CN115459918A - Identity authentication method and device - Google Patents


Publication number
CN115459918A
Authority
CN
China
Prior art keywords
information
server
authentication
identity
identity authentication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210934275.7A
Other languages
Chinese (zh)
Inventor
覃才俊
王训
潘廷勇
韩杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Visionvera Information Technology Co Ltd
Original Assignee
Visionvera Information Technology Co Ltd
Application filed by Visionvera Information Technology Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3278: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response using physically unclonable functions [PUF]
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869: Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The embodiment of the invention provides an identity authentication method and an identity authentication device, wherein terminal equipment comprises a PUF chip, and the method comprises the following steps: receiving authentication challenge information of a server side, wherein the authentication challenge information at least comprises a first element and first identity verification information; determining first response information corresponding to the first element, and generating second identity verification information according to the first response information, wherein the first response information is generated by a PUF chip of the terminal equipment; and when the first identity verification information is matched with the second identity verification information, determining authentication challenge information of the equipment side according to the first response information, and sending the authentication challenge information of the equipment side to the server so that the server performs identity authentication on the terminal equipment. The identity uniqueness of the terminal equipment is ensured based on the physical characteristics of the PUF chip, so that the safety of identity authentication based on the PUF chip is ensured, the identity authentication is carried out based on the PUF chip under the condition that a CA certificate is not required to be deployed, and the project cost is saved.

Description

Identity authentication method and device
Technical Field
The present invention relates to the field of computer technologies, and in particular, to an identity authentication method and an identity authentication apparatus.
Background
The existing identity authentication system usually adopts a PKI (Public Key Infrastructure) authentication system, and each independent project needs to deploy a CA, which increases project cost. And in a PKI authentication system, identity authentication is carried out based on a CA certificate, so that the security is low. Meanwhile, when a plurality of projects are cascaded, the CA certificates cannot be mutually authenticated easily due to the fact that CA products deployed in each project are inconsistent.
Disclosure of Invention
In view of the above problems, embodiments of the present invention are proposed to provide an identity authentication method and an identity authentication apparatus that overcome or at least partially solve the above problems.
In order to solve the above problem, an embodiment of the present invention discloses an identity authentication method, which is applied to a terminal device, where the terminal device includes a PUF chip, and the method includes:
receiving authentication challenge information of a server side, wherein the authentication challenge information at least comprises a first element and first identity verification information;
determining first response information corresponding to the first element, and generating second identity verification information according to the first response information, wherein the first response information is generated by a PUF chip of the terminal equipment;
and when the first identity verification information is matched with the second identity verification information, determining authentication challenge information of the equipment side according to the first response information, and sending the authentication challenge information of the equipment side to the server so that the server performs identity authentication on the terminal equipment.
Optionally, before receiving the authentication challenge information at the server side, the method further includes:
receiving a first element set sent by the server;
generating corresponding second response information according to the elements of the first element set through the PUF chip, and using the second response information as the elements of a second element set;
sending a second element set to the server to cause the server to create a fingerprint database based on the first element set and the second element set; wherein the first element is selected by the server from a first set of elements of the fingerprint database.
Optionally, the generating second authentication information according to the first response information includes:
and encrypting the first response information and the terminal equipment side information to obtain the second identity authentication information.
Optionally, the terminal device side information includes a device ID and/or a first anti-replay random number.
Optionally, the determining, according to the first response information, the authentication challenge information of the device side includes:
and encrypting the first response information and the server side information to obtain authentication challenge information of the equipment side.
Optionally, the server-side information includes a server ID and/or a second anti-replay random number.
The embodiment of the invention also discloses another identity authentication method which is applied to a server and comprises the following steps:
generating authentication challenge information of a server side, and sending the authentication challenge information of the server side to terminal equipment so that the terminal equipment performs identity authentication on the server; the authentication challenge information of the server side at least comprises a first element and first identity verification information, and the first identity verification information is generated according to the second element;
receiving authentication challenge information of an equipment side sent by the terminal equipment, wherein the authentication challenge information of the equipment side comprises third identity verification information;
generating fourth identity verification information according to the second element;
and when the third identity verification information is matched with the fourth identity verification information, the identity authentication of the terminal equipment passes.
Optionally, the generating authentication challenge information of the server side includes:
and determining a corresponding first element and a second element corresponding to the first element according to the equipment ID of the terminal equipment from the fingerprint database.
Optionally, the fingerprint database includes a first element set and a second element set, and the determining, according to the device ID of the terminal device, a corresponding first element and a second element corresponding to the first element includes:
selecting a first element from a first element set corresponding to the equipment ID of the terminal equipment;
and selecting a second element corresponding to the first element from a second element set corresponding to the equipment ID of the terminal equipment.
Optionally, before generating the authentication challenge information on the server side, the method further includes:
generating a plurality of random numbers as elements of a first element set, and sending the first element set to the terminal equipment;
receiving a second element set sent by the terminal equipment;
and creating a fingerprint database according to the device ID corresponding to the terminal device, the first element set and the second element set.
Optionally, the method further comprises:
and when the identity authentication of the terminal equipment passes, deleting the first element and the corresponding second element which are used in the identity authentication process.
Optionally, the method further comprises:
and if the number of the elements in the first element set and the second element set is smaller than a preset number threshold, supplementing the elements in the first element set and the second element set.
Optionally, the method further comprises:
and encrypting the second element and the terminal equipment side information to obtain the first identity verification information.
Optionally, the terminal device side information includes a device ID and/or a first anti-replay random number.
Optionally, the generating fourth authentication information according to the second element includes:
and encrypting the second element and the server side information to obtain fourth identity authentication information.
Optionally, the server-side information includes a server ID and/or a second anti-replay random number.
The embodiment of the invention also discloses an identity authentication device, which is applied to terminal equipment, wherein the terminal equipment comprises a PUF chip, and the identity authentication device comprises:
a receiving module, configured to receive authentication challenge information at a server side, where the authentication challenge information at least includes a first element and a first MAC value;
a generating module, configured to determine first response information corresponding to the first element, and generate second identity verification information according to the first response information, where the first response information is generated by a PUF chip of the terminal device;
and the authentication module is used for determining authentication challenge information of the equipment side according to the first response information when the first identity verification information is matched with the second identity verification information, and sending the authentication challenge information of the equipment side to the server so that the server performs identity authentication on the terminal equipment.
Optionally, before receiving the authentication challenge information at the server side, the method further includes:
the first element set receiving module is used for receiving a first element set sent by the server;
a second element set generation module, configured to generate, by the PUF chip, corresponding second response information according to the elements of the first element set, and use the second response information as the elements of the second element set;
a second element set sending module, configured to send a second element set to the server, so that the server creates a fingerprint database based on the first element set and the second element set; wherein the first element is selected by the server from a first set of elements of the fingerprint database.
Optionally, the generating module includes:
and the second authentication information submodule is used for encrypting the first response information and the terminal equipment side information to obtain the second identity authentication information.
Optionally, the terminal device side information includes a device ID and/or a first anti-replay random number.
Optionally, the authentication module includes:
and the challenge information determining submodule is used for encrypting the first response information and the server side information to obtain authentication challenge information of the equipment side.
Optionally, the server-side information includes a server ID and/or a second anti-replay random number.
The embodiment of the invention also discloses another identity authentication device which is applied to a server, and the device comprises:
the challenge information determining module is used for generating authentication challenge information of a server side and sending the authentication challenge information of the server side to terminal equipment so that the terminal equipment can perform identity authentication on the server; the authentication challenge information of the server side at least comprises a first element and first identity verification information, and the first identity verification information is generated according to the second element;
a verification information receiving module, configured to receive authentication challenge information of an equipment side sent by the terminal equipment, where the authentication challenge information of the equipment side includes third identity verification information;
the verification information generation module is used for generating fourth identity verification information according to the second element;
and the equipment authentication module is used for passing the identity authentication of the terminal equipment when the third identity authentication information is matched with the fourth identity authentication information.
Optionally, the challenge information determining module includes:
and the element selection submodule is used for determining a corresponding first element and a second element corresponding to the first element from the fingerprint database according to the equipment ID of the terminal equipment.
Optionally, the fingerprint database includes a first element set and a second element set, and the element selection sub-module includes:
a first element selection unit, configured to select a first element from a first element set corresponding to a device ID of a terminal device;
and the second element selecting unit is used for selecting a second element corresponding to the first element from a second element set corresponding to the equipment ID of the terminal equipment.
Optionally, the method further comprises:
a first element set sending module, configured to generate multiple random numbers as elements of a first element set, and send the first element set to the terminal device;
a second element set receiving module, configured to receive a second element set sent by the terminal device;
and the database creating module is used for creating a fingerprint database according to the equipment ID corresponding to the terminal equipment, the first element set and the second element set.
Optionally, the method further comprises:
and the deleting module is used for deleting the used first element and the corresponding second element in the identity authentication process when the identity authentication of the terminal equipment passes.
Optionally, the method further comprises:
and the supplementing module is used for supplementing the elements in the first element set and the second element set if the number of the elements in the first element set and the second element set is less than a preset number threshold.
Optionally, the method further comprises:
and the first authentication information generation module is used for encrypting the second element and the terminal equipment side information to obtain the first authentication information.
Optionally, the terminal device side information includes a device ID and/or a first anti-replay random number.
Optionally, the verification information generating module includes:
and the fourth verification information generation submodule is used for encrypting the second element and the server side information to obtain fourth identity verification information.
Optionally, the server-side information includes a server ID and/or a second anti-replay random number.
The embodiment of the invention also discloses an electronic device, which comprises: a processor, a memory and a computer program stored on the memory and being executable on the processor, the computer program, when executed by the processor, implementing the steps of the identity authentication method as described above.
The embodiment of the present invention further discloses a computer-readable storage medium, which is characterized in that a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the identity authentication method as described above are implemented.
The embodiment of the invention has the following advantages:
A PUF chip is arranged on the terminal device. The first element sent by the server is input into the PUF chip to obtain the corresponding first response information, and the second identity verification information and the third identity verification information are obtained based on the first response information. The identity verification information generated by the terminal device during authentication is matched against the identity verification information generated by the server, so that the server and the terminal device authenticate each other bidirectionally. Identity authentication is therefore performed without deploying a CA certificate, which saves project cost; the devices in the network are ensured to be genuine or legally authorized, which improves system security; and identity authentication can be performed based on the stored information, which avoids the problem that a PKI identity authentication system cannot perform cross-domain authentication.
Drawings
Fig. 1 is a flowchart illustrating steps of an identity authentication method according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating steps of another method for authenticating an identity according to an embodiment of the present invention;
fig. 3 is a block diagram of an identity authentication apparatus according to an embodiment of the present invention;
fig. 4 is a block diagram of another identity authentication apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in further detail below.
Existing identity authentication systems typically employ PKI authentication systems, which require the deployment of CAs for each individual project, resulting in increased project costs. And in a PKI authentication system, identity authentication is carried out based on a CA certificate, so that the safety is low. Meanwhile, when a plurality of projects are cascaded, the CA certificates cannot be mutually authenticated easily due to the fact that CA products deployed in each project are inconsistent.
The core idea of the embodiment of the invention is that a PUF chip is arranged on the terminal device. A PUF is a hardware security technology. Unpredictable and uncontrollable random physical factors in the device manufacturing process cause minute differences in microscopic physical structure, which produce mutually independent challenge-response relations between the input and output signals of individual device units. Since the same device structure cannot be cloned, these relations are called physical unclonable functions; they have the advantages of requiring no storage, resisting intrusion, being impossible to copy, being easy to integrate, and adapting flexibly. In the embodiment of the invention, the uniqueness of the identity of a device in the video network can be ensured by the physical characteristics of the PUF chip, so that identity authentication is performed based on the PUF chip without reducing security. The first element sent by the server is input into the PUF chip to obtain the corresponding first response information, and the second identity verification information and the third identity verification information are obtained based on the first response information. The identity verification information generated by the terminal device during authentication is matched against the identity verification information generated by the server, so that the server and the terminal device authenticate each other bidirectionally. Identity authentication is therefore performed without deploying a CA certificate, which saves project cost; the devices in the network are ensured to be genuine or legally authorized, which improves system security; and identity authentication can be performed based on the stored information, which avoids the problem that a PKI (public key infrastructure) identity authentication system cannot perform cross-domain authentication.
Referring to fig. 1, a flowchart illustrating steps of an identity authentication method provided in an embodiment of the present invention is shown, and is applied to a terminal device, where the terminal device includes a PUF chip, and the method specifically includes the following steps:
step 101, receiving authentication challenge information of a server side, where the authentication challenge information at least includes a first element and first identity verification information.
The identity authentication method of the embodiment of the invention can be applied to a terminal device that includes a PUF chip. Before the terminal device applies to a server to carry out network services, it can exchange information with the server, so that bidirectional identity authentication between the terminal device and the server is performed based on the PUF chip.
The terminal device may be a device that inputs a program and data to the server or receives a processing result output by the server via a communication facility, and the terminal device may specifically be a network element device, a mobile phone, a tablet computer, a wearable device, a vehicle-mounted device, a notebook computer, an ultra-mobile personal computer (UMPC), a netbook, a Personal Digital Assistant (PDA), or other terminal devices.
Illustratively, the terminal device may be a network element device. A network element device may be composed of one or more machine disks or machine frames, can independently perform a transmission function, and is the minimum unit that can be monitored and managed in network management. Taking a video network element as an example of the terminal device, the identity authentication method of the embodiment of the present invention may be applied to a video network element such as a video network terminal device, a video network border gateway, a VVoE (video networking protocol driver), a video network virtual terminal, or another video network terminal device. The services of a video network element need to be approved by a video network server, which can be a service platform with a control function and a service function, such as a video network conference management system or a video network comprehensive management system. The video network element can include a PUF chip. Before the video network element applies to the video network server to carry out video network services, it can exchange information with the video network server, so that bidirectional identity authentication between the video network element and the video network server is performed based on the PUF chip.
Specifically, identity authentication may be performed before the terminal device applies to carry out network services. The terminal device may send a first signaling to the server, where the first signaling may include the device ID of the terminal device that needs to be authenticated.
The terminal device may receive information returned by the server based on the first signaling. Specifically, the terminal device may receive a second signaling sent by the server based on the first signaling, acquire authentication challenge information of the server side in the second signaling, and perform identity authentication on the server based on the authentication challenge information. The authentication challenge information may be information for initiating an identity authentication challenge, and may include at least a first element and first identity verification information.
The first identity verification information may be the specific information used for matching and comparison in server identity authentication, and may be a first MAC (Message Authentication Code) value.
Step 102, determining first response information corresponding to the first element, and generating second identity verification information according to the first response information, wherein the first response information is generated by the PUF chip of the terminal device.
After the terminal device receives the authentication challenge information, first response information corresponding to the first element may be determined. The first element may be input to a PUF chip of the terminal device, first response information corresponding to the first element is generated by the PUF chip, and second authentication information is generated according to the first response information corresponding to the first element.
The first response information may be information for authentication generated in response to the first element, and may be a first response value output by the PUF chip; the second identity verification information may be information used for matching and comparing in server identity authentication, and may be a second MAC value. Specifically, a first response value corresponding to the first element may be generated by the PUF chip, and a second MAC value may be generated according to the first response value.
In the embodiment of the invention, the first element is input into the PUF chip to generate the corresponding first response information. Owing to the physical characteristics of the PUF chip, the response information that the terminal device's PUF chip generates for the first element uniquely identifies the terminal device. This ensures the uniqueness of the terminal device's identity, avoids the problem of low security of identity authentication based on a CA certificate, and allows identity authentication to be performed based on the PUF chip with high security.
Step 103, when the first identity verification information matches the second identity verification information, determining authentication challenge information of the device side according to the first response information, and sending the authentication challenge information of the device side to the server so that the server performs identity authentication on the terminal device.
The server can be authenticated by judging whether the first identity verification information sent by the server side matches the second identity verification information generated by the device side. When the first identity verification information matches the second identity verification information, this indicates that the identity authentication of the server has passed.
Specifically, the first identity verification information may be information used for matching and comparison in server identity authentication, and may be a first MAC value; the second identity verification information may be information used for matching and comparison in server identity authentication, and may be a second MAC value. The terminal device can judge whether the first MAC value matches the second MAC value. If they match, the identity authentication of the server passes; if they do not match, the identity authentication of the server fails, and the terminal device does not apply to the server to carry out network services.
When the server passes the identity authentication, the authentication challenge information of the equipment side can be determined according to the first response information and sent to the server, so that the server performs the identity authentication on the terminal equipment. Specifically, the terminal device may generate a third signaling according to the authentication challenge information of the device side, and send the third signaling to the server, so that the server may obtain the authentication challenge information of the device side from the third signaling after receiving the third signaling, and perform identity authentication on the terminal device according to the authentication challenge information of the device side.
The authentication challenge information of the device side may include third identity verification information, and the third identity verification information may be information used for matching and comparing in device identity authentication, and specifically may be a third MAC value. When the server identity authentication passes, a third MAC value may be generated according to the first response value, and the third MAC value may be sent to the server, so that the server performs identity authentication on the terminal device. The first response information may be information for authentication generated in response to the first element, and may be a first response value output by the PUF chip; the second authentication information may be a second MAC value.
If the server determines that the identity authentication of the terminal device passes, the terminal device may receive a fourth signaling sent by the server, where the fourth signaling may include authentication completion information, thereby ending the bidirectional identity authentication, and the terminal device may apply for the server to develop a network service.
In the embodiment of the invention, due to the physical characteristics of the PUF chip, the generated response information can uniquely identify the corresponding terminal equipment, so that the generated second identity authentication information can also uniquely identify the terminal equipment, and if the second identity authentication information generated by the terminal equipment is matched with the first identity authentication information sent by the server, namely the unique identifier aiming at the terminal equipment sent by the server is matched with the unique identifier generated by the terminal equipment in real time, the identity authentication of the server is determined to pass, so that the identity authentication can be performed based on the uniqueness of the terminal equipment, the security is higher, the problem of lower security of the identity authentication performed based on a CA (certificate) is avoided, the identity authentication is performed without deploying the CA certificate, and the project cost is saved.
In an optional embodiment, before receiving the authentication challenge information at the server side, the method further includes: receiving a first element set sent by the server; generating corresponding second response information according to the elements of the first sequence through the PUF chip, and using the second response information as elements of a second element set; sending a second set of elements to the server to cause the server to create a fingerprint database based on the device ID, the first set of elements, and the second set of elements; wherein the first element is selected by the server from a first set of elements of the fingerprint database.
Specifically, the core switching server may assign a network address of the terminal device to the terminal device, and the terminal device may input the network address into the PUF chip to obtain the device ID, and introduce the device ID into the server in an offline manner, so that the server establishes the fingerprint database according to the introduced device ID, thereby performing identity authentication on the terminal device based on the fingerprint database.
In practical application, the core switching server may assign a network address of each terminal device to each terminal device, and each terminal device may input the network address into a PUF chip of the terminal itself to generate a device ID of each terminal device, where each device ID may uniquely identify each corresponding terminal device. The USB flash disk can be inserted into the terminal equipment to read the generated equipment ID, and the USB flash disk is inserted into the server after the reading is finished, so that the equipment ID of each terminal equipment can be imported into the server in an off-line mode, the server can establish a fingerprint database according to each imported equipment ID, and the identity authentication of each terminal equipment needing authentication is carried out based on the fingerprint database.
The fingerprint may be verification data for performing identity authentication, and in an embodiment of the present invention, the fingerprint may be second response information corresponding to an element of the first element set, where the second response information may be information for authentication generated in response to the element of the first element set, and may be a second response value output by the PUF chip. After receiving a second element set returned by the terminal device based on the first element set, the server may create a fingerprint database based on the device ID, the first element set, and the second element set. In the embodiment of the invention, due to the physical characteristics of the PUF chip, the pre-generated fingerprint, namely the second response information, can uniquely identify the corresponding terminal equipment, so that the identity authentication information generated according to the second response information can also uniquely identify the terminal equipment.
It should be noted that the fingerprint database may include fingerprint data corresponding to a plurality of terminal devices, and for a device ID, the fingerprint database has a corresponding first element set and a corresponding second element set, where the first element set may include a plurality of elements, and the elements of the second element set respectively correspond to the elements of the first element set one to one. Based on the physical characteristics of the PUF chips, if each terminal device inputs the same first element set into its own PUF chip, the corresponding obtained second response information will also be different, that is, the second element sets obtained by each terminal device for the same first element set are different. It should be understood by those skilled in the art that the above-mentioned generation of different second element sets by each terminal device based on the same element set is only an example of the present invention, and in practical applications, each terminal device may receive different first element sets sent by a server, and the present invention is not limited herein.
Before receiving the authentication challenge information of the server side, the terminal device may receive a fifth signaling sent by the server, where the fifth signaling may include a first element set encrypted by using key information, generate, by using the PUF chip, corresponding second response information according to elements of the first element set, and send, to the server, a sixth signaling, where the sixth signaling may include a second element set encrypted by using the key information. The key information may include a symmetric key and a distributed key, the terminal device may perform key agreement with the server to obtain the symmetric key, then perform key distribution on the symmetric key by using the device ID to obtain the distributed key, then encrypt the second element set by using the symmetric key, and perform integrity protection on the encrypted second element set by using the distributed key.
Specifically, after the device ID is imported into the server in an offline manner, the terminal device and the server may perform key agreement by using an SM2 elliptic curve public key cryptographic algorithm, and both negotiate a symmetric key. The terminal device may perform KDF key distribution on the symmetric key using the device ID to obtain a distributed key.
A KDF (Key derivation function) can be used to expand keys to longer keys or to obtain keys in a desired format. Specifically, the terminal device may perform KDF key dispersion on the symmetric key by using the device ID to obtain a dispersed key, encrypt the second element set by using the symmetric key, and perform integrity protection on the encrypted second element set, the user-defined data, the device ID, the server ID, the first anti-replay random number generated by the server, and the second anti-replay random number generated by the terminal device by using the dispersed key.
The terminal device may receive a fifth signaling sent by the server, and decrypt the fifth signaling according to the symmetric key and the distributed key by using a symmetric decryption algorithm to obtain a first element set; the first element set can be input into a PUF chip of the terminal device, and corresponding second response information is generated by the PUF chip according to the elements of the first element set, as elements of the second element set; and finally, the second element set can be encrypted by adopting a symmetric key and a dispersed key to obtain a sixth signaling, and the sixth signaling is sent to the server.
It should be noted that, in the embodiment of the present invention, in the communication process between the terminal device and the server, the symmetric key may be used to encrypt not only the second element set, but also encrypt/decrypt other transmitted information for authentication; based on the symmetric key, the integrity protection can be performed on the encrypted second element set, and the integrity protection can also be performed on other encrypted messages.
In the embodiment of the invention, the second element set is encrypted and protected by adopting the symmetric key, so that the safety of the second element set sent to the server by the terminal equipment can be ensured; by adopting the distributed key to carry out integrity protection on the transmission information, the integrity and the safety of the information sent to the server by the terminal equipment can be ensured, and Man-in-the-Middle Attack (MITM) is avoided.
In the embodiment of the invention, the information for authentication is encrypted by adopting the symmetric key in the communication process of the terminal equipment and the server, and the PUF authentication process can be protected based on the symmetric key, so that the identity authentication is realized once, and the identity authentication process is simple and quick.
In the embodiment of the invention, the distributed key is obtained by carrying out key dispersion on the symmetric key, and the message is encrypted by adopting the distributed key, so that the message can be subjected to MAC protection based on the symmetric key. If the symmetric keys are different, the MAC calculation results are different; if the messages are different, the MAC calculation results are also different.
In the embodiment of the present invention, the corresponding second response information is obtained in advance through the PUF chip of the terminal device itself and used as the elements of the second element set; the elements of the second element set may uniquely identify the corresponding terminal device, and a fingerprint database is created in advance based on the device ID, the corresponding first element set, and the second element set, where the fingerprint may be the second response information corresponding to the element of the first element set. The fingerprint data in the fingerprint database created in advance can be matched with the data generated in real time in the authentication process to carry out identity authentication, thereby ensuring that equipment which is carrying out identity authentication in the network is real or legally authorized and improving the safety; and because the identity authentication is carried out based on the data prestored in the fingerprint database, the problem that a PKI identity authentication system cannot perform cross-domain authentication is avoided.
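The key dispersion and integrity protection described above, as an added example that is not code from the patent. It assumes HKDF-SHA256 as the KDF and HMAC-SHA256 as the integrity algorithm (the text names neither), treats the encrypted second element set as opaque bytes, and uses hypothetical names; the way the receiver checks the two anti-replay random numbers is also an assumption.

```python
import hashlib
import hmac


def hkdf_sha256(key: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with the default all-zero salt; assumed stand-in for the KDF."""
    prk = hmac.new(b"\x00" * 32, key, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def disperse_key(symmetric_key: bytes, device_id: bytes) -> bytes:
    """Derive the dispersed key from the negotiated symmetric key and the device ID."""
    return hkdf_sha256(symmetric_key, b"dispersed-key" + device_id)


# Fields covered by integrity protection in the sixth signaling, per the description.
FIELDS = ("ciphertext", "custom", "device_id", "server_id", "nonce1", "nonce2")


def _tag(key: bytes, msg: dict) -> bytes:
    # Length-prefix every field so that field boundaries cannot be shifted
    # without changing the MAC input.
    data = b"".join(len(msg[f]).to_bytes(4, "big") + msg[f] for f in FIELDS)
    return hmac.new(key, data, hashlib.sha256).digest()


def protect(symmetric_key: bytes, msg: dict) -> dict:
    """Terminal side: attach a MAC computed with the dispersed key."""
    out = dict(msg)
    out["mac"] = _tag(disperse_key(symmetric_key, msg["device_id"]), msg)
    return out


class SignalingVerifier:
    """Server side: verify one terminal's sixth signaling (hypothetical class)."""

    def __init__(self, symmetric_key, device_id, server_id, nonce1):
        # The server disperses the key with the device ID it imported offline.
        self._key = disperse_key(symmetric_key, device_id)
        self._device_id = device_id
        self._server_id = server_id
        self._nonce1 = nonce1          # random number the server issued
        self._seen_nonce2 = set()      # terminal random numbers already accepted

    def verify(self, msg: dict) -> str:
        if not hmac.compare_digest(_tag(self._key, msg), msg["mac"]):
            return "bad-mac"
        if msg["device_id"] != self._device_id or msg["server_id"] != self._server_id:
            return "wrong-party"
        if msg["nonce1"] != self._nonce1:
            return "stale-nonce1"
        if msg["nonce2"] in self._seen_nonce2:
            return "replay"
        self._seen_nonce2.add(msg["nonce2"])
        return "ok"
```
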
In an alternative embodiment, the step 102 may comprise: and encrypting the first response information and the terminal equipment side information to obtain the second identity authentication information.
The terminal equipment side information can be equipment side information of the terminal equipment needing identity authentication; the first response information may be information for authentication generated in response to the first element, and may be a first response value output by the PUF chip; the second identity verification information may be information used for matching and comparing in server identity authentication, and may be a second MAC value. Specifically, the first response value and the terminal device side information may be encrypted to obtain the second MAC value.
In an alternative embodiment, the terminal device side information may include a device ID and/or a first anti-replay random number.
The terminal device side information may be device side information of a terminal device that needs to perform identity authentication, and specifically may include a device ID and/or a first anti-replay random number. Illustratively, the terminal device may receive a first anti-replay random number sent by the server, and encrypt the first response information, the device ID, and the first anti-replay random number to obtain second authentication information. Specifically, the terminal device may receive a second signaling sent by the server, acquire a first anti-replay random number generated by the server from the second signaling, and encrypt the first response value, the device ID, and the first anti-replay random number to generate a second MAC value.
In an alternative embodiment, the step 103 may include: and encrypting the first response information and the server side information to obtain the authentication challenge information of the equipment side.
The server side information can be information of a server which needs identity authentication; the first response information may be information for authentication generated in response to the first element, and may be a first response value output by the PUF chip; the authentication challenge information of the device side may include third authentication information, and the third authentication information may be information used for matching and comparing in device authentication, and may be a third MAC value. Specifically, the first response value and the server-side information may be encrypted to obtain a third MAC value.
In an alternative embodiment, the server-side information includes a server ID and/or a second anti-replay random number.
The server-side information may be information of a server that needs to perform identity authentication, and specifically may include a server ID and/or a second anti-replay random number. For example, the terminal device may generate a second anti-replay random number, and encrypt the first response information, the server ID, and the second anti-replay random number to obtain third authentication information. Specifically, the terminal device may generate the second anti-replay random number, acquire the server ID from the second signaling transmitted by the server, and encrypt the first response value, the server ID, and the second anti-replay random number to generate the third MAC value.
In the embodiment of the invention, the anti-replay random number is generated and carried in the communication signaling, so that man-in-the-middle attack can be avoided, and the safety of communication information can be ensured.
In the embodiment of the present invention, in the identity authentication process, the terminal device may generate, in real time, corresponding first response information for the first element, and obtain the identity verification information based on the first response information generated in real time, where the fingerprint may be second response information corresponding to elements of the first element set. This information can be matched and compared with fingerprint data in a fingerprint database established in advance to carry out identity authentication, so that the terminal equipment is prevented from applying to an illegal server for developing network services, and the server is prevented from authorizing illegal requests of illegal terminal equipment to develop network services, thereby ensuring that equipment which is carrying out identity authentication in a network is real or legally authorized and improving the safety; and identity authentication is carried out based on data pre-stored in the fingerprint database, so that the problem that cross-domain authentication cannot be carried out by adopting a PKI identity authentication system is solved.
The method and the device have the advantages that the PUF chip is arranged on the terminal device, the first element sent by the server is input into the PUF chip to obtain the corresponding first response information, the second identity authentication information and the third identity authentication information are obtained based on the first response information, the identity authentication information generated in the authentication process of the terminal device is matched with the identity authentication information generated by the server to carry out bidirectional identity authentication on the server and the terminal device, so that the identity authentication is carried out under the condition that a CA certificate is not required to be deployed to save project cost, the fact that the device in the network is real or legally authorized to improve system safety is ensured, and the identity authentication can be carried out based on the stored information to avoid the problem that a PKI identity authentication system cannot carry out cross-domain authentication.
Referring to fig. 2, a flowchart illustrating steps of another identity authentication method provided in an embodiment of the present invention is shown, and is applied to a server, where the method specifically includes the following steps:
Step 201, generating authentication challenge information of a server side, and sending the authentication challenge information of the server side to a terminal device, so that the terminal device performs identity authentication on the server; the authentication challenge information of the server side at least comprises a first element and first identity verification information, and the first identity verification information is generated according to the second element.
The identity authentication method of the embodiment of the invention can be applied to a server, and the server can perform information interaction with the terminal equipment before receiving the application of the terminal equipment for developing the network service, so that the bidirectional identity authentication between the server and the terminal equipment is performed based on the authentication challenge information at the server side.
Exemplarily, taking the server of the embodiment of the present invention as a video network server as an example, the identity authentication method of the embodiment of the present invention may be applied to the video network server, and the video network server may be a service platform with a management and control function and a service function, such as a video network conference management system, a video network comprehensive management system, and the like. The network element of the video network can be a video network terminal device such as a video network terminal, a video network border gateway, a VVoE (video network protocol driven), a video network virtual terminal, and the like. Before the video networking server receives the application of the video networking network element for developing the video networking service, the video networking server can perform information interaction with the video networking network element, so that bidirectional identity authentication between the video networking server and the video networking network element is performed based on the first element and the second element.
In the embodiment of the present invention, before the server receives the application for developing the network service, the first element and the second element corresponding to the first element may be determined, the first identity verification information is generated according to the second element, and the first element and the first identity verification information are sent to the terminal device as the authentication challenge information on the server side, so that the terminal device performs identity authentication on the server according to the authentication challenge information on the server side. The terminal device may obtain the authentication challenge information of the server side from the second signaling to perform identity authentication on the server.
Step 202, receiving authentication challenge information of the device side sent by the terminal device, where the authentication challenge information of the device side includes third identity verification information.
The authentication challenge information may be information for initiating an identity authentication challenge, and may include third identity verification information, where the third identity verification information may be information for performing matching comparison in the process of authenticating the identity of the device, and specifically may be a third MAC value. The server may obtain third authentication information from the third signaling, where the third authentication information may be generated by the terminal device according to the first response information obtained by inputting the first element into the PUF chip. Specifically, when the identity authentication of the server passes, the terminal device may send the third signaling to the server, and the server may obtain the third MAC value from the third signaling and perform the identity authentication on the terminal device according to the third MAC value.
Step 203, generating fourth authentication information according to the second element.
In the embodiment of the present invention, after the server acquires the third authentication information sent by the terminal device, the server may generate fourth authentication information according to the second element, so as to perform authentication on the terminal device. The fourth authentication information may be information used for performing matching comparison when authenticating the identity of the device, and specifically may be a fourth MAC value.
Step 204, when the third authentication information is matched with the fourth authentication information, the authentication of the terminal device is passed.
The third identity verification information may be information used for matching and comparing when the device identity is authenticated, and specifically may be a third MAC value; the fourth authentication information may be information used for performing matching comparison in authenticating the device identity, and may be a fourth MAC value. Specifically, the server may determine whether the third MAC value and the fourth MAC value are matched, and if the third MAC value and the fourth MAC value are matched, the server determines that the identity authentication of the terminal device passes; if the third MAC value is not matched with the fourth MAC value, the identity authentication of the terminal equipment does not pass, and the terminal equipment does not apply to the server for developing network services.
When the server determines that the identity authentication of the terminal device passes, the server may send a fourth signaling to the terminal device, where the fourth signaling may include an authentication completion message, thereby ending the bidirectional identity authentication, so that the terminal device applies for the network service to be developed to the server after receiving the authentication completion message.
In the embodiment of the invention, due to the physical characteristics of the PUF chip, the third identity verification information can uniquely identify the terminal equipment, and the server can match the third identity verification information with the fourth identity verification information, so that identity authentication is performed based on the uniqueness of the terminal equipment, the security is higher, the problem of lower security of identity authentication performed based on a CA (certificate Authority) certificate is solved, and the identity authentication is performed without deploying the CA certificate, thereby being beneficial to saving project cost.
In an alternative embodiment, the step 201 may include the following substep S21:
Substep S21, determining a corresponding first element and a second element corresponding to the first element from the fingerprint database according to the device ID of the terminal device.
The fingerprint database may be a pre-established database in which the device ID of the terminal device and the corresponding fingerprint data are stored. In the embodiment of the present invention, before the server receives the application for developing the network service, the server may receive a first signaling sent by the terminal device, where the first signaling may include a device ID of the terminal device that needs to perform identity authentication, and may search and determine a corresponding first element and a second element corresponding to the first element from the fingerprint database according to the device ID of the terminal device, where the first element and the second element may be used for performing identity authentication. In this embodiment of the present invention, the fingerprint may be a second element corresponding to an element of the first element set.
In an alternative embodiment, the fingerprint database comprises a first set of elements and a second set of elements, the sub-step S21 may comprise the following sub-steps S211-S212:
Substep S211, selecting a first element from the first element set corresponding to the device ID of the terminal device.
Substep S212, selecting a second element corresponding to the first element from a second element set corresponding to the device ID of the terminal device.
Specifically, the fingerprint database may include a device ID of the terminal device, a first set of elements corresponding to the device ID of the terminal device, and a second set of elements corresponding to the device ID of the terminal device. The first element set may be a set including at least one first element, the second element set may be a set including at least one second element, and the second element may be an element corresponding to the first element.
In an example, in the process of performing identity authentication, the server may receive a first signaling sent by the terminal device, obtain a device ID of the terminal device to be authenticated from the first signaling, and query whether a device ID matching the device ID of the terminal device to be authenticated exists from the fingerprint database. If the fingerprint database does not have the equipment ID matched with the equipment ID of the terminal equipment to be authenticated, the terminal equipment is authenticated as the illegal third party terminal equipment, and the server does not accept the application of the illegal third party terminal equipment for developing the network service. In the embodiment of the invention, when identity authentication is carried out, whether the equipment ID matched with the equipment ID of the terminal equipment to be authenticated exists or not is inquired from the fingerprint database, so that the illegal terminal equipment of a third party can be detected, and the condition that a server authorizes the illegal terminal equipment of the third party to carry out network service is avoided.
If the fingerprint database has the device ID matched with the device ID of the terminal device to be authenticated, a first element set corresponding to the device ID may be searched in the fingerprint database, a first element may be selected from the first element set, and a second element corresponding to the first element may be selected from the second element set. After the first element and the second element are selected, first identity verification information can be generated according to the second element, and authentication challenge information of the server side is sent to the terminal device, wherein the authentication challenge information comprises the first element and the first identity verification information, so that the terminal device can perform identity authentication on the server.
In an optional embodiment, before generating the authentication challenge information at the server side, the method further includes: generating a plurality of random numbers as elements of a first element set, and sending the first element set to the terminal equipment; receiving a second element set sent by the terminal equipment; creating a fingerprint database from the device ID, the first set of elements, and the second set of elements.
The core switching server may assign a network address of the terminal to the terminal device, and the terminal device may input the network address into the PUF chip to obtain the device ID. The server can acquire the device ID imported in an offline mode, so that a fingerprint database is established according to the imported device ID, and identity authentication is performed on the terminal device based on the fingerprint database.
After the server receives the second element set sent by the terminal device, the server may create a fingerprint database according to the offline imported device ID, the first element set corresponding to the imported device ID, and the second element set corresponding to the first element set. In this embodiment of the present invention, the fingerprint may be a second element corresponding to an element of the first element set.
Before identity authentication, when the server acquires a new offline imported device ID, the server may query whether fingerprint data corresponding to the device ID is stored in the fingerprint database. If the fingerprint database does not have fingerprint data corresponding to the equipment ID, a plurality of random numbers are generated, the random numbers are used as elements of a first element set, and the random numbers are sequenced according to the generation sequence of the random numbers to obtain a first element set corresponding to the equipment ID.
Before determining the first element and the corresponding second element, the server may generate a plurality of random numbers as elements of the first element set, send fifth signaling to the terminal device, where the fifth signaling may include the first element set encrypted with the key information, and receive sixth signaling sent by the terminal device, where the sixth signaling may include the second element set encrypted with the key information. The key information may include a symmetric key and a distributed key, the server may perform key agreement with the terminal device to obtain the symmetric key, perform key distribution on the symmetric key using the device ID to obtain the distributed key, encrypt the first element set using the symmetric key, and perform integrity protection on the encrypted first element set using the distributed key. Specifically, after the device ID is imported into the server in an offline manner, the terminal device and the server may perform key agreement by using an SM2 elliptic curve public key cryptographic algorithm, and both negotiate a symmetric key. The server may perform KDF key dispersion on the symmetric key using the imported device ID to obtain a dispersed key.
The KDF can be used to extend the key to longer keys or to obtain the key in the desired format. Specifically, the server may perform KDF key dispersion on the symmetric key by using the imported device ID to obtain a dispersed key, encrypt the first element set by using the symmetric key, and perform integrity protection on the encrypted first element set, the user-defined data, the server ID, and the first anti-replay random number generated by the server by using the dispersed key.
The server may use a symmetric encryption algorithm with the symmetric key and the dispersed key to encrypt the first element set, and send the encrypted first element set to the terminal device. The server may use a symmetric decryption algorithm with the symmetric key and the dispersed key to decrypt the encrypted second element set received from the terminal device and obtain the second element set.
In the embodiment of the invention, before identity authentication, the fingerprint database is created in advance according to the device ID imported offline, the first element set and the second element set, and the information for authentication generated by the terminal device in the process of identity authentication can be matched with the information for authentication stored in advance to authenticate the terminal device, so that the identity authentication can be performed based on the information stored in advance, and the problem that a PKI identity authentication system cannot perform cross-domain authentication is solved.
In an optional embodiment, the method may further comprise: when the identity authentication of the terminal device passes, deleting the first element and the corresponding second element used in the identity authentication process.
In practical application, when a bidirectional identity authentication process is completed, a first element and a corresponding second element used in the process can be deleted; after the bidirectional identity authentication is completed for multiple times, the first element and the corresponding second element used in the bidirectional identity authentication processes for multiple times in the period of time can be deleted at the same time. It should be understood by those skilled in the art that the foregoing deleting manner is merely an example of the present invention, and those skilled in the art may delete the used first element and the corresponding second element by different deleting manners according to actual needs, and the present invention is not limited herein.
In the embodiment of the invention, when the server determines that the third identity authentication information matches the fourth identity authentication information, and therefore that the identity authentication of the terminal device passes, the server can delete the first element used in the authentication and the second element corresponding to it. This ensures security by preventing an illegitimate third-party terminal device from using an already used first element and second element to send an illegitimate request to the server and thereby obtain authorization from the server to carry out network services.
It should be understood by those skilled in the art that the foregoing deletion of the used first element and the corresponding second element is merely an example of the present invention, and in practical applications, those skilled in the art may also avoid selecting the used first element when performing identity authentication again by setting the used first element and the corresponding second element to a disabled state, hiding the used first element and the corresponding second element, and the present invention is not limited herein.
In an optional embodiment, the method may further comprise: if the number of elements in the first element set and the second element set is smaller than a preset number threshold, supplementing the elements in the first element set and the second element set.
In the embodiment of the present invention, since the elements of the first element set and the elements of the second element set are deleted each time the terminal device performs identity authentication, it may be determined whether the number of the elements in the first element set and the second element set corresponding to the device ID is smaller than a preset number threshold. If the number of the elements in the first element set and the second element set corresponding to the device ID is smaller than a preset number threshold, the elements in the first element set and the second element set are supplemented, so that the terminal device can perform identity authentication by using the elements in the first element set and the elements in the second element set, and the problem that the number of the elements is too small to select the elements for performing identity authentication is avoided.
In an optional embodiment, the method may further comprise: encrypting the second element and the terminal device side information to obtain the first identity verification information.
Before the terminal device applies to carry out a network service, identity authentication may be performed: the terminal device may send a first signaling to the server, where the first signaling may include device-side information of the terminal device that needs to perform identity authentication, and the server may obtain the terminal-device-side information from the first signaling.
The terminal equipment side information can be equipment side information of the terminal equipment needing identity authentication; the first identity verification information may be information used for matching and comparing in server identity authentication, and may be a first MAC value. Specifically, the server may encrypt the second element and the terminal device side information to obtain the first MAC value.
In an alternative embodiment, the terminal device side information may include a device ID and/or a first anti-replay random number.
The terminal device side information may be device side information of a terminal device that needs to perform identity authentication, and specifically may include a device ID and/or a first anti-replay random number. For example, the server may generate a first anti-replay random number, and encrypt the first anti-replay random number, the second element, and the device ID to obtain the first authentication information. Specifically, the server may generate a first anti-replay random number, and generate a first MAC value according to the first anti-replay random number, the second element, and the device ID, where the first MAC value may be used for the terminal device to perform identity authentication on the server.
In an alternative embodiment, the step 203 may comprise: encrypting the second element and the server side information to obtain fourth identity authentication information.
The server side information can be information of a server needing identity authentication; the fourth authentication information may be information used for matching and comparing in the device authentication, and may be a fourth MAC value. Specifically, the server may encrypt the second element and the server-side information to obtain a fourth MAC value.
In an alternative embodiment, the server-side information may include a server ID and/or a second anti-replay random number.
The server-side information may be information of a server that needs to perform identity authentication, and specifically may include a server ID and/or a second anti-replay random number. For example, the server may receive the second anti-replay random number sent by the terminal device, and encrypt the second element, the server ID, and the second anti-replay random number to obtain the fourth authentication information. Specifically, the server may receive a third signaling sent by the terminal device, acquire from the third signaling the second anti-replay random number and the third MAC value generated by the terminal device, and generate a fourth MAC value according to the second element, the server ID, and the second anti-replay random number. The third MAC value may be generated by the terminal device from the server ID, the second anti-replay random number, and the first response value that the PUF chip of the terminal device generates based on the first element.
Before identity authentication, the PUF chip is arranged on the terminal equipment, the fingerprint database is created in advance based on the second response information output by the PUF chip, identity authentication information generated by the terminal equipment according to the first response information in the identity authentication process can be matched with the identity authentication information generated according to the prestored second response information, and bidirectional identity authentication is carried out on the server and the terminal equipment, so that the identity authentication is carried out under the condition that a CA certificate is not required to be deployed so as to save project cost, equipment in a network is ensured to be real or legally authorized so as to improve system safety, and the identity authentication can be carried out based on the stored information so as to avoid the problem that a PKI identity authentication system cannot carry out cross-domain authentication.
In order to enable those skilled in the art to better understand the embodiment of the present invention, the following description takes a video network element as an example of the terminal device of the embodiment of the present invention:
(1) Creating a preset fingerprint library of the video network element at a video network server:
the video network element inputs its video network address into its PUF chip to obtain the video network element ID, $\mathrm{ID}_A$;
the video network element ID $\mathrm{ID}_A$ is imported into the video network server in an offline manner;
key agreement is carried out between the video network element and the video network server to obtain a symmetric key DEK; the video network element and the video network server each use the video network element ID $\mathrm{ID}_A$ to perform KDF key dispersion on the symmetric key DEK to obtain a dispersed key DEKmac;
the video network server queries the fingerprint database according to the video network element ID $\mathrm{ID}_A$; if the fingerprint database has no fingerprint information corresponding to $\mathrm{ID}_A$, the server generates a plurality of random numbers as the first sequence $(s_1, s_2, \ldots, s_n)$ corresponding to $\mathrm{ID}_A$;
the video network server protects $(s_1, s_2, \ldots, s_n)$ with DEK and DEKmac to obtain signaling (1): $\mathrm{Info} \| \mathrm{ID}_B \| R_B \| E_S(\mathrm{DEK}, (s_1, s_2, \ldots, s_n)) \| \mathrm{MAC}(\mathrm{DEKmac}, \mathrm{msg1})$, where $\mathrm{msg1} = \mathrm{Info} \| \mathrm{ID}_B \| R_B \| E_S(\mathrm{DEK}, (s_1, s_2, \ldots, s_n))$, and sends signaling (1) to the video network element; here Info represents user-defined data, $\mathrm{ID}_B$ represents the video network server ID, $R_B$ represents the first anti-replay random number generated by the video network server, $E_S(\mathrm{DEK}, (s_1, s_2, \ldots, s_n))$ represents encrypting $(s_1, s_2, \ldots, s_n)$ with DEK using a symmetric algorithm, and $\mathrm{MAC}(\mathrm{DEKmac}, \mathrm{msg1})$ represents generating a message authentication code for msg1 with DEKmac using a MAC algorithm;
the video network element generates a second sequence $(r_1, r_2, \ldots, r_n)$ from $(s_1, s_2, \ldots, s_n)$ through the PUF chip, and protects $(r_1, r_2, \ldots, r_n)$ with DEK and DEKmac to obtain signaling (2): $\mathrm{Info} \| \mathrm{ID}_A \| R_A \| \mathrm{ID}_B \| R_B \| E_S(\mathrm{DEK}, (r_1, r_2, \ldots, r_n)) \| \mathrm{MAC}(\mathrm{DEKmac}, \mathrm{msg2})$, where $\mathrm{msg2} = \mathrm{Info} \| \mathrm{ID}_A \| R_A \| \mathrm{ID}_B \| R_B \| E_S(\mathrm{DEK}, (r_1, r_2, \ldots, r_n))$, and sends signaling (2) to the video network server; here $R_B$ represents the first anti-replay random number generated by the video network server, $E_S(\mathrm{DEK}, (r_1, r_2, \ldots, r_n))$ represents encrypting $(r_1, r_2, \ldots, r_n)$ with DEK using a symmetric algorithm, and $\mathrm{MAC}(\mathrm{DEKmac}, \mathrm{msg2})$ represents generating a message authentication code for msg2 with DEKmac using a MAC algorithm;
the video network server stores $\mathrm{ID}_A$, $(s_1, s_2, \ldots, s_n)$ and $(r_1, r_2, \ldots, r_n)$ into the preset fingerprint database, which completes the creation of the fingerprint database for the video network element, and sends signaling (3) to the video network element: $\mathrm{Info} \| \mathrm{ID}_A \| R_A \| E_S(\mathrm{DEK}, \mathrm{Finish}) \| \mathrm{MAC}(\mathrm{DEKmac}, \mathrm{msg3})$, where $\mathrm{msg3} = \mathrm{Info} \| \mathrm{ID}_A \| R_A \| E_S(\mathrm{DEK}, \mathrm{Finish})$.
(2) Identity authentication is carried out before the video network element applies to the video network server to carry out a video network service:
the video network element sends signaling (4) to the video network server: $\mathrm{Info} \| \mathrm{ID}_A \| R_A \| E_S(\mathrm{DEK}, \mathrm{ID}_A) \| \mathrm{MAC}(\mathrm{DEKmac}, \mathrm{msg4})$, where $\mathrm{msg4} = \mathrm{Info} \| \mathrm{ID}_A \| R_A \| E_S(\mathrm{DEK}, \mathrm{ID}_A)$;
the video network server queries the preset fingerprint database according to $\mathrm{ID}_A$; if $\mathrm{ID}_A$ exists in the preset fingerprint database, the server randomly selects an element $s_i$ from $(s_1, s_2, \ldots, s_n)$, finds the corresponding element $r_i$ in $(r_1, r_2, \ldots, r_n)$ according to $s_i$, and generates a first MAC value $A$ according to $\mathrm{ID}_A$, $R_B$ and $r_i$; the server protects $s_i$ and $A$ with DEK and DEKmac, and obtains and sends signaling (5) to the video network element: $\mathrm{Info} \| \mathrm{ID}_A \| \mathrm{ID}_B \| R_A \| R_B \| E_S(\mathrm{DEK}, s_i \| A) \| \mathrm{MAC}(\mathrm{DEKmac}, \mathrm{msg5})$, where $\mathrm{msg5} = \mathrm{Info} \| \mathrm{ID}_A \| \mathrm{ID}_B \| R_A \| R_B \| E_S(\mathrm{DEK}, s_i \| A)$;
the video network element receives signaling (5), generates the response value $x$ of $s_i$ through the PUF chip, and generates a second MAC value $A'$ according to $\mathrm{ID}_A$, $R_B$ and $x$; if $A$ is consistent with $A'$, the video network element's identity authentication of the video network server passes;
the video network element generates a third MAC value $B$ according to $\mathrm{ID}_B$, $R_A$ and $x$, protects $B$ with DEK and DEKmac, and obtains and sends signaling (6) to the video network server: $\mathrm{Info} \| \mathrm{ID}_B \| \mathrm{ID}_A \| R_B \| R_A \| E_S(\mathrm{DEK}, B) \| \mathrm{MAC}(\mathrm{DEKmac}, \mathrm{msg6})$, where $\mathrm{msg6} = \mathrm{Info} \| \mathrm{ID}_B \| \mathrm{ID}_A \| R_B \| R_A \| E_S(\mathrm{DEK}, B)$;
the video network server receives signaling (6) and generates the third MAC value $B'$ according to $\mathrm{ID}_B$, $R_A$ and $r_i$; if $B$ is consistent with $B'$, the video network server's identity authentication of the video network element passes, and the server sends signaling (7) to the video network element: $\mathrm{Info} \| E_S(\mathrm{DEK}, \mathrm{Finish})$, completing the bidirectional identity authentication between the video network server and the video network element.
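The MAC exchange of signaling (4) to (7), together with the deletion and replenishment rules described earlier, is shown below as an added Python example that is not part of the patent. Assumptions: HMAC-SHA256 keyed with the PUF response stands in for the unnamed MAC algorithm, `SimulatedPUF` is a software stand-in for the PUF chip, the outer E_S(DEK, ...) encryption and MAC(DEKmac, ...) envelope are omitted, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets


def mac(key: bytes, *fields: bytes) -> bytes:
    # Assumed MAC: HMAC-SHA256 over length-prefixed fields, keyed with the PUF response.
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


class SimulatedPUF:
    """Software stand-in for the PUF chip (assumption): a real PUF derives its
    response from silicon variation and holds no stored secret."""

    def __init__(self) -> None:
        self._device_unique = secrets.token_bytes(32)

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._device_unique, challenge, hashlib.sha256).digest()


class Device:
    def __init__(self, id_a: bytes) -> None:
        self.id_a = id_a
        self.puf = SimulatedPUF()

    def enroll(self, challenges):
        # Signaling (2): return (r_1..r_n) for the received (s_1..s_n).
        return [self.puf.respond(s) for s in challenges]

    def answer(self, id_b: bytes, r_a: bytes, r_b: bytes, s_i: bytes, a: bytes):
        # Signaling (5) -> (6): check A' == A, then return B, or None on mismatch.
        x = self.puf.respond(s_i)
        if not hmac.compare_digest(a, mac(x, self.id_a, r_b)):
            return None
        return mac(x, id_b, r_a)


class Server:
    def __init__(self, id_b: bytes, threshold: int) -> None:
        self.id_b = id_b
        self.threshold = threshold      # preset number threshold
        self.fingerprints = {}          # ID_A -> {s_i: r_i}
        self.sessions = {}              # ID_A -> (s_i, r_i, R_A)

    def provision(self, device: Device, n: int) -> None:
        # Signaling (1)-(3): generate n random challenges and store the responses.
        challenges = [secrets.token_bytes(16) for _ in range(n)]
        pairs = dict(zip(challenges, device.enroll(challenges)))
        self.fingerprints.setdefault(device.id_a, {}).update(pairs)

    def challenge(self, id_a: bytes, r_a: bytes):
        # Signaling (4) -> (5): pick an unused s_i and compute A from ID_A, R_B, r_i.
        pairs = self.fingerprints.get(id_a)
        if not pairs:
            raise LookupError("no unused fingerprint for this device ID")
        s_i = secrets.choice(list(pairs))
        r_i = pairs[s_i]
        r_b = secrets.token_bytes(16)
        self.sessions[id_a] = (s_i, r_i, r_a)
        return r_b, s_i, mac(r_i, id_a, r_b)

    def verify(self, id_a: bytes, b: bytes) -> bool:
        # Signaling (6) -> (7): compute B' from ID_B, R_A, r_i and compare with B.
        session = self.sessions.pop(id_a, None)
        if session is None:
            return False
        s_i, r_i, r_a = session
        if not hmac.compare_digest(b, mac(r_i, self.id_b, r_a)):
            return False
        del self.fingerprints[id_a][s_i]    # one-time use: delete the used pair
        return True

    def remaining(self, id_a: bytes) -> int:
        return len(self.fingerprints.get(id_a, {}))

    def needs_replenish(self, id_a: bytes) -> bool:
        return self.remaining(id_a) < self.threshold


def authenticate(server: Server, device: Device, claimed_id: bytes):
    """Run signaling (4)-(7); return (passed, R_A, B) so a caller can inspect B."""
    r_a = secrets.token_bytes(16)
    r_b, s_i, a = server.challenge(claimed_id, r_a)
    b = device.answer(server.id_b, r_a, r_b, s_i, a)
    if b is None:
        server.sessions.pop(claimed_id, None)
        return False, r_a, None
    return server.verify(claimed_id, b), r_a, b


def replay_old_answer(server: Server, id_a: bytes, old_r_a: bytes, old_b: bytes) -> bool:
    """Resend a captured (R_A, B) in a new session; expected to be rejected."""
    server.challenge(id_a, old_r_a)
    return server.verify(id_a, old_b)
```

Because each used pair is deleted after a successful run, a captured B cannot validate against the pair chosen for a later session, and `needs_replenish` indicates when the provisioning step has to be repeated.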
It should be noted that, for simplicity of description, the method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the illustrated order of acts, as some steps may occur in other orders or concurrently in accordance with the embodiments of the present invention. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred and that no particular act is required to implement the invention.
Referring to fig. 3, a block diagram of an identity authentication apparatus provided in an embodiment of the present invention is shown, and is applied to a terminal device, where the terminal device includes a PUF chip, and the apparatus may specifically include:
a receiving module 301, configured to receive authentication challenge information on a server side, where the authentication challenge information at least includes a first element and a first MAC value;
a generating module 302, configured to determine first response information corresponding to the first element, and generate second identity verification information according to the first response information, where the first response information is generated by a PUF chip of the terminal device;
an authentication module 303, configured to determine, according to the first response information, authentication challenge information of the local device side when the first identity verification information matches the second identity verification information, and send the authentication challenge information of the local device side to the server, so that the server performs identity authentication on the terminal device.
In an optional embodiment, before receiving the authentication challenge information at the server side, the method further includes:
the first element set receiving module is used for receiving a first element set sent by the server;
the PUF chip is used for generating corresponding second response information according to the elements of the first element set and using the second response information as the elements of the second element set;
a second element set sending module, configured to send a second element set to the server, so that the server creates a fingerprint database based on the first element set and the second element set; wherein the first element is selected by the server from a first set of elements of the fingerprint database.
In an optional embodiment, the generating module includes:
and the second authentication information submodule is used for encrypting the first response information and the terminal equipment side information to obtain the second identity authentication information.
In an optional embodiment, the terminal device side information includes a device ID and/or a first anti-replay random number.
In an optional embodiment, the authentication module includes:
and the challenge information determining submodule is used for encrypting the first response information and the server side information to obtain authentication challenge information of the equipment side.
In an alternative embodiment, the server-side information includes a server ID and/or a second anti-replay random number.
The method and the device have the advantages that the PUF chip is arranged on the terminal device, the first element sent by the server is input into the PUF chip to obtain the corresponding first response information, the second identity authentication information and the third identity authentication information are obtained based on the first response information, the identity authentication information generated in the authentication process of the terminal device is matched with the identity authentication information generated by the server to carry out bidirectional identity authentication on the server and the terminal device, so that the identity authentication is carried out under the condition that a CA certificate is not required to be deployed to save project cost, the fact that the device in the network is real or legally authorized to improve system safety is ensured, and the identity authentication can be carried out based on the stored information to avoid the problem that a PKI identity authentication system cannot carry out cross-domain authentication.
Referring to fig. 4, a block diagram of another identity authentication apparatus provided in the embodiment of the present invention is shown, and is applied to a server, and specifically includes the following modules:
a challenge information determining module 401, configured to generate authentication challenge information at a server side, and send the authentication challenge information at the server side to a terminal device, so that the terminal device performs identity authentication on the server; the authentication challenge information of the server side at least comprises a first element and first identity verification information, and the first identity verification information is generated according to the second element;
a verification information receiving module 402, configured to receive authentication challenge information of a device side sent by the terminal device, where the authentication challenge information of the device side includes third identity verification information;
a verification information generating module 403, configured to generate fourth identity verification information according to the second element;
and the device authentication module 404 is configured to, when the third authentication information matches the fourth authentication information, pass the authentication of the terminal device.
In an optional embodiment, the challenge information determining module includes:
and the element selection submodule is used for determining a corresponding first element and a second element corresponding to the first element from the fingerprint database according to the equipment ID of the terminal equipment.
In an alternative embodiment, the fingerprint database includes a first element set and a second element set, and the element selection sub-module includes:
a first element selection unit, configured to select a first element from a first element set corresponding to a device ID of a terminal device;
and the second element selecting unit is used for selecting a second element corresponding to the first element from a second element set corresponding to the equipment ID of the terminal equipment.
In an optional embodiment, further comprising:
a first element set sending module, configured to generate multiple random numbers as elements of a first element set, and send the first element set to the terminal device;
a second element set receiving module, configured to receive a second element set sent by the terminal device;
and the database creating module is used for creating a fingerprint database according to the equipment ID corresponding to the terminal equipment, the first element set and the second element set.
In an optional embodiment, further comprising:
and the deleting module is used for deleting the used first element and the corresponding second element in the identity authentication process when the identity authentication of the terminal equipment passes.
In an optional embodiment, the method further comprises:
and the supplementing module is used for supplementing the elements in the first element set and the second element set if the number of the elements in the first element set and the second element set is less than a preset number threshold.
In an optional embodiment, further comprising:
and the first verification information generation module is used for encrypting the second element and the terminal equipment side information to obtain the first identity verification information.
In an optional embodiment, the terminal device side information includes a device ID and/or a first anti-replay random number.
In an optional embodiment, the verification information generating module includes:
and the fourth verification information generation submodule is used for encrypting the second element and the server side information to obtain fourth identity verification information.
In an alternative embodiment, the server-side information includes a server ID and/or a second anti-replay random number.
Before identity authentication, the PUF chip is arranged on the terminal equipment, the fingerprint database is created in advance based on the second response information output by the PUF chip, identity authentication information generated by the terminal equipment according to the first response information in the identity authentication process can be matched with identity authentication information generated according to the second response information stored in advance, and bidirectional identity authentication is carried out on the server and the terminal equipment, so that identity authentication is carried out under the condition that a CA certificate is not required to be deployed so as to save project cost, equipment in a network is ensured to be real or legally authorized so as to improve system safety, and identity authentication can be carried out based on stored information so as to avoid the problem that a PKI identity authentication system cannot carry out cross-domain authentication.
For the device embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, refer to the partial description of the method embodiment.
An embodiment of the present invention further provides an electronic device, including:
a processor, a memory, and a computer program that is stored on the memory and can run on the processor, wherein when the computer program is executed by the processor, each process of the above identity authentication method embodiment is implemented and the same technical effect can be achieved; to avoid repetition, details are not repeated here.
The embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when being executed by a processor, the computer program implements each process of the above-mentioned embodiment of the identity authentication method, and can achieve the same technical effect, and in order to avoid repetition, details are not repeated here.
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Embodiments of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications of these embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the embodiments of the invention.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of another identical element in a process, method, article, or terminal apparatus that comprises the element.
The identity authentication method and device provided by the invention are introduced in detail, and the principle and the implementation mode of the invention are explained by applying specific examples, and the description of the embodiments is only used for helping to understand the method and the core idea of the invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (20)

1. An identity authentication method is applied to a terminal device, wherein the terminal device comprises a PUF chip, and the method comprises the following steps:
receiving authentication challenge information of a server side, wherein the authentication challenge information at least comprises a first element and first identity verification information;
determining first response information corresponding to the first element, and generating second identity verification information according to the first response information, wherein the first response information is generated by a PUF (physical unclonable function) chip of the terminal equipment;
and when the first identity verification information is matched with the second identity verification information, determining authentication challenge information of the equipment side according to the first response information, and sending the authentication challenge information of the equipment side to the server so that the server performs identity authentication on the terminal equipment.
2. The method of claim 1, further comprising, prior to receiving the authentication challenge information at the server side:
receiving a first element set sent by the server;
generating corresponding second response information according to the elements of the first element set through the PUF chip, and using the second response information as the elements of a second element set;
sending a second element set to the server to cause the server to create a fingerprint database based on the first element set and the second element set; wherein the first element is selected by the server from a first set of elements of the fingerprint database.
3. The method according to claim 1 or 2, wherein the generating second identity verification information according to the first response information comprises:
encrypting the first response information and the terminal device side information to obtain the second identity verification information.
4. The method according to claim 3, wherein the terminal device side information comprises a device ID and/or a first anti-replay random number.
5. The method according to claim 1 or 2, wherein the determining the authentication challenge information of the device side according to the first response information comprises:
encrypting the first response information and the server side information to obtain the authentication challenge information of the device side.
6. The method according to claim 5, wherein the server side information comprises a server ID and/or a second anti-replay random number.
7. An identity authentication method applied to a server, the method comprising:
generating authentication challenge information of a server side, and sending the authentication challenge information of the server side to a terminal device, so that the terminal device performs identity authentication on the server; the authentication challenge information of the server side at least comprises a first element and first identity verification information, and the first identity verification information is generated according to the second element;
receiving authentication challenge information of a device side sent by the terminal device, wherein the authentication challenge information of the device side comprises third identity verification information;
generating fourth identity verification information according to the second element;
and when the third identity verification information matches the fourth identity verification information, determining that the identity authentication of the terminal device passes.
8. The method of claim 7, wherein generating server-side authentication challenge information comprises:
determining, from the fingerprint database, a corresponding first element and a second element corresponding to the first element according to the device ID of the terminal device.
9. The method of claim 8, wherein the fingerprint database comprises a first element set and a second element set, and wherein determining a corresponding first element and a second element corresponding to the first element according to the device ID of the terminal device comprises:
selecting a first element from the first element set corresponding to the device ID of the terminal device;
and selecting a second element corresponding to the first element from the second element set corresponding to the device ID of the terminal device.
10. The method of claim 7, further comprising, prior to generating the server-side authentication challenge information:
generating a plurality of random numbers as elements of a first element set, and sending the first element set to the terminal device;
receiving a second element set sent by the terminal device;
and creating a fingerprint database according to the device ID corresponding to the terminal device, the first element set and the second element set.
11. The method of claim 7, further comprising:
when the identity authentication of the terminal device passes, deleting the first element and the corresponding second element used in the identity authentication process.
12. The method of claim 10, further comprising:
if the number of elements in the first element set and the second element set is smaller than a preset number threshold, supplementing the elements in the first element set and the second element set.
13. The method of claim 7, further comprising:
encrypting the second element and the terminal device side information to obtain the first identity verification information.
14. The method according to claim 13, wherein the terminal device side information comprises a device ID and/or a first anti-replay random number.
15. The method of claim 7, wherein generating fourth identity verification information according to the second element comprises:
encrypting the second element and the server side information to obtain the fourth identity verification information.
16. The method according to claim 15, wherein the server side information comprises a server ID and/or a second anti-replay random number.
17. An identity authentication apparatus, applied to a terminal device, the terminal device including a PUF chip, the apparatus comprising:
a receiving module, configured to receive authentication challenge information of a server side, wherein the authentication challenge information at least comprises a first element and first identity verification information;
a generating module, configured to determine first response information corresponding to the first element, and generate second identity verification information according to the first response information, wherein the first response information is generated by the PUF chip of the terminal device;
and a matching module, configured to determine authentication challenge information of the device side according to the first response information when the first identity verification information matches the second identity verification information, and send the authentication challenge information of the device side to the server, so that the server performs identity authentication on the terminal device.
18. An identity authentication device applied to a server, the identity authentication device comprising:
a challenge information generating module, configured to generate authentication challenge information of a server side and send the authentication challenge information of the server side to a terminal device, so that the terminal device performs identity authentication on the server; the authentication challenge information of the server side at least comprises a first element and first identity verification information, and the first identity verification information is generated according to the second element;
a verification information receiving module, configured to receive authentication challenge information of a device side sent by the terminal device, wherein the authentication challenge information of the device side comprises third identity verification information;
a verification information generating module, configured to generate fourth identity verification information according to the second element;
and a device identity authentication module, configured to pass the identity authentication of the terminal device when the third identity verification information matches the fourth identity verification information.
19. An electronic device, comprising: a processor, a memory, and a computer program stored on the memory and executable on the processor, wherein the computer program, when executed by the processor, implements the steps of the identity authentication method as claimed in any one of claims 1-6 or 7-16.
20. A computer-readable storage medium, on which a computer program is stored which, when executed by a processor, carries out the steps of the identity authentication method according to any one of claims 1-6 or 7-16.
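The exchange recited in claims 1, 2, 7, 10 and 11, with both sides' messages, as an added example that is not code from the patent. Assumptions: the PUF is simulated by HMAC over a per-device secret, HMAC-SHA256 keyed by the response stands in for the claims' unspecified "encrypting" step, the device chooses the first anti-replay random number and the server the second, and all class and method names are hypothetical.

```python
import hashlib
import hmac
import secrets

def tag(key, *parts):
    # HMAC-SHA256 stands in for the claims' unspecified "encrypting" step.
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

class Device:
    def __init__(self, device_id):
        self.device_id = device_id
        self._silicon = secrets.token_bytes(32)  # simulated PUF entropy (assumption)

    def puf(self, element):  # element (challenge) -> response information
        return hmac.new(self._silicon, element, hashlib.sha256).digest()

    def hello(self):
        self._nonce1 = secrets.token_bytes(16)  # first anti-replay random number
        return self.device_id, self._nonce1

    def respond(self, first_element, first_info, server_id, nonce2):
        response = self.puf(first_element)  # first response information
        second_info = tag(response, self.device_id, self._nonce1)
        if not hmac.compare_digest(first_info, second_info):
            return None  # server failed to prove it holds the enrolled response
        return tag(response, server_id, nonce2)  # device-side challenge information

class Server:
    def __init__(self, server_id):
        self.server_id, self.fingerprints, self._pending = server_id, {}, {}

    def enroll(self, device, count=4):  # claims 2 and 10, over a trusted channel
        first_set = [secrets.token_bytes(16) for _ in range(count)]
        self.fingerprints[device.device_id] = {e: device.puf(e) for e in first_set}

    def challenge(self, device_id, nonce1):
        first_element, second_element = next(iter(self.fingerprints[device_id].items()))
        nonce2 = secrets.token_bytes(16)  # second anti-replay random number
        self._pending[device_id] = (first_element, nonce2)
        return first_element, tag(second_element, device_id, nonce1), self.server_id, nonce2

    def verify(self, device_id, third_info):
        first_element, nonce2 = self._pending.pop(device_id)
        second_element = self.fingerprints[device_id][first_element]
        fourth_info = tag(second_element, self.server_id, nonce2)
        ok = third_info is not None and hmac.compare_digest(third_info, fourth_info)
        if ok:
            del self.fingerprints[device_id][first_element]  # claim 11: use each pair once
        return ok
```

A device with the same ID but different silicon rejects the server's challenge and cannot produce a valid reply, and a failed attempt leaves the stored pairs untouched.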
CN202210934275.7A 2022-08-04 2022-08-04 Identity authentication method and device Pending CN115459918A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210934275.7A CN115459918A (en) 2022-08-04 2022-08-04 Identity authentication method and device

Publications (1)

Publication Number Publication Date
CN115459918A true CN115459918A (en) 2022-12-09

Family

ID=84297103

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210934275.7A Pending CN115459918A (en) 2022-08-04 2022-08-04 Identity authentication method and device

Country Status (1)

Country Link
CN (1) CN115459918A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115694843A (en) * 2022-12-29 2023-02-03 浙江宇视科技有限公司 Camera access management method, system, device and medium for avoiding counterfeiting

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination