensuring that the key is not transmitted through a network; when the terminal equipment needs to log in, the dynamic password is automatically calculated and submitted to the authentication server without manual participation, so that the accuracy and the safety of identity authentication are improved.
Although the invention has been described in detail above with reference to a general description and specific examples, it will be apparent to one skilled in the art that modifications or improvements may be made thereto based on the invention. Accordingly, such modifications and improvements are intended to be within the scope of the invention as claimed.

Claims (10)

1. The industrial control equipment identity authentication method based on the dynamic password is characterized by comprising a seed key distribution stage and an identity authentication stage;
the seed key distribution stage comprises:
the industrial control terminal initiates a device registration request, calculates a hardware feature code and a device serial number of the industrial control terminal, and sends the hardware feature code and the device serial number of the industrial control terminal to an authentication server;
inputting a random authorization code to the industrial control terminal, wherein the random authorization code is generated after the authentication server checks and approves the hardware feature code and the equipment serial number of the local machine, and the random authorization code is also used for calculating a first hash value by combining the hardware feature code and the equipment serial number of the local machine and adopting a cryptographic algorithm through the authentication server;
the industrial control terminal adopts a cryptographic algorithm to calculate a second hash value comprising the hardware feature code of the industrial control terminal, the equipment serial number and the random authorization code;
the identity authentication phase comprises:
the industrial control terminal obtains the current local time, and the industrial control terminal obtains a first dynamic password according to the current local time and the second hash value;
the industrial control terminal sends the hardware feature code of the local machine, the current local time and the first dynamic password to an authentication server;
the industrial control terminal receives the verification result sent by the authentication server, and the verification result obtaining process is as follows: and the authentication server queries a database according to the hardware feature code of the local computer to obtain a first hash value, obtains a second dynamic password according to the first hash value, and verifies whether the first dynamic password and the second dynamic password are the same.
2. The dynamic password-based industrial control equipment identity authentication method according to claim 1, wherein the random authorization code, in combination with the local hardware feature code and the equipment serial number, is used by the authentication server to calculate a first hash value by using the cryptographic algorithm SM3;
and the industrial control terminal adopts a cryptographic algorithm SM3 to calculate a second hash value comprising the local hardware feature code, the equipment serial number and the random authorization code.
3. The dynamic password-based industrial control equipment identity authentication method according to claim 2, wherein the first hash value is used as a seed key of the authentication server, and the second hash value is used as a seed key of the industrial control terminal;
the first hash value and the second hash value are equal.
4. The method as claimed in claim 1, wherein the authentication server verifies whether the received current local time is within an error range, and determines that the current local time is used if the current local time is out of the error range.
5. The method for authenticating the identity of the industrial control equipment based on the dynamic password as claimed in claim 1, wherein when the first dynamic password is the same as the second dynamic password, the authentication is successful, the industrial control terminal is allowed to process subsequent operations according to the login result, and the identity authentication of the industrial control terminal is completed.
6. The industrial control equipment identity authentication method based on the dynamic password is characterized by comprising a seed key distribution stage and an identity authentication stage;
the seed key distribution stage comprises:
receiving an equipment registration request sent by an industrial control terminal through an authentication server, wherein the equipment registration request comprises a local hardware feature code and an equipment serial number calculated by the industrial control terminal;
the authentication server checks and approves the hardware feature code and the equipment serial number of the local computer, and a random authorization code is generated after the check and approval are passed;
the authentication server adopts a cryptographic algorithm to calculate a first hash value comprising the hardware feature code of the authentication server, the equipment serial number and the random authorization code;
the random authorization code is also used for calculating a second hash value by combining the hardware feature code of the local computer and the equipment serial number through an industrial control terminal by adopting a cryptographic algorithm;
the identity authentication phase comprises:
the authentication server receives a first dynamic password sent by the industrial control terminal, wherein the first dynamic password is obtained by the industrial control terminal according to the acquired current local time and a second hash value;
the authentication server queries a database according to the hardware feature code of the local computer to obtain a first hash value, obtains a second dynamic password according to the first hash value, and verifies whether the first dynamic password and the second dynamic password are the same;
and the authentication server sends the verification result to the industrial control terminal.
7. The dynamic password-based industrial control equipment identity authentication method as claimed in claim 6, wherein the authentication server adopts a cryptographic algorithm SM3 to calculate a first hash value comprising the native hardware feature code, the equipment serial number and the random authorization code;
the random authorization code is also used for calculating a second hash value by combining the hardware feature code of the local computer and the equipment serial number through an industrial control terminal by adopting the cryptographic algorithm SM3;
the first hash value is used as a seed key of the authentication server, and the second hash value is used as a seed key of the industrial control terminal;
the first hash value and the second hash value are equal.
8. The method of claim 6, wherein the authentication server verifies whether the received current local time is within an error range, and determines that the current local time is used if the current local time is out of the error range;
and when the first dynamic password is the same as the second dynamic password, the verification is successful, the industrial control terminal is allowed to process subsequent operation according to the login result, and the identity authentication of the industrial control terminal is completed.
9. The industrial control equipment identity authentication device based on the dynamic password is characterized by comprising an industrial control terminal:
the industrial control terminal initiates a device registration request, calculates a hardware feature code and a device serial number of the industrial control terminal, and sends the hardware feature code and the device serial number of the industrial control terminal to an authentication server;
inputting a random authorization code to the industrial control terminal, wherein the random authorization code is generated after the authentication server checks and approves the hardware feature code and the equipment serial number of the local machine, and the random authorization code is also used for calculating a first hash value by combining the hardware feature code and the equipment serial number of the local machine and adopting a cryptographic algorithm through the authentication server;
the industrial control terminal adopts a cryptographic algorithm to calculate a second hash value comprising the hardware feature code of the industrial control terminal, the equipment serial number and the random authorization code;
the industrial control terminal acquires the current local time, and the industrial control terminal obtains a first dynamic password according to the current local time and the second hash value;
the industrial control terminal sends the hardware feature code of the local machine, the current local time and the first dynamic password to an authentication server;
the industrial control terminal receives the verification result sent by the authentication server, and the verification result obtaining process is as follows: and the authentication server queries a database according to the hardware feature code of the local computer to obtain a first hash value, obtains a second dynamic password according to the first hash value, and verifies whether the first dynamic password and the second dynamic password are the same.
10. The industrial control equipment identity authentication device based on the dynamic password is characterized by comprising an authentication server:
the authentication server receives an equipment registration request sent by the industrial control terminal, wherein the equipment registration request comprises a local hardware feature code and an equipment serial number calculated by the industrial control terminal;
the authentication server checks and approves the hardware feature code and the equipment serial number of the local computer, and a random authorization code is generated after the check and approval are passed;
the authentication server adopts a cryptographic algorithm to calculate a first hash value comprising the hardware feature code of the authentication server, the equipment serial number and the random authorization code;
the random authorization code is also used for calculating a second hash value by combining the hardware feature code of the local computer and the equipment serial number through an industrial control terminal by adopting a cryptographic algorithm;
the authentication server receives a first dynamic password sent by the industrial control terminal, and the first dynamic password is obtained by the industrial control terminal according to the acquired current local time and a second hash value;
the authentication server queries a database according to the hardware feature code of the local computer to obtain a first hash value, obtains a second dynamic password according to the first hash value, and verifies whether the first dynamic password and the second dynamic password are the same;
and the authentication server sends the verification result to the industrial control terminal.
CN202110674424.6A 2021-06-17 2021-06-17 Industrial control equipment identity authentication method and device based on dynamic password Pending CN113507368A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110674424.6A CN113507368A (en) 2021-06-17 2021-06-17 Industrial control equipment identity authentication method and device based on dynamic password

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110674424.6A CN113507368A (en) 2021-06-17 2021-06-17 Industrial control equipment identity authentication method and device based on dynamic password

Publications (1)

Publication Number Publication Date
CN113507368A true CN113507368A (en) 2021-10-15

Family

ID=78010109

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110674424.6A Pending CN113507368A (en) 2021-06-17 2021-06-17 Industrial control equipment identity authentication method and device based on dynamic password

Country Status (1)

Country Link
CN (1) CN113507368A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101076807A (en) * 2004-10-15 2007-11-21 弗里塞恩公司 Disposable cipher
CN104104672A (en) * 2014-06-30 2014-10-15 重庆智韬信息技术中心 Method for establishing dynamic authorization code based on identity authentication
CN104683357A (en) * 2015-03-26 2015-06-03 上海众人网络安全技术有限公司 Dynamic password authentication method and system based on software token
CN106341372A (en) * 2015-07-08 2017-01-18 阿里巴巴集团控股有限公司 Terminal authentication processing method and device, and terminal authentication method, device and system
CN107770126A (en) * 2016-08-16 2018-03-06 国民技术股份有限公司 Personal identification method, system and dynamic token, mobile terminal, gateway device
CN108400868A (en) * 2018-01-17 2018-08-14 深圳市文鼎创数据科技有限公司 Storage method, device and the mobile terminal of seed key
US20200074070A1 (en) * 2018-08-28 2020-03-05 Michael Boodaei Risk based time-based one-time password (totp) authenticator

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20211015