CN114978543B - Method and system for registering and authenticating certificates - Google Patents


Info

Publication number: CN114978543B
Application number: CN202210563864.9A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN114978543A
Inventor: 陆舟
Current assignee: Feitian Technologies Co Ltd
Original assignee: Feitian Technologies Co Ltd
Legal status: Active
Prior art keywords: credential, enterprise, instruction, value, fido

Events: application filed by Feitian Technologies Co Ltd; priority to CN202210563864.9A; publication of CN114978543A; application granted; publication of CN114978543B.


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides a method and a system for registering and authenticating credentials. The method comprises a credential registration process and a credential authentication process. In the credential registration process, the FIDO device determines that the registered enterprise credential parameter in the registration credential instruction sent by the upper-layer application is a first preset value and that the relying party identifier exists in a preset relying party identifier list; it then generates a credential ciphertext and a first signature value from the public key of the user key pair it has generated, and forms a registration credential instruction response from the enterprise authentication parameter, the credential ciphertext, the first signature value and the public key of the user key pair. When the upper-layer application determines that the value of the enterprise authentication parameter in the registration credential instruction response returned by the FIDO device is a preset value and the first signature value is verified successfully, it stores the credential ciphertext together with the public key of the user key pair. The invention strengthens the enterprise's security management of the key device and of the relying party in the identity authentication process.

Description

Method and system for registering and authenticating certificates
Technical Field
The invention relates to the field of information security, in particular to a method and a system for registering and authenticating certificates.
Background
In the prior art, the FIDO-based identity authentication flow cannot be customized by an enterprise: it cannot control which relying parties are allowed to perform identity authentication, cannot distinguish legitimate identity authenticators such as FIDO devices, and is inconvenient for distributing and managing enterprise-specific permissions.
Disclosure of Invention
The invention provides a method and a device for registering and authenticating credentials that solve the above technical problems.
The invention provides a method for registering and authenticating credentials, which comprises a credential registration process and a credential authentication process, wherein the credential registration process comprises:
step 1, the upper-layer application generates a registration credential instruction according to configuration information input by the user and sends the registration credential instruction to the FIDO device, wherein the configuration information comprises a relying party identifier;
step 2, the FIDO device determines whether a registered enterprise credential parameter exists in the registration credential instruction; if yes, step 3 is executed, and if not, the standard FIDO credential registration flow is executed;
step 3, the FIDO device determines the value of the registered enterprise credential parameter; if the value is a first preset value, step 4 is executed, and if the value is a second preset value, step 5 is executed;
step 4, the FIDO device determines whether the relying party identifier in the registration credential instruction is in a preset relying party identifier list; if yes, step 5 is executed, and if not, the standard FIDO credential registration flow is executed;
step 5, the FIDO device generates a user key pair and stores it, generates credential data according to the public key of the user key pair, encrypts the credential data with the enterprise encryption and decryption key to obtain a credential ciphertext, signs the credential ciphertext with the private key of a preset enterprise certificate to generate a first signature value, sets an enterprise authentication parameter to a preset value, forms a registration credential instruction response from the enterprise authentication parameter, the preset enterprise certificate, the credential ciphertext, the first signature value and the public key of the user key pair, and returns the registration credential instruction response to the upper-layer application;
step 6, when the upper-layer application determines that the value of the enterprise authentication parameter in the registration credential instruction response is the preset value and the first signature value is verified successfully with the public key in the preset enterprise certificate, it stores the credential ciphertext together with the public key of the user key pair;
the credential authentication process comprises:
step 1', the upper-layer application sends a credential verification instruction to the FIDO device;
step 2', the FIDO device parses the credential verification instruction to obtain a relying party identifier, a credential ciphertext and client data;
step 3', the FIDO device determines whether the relying party identifier exists in the preset relying party identifier list; if yes, step 4' is executed, and if not, the standard FIDO credential authentication flow is executed;
step 4', the FIDO device decrypts the credential ciphertext with the enterprise encryption and decryption key to obtain the credential data, generates a signature original text from the credential data, the relying party identifier and the client data, signs the signature original text with the private key of the user key pair to obtain a second signature value, generates a credential verification instruction response from the signature original text and the second signature value, and sends the credential verification instruction response to the upper-layer application;
step 5', the upper-layer application verifies the second signature value using the signature original text and the public key of the user key pair stored for the credential ciphertext, and reports successful authentication after the signature verification succeeds.
In one possible embodiment, the following steps precede step 1:
step M1, the upper-layer application sends an instruction to acquire device information to the FIDO device;
step M2, the FIDO device returns a response to the acquire-device-information instruction to the upper-layer application;
step M3, the upper-layer application determines from the response to the acquire-device-information instruction whether the FIDO device supports the registered enterprise credential function; if not, step 1 is executed; if yes, the upper-layer application determines whether the registered enterprise credential function of the FIDO device is activated; if activated, step 1 is executed, and if not, the upper-layer application sends an instruction to activate the registered enterprise credential function to the FIDO device, and step M4 is executed;
step M4, the FIDO device sets the state of the registered enterprise credential function to activated, returns a response to the activate-registered-enterprise-credential-function instruction to the upper-layer application, and step M1 is executed.
In one possible implementation, step 3 is specifically: the FIDO device determines the value of the registered enterprise credential parameter; if the value is the first preset value, step 4a is executed, and if the value is the second preset value, step 5 is executed;
step 4a, the FIDO device displays the value of the relying party identifier in the registration credential instruction to the user and determines whether the user's confirmation is received; if so, step 4 is executed, and if not, a failed registration credential instruction response is returned to the upper-layer application.
In one possible embodiment, step 5 is preceded by: the FIDO device determines the value of the key storage attribute identifier in the registration credential instruction; step 5 is then specifically as follows:
when the value of the key storage attribute identifier is the second preset value, the FIDO device generates a user key pair and stores it, generates credential data according to the public key and the private key of the user key pair, encrypts the credential data with the enterprise encryption and decryption key to generate a credential ciphertext, signs the credential ciphertext with the private key corresponding to the preset enterprise certificate to generate a first signature value, sets the enterprise authentication parameter to the preset value, forms a registration credential instruction response from the enterprise authentication parameter, the preset enterprise certificate, the credential ciphertext, the first signature value and the public key of the user key pair, and returns the registration credential instruction response to the upper-layer application;
when the value of the key storage attribute identifier is the first preset value, the FIDO device generates a user key pair and stores it, generates credential data according to the public key of the user key pair, encrypts the credential data with the enterprise encryption and decryption key to generate a credential ciphertext, signs the credential ciphertext with the private key corresponding to the preset enterprise certificate to generate a first signature value, stores the credential data, the relying party identifier and the private key of the user key pair bound to one another, sets the enterprise authentication parameter to the preset value, forms a registration credential instruction response from the enterprise authentication parameter, the preset enterprise certificate, the credential ciphertext, the first signature value and the public key of the user key pair, and returns the registration credential instruction response to the upper-layer application;
step 4' further comprises: the FIDO device determines the length of the credential ciphertext; step 4' is then specifically as follows:
when the length of the credential ciphertext is the first preset value, the FIDO device decrypts the credential ciphertext with the enterprise encryption and decryption key; on successful decryption it obtains the credential data and the private key of the user key pair, forms a signature original text from the credential data, the relying party identifier and the client data, signs the signature original text with the private key of the user key pair to obtain a second signature value, generates a credential verification instruction response from the signature original text and the second signature value, and sends the credential verification instruction response to the upper-layer application;
when the length of the credential ciphertext is the second preset value, the FIDO device decrypts the credential ciphertext with the enterprise encryption and decryption key to obtain the credential data, looks up the private key of the corresponding user key pair according to the credential data, forms a signature original text from the credential data, the relying party identifier and the client data, signs the signature original text with the user private key to obtain a second signature value, generates a credential verification instruction response from the signature original text and the second signature value, and sends the credential verification instruction response to the upper-layer application.
In one possible implementation, step 6 is specifically: when the upper-layer application determines that the value of the enterprise authentication parameter in the registration credential instruction response is the preset value, that the certificate chain of the preset enterprise certificate is valid, and that the first signature value is verified successfully with the public key in the preset enterprise certificate, it stores the credential ciphertext together with the public key of the user key pair.
In one possible embodiment, step M4 is specifically: the FIDO device verifies the PIN authentication parameter in the activate-registered-enterprise-credential-function instruction; if the verification succeeds, it sets the state of the registered enterprise credential function to activated, returns a success response to the activate-registered-enterprise-credential-function instruction to the upper-layer application, and step M1 is executed; if the verification fails, it returns a failure response to the activate-registered-enterprise-credential-function instruction to the upper-layer application.
The invention also provides a system for registering and authenticating credentials, which comprises an upper-layer application device and a FIDO device. The upper-layer application device comprises:
a generation module, for generating a registration credential instruction according to configuration information input by the user;
a sending module, for sending the registration credential instruction to the FIDO device, and also for sending a credential verification instruction to the FIDO device;
a judging and storing module, for determining that the value of the enterprise authentication parameter in the registration credential instruction response is the preset value, and for storing the credential ciphertext together with the public key of the user key pair when the first signature value is verified successfully with the public key in the preset enterprise certificate;
and a signature verification and prompting module, for verifying the second signature value according to the signature original text and the public key of the user key pair corresponding to the credential ciphertext, and for reporting successful authentication after the signature verification succeeds.
The FIDO device comprises:
a first judging module, for determining whether a registered enterprise credential parameter exists in the registration credential instruction;
an execution module, for executing the standard FIDO credential registration flow when the result of the first judging module is negative;
a second judging module, for determining the value of the registered enterprise credential parameter when the result of the first judging module is affirmative;
a third judging module, for determining, when the second judging module finds the value of the registered enterprise credential parameter to be the first preset value, whether the relying party identifier in the registration credential instruction is in the preset relying party identifier list, triggering the generation and storage module if so and the execution module if not; and for triggering the generation and storage module when the second judging module finds the value of the registered enterprise credential parameter to be the second preset value;
a generation and storage module, for generating a user key pair and storing it, generating credential data according to the public key of the user key pair, encrypting the credential data with the enterprise encryption and decryption key to obtain a credential ciphertext, signing the credential ciphertext with the private key of the preset enterprise certificate to generate a first signature value, storing the credential data bound to the relying party identifier, setting the enterprise authentication parameter to the preset value, and forming a registration credential instruction response from the enterprise authentication parameter, the preset enterprise certificate, the credential ciphertext, the first signature value and the public key of the user key pair;
a return module, for returning the registration credential instruction response formed by the generation and storage module;
a parsing module, for parsing the credential verification instruction to obtain a relying party identifier, a credential ciphertext and client data;
a fourth judging module, for determining whether the relying party identifier obtained by the parsing module exists in the preset relying party identifier list;
a decryption and generation module, for, when the result of the fourth judging module is affirmative, decrypting the credential ciphertext with the enterprise encryption and decryption key to obtain the credential data, generating a signature original text from the credential data, the relying party identifier and the client data, signing the signature original text with the private key of the user key pair to obtain a second signature value, and generating a credential verification instruction response from the signature original text and the second signature value;
and a sending module, for sending the credential verification instruction response to the upper-layer application device.
The present invention also provides a FIDO device comprising at least one processor, a memory, and instructions stored on the memory and executable by the at least one processor, the at least one processor executing the instructions to effect operation of the FIDO device in the method of credential registration and authentication described above.
The present invention also provides a computer-readable storage medium comprising a computer program which, when run on a computer, causes the computer to perform the operations of the upper layer application in the above-described method of credential registration and authentication.
The present invention also provides a computer readable storage medium comprising a computer program which, when run on a computer, causes the computer to perform the operations of the FIDO device in the above-described method of credential registration and authentication.
The invention has the following beneficial effects: it provides a method and a device for registering and authenticating credentials that strengthen the enterprise's security management of identity authenticators, such as FIDO devices, and of relying parties during identity authentication. The enterprise can implement its own identity authentication process through simple configuration information during registration. In addition, an identity authenticator with enterprise authentication enabled can still be used for personal account identity authentication, which broadens the use cases of the identity authenticator.
Drawings
Fig. 1 and Fig. 2 are flowcharts of a method for credential registration and authentication according to a first embodiment of the present invention;
Fig. 3 and Fig. 4 are flowcharts of a method for credential registration and authentication according to a second embodiment of the present invention;
Fig. 5 is a flowchart of a method for credential registration and authentication according to a third embodiment of the present invention.
Detailed Description
The embodiments of the present invention are described below clearly and completely with reference to the accompanying drawings; the embodiments described are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those skilled in the art from these embodiments without inventive effort fall within the scope of the invention.
Example 1
This embodiment provides a method for registering and authenticating credentials, which comprises a credential registration process and a credential authentication process. As shown in Fig. 1, the credential registration process comprises:
step 1, the upper-layer application generates a registration credential instruction according to configuration information input by the user and sends the registration credential instruction to the FIDO device;
in this embodiment, the configuration information comprises a relying party identifier.
step 2, the FIDO device determines whether a registered enterprise credential parameter exists in the registration credential instruction; if yes, step 3 is executed; if not, the standard FIDO credential registration flow is executed and the process ends;
step 3, the FIDO device determines the value of the registered enterprise credential parameter; if the value is a first preset value, step 4 is executed, and if the value is a second preset value, step 5 is executed;
step 4, the FIDO device determines whether the relying party identifier in the registration credential instruction exists in a preset relying party identifier list; if so, step 5 is executed, and if not, the standard FIDO credential registration flow is executed;
step 5, the FIDO device generates a user key pair and stores it, generates credential data according to the public key of the user key pair, encrypts the credential data with the enterprise encryption and decryption key to obtain a credential ciphertext, signs the credential ciphertext with the private key of a preset enterprise certificate to generate a first signature value, sets an enterprise authentication parameter to a preset value, forms a registration credential instruction response from the enterprise authentication parameter, the preset enterprise certificate, the credential ciphertext, the first signature value and the public key of the user key pair, and returns the registration credential instruction response to the upper-layer application;
step 6, when the upper-layer application determines that the value of the enterprise authentication parameter in the registration credential instruction response is the preset value and the first signature value is verified successfully with the public key in the preset enterprise certificate, it stores the credential ciphertext together with the public key of the user key pair.
As shown in Fig. 2, the credential authentication process comprises:
step 1', the upper-layer application sends a credential verification instruction to the FIDO device;
step 2', the FIDO device parses the credential verification instruction to obtain a relying party identifier, a credential ciphertext and client data;
step 3', the FIDO device determines whether the relying party identifier exists in the preset relying party identifier list; if yes, step 4' is executed, and if not, the standard FIDO registration credential flow is executed;
step 4', the FIDO device decrypts the credential ciphertext with the enterprise encryption and decryption key to obtain the credential data, generates a signature original text from the credential data, the relying party identifier and the client data, signs the signature original text with the private key of the user key pair to obtain a second signature value, generates a credential verification instruction response from the signature original text and the second signature value, and sends the credential verification instruction response to the upper-layer application;
step 5', the upper-layer application verifies the second signature value using the signature original text and the public key of the user key pair stored for the credential ciphertext, and reports successful authentication after the signature verification succeeds.
In one possible embodiment, step 1 further comprises, before:
m1, an upper layer application sends an instruction for acquiring device information to FIDO (field-effect data) equipment;
Step M2, the FIDO equipment returns a response for acquiring the equipment information instruction to the upper layer application;
step M3, the upper layer application judges whether the FIDO equipment supports the registered enterprise credential function according to the response of the equipment information acquisition instruction, if not, the step 1 is executed, if yes, the upper layer application judges whether the registered enterprise credential function of the FIDO equipment is activated, if activated, the step 1 is executed, and if not, the upper layer application sends an instruction for activating the registered enterprise credential function to the FIDO equipment, and the step M4 is executed;
and step M4, the FIDO device sets the registration enterprise credential function status to activated, returns a response for activating the registration enterprise credential function instruction to the upper layer application, and executes step M1.
In one possible implementation, step 3 is specifically: the FIDO equipment judges the value of the certificate parameter of the registered enterprise, if the value is a first preset value, the step 4a is executed, and if the value is a second preset value, the step 5 is executed;
and 4a, the FIDO equipment displays the value of the relying party identifier in the registration credential instruction to the user, judges whether confirmation information of the user is received, if so, executes the step 4, and if not, returns a failed registration credential instruction response to the upper-layer application.
In one possible embodiment, step 5 further comprises, before:
The FIDO equipment judges the value of the key storage attribute identifier in the register certificate instruction; the step 5 is specifically as follows:
when the value of the key storage attribute identifier is a second preset value, the FIDO equipment generates a user key pair and stores the user key pair, generates credential data according to a public key of the user key pair and a private key of the user key pair, encrypts the credential data by using an enterprise encryption and decryption key to generate credential ciphertext, performs signature operation on the credential ciphertext according to a private key corresponding to a preset enterprise certificate, generates a first signature value, sets an enterprise authentication parameter as a preset value, and forms a registration credential instruction response according to the enterprise authentication parameter, the preset enterprise certificate, the credential ciphertext, the first signature value and the public key of the user key pair, and returns the registration credential instruction response to an upper layer application;
when the value of the key storage attribute identifier is a first preset value, the FIDO equipment generates a user key pair and stores the user key pair, generates credential data according to the public key of the user key pair, encrypts the credential data by using an enterprise encryption and decryption key to generate credential ciphertext, performs signature operation on the credential ciphertext according to a private key corresponding to a preset enterprise certificate, generates a first signature value, stores the credential data, a relying party identifier and the private key of the user key pair after corresponding binding, sets an enterprise authentication parameter as the preset value, and forms a registration credential instruction response according to the enterprise authentication parameter, the preset enterprise certificate, the credential ciphertext, the first signature value and the public key of the user key pair, and returns the registration credential instruction response to an upper layer application;
Step 4' further includes: the FIDO equipment judges the length of the credential ciphertext; step 4' then specifically comprises the following steps:
when the length of the credential ciphertext is a first preset value, the FIDO equipment decrypts the credential ciphertext using the enterprise encryption and decryption key and, on successful decryption, obtains the credential data and the private key of the user key pair, forms a signature original text according to the credential data, the relying party identifier and the client data, signs the signature original text using the private key of the user key pair to obtain a second signature value, generates a response to the credential verification instruction according to the signature original text and the second signature value, and sends the response to the credential verification instruction to the upper layer application;
when the length of the credential ciphertext is a second preset value, the FIDO equipment decrypts the credential ciphertext using the enterprise encryption and decryption key to obtain the credential data, searches for the private key of the corresponding user key pair according to the credential data, forms a signature original text according to the credential data, the relying party identifier and the client data, signs the signature original text using the user private key to obtain a second signature value, generates a response to the credential verification instruction according to the signature original text and the second signature value, and sends the response to the credential verification instruction to the upper layer application.
In one possible implementation, step 6 is specifically: when the upper layer application judges that the value of the enterprise authentication parameter in the registration credential instruction response is the preset value, that the certificate chain of the preset enterprise certificate is valid, and that the public key in the preset enterprise certificate successfully verifies the first signature value, it stores the credential ciphertext and the public key of the user key pair in correspondence.
In one possible embodiment, step M4 is specifically: the FIDO equipment checks the PIN authentication parameter in the instruction for activating the registered enterprise credential function; when the verification succeeds, it sets the state of the registered enterprise credential function to activated and returns a successful response to the instruction for activating the registered enterprise credential function to the upper-layer application, after which step M1 is executed; when the verification fails, it returns a failed response to the instruction for activating the registered enterprise credential function to the upper layer application.
Example two
The embodiment provides a method for registering and authenticating a certificate, which comprises a certificate registering process and a certificate authenticating process,
as shown in fig. 3, the credential registration process includes the steps of:
a1, after receiving a legal user name input by a user, the upper layer application prompts the user to input configuration information and receives the configuration information input by the user;
In this embodiment, the upper layer application may be an application program or a website;
in this step, the configuration information includes a relying party identifier, a key storage attribute identifier, a registered enterprise credential parameter, and the like.
Here, the relying party identifier is denoted rp id, the key storage attribute identifier is denoted rk, and the registered enterprise credential parameter is denoted enterpriseAttestation.
A2, the upper layer application sends an instruction for acquiring the device information to the FIDO device;
a3, the FIDO equipment returns a response for acquiring the equipment information instruction to the upper-layer application;
a4, the upper layer application judges whether the FIDO equipment supports the function of registering enterprise certificates according to the response of the equipment information acquisition instruction, if so, the step A5 is executed, and if not, the step A8 is executed;
the method specifically comprises the following steps: the upper layer application analyzes the response of the equipment information acquisition instruction, judges whether the registered enterprise credential function identification exists in the response of the equipment information acquisition instruction, if so, executes the step A5, and if not, executes the step A8;
in this embodiment, step A4 may further include step a'4:
the upper layer application judges whether the FIDO device is a legal device, if so, the step A4 is executed, and if not, the user is prompted that the device operation is not supported.
Specifically, the method comprises the following steps: the upper layer application judges whether the value of the equipment unique identification parameter in the equipment response is a preset value, if so, the step A4 is executed, and if not, the user is prompted that the equipment operation is not supported.
A5, the upper layer application judges whether the FIDO equipment registration enterprise credential function is activated, if so, the step A8 is executed, and if not, the step A6 is executed;
the method specifically comprises the following steps: the upper layer application judges the value of the registered enterprise certificate function identification, if the value is a first preset value, the step A8 is executed, and if the value is a second preset value, the step A6 is executed;
in this embodiment, specifically, the first preset value is true, and the second preset value is false.
A6, the upper layer application sends an instruction for activating and registering enterprise certificate function to the FIDO equipment;
a7, the FIDO equipment sets the state of the registered enterprise credential function to be activated, sends a response for activating the registered enterprise credential function instruction to the upper-layer application, and executes the step A2;
in this step, the FIDO device sets the state of the registered enterprise credential function to be activated specifically as follows: the FIDO device sets a status identifier of the registered enterprise credential function to a first preset value.
A8, the upper layer application sends a register certificate instruction to the FIDO equipment;
For example, the upper layer application sends a registration credential instruction … to the FIDO device;
a9, the FIDO equipment judges whether the received registration certificate instruction has registration enterprise certificate parameters, if so, the step A11 is executed, and if not, the step A10 is executed;
in this embodiment, after receiving the registration credential instruction sent by the upper layer application, the FIDO device parses the registration credential instruction.
For example, after performing CBOR parsing on the registration credential instruction received in step A8, the FIDO device obtains:
{1:h'687134968222EC17202E42505F8ED2B16AE22F16BB05B88C25DB9E602645F141',2:{"id":"epatt.com","name":"test.ctap"},3:{"id":h'D4735E3A265E16EEE03F59718B9B5D03019C07D8B6C51F90DA3A666EEC13AB35',"name":"2","displayName":"Test Ctap"},4:[{"alg":-7,"type":"public-key"},{"alg":-257,"type":"public-key"},{"alg":-37,"type":"public-key"}],7:{"rk":true},8:h'B53F728F7D90E629A3AB0B5E7BFC07EE17DC196D1DE5B22D4F89359755C3DCAF',9:2,10:2};
wherein field 2 is the relying party identifier, field 7 is the key storage attribute identifier, and field 10 is the registered enterprise credential parameter enterpriseAttestation.
A10, the FIDO equipment executes a standard FIDO registration certificate flow and ends;
a11, the FIDO equipment judges the value of the certificate parameter of the registered enterprise, if the value of the certificate parameter of the registered enterprise is a first preset value, the step A12 is executed, and if the value of the certificate parameter of the registered enterprise is a second preset value, the step A17 is executed;
in this embodiment, the first preset value indicates that the provider assists in enterprise authentication, and the second preset value indicates that the platform manages enterprise authentication; the first preset value is for example 1 and the second preset value is for example 2;
a12, the FIDO device displays the value of the Relying Party Identification (RPID) of the registration credential instruction to the user;
a13, the FIDO equipment judges whether user confirmation information is received, if yes, the step A16 is executed, and if not, the step A14 is executed;
a14, the FIDO equipment generates and returns a failed registration credential instruction response, and the step A15 is executed;
a15, the upper layer application receives a failed registration credential instruction response and prompts the user that registration fails;
A16, the FIDO equipment judges whether the relying party identifier of the registration credential instruction exists in a preset relying party identifier list, if so, the step A17 is executed, and if not, the step A10 is executed;
A17, the FIDO equipment generates a user key pair and stores the user key pair, generates credential data according to the public key of the user key pair and the private key of the user key pair, encrypts the credential data using an encryption and decryption key to generate credential ciphertext, and performs a signature operation on the credential ciphertext with the private key corresponding to a preset enterprise certificate to generate a first signature value;
in this step, generating credential data according to the public key of the user key pair and the private key of the user key pair is specifically: and carrying out hash operation according to the public key of the key pair to obtain a credential identifier, and generating credential data according to the credential identifier and the private key of the user key pair.
In this embodiment, before this step, the FIDO device further determines a value of a key storage attribute identifier in the credential registration instruction, and executes step a'17 when the value of the key storage attribute identifier is a first preset value, and executes step a17 when the value of the key storage attribute identifier (rk) is a second preset value;
step A'17 is: the FIDO equipment generates a user key pair and stores the user key pair, generates credential data according to the public key of the user key pair, encrypts the credential data by using an encryption and decryption key to generate credential ciphertext, performs signature operation on the credential ciphertext according to a private key corresponding to a preset enterprise certificate, generates a first signature value, and stores the credential data, a relying party identifier and the private key of the user key pair after corresponding binding;
In this step, generating credential data from the public key of the user key pair is specifically: performing a hash operation on the public key of the user key pair to obtain a credential identifier, and generating the credential data according to the credential identifier.
In this embodiment, the encryption and decryption keys are generated by the FIDO device before it leaves the factory; there are two such keys, one general encryption and decryption key and one enterprise encryption and decryption key. The general encryption and decryption key is used in the standard FIDO registration credential flow of step A10, and the encryption and decryption key in step A17 and step A'17 is specifically the enterprise encryption and decryption key.
A18, the FIDO equipment sets the value of the enterprise authentication parameter as a first preset value, and generates a successful registration credential instruction response according to the enterprise authentication parameter, the preset enterprise certificate, the credential ciphertext, the first signature value and the public key of the user key pair;
in this embodiment, the enterprise authentication parameter may be Epatt.
A19, the FIDO equipment returns a registration credential instruction response to the upper layer application;
for example, the FIDO device returns a successful registration credential instruction response … to the upper layer application.
A20, the upper layer application receives the response of the certificate registration instruction, when judging that the value of the enterprise authentication parameter is a second preset value, judges the validity of the certificate chain of the preset enterprise certificate to obtain a judgment result, uses the public key in the preset enterprise certificate to carry out signature verification on the first signature value to obtain a signature verification result, and when the signature verification result is successful and the certificate chain of the preset enterprise certificate is valid, correspondingly stores the certificate ciphertext and the public key of the user key pair, and prompts the user that the certificate registration is successful.
In this step, the upper layer application parses the response to the registration credential instruction after receiving the response to the registration credential instruction.
For example, after receiving the response to the registration credential instruction illustrated in step A19, the upper layer application performs CBOR parsing on the response and obtains:
{1:"packed",2:h'70E0EAB85CFFBDD3041B521627B7B4901A4A0FABABFB5D356B19173003B2D58B4500000E03EE041BCE25E54CDB8F86897FD64184640020C40473F9A1285D2988510CEFD4B4D83EE0672306A5A796D3ECF075266F5748A0A5010203262001215820B79DC93AC149F0C41F7F9ECE9E4604AE03829309222947BC84D7F17D3DC9A83C2258206018F1D2BBE43CC9F36E84D5D23ECD84B8B81B9789A629631EFF991B82CB01C8',3:{"alg":-7,"sig":h'3045022100B50AE38281B1E8DAD3377334B96A24FD8F584C21733996F68D4660B5093DE39A022074B37F38C5D83D4D744047FA65381C35DC532FBA689A9738DDF2E919765B0718',"x5c":[h'…',h'…']},4:true};
wherein field 2 contains the credential ciphertext, field 3 is the first signature value and the certificate chain, and field 4 represents Epatt.
As shown in fig. 4, the credential authentication flow includes the steps of:
b1, after receiving a user name input by a user, the upper layer application prompts the user to input configuration information and receives the configuration information input by the user;
in this step, the configuration information includes the relying party identification, the credential cryptogram, and the like.
B2, the upper layer application sends an instruction for acquiring the device information to the FIDO device;
b3, the FIDO equipment returns a response for acquiring the equipment information instruction to the client;
b4, the upper layer application sends a credential verification instruction to the FIDO equipment;
in this embodiment, the credential verification instructions include a relying party identification, credential cryptogram, and client data.
B5, the FIDO equipment analyzes the credential verification instruction to obtain a relying party identifier, a credential ciphertext and client data, judges whether the relying party identifier is in a preset relying party identifier list, if so, executes a step B6, if not, executes a standard FIDO authentication credential flow, and ends;
step B6, the FIDO equipment judges the length of the credential cryptogram, when the length is a first preset value, the step B7 is executed, and when the length is a second preset value, the step B7' is executed;
in this step, the first predetermined value is specifically 96, and the second predetermined value is specifically 32.
B7, the FIDO equipment performs MAC (message authentication code) verification on the credential ciphertext; after the MAC verification succeeds, it decrypts the credential ciphertext using the encryption and decryption key and, on success, obtains the credential identifier and the private key of the user key pair, forms a signature original text according to the credential identifier, the relying party identifier and the client data, signs the signature original text using the private key of the user key pair to obtain a second signature value, and executes step B8;
B7', the FIDO equipment performs MAC (message authentication code) verification on the credential ciphertext; after the MAC verification succeeds, it decrypts the credential ciphertext using the encryption and decryption key to obtain the credential identifier, searches for the private key of the corresponding user key pair according to the credential identifier, forms a signature original text according to the credential identifier, the relying party identifier and the client data, signs the signature original text using the user private key to obtain a second signature value, and executes step B8;
in the steps B7 and B7', the encryption and decryption key is specifically an enterprise encryption and decryption key.
Steps B7 and B7' further include: if decryption of the credential ciphertext with the enterprise encryption and decryption key fails, the FIDO equipment executes the standard FIDO authentication credential flow and ends.
The encryption and decryption key used in the execution of the standard FIDO authentication credential is a generic encryption and decryption key.
B8, the FIDO equipment composes a response of the certificate verification instruction according to the signature original text and the second signature value, and sends the response of the certificate verification instruction to the upper layer application;
and B9, analyzing the response of the credential verification instruction by the upper layer application to obtain a signature original text and a second signature value, checking the second signature value by using a public key of a user key pair corresponding to the credential ciphertext, and prompting the user that the signature verification is successful after the signature verification is successful.
Example III
The embodiment provides a method for registering and authenticating certificates, as shown in fig. 5, comprising the following steps:
s1, the FIDO equipment receives an instruction, when the received instruction is an equipment information acquisition instruction, the step S2 is executed, when the received instruction is an enterprise certificate function activating and registering instruction, the step S3 is executed, and when the received instruction is a certificate registering instruction, the step S6 is executed; when the received instruction is a credential verification instruction, executing step S15;
s2, the FIDO equipment returns a response for acquiring the equipment information instruction;
in this embodiment, when the FIDO device supports the registration enterprise authentication function, the response returned to the device information acquisition instruction includes the registration enterprise credential function identifier, and when the FIDO device does not support the registration enterprise authentication function, the response returned to the device information acquisition instruction does not include the registration enterprise credential function identifier.
S3, the FIDO equipment judges the state of the registered enterprise credential function, if the state of the registered enterprise credential function is activated, the step S5 is executed, and if the state of the registered enterprise credential function is not activated, the step S4 is executed;
specifically, in this step, the FIDO device determines the value of the registered enterprise credential function identifier, if the value of the registered enterprise credential function identifier is a second preset value, it indicates that the state of the registered enterprise credential function is inactive, and executes step S4, if the value of the registered enterprise credential function identifier is a first preset value, it indicates that the state of the registered enterprise credential function is active, and executes step S5;
S4, the FIDO equipment sets the state of the registered enterprise certificate function identification to be activated, and S5 is executed;
s5, the FIDO equipment returns a response of an instruction for activating the registration enterprise credential function, wherein the instruction for activating the registration enterprise credential function is activated, and the step S1 is executed;
specifically, in this step, the FIDO device responds to the activate registry key function command based on the success status code, and returns a response to the activate registry key function command.
Specifically, in step S1, the instruction for activating the registered enterprise credential function is: the sub-instruction enable Enterprise Atteststation of the authenticatorConfig instruction.
The step may also be specifically: the FIDO device checks the value of the PIN authentication parameter in the instruction for activating the certificate function of the registered enterprise, when the verification is successful, the state of the certificate function of the registered enterprise is set to be activated, the step S5 is executed, when the verification fails, an error response is returned, and the step S1 is executed.
Specifically, in this step, the value of the PIN authentication parameter in the activate registration enterprise credential function instruction may be a PIN code, and then the FIDO device decrypts the PIN code using a key negotiated in advance, compares the decrypted data with the pre-stored PIN code data, if the decrypted data is the same as the pre-stored PIN code data, the verification is successful, and if the decrypted data is different from the pre-stored PIN code data, the verification is failed.
In this embodiment, the value of the PIN authentication parameter may also be geometric pattern data and biometric data, and the corresponding pre-stored PIN code data may also be corresponding geometric pattern data and biometric data.
In this embodiment, the pre-negotiated key may be implemented by, but is not limited to, the ECDH algorithm.
S6, the FIDO equipment judges whether the registered enterprise credential parameters exist in the registered credential instruction, if so, the step S8 is executed, and if not, the step S7 is executed;
specifically, in this embodiment, before step S6, the method further includes: the FIDO device checks the value of the PIN authentication parameter in the register credential instruction, when the check is successful, the step S6 is executed, when the check is failed, an error response is returned, and the step S1 is executed.
Specifically, in this step, the value of the PIN authentication parameter in the register credential instruction may be PIN code ciphertext data, and then the FIDO device decrypts the PIN code ciphertext data using a key negotiated in advance, compares the decrypted data with pre-stored PIN code data, if the decrypted data is the same as the pre-stored PIN code data, the verification is successful, and if the decrypted data is different from the pre-stored PIN code data, the verification is failed.
In this embodiment, the value of the PIN authentication parameter may also be geometric pattern data and biometric data, and the corresponding pre-stored PIN code data may also be corresponding geometric pattern data and biometric data.
In this embodiment, the pre-negotiated key may be implemented by, but is not limited to, the ECDH algorithm.
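The PIN check described for steps S4 and S6 (decrypt the PIN authentication parameter with a key negotiated over ECDH, compare it with the stored reference) as an added Go example; this is illustrative code written for this page, not the patent's or Feitian's implementation. The assumptions are: the negotiated key is SHA-256 of the ECDH shared secret, the PIN travels as AES-256-GCM nonce || ciphertext || tag so a tampered parameter fails before any comparison, the device stores SHA-256(PIN) rather than the PIN, and wrong attempts count toward a lockout of `maxPINRetries`, which the page does not describe.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

const maxPINRetries = 8 // assumption: the page describes no retry limit

var ErrPINLocked = errors.New("pin: retry limit reached")

// PINVerifier is the authenticator side of the PIN check in steps S4/S6: an ECDH key
// pair for negotiating the session key, the stored PIN reference and a retry counter.
// The reference is SHA-256(PIN) rather than the PIN itself (assumption).
type PINVerifier struct {
	priv      *ecdh.PrivateKey
	pinDigest [32]byte
	retries   int
}

func NewPINVerifier(pin string) (*PINVerifier, error) {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &PINVerifier{priv: priv, pinDigest: sha256.Sum256([]byte(pin)), retries: maxPINRetries}, nil
}

// PublicKey is handed to the platform so it can complete the ECDH exchange.
func (v *PINVerifier) PublicKey() *ecdh.PublicKey { return v.priv.PublicKey() }

// NewPlatformKey generates the platform's ephemeral ECDH key for one session.
func NewPlatformKey() (*ecdh.PrivateKey, error) { return ecdh.P256().GenerateKey(rand.Reader) }

// sessionAEAD derives the negotiated key as SHA-256 of the ECDH shared secret and wraps
// it in AES-256-GCM, so the PIN ciphertext carries its own integrity tag.
func sessionAEAD(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	secret, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPIN is the platform side: it produces the PIN authentication parameter
// (nonce || ciphertext || tag) that travels inside the CTAP instruction.
func EncryptPIN(platformPriv *ecdh.PrivateKey, devicePub *ecdh.PublicKey, pin string) ([]byte, error) {
	aead, err := sessionAEAD(platformPriv, devicePub)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(pin), nil), nil
}

// Verify is the authenticator side: decrypt with the negotiated key, compare with the
// stored reference in constant time, and count failures toward the lockout.
func (v *PINVerifier) Verify(platformPub *ecdh.PublicKey, pinCT []byte) (bool, error) {
	if v.retries <= 0 {
		return false, ErrPINLocked
	}
	aead, err := sessionAEAD(v.priv, platformPub)
	if err != nil {
		return false, err
	}
	ns := aead.NonceSize()
	if len(pinCT) < ns {
		return false, errors.New("pin: parameter too short")
	}
	pin, err := aead.Open(nil, pinCT[:ns], pinCT[ns:], nil)
	if err != nil { // wrong session key or tampered parameter: counts as a failed attempt
		v.retries--
		return false, nil
	}
	got := sha256.Sum256(pin)
	if subtle.ConstantTimeCompare(got[:], v.pinDigest[:]) != 1 {
		v.retries--
		return false, nil
	}
	v.retries = maxPINRetries
	return true, nil
}
```

The two points a reviewer would look for in a device-side PIN check are both here: the comparison is constant-time, and a decryption failure is treated the same as a wrong PIN, so a malformed parameter cannot be used to probe the counter.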
S7, the FIDO equipment executes a standard FIDO registration credential flow and returns to the step S1;
Specifically: the FIDO equipment searches for the universal certificate, performs a signature operation with the private key corresponding to the universal certificate to generate a signature value, forms credential data, binds the credential data with the relying party identifier, generates a registration credential instruction response according to the signature value, returns the registration credential instruction response, and executes step S1.
S8, the FIDO equipment judges the value of the registered enterprise credential parameter of the registered credential instruction, if the value of the registered enterprise credential parameter is a first preset value, the step S9 is executed, and if the value of the registered enterprise credential parameter is a second preset value, the step S13 is executed;
in this embodiment, when the received instruction is a registration credential instruction, before step S6, the method further includes: the FIDO device analyzes the registration credential instructions to obtain registration enterprise credential parameters, a relying party identifier and a key storage attribute identifier.
In this embodiment, for example, the first preset value is 1, and the second preset value is 2.
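The parse step named before step S8 (and illustrated for Example II at step A9, where the instruction is shown after CBOR decoding) as an added Go example: a small bounds-checked CBOR decoder that extracts the relying party identifier (field 2), the key storage attribute identifier (field 7, rk) and the registered enterprise credential parameter (field 10, enterpriseAttestation). This is example code written for this page, not the patent's or Feitian's implementation; `sampleRequest` is a constructed request shaped like the page's example, and the decoder deliberately supports only the CBOR types a makeCredential request uses.

```go
package main

import "errors"

// decodeCBOR decodes one CBOR data item from buf at pos and returns it with the position
// after it: integers, byte and text strings, arrays, maps and true/false. Every length is
// bounds-checked before use, so malformed input yields an error rather than a panic.
func decodeCBOR(buf []byte, pos int) (any, int, error) {
	if pos >= len(buf) {
		return nil, pos, errors.New("cbor: truncated input")
	}
	major, n := buf[pos]>>5, int(buf[pos]&0x1f) // n: the integer itself or a length
	pos++
	switch {
	case major == 7 && (n == 20 || n == 21): // false / true
		return n == 21, pos, nil
	case major >= 6:
		return nil, pos, errors.New("cbor: tags and other simple values are not supported")
	case n < 24:
	case n == 24 && pos < len(buf):
		n, pos = int(buf[pos]), pos+1
	case n == 25 && pos+1 < len(buf):
		n, pos = int(buf[pos])<<8|int(buf[pos+1]), pos+2
	default:
		return nil, pos, errors.New("cbor: unsupported or truncated argument")
	}
	switch major {
	case 0:
		return int64(n), pos, nil
	case 1:
		return int64(-1 - n), pos, nil
	case 2, 3:
		if pos+n > len(buf) {
			return nil, pos, errors.New("cbor: truncated string")
		} else if major == 2 {
			return buf[pos : pos+n : pos+n], pos + n, nil
		}
		return string(buf[pos : pos+n]), pos + n, nil
	}
	arr, m := make([]any, 0, n), make(map[any]any, n) // major 4 (array) or 5 (map)
	for i := 0; i < n; i++ {
		k, next, err := decodeCBOR(buf, pos)
		if err != nil {
			return nil, next, err
		}
		if major == 4 {
			arr, pos = append(arr, k), next
			continue
		}
		switch k.(type) { // CTAP uses only integer and text keys; other types cannot index a Go map
		case int64, string:
		default:
			return nil, next, errors.New("cbor: unsupported map key type")
		}
		v, after, err := decodeCBOR(buf, next)
		if err != nil {
			return nil, after, err
		}
		m[k], pos = v, after
	}
	if major == 4 {
		return arr, pos, nil
	}
	return m, pos, nil
}

// RegistrationParams are the three values the note before step S8 says the device parses out.
type RegistrationParams struct {
	RPID  string // field 2: rp.id, the relying party identifier
	RK    bool   // field 7: options.rk, the key storage attribute identifier
	EP    int64  // field 10: enterpriseAttestation (meaningful only when HasEP)
	HasEP bool
}

// parseRegistration decodes a registration credential instruction and extracts the routing
// fields; rp.id is mandatory, rk defaults to false and field 10 is optional.
func parseRegistration(raw []byte) (p RegistrationParams, err error) {
	v, _, err := decodeCBOR(raw, 0)
	if err != nil {
		return p, err
	}
	req, _ := v.(map[any]any) // a non-map top level leaves req nil and fails below
	rp, _ := req[int64(2)].(map[any]any)
	rpID, ok := rp["id"].(string)
	if !ok {
		return p, errors.New("request: missing rp.id (field 2)")
	}
	opts, _ := req[int64(7)].(map[any]any)
	rk, _ := opts["rk"].(bool)
	ep, hasEP := req[int64(10)].(int64)
	return RegistrationParams{RPID: rpID, RK: rk, EP: ep, HasEP: hasEP}, nil
}

// sampleRequest is a constructed request shaped like the page's CBOR example, minus field 1
// (the 32-byte clientDataHash), which the parse does not need:
// {2:{"id":"epatt.com"}, 4:[{"alg":-7,"type":"public-key"}], 7:{"rk":true}, 10:2}
var sampleRequest = []byte{
	0xa4, 0x02, 0xa1, 0x62, 'i', 'd', 0x69, 'e', 'p', 'a', 't', 't', '.', 'c', 'o', 'm', // map(4); 2: {"id":"epatt.com"}
	0x04, 0x81, 0xa2, 0x63, 'a', 'l', 'g', 0x26, // 4: [{"alg": -7 (ES256),
	0x64, 't', 'y', 'p', 'e', 0x6a, 'p', 'u', 'b', 'l', 'i', 'c', '-', 'k', 'e', 'y', // "type": "public-key"}]
	0x07, 0xa1, 0x62, 'r', 'k', 0xf5, // 7: {"rk": true}
	0x0a, 0x02, // 10: enterpriseAttestation = 2 (platform-managed)
}
```

Because the device parses attacker-controlled bytes before any authentication has happened, the decoder's behaviour on bad input matters as much as its behaviour on good input: truncated strings, unsupported argument widths and non-hashable map keys all return an error instead of indexing past the buffer or panicking.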
S9, the FIDO equipment displays the value of the relying party identifier of the registration credential instruction to the user;
The method specifically comprises the following steps: the FIDO equipment displays the value of the relying party identifier of the registration credential instruction to the user and waits for the confirmation information of the user;
s10, the FIDO equipment judges whether user confirmation information is received, if yes, step S12 is executed, and if no, step S11 is executed;
s11, the FIDO equipment generates and returns a failed registration credential instruction response, and the step S1 is executed;
s12, the FIDO equipment judges whether the relying party identifier of the registration credential instruction exists in a preset relying party identifier list, if so, the step S13 is executed, and if not, the step S7 is executed;
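The decision chain of steps S6 to S12 (plus the rk check the page places before step S13) as an added Go example, written for this page rather than taken from the patent or from Feitian: given the parsed parameters, it returns which branch the device takes. The `confirm` callback stands in for steps S9 and S10 (display the relying party identifier, wait for the user), the preset relying-party list is a constructed map, and two details are assumptions not stated on the page: a request carrying the enterprise parameter is rejected while the registered enterprise credential function is not yet activated (steps S3 to S5), and values other than 1 and 2 are rejected.

```go
package main

import "errors"

// Outcomes of steps S6-S12 plus the rk check the page places before step S13.
const (
	RouteStandard = "standard"            // S7: standard FIDO registration credential flow
	RouteFail     = "fail"                // S11: user did not confirm the relying party identifier
	RouteWrapped  = "enterprise-wrapped"  // S13: private key is wrapped into the credential ciphertext
	RouteResident = "enterprise-resident" // S'13: private key stays on the device, bound to the RP
)

// Request carries the three parsed fields; EP is the enterpriseAttestation value
// (field 10) and HasEP says whether the field was present at all.
type Request struct {
	RPID  string
	RK    bool
	EP    int64
	HasEP bool
}

// Device holds the state the routing consults: the preset relying-party list and
// whether the registered enterprise credential function has been activated (S3-S5).
type Device struct {
	presetRPs map[string]bool
	epEnabled bool
}

// Enable is step S4: the function is switched on (after the PIN check, where one is configured).
func (d *Device) Enable() { d.epEnabled = true }

// Route runs the decision chain. confirm stands in for steps S9/S10: it shows the RP
// identifier to the user and reports whether the user confirmed it.
func (d *Device) Route(req Request, confirm func(rpID string) bool) (string, error) {
	if !req.HasEP {
		return RouteStandard, nil // S6: no enterprise parameter -> S7
	}
	if !d.epEnabled { // assumption: the page has the application activate first, but the device should check too
		return "", errors.New("registered enterprise credential function not activated")
	}
	switch req.EP {
	case 1: // vendor-facilitated: show the RP ID (S9), require confirmation (S10), then check the list (S12)
		if !confirm(req.RPID) {
			return RouteFail, nil
		}
		if !d.presetRPs[req.RPID] {
			return RouteStandard, nil // not on the preset list: fall back to the standard flow (S7)
		}
	case 2: // platform-managed: straight to S13 without display or list check
	default: // assumption: the page defines only the values 1 and 2
		return "", errors.New("unsupported enterpriseAttestation value")
	}
	if req.RK {
		return RouteResident, nil
	}
	return RouteWrapped, nil
}
```

The asymmetry worth noticing is that value 2 skips both the user prompt and the preset list, so in this model the activation state and the platform's PIN check are the only controls in front of an enterprise-attested registration on that path.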
S13, the FIDO equipment generates a user key pair and stores the user key pair, generates credential data according to the public key of the user key pair and the private key of the user key pair, encrypts the credential data using an encryption and decryption key to generate credential ciphertext, and performs a signature operation on the credential ciphertext with the private key corresponding to a preset enterprise certificate to generate a first signature value;
in this step, generating credential data according to the public key of the user key pair and the private key of the user key pair is specifically: and carrying out hash operation according to the public key of the key pair to obtain a credential identifier, and generating credential data according to the credential identifier and the private key of the user key pair.
In this embodiment, the FIDO device is pre-provisioned with an enterprise certificate corresponding to the value of the registered enterprise credential parameter.
Specifically, in this step, the FIDO device searches for a preset enterprise certificate corresponding to the value of the registered enterprise credential parameter according to the value of the registered enterprise credential parameter, for example, when the value of the registered enterprise credential parameter is a first preset value, searches for the preset enterprise certificate corresponding to the first preset value, and when the value of the enterprise credential parameter is a second preset value, searches for the preset enterprise certificate corresponding to the second preset value.
In this embodiment, only one enterprise certificate is preset by the FIDO device, and no matter the value of the enterprise certificate parameter is the first preset value or the second preset value, the corresponding enterprise certificate is the same enterprise certificate.
In this embodiment, before this step, the FIDO device further determines a value of a key storage attribute identifier in the credential registration instruction, and executes step S'13 when the value of the key storage attribute identifier is a first preset value, and executes step S13 when the value of the key storage attribute identifier is a second preset value;
step S'13 is: the FIDO equipment generates a user key pair and stores the user key pair, generates credential data according to the public key of the user key pair, encrypts the credential data by using an encryption and decryption key to generate credential ciphertext, performs signature operation on the credential ciphertext according to a private key corresponding to a preset enterprise certificate, generates a first signature value, and stores the credential data, a relying party identifier and the private key of the user key pair after corresponding binding;
In this step, generating credential data from the public key of the user key pair is specifically: performing a hash operation on the public key of the user key pair to obtain a credential identifier, and generating the credential data according to the credential identifier.
In this embodiment, the encryption and decryption keys are generated by the FIDO device before it leaves the factory; there are two such keys, one general encryption and decryption key and one enterprise encryption and decryption key. The general encryption and decryption key is used in the standard FIDO registration credential flow of step S7, and the encryption and decryption key in step S13 and step S'13 is specifically the enterprise encryption and decryption key.
S14, the FIDO device sets the value of the enterprise authentication parameter as a first preset value, generates a successful registration credential instruction response according to the enterprise authentication parameter, the preset enterprise certificate, the credential cryptograph and the first signature value, returns the successful registration credential instruction response, and executes the step S1.
Specifically, in this step, the FIDO device sets the value of the enterprise authentication parameter to a first preset value True, generates a successful registration credential instruction response according to the enterprise authentication parameter, the preset enterprise certificate, the credential cryptogram and the signature value, returns the successful registration credential instruction response, and executes step S1.
S15, the FIDO equipment analyzes the credential verification instruction to obtain a relying party identifier and a credential ciphertext, judges whether the relying party identifier is in a preset relying party identifier list, if so, executes the step S16, if not, executes a standard FIDO authentication credential flow, and returns to the step S1;
s16, the FIDO equipment judges the length of the credential cryptogram, when the length is a first preset value, the step S17 is executed, and when the length is a second preset value, the step S17' is executed;
in this step, the first predetermined value is specifically 96, and the second predetermined value is specifically 32.
S17, the FIDO equipment performs MAC (message authentication code) verification on the credential ciphertext; after the MAC verification succeeds, it decrypts the credential ciphertext using the encryption and decryption key and, on success, obtains the credential identifier and the private key of the user key pair, forms a signature original text according to the credential identifier, the relying party identifier and the client data, signs the signature original text using the private key of the user key pair to obtain a second signature value, and executes step S18;
S17', the FIDO equipment performs MAC (message authentication code) verification on the credential ciphertext; after the MAC verification succeeds, it decrypts the credential ciphertext using the encryption and decryption key to obtain the credential identifier, searches for the private key of the corresponding user key pair according to the credential identifier, forms a signature original text according to the credential identifier, the relying party identifier and the client data, signs the signature original text using the user private key to obtain a second signature value, and executes step S18;
In steps S17 and S17', the encryption and decryption key is specifically an enterprise encryption and decryption key.
Steps S17 and S17' further include: if decryption of the credential ciphertext with the enterprise encryption and decryption key fails, the FIDO equipment executes the standard FIDO authentication credential flow and ends.
S18, the FIDO equipment composes a response of the certificate verification instruction according to the signature original text and the second signature value, and sends the response of the certificate verification instruction to the upper layer application, and returns to the step S1.
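The credential ciphertext itself, as an added Go example covering step S13/S'13 (wrap the credential data under the enterprise key) and steps S16 to S18 (dispatch on ciphertext length, MAC check and decrypt, recover or look up the private key, sign, and fall back to the standard flow on failure); Example II's steps A17 and B6 to B9 describe the same operations. This is example code written for this page, not the patent's or Feitian's implementation. Assumptions: AES-256-GCM is used as the "encryption plus MAC" of the page, the credential identifier is SHA-256 of the public key, the credential data is the identifier followed by the P-256 private scalar when the key travels inside the ciphertext and the identifier alone when it stays on the device, and the relying party identifier is bound in as GCM additional data, which is how this example realises the page's binding of credential data to the relying party. The page's length constants are 96 and 32; the two constants below follow from this constructed layout instead. The first signature value over the ciphertext (the enterprise attestation signature) is left out to stay within one example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"math/big"
)

// ErrStandardFlow: the ciphertext does not open under the enterprise key, so the caller runs the standard FIDO flow (S17/S17' note).
var ErrStandardFlow = errors.New("not an enterprise credential: run the standard flow")

// Constructed layout: nonce(12) || AES-256-GCM(credential data) || tag(16); credential data is
// credID(32)||private scalar(32) when wrapped and credID(32) when resident. The page's length
// constants are 96 and 32; these two follow from this layout instead.
const (
	wrappedLen  = 12 + 64 + 16
	residentLen = 12 + 32 + 16
)

// Device is the enterprise-credential part of the authenticator.
type Device struct {
	aead     cipher.AEAD                   // AES-256-GCM under the enterprise key (page: generated before leaving the factory)
	resident map[string]*ecdsa.PrivateKey // S'13 binding: credential identifier -> private key
}

func NewDevice() (*Device, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Device{aead: aead, resident: map[string]*ecdsa.PrivateKey{}}, nil
}

// Register is step S13 (rk=false) or S'13 (rk=true). The RP identifier goes in as GCM
// additional data, which is how this example binds the credential to its relying party.
func (d *Device) Register(rpID string, rk bool) (credCT []byte, pub *ecdsa.PublicKey, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	credID := sha256.Sum256(elliptic.Marshal(elliptic.P256(), priv.X, priv.Y)) // hash of the public key
	data := credID[:]
	if rk {
		d.resident[string(credID[:])] = priv
	} else {
		data = append(data, priv.D.FillBytes(make([]byte, 32))...)
	}
	nonce := make([]byte, d.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return d.aead.Seal(nonce, nonce, data, []byte(rpID)), &priv.PublicKey, nil
}

// Authenticate is steps S16-S18: dispatch on the ciphertext length, check the tag and
// decrypt, recover (S17) or look up (S17') the private key, sign credID||rpID||clientData.
func (d *Device) Authenticate(rpID string, credCT, clientData []byte) (sigBase, sig []byte, err error) {
	if len(credCT) != wrappedLen && len(credCT) != residentLen {
		return nil, nil, ErrStandardFlow
	}
	ns := d.aead.NonceSize()
	data, err := d.aead.Open(nil, credCT[:ns], credCT[ns:], []byte(rpID))
	if err != nil { // wrong key, wrong RP or tampered ciphertext
		return nil, nil, ErrStandardFlow
	}
	credID := data[:32]
	priv, ok := d.resident[string(credID)] // S17': private key bound on the device
	if len(credCT) == wrappedLen {       // S17: private key travelled inside the ciphertext
		priv = &ecdsa.PrivateKey{D: new(big.Int).SetBytes(data[32:])}
		priv.Curve = elliptic.P256()
		priv.X, priv.Y = priv.Curve.ScalarBaseMult(data[32:])
	} else if !ok {
		return nil, nil, ErrStandardFlow
	}
	sigBase = append(append(append([]byte{}, credID...), rpID...), clientData...)
	digest := sha256.Sum256(sigBase)
	sig, err = ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return sigBase, sig, err
}

// VerifyAuth is the application's check (step B9): the second signature value must verify under the public key stored at registration.
func VerifyAuth(pub *ecdsa.PublicKey, sigBase, sig []byte) bool {
	digest := sha256.Sum256(sigBase)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

The wrapped form is what makes the scheme non-resident: the device keeps no state per credential, so everything it needs to sign again is inside the ciphertext, and the only things protecting that private key are the enterprise key and the GCM tag. That is why a decryption or tag failure must route to the standard flow rather than to an error that distinguishes "not ours" from "tampered".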
Example IV
This embodiment also provides a system for credential registration and authentication, which comprises an upper layer application device and a FIDO device. The upper layer application device includes:
the generation module is used for generating a registration credential instruction according to configuration information input by a user;
the sending module is used for sending the registration credential instruction to the FIDO device, and is further used for sending a credential verification instruction to the FIDO device;
the judging and storing module is used for judging that the value of the enterprise authentication parameter in the registration credential instruction response is a preset value and correspondingly storing the credential ciphertext and the public key of the user key pair when the first signature value is successfully checked by using the public key in the preset enterprise certificate;
and the signature verification prompting module is used for verifying the second signature value according to the public key of the user key pair corresponding to the signature original text and the credential ciphertext, and prompting successful authentication after successful signature verification.
The FIDO device includes:
the first judging module is used for judging whether the registered enterprise credential parameters exist in the registered credential instruction;
the execution module is used for executing the standard FIDO registration credential flow when the judgment result of the first judging module is negative;
the second judging module is used for judging the value of the registered enterprise credential parameter when the judgment result of the first judging module is yes;
the third judging module is used for judging whether the relying party identifier in the registration credential instruction is in a preset relying party identifier list when the second judging module judges that the value of the registered enterprise credential parameter is a first preset value, triggering the generation storage module if so and the execution module if not; and for triggering the generation storage module when the second judging module judges that the value of the registered enterprise credential parameter is a second preset value;
the generation storage module is used for generating a user key pair and storing the user key pair, generating credential data according to a public key of the user key pair, encrypting the credential data by using an enterprise encryption and decryption key to obtain a credential ciphertext, signing the credential ciphertext by using a private key of a preset enterprise certificate to generate a first signature value, binding and storing the credential data and a relying party identifier, setting an enterprise authentication parameter as a preset value, and forming a registration credential instruction response according to the enterprise authentication parameter, the preset enterprise certificate, the credential ciphertext, the first signature value and the public key of the user key pair;
the return module is used for returning the registration credential instruction response formed by the generation storage module;
the analysis module is used for analyzing the credential verification instruction to obtain a relying party identifier, a credential ciphertext and client data;
the fourth judging module is used for judging whether the relying party identifier obtained by the analyzing module exists in a preset relying party identifier list or not;
the decryption generation module is used for decrypting the credential ciphertext by using the enterprise encryption and decryption key to obtain credential data when the judgment result of the fourth judgment module is yes, generating a signature original text according to the credential data, the relying party identifier and the client data, signing the signature original text by using a private key of the user key pair to obtain a second signature value, and generating a response of the credential verification instruction according to the signature original text and the second signature value;
and the sending module is used for sending the response to the credential verification instruction to the upper layer application device.
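The registration and authentication flows described above (steps S16 to S18 of the method and the modules of Example IV), as an added worked example in Go; this is not code from the patent or from Feitian's product. It assumes ECDSA P-256 for both the enterprise attestation key and the user key pair, AES-256-GCM as the enterprise encryption and decryption key (its tag check stands in for the MAC verification of steps S17 and S17'), a bare public key in place of the preset enterprise certificate (no certificate chain validation), a 32-byte credential identifier, and a constructed relying party identifier and client data. Because of that encoding, the ciphertext lengths used to branch between S17 and S17' are 92 and 60 bytes rather than the patent's 96 and 32. Registration here takes the route without the relying party check; authentication always checks the preset list.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"math/big"
)

// Constructed sizes for this toy encoding (not the patent's 96/32): 32-byte credential id, 32-byte
// P-256 scalar, 12-byte GCM nonce, 16-byte GCM tag; the GCM tag check stands in for the MAC check.
const (
	credIDLen   = 32
	lenResident = 12 + credIDLen + 16      // ciphertext holds only the credential id (S17')
	lenPortable = 12 + credIDLen + 32 + 16 // ciphertext holds the id and the user private key (S17)
)

// Device is the FIDO authenticator side of the enterprise credential flow.
type Device struct {
	wrap     cipher.AEAD                  // AES-256-GCM under the enterprise encryption and decryption key
	entPriv  *ecdsa.PrivateKey            // private key of the preset enterprise certificate
	rpAllow  map[string]bool              // preset relying party identifier list
	resident map[string]*ecdsa.PrivateKey // credential id -> user private key kept on the device
}

func NewDevice(rp string) *Device {
	key := make([]byte, 32)
	rand.Read(key)
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	ent, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Device{g, ent, map[string]bool{rp: true}, map[string]*ecdsa.PrivateKey{}}
}

func hash(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

// Register is step 5: user key pair, wrapped credential data, enterprise attestation (first signature).
func (d *Device) Register(storeOnDevice bool) (ct, firstSig []byte, userPub *ecdsa.PublicKey) {
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	credData := make([]byte, credIDLen) // credential identifier
	rand.Read(credData)
	if storeOnDevice {
		d.resident[string(credData)] = userKey
	} else {
		credData = append(credData, userKey.D.FillBytes(make([]byte, 32))...)
	}
	nonce := make([]byte, d.wrap.NonceSize())
	rand.Read(nonce)
	ct = d.wrap.Seal(nonce, nonce, credData, nil)
	firstSig, _ = ecdsa.SignASN1(rand.Reader, d.entPriv, hash(ct))
	return ct, firstSig, &userKey.PublicKey
}

// Authenticate is steps 3' and S16-S18: rp check, length branch, MAC check and unwrap, key recovery, signature.
func (d *Device) Authenticate(rpID string, ct, clientData []byte) (orig, secondSig []byte, err error) {
	if !d.rpAllow[rpID] {
		return nil, nil, errors.New("rpId not in preset list: standard FIDO authentication applies")
	}
	if len(ct) != lenResident && len(ct) != lenPortable {
		return nil, nil, errors.New("unexpected credential ciphertext length")
	}
	plain, err := d.wrap.Open(nil, ct[:d.wrap.NonceSize()], ct[d.wrap.NonceSize():], nil)
	if err != nil {
		return nil, nil, errors.New("MAC verification failed: standard FIDO authentication applies")
	}
	credID := plain[:credIDLen]
	userKey := d.resident[string(credID)] // S17': key kept on the device, found by credential id
	if len(ct) == lenPortable {            // S17: key recovered from the ciphertext itself
		userKey = &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: elliptic.P256()}, D: new(big.Int).SetBytes(plain[credIDLen:])}
		userKey.X, userKey.Y = userKey.Curve.ScalarBaseMult(plain[credIDLen:])
	}
	if userKey == nil {
		return nil, nil, errors.New("no user key for this credential")
	}
	orig = append(append(append([]byte{}, credID...), rpID...), clientData...) // signature original
	secondSig, err = ecdsa.SignASN1(rand.Reader, userKey, hash(orig))
	return orig, secondSig, err
}

// RunFlow plays the upper layer application: step 6 accepts the credential only if the first
// signature verifies under the enterprise public key the application already trusts (pinned here,
// never taken unchecked from the response); step 5' verifies the second signature under the user public key.
func RunFlow(storeOnDevice bool) (bool, error) {
	rp := "login.example.com" // constructed relying party identifier
	dev := NewDevice(rp)
	ct, firstSig, userPub := dev.Register(storeOnDevice)
	if !ecdsa.VerifyASN1(&dev.entPriv.PublicKey, hash(ct), firstSig) {
		return false, errors.New("first signature rejected")
	}
	orig, secondSig, err := dev.Authenticate(rp, ct, []byte(`{"challenge":"constructed"}`))
	if err != nil {
		return false, err
	}
	return ecdsa.VerifyASN1(userPub, hash(orig), secondSig), nil
}
```

Two points the sketch makes visible. The application verifies the first signature under an enterprise public key it already holds, so a response cannot vouch for itself by carrying a certificate; claim 5 adds the certificate chain check that this toy omits. And on the S17 route the user private key travels inside the credential ciphertext, which is why the device checks the MAC before decrypting, rejects any ciphertext of unexpected length, and falls back to the standard flow rather than signing when either check fails.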
In the above embodiments, it may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented using a software program, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer programs. When the computer program is loaded and executed, the flow or functions according to the embodiments of the present application are produced in whole or in part. The computer program may be stored in or transmitted from one computer readable storage medium to another, for example, the computer instructions may be transmitted from one base station, server, or data center via wired (e.g., coaxial cable, optical fiber, digital subscriber line (digital subscriber line, DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means to another base station, server, or data center. The computer readable storage medium may be any available medium that can be accessed by an apparatus of the present application or a data storage device comprising one or more servers, data centers, etc., which can be integrated with the medium. The usable medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a DVD), or a semiconductor medium (e.g., a Solid State Disk (SSD)), or the like.
Although the application is described herein in connection with various embodiments, other variations to the disclosed embodiments can be understood and effected by those skilled in the art in practicing the claimed application, from a study of the drawings, the disclosure, and the appended claims. In the claims, the word "comprising" does not exclude other elements or steps, and the "a" or "an" does not exclude a plurality. A single processor or other unit may fulfill the functions of several items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A method of credential registration and authentication, the method comprising: a credential registration process and a credential authentication process, wherein the credential registration process includes:
Step 1, an upper layer application generates a registration credential instruction according to configuration information input by a user, and sends the registration credential instruction to FIDO equipment, wherein the configuration information comprises a relying party identifier;
step 2, the FIDO equipment judges whether the registered enterprise credential parameter exists in the registration credential instruction; if yes, step 3 is executed, and if not, the standard FIDO credential registration flow is executed;
step 3, the FIDO equipment judges the value of the registered enterprise credential parameter; if the value is a first preset value, step 4 is executed, and if the value is a second preset value, step 5 is executed;
step 4, the FIDO equipment judges whether the relying party identifier in the registration credential instruction is in a preset relying party identifier list, if so, step 5 is executed, and if not, the standard FIDO credential registration flow is executed;
step 5, the FIDO equipment generates a user key pair and stores the user key pair, generates credential data according to a public key of the user key pair, encrypts the credential data by using an enterprise encryption and decryption key to obtain credential ciphertext, signs the credential ciphertext by using a private key of a preset enterprise certificate to generate a first signature value, sets an enterprise authentication parameter as a preset value, and forms a registration credential instruction response according to the enterprise authentication parameter, the preset enterprise certificate, the credential ciphertext, the first signature value and the public key of the user key pair, and returns the registration credential instruction response to the upper-layer application;
Step 6, the upper layer application judges that the value of the enterprise authentication parameter in the registration credential instruction response is a preset value, and when the first signature value is successfully checked by using the public key in the preset enterprise certificate, correspondingly stores the credential ciphertext and the public key of the user key pair;
the credential authentication process includes:
step 1', the upper layer application sends a credential verification instruction to the FIDO equipment;
step 2', the FIDO equipment analyzes the credential verification instruction to obtain a relying party identifier, a credential ciphertext and client data;
step 3', the FIDO equipment judges whether the relying party identifier exists in a preset relying party identifier list, if yes, step 4' is executed, and if not, the standard FIDO credential authentication flow is executed;
step 4', the FIDO equipment decrypts the credential ciphertext by using the enterprise encryption and decryption key to obtain credential data, generates a signature original text according to the credential data, the relying party identifier and the client data, signs the signature original text by using a private key of a user key pair to obtain a second signature value, generates a response of the credential verification instruction according to the signature original text and the second signature value, and sends the response of the credential verification instruction to the upper application;
step 5', the upper layer application verifies the second signature value according to the signature original text and the public key of the user key pair corresponding to the credential ciphertext, and prompts successful authentication after the signature verification succeeds.
2. The method according to claim 1, wherein the step 1 is preceded by:
step M1, the upper layer application sends an instruction for acquiring device information to the FIDO equipment;
step M2, the FIDO equipment returns a response to the acquire device information instruction to the upper layer application;
step M3, the upper layer application judges whether the FIDO equipment supports the registered enterprise credential function according to the response of the equipment information acquisition instruction, if not, the step 1 is executed, if yes, the upper layer application judges whether the registered enterprise credential function of the FIDO equipment is activated, if activated, the step 1 is executed, and if not, the upper layer application sends an instruction for activating the registered enterprise credential function to the FIDO equipment, and the step M4 is executed;
and step M4, the FIDO device sets the registration enterprise credential function status to activated, returns a response for activating the registration enterprise credential function instruction to the upper layer application, and executes step M1.
3. The method according to claim 1, wherein step 3 is specifically: the FIDO equipment judges the value of the registered enterprise credential parameter; if the value is a first preset value, step 4a is executed, and if the value is a second preset value, step 5 is executed;
step 4a, the FIDO equipment displays the value of the relying party identifier in the registration credential instruction to the user and judges whether confirmation information from the user is received; if so, step 4 is executed, and if not, a failed registration credential instruction response is returned to the upper layer application.
4. The method according to claim 1, wherein step 5 is preceded by: the FIDO equipment judges the value of the key storage attribute identifier in the registration credential instruction; and step 5 specifically comprises:
when the value of the key storage attribute identifier is a second preset value, the FIDO equipment generates a user key pair and stores the user key pair, generates credential data according to a public key of the user key pair and a private key of the user key pair, encrypts the credential data by using an enterprise encryption and decryption key to generate credential ciphertext, performs signature operation on the credential ciphertext according to a private key corresponding to a preset enterprise certificate to generate a first signature value, sets an enterprise authentication parameter as the preset value, and forms a registration credential instruction response according to the enterprise authentication parameter, the preset enterprise certificate, the credential ciphertext, the first signature value and the public key of the user key pair, and returns the registration credential instruction response to an upper layer application;
when the value of the key storage attribute identifier is a first preset value, the FIDO equipment generates a user key pair and stores the user key pair, generates credential data according to a public key of the user key pair, encrypts the credential data by using an enterprise encryption and decryption key to generate credential ciphertext, performs signature operation on the credential ciphertext according to a private key corresponding to a preset enterprise certificate to generate a first signature value, stores the credential data, a relying party identifier and the private key of the user key pair after corresponding binding, sets an enterprise authentication parameter as the preset value, and forms a registration credential instruction response according to the enterprise authentication parameter, the preset enterprise certificate, the credential ciphertext, the first signature value and the public key of the user key pair, and returns the registration credential instruction response to an upper layer application;
Step 4' further includes: the FIDO equipment judges the length of the credential ciphertext; and step 4' specifically comprises:
when the length of the credential ciphertext is a first preset value, the FIDO equipment decrypts the credential ciphertext with the enterprise encryption and decryption key, obtains the credential data and the private key of the user key pair on successful decryption, forms a signature original text from the credential data, the relying party identifier and the client data, signs the signature original text with the private key of the user key pair to obtain a second signature value, generates a response to the credential verification instruction from the signature original text and the second signature value, and sends the response to the upper layer application;
and when the length of the credential ciphertext is a second preset value, the FIDO equipment decrypts the credential ciphertext with the enterprise encryption and decryption key to obtain the credential data, looks up the private key of the corresponding user key pair by the credential data, forms a signature original text from the credential data, the relying party identifier and the client data, signs the signature original text with the user private key to obtain a second signature value, generates a response to the credential verification instruction from the signature original text and the second signature value, and sends the response to the upper layer application.
5. The method of claim 1, wherein,
the step 6 specifically comprises the following steps: and when the upper layer application judges that the value of the enterprise authentication parameter in the registration credential instruction response is a preset value, the certificate chain of the preset enterprise certificate is effective, and the public key in the preset enterprise certificate is used for successfully verifying the first signature value, the public key of the credential ciphertext and the user key pair are correspondingly stored.
6. The method of claim 2, wherein,
step M4 specifically comprises: the FIDO equipment checks the PIN authentication parameter in the activate registered enterprise credential function instruction; when the check succeeds, it sets the registered enterprise credential function state to activated, returns a success response to the activate registered enterprise credential function instruction to the upper layer application, and executes step M1; when the check fails, it returns a failure response to the activate registered enterprise credential function instruction to the upper layer application.
7. A system for credential registration and authentication, the system comprising: upper layer application device and FIDO equipment, upper layer application device includes:
the generation module is used for generating a registration credential instruction according to configuration information input by a user;
the sending module is used for sending the registration credential instruction to the FIDO equipment; and is further configured to send a credential verification instruction to the FIDO device;
The judging and storing module is used for judging that the value of the enterprise authentication parameter in the registration credential instruction response is a preset value and correspondingly storing the credential ciphertext and the public key of the user key pair when the first signature value is successfully checked by using the public key in the preset enterprise certificate;
the signature verification prompting module is used for verifying the second signature value according to the public key of the user key pair corresponding to the signature original text and the credential ciphertext, and prompting successful authentication after successful signature verification;
the FIDO device includes:
the first judging module is used for judging whether the registered enterprise credential parameters exist in the registered credential instruction;
the execution module is used for executing the standard FIDO registration credential flow when the judgment result of the first judging module is negative;
the second judging module is used for judging the value of the registered enterprise credential parameter when the judgment result of the first judging module is yes;
the third judging module is used for judging whether the relying party identifier in the registration credential instruction is in a preset relying party identifier list when the second judging module judges that the value of the registered enterprise credential parameter is a first preset value, triggering the generation and storage module if so and the execution module if not; and for triggering the generation and storage module when the second judging module judges that the value of the registered enterprise credential parameter is a second preset value;
The generation and storage module is used for generating a user key pair and storing the user key pair, generating credential data according to a public key of the user key pair, encrypting the credential data by using an enterprise encryption and decryption key to obtain a credential ciphertext, signing the credential ciphertext by using a private key of a preset enterprise certificate to generate a first signature value, binding and storing the credential data and a relying party identifier, setting an enterprise authentication parameter as a preset value, and forming a registration credential instruction response according to the enterprise authentication parameter, the preset enterprise certificate, the credential ciphertext, the first signature value and the public key of the user key pair;
the return module is used for returning the registration credential instruction response formed by the generation and storage module;
the analysis module is used for analyzing the credential verification instruction to obtain a relying party identifier, a credential ciphertext and client data;
the fourth judging module is used for judging whether the relying party identifier obtained by the analyzing module exists in a preset relying party identifier list or not;
the decryption generation module is used for decrypting the credential ciphertext by using the enterprise encryption and decryption key to obtain credential data when the judgment result of the fourth judgment module is yes, generating a signature original text according to the credential data, the relying party identifier and the client data, signing the signature original text by using a private key of a user key pair to obtain a second signature value, and generating a response of a credential verification instruction according to the signature original text and the second signature value;
and the sending module is used for sending the response to the credential verification instruction to the upper layer application device.
8. A FIDO device comprising at least one processor, a memory, and instructions stored on the memory and executable by the at least one processor, the at least one processor executing the instructions to implement the operations of the FIDO device in the method of any one of claims 1 to 6.
9. A computer readable storage medium, characterized in that the computer readable storage medium comprises a computer program which, when run on a computer, causes the computer to perform the operations of the upper layer application in the method according to any one of claims 1 to 6.
10. A computer readable storage medium comprising a computer program which, when run on a computer, causes the computer to perform the operations of the FIDO device in the method of any of claims 1 to 6.
CN202210563864.9A 2022-05-23 2022-05-23 Method and system for registering and authenticating certificates Active CN114978543B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210563864.9A CN114978543B (en) 2022-05-23 2022-05-23 Method and system for registering and authenticating certificates

Publications (2)

Publication Number Publication Date
CN114978543A CN114978543A (en) 2022-08-30
CN114978543B true CN114978543B (en) 2023-09-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant