CN115643022A - Equipment authentication generation method and equipment product - Google Patents


Publication number: CN115643022A
Application number: CN202211240294.6A
Authority: CN (China)
Prior art keywords: certificate, equipment, product, manufacturer, signature
Legal status: Pending (the legal status is an assumption by Google, not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 张旭, 夏渊, 卜勤练, 江华峰
Original assignee and current assignee: Accelink Technologies Co Ltd (as listed by Google; the list may be inaccurate)

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention relates to the field of communications technology and provides a device authentication generation method and a device product. The method comprises the following steps: the device manufacturer obtains a device manufacturer certificate issued by the consuming user; the device manufacturer also obtains the device identifier of a device product, signs the second certificate body with the device manufacturer private key to obtain a second certificate signature, and generates a device certificate from the second certificate body and the second certificate signature; the device certificate and the device private key are burned into a storage area of the device product; the consuming user transmits the user certificate to the host, and the host completes the authentication of the device product. Because the device manufacturer certificate and the device certificate are generated through the interaction of the consuming user, the device manufacturer and the device product, a device product is authenticated when it is inserted into the host and tampered or illegitimate device products are identified, ensuring the legitimacy and safety of the device product and the overall security of the communication network.

Description

Equipment authentication generation method and equipment product
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a device authentication generation method and a device product.
Background
In an optical transmission rack system, more and more pluggable modules are used as data centers grow (for example, pluggable optical modules in SFP, QSFP-DD or OSFP packages). Because the modules are pluggable, they can be unplugged and replaced; if a module in the chassis is replaced by a pluggable device built to steal confidential data or to disrupt communications, the security of the entire communication network is at stake.
In view of the above, overcoming the drawbacks of the prior art is an urgent problem in the art.
Disclosure of Invention
The technical problem the invention aims to solve is that existing pluggable equipment can be unplugged and replaced, which creates a security problem.
In a first aspect, the present invention provides a device authentication generation method involving at least a device manufacturer, a consuming user and a device product, wherein the device product is produced by the device manufacturer. The authentication generation comprises:
the device manufacturer obtaining a device manufacturer certificate issued by the consuming user; the device manufacturer certificate consists of a first certificate body and a first certificate signature, the first certificate body consists of a device manufacturer identifier and the device manufacturer public key of the device manufacturer key pair, and the first certificate signature is obtained by the consuming user issuing (signing) the first certificate body with the user certificate;
the device manufacturer also obtaining the device identifier of a device product, forming a second certificate body from the device manufacturer certificate, the device identifier of the device product and the device public key of the device key pair, signing the second certificate body with the device manufacturer private key of the device manufacturer key pair to obtain a second certificate signature, and generating the device certificate from the second certificate body and the second certificate signature;
burning the device certificate and the device private key of the device key pair into a storage area of the device product; the consuming user transmitting the user certificate to the host, so that the host in which the device product is installed completes the authentication of the device product.
Preferably, the host in which the device product is installed completes the authentication of the device product as follows:
the host obtains the device manufacturer certificate from the device certificate, obtains the first certificate signature from the device manufacturer certificate, and verifies the validity of the first certificate signature with the user certificate;
after the first certificate signature is verified, the host obtains the device manufacturer public key of the device manufacturer key pair from the device manufacturer certificate, obtains the second certificate signature from the device certificate, and verifies the validity of the second certificate signature with the device manufacturer public key;
after the second certificate signature is verified, the host obtains the device public key of the device key pair from the device certificate and verifies whether the device public key matches the device private key in the storage area of the device product; if they match, the authentication of the device product is complete.
Preferably, verifying whether the device public key matches the device private key in the storage area of the device product specifically includes:
the host sends a freshly generated random number to the device product and obtains the result of the device product encrypting (that is, signing) the random number with the device private key;
the host decrypts (verifies) that result with the device public key and checks whether the decrypted result is consistent with the random number;
if the decrypted result is consistent with the random number, the device public key is verified to match the device private key.
Preferably, verifying the validity of the first certificate signature with the user certificate specifically includes:
the host obtains the first certificate body from the device manufacturer certificate and issues the first certificate body with the user certificate to obtain an issuing result;
the host checks whether the issuing result is consistent with the first certificate signature, and if so, the first certificate signature is verified as valid. (This re-issue-and-compare check presupposes that issuing is deterministic and that the host holds the same user certificate the consuming user issued with; it fits the shared-secret form of the user certificate described in Example 1, whereas a public-key signature is verified with the user public key instead.)
Preferably, the equipment product comprises at least one of pluggable optical module equipment, on-chip storage space of a chip and other pluggable devices suitable for the blade server; wherein the pluggable optical module device comprises at least one of an SFP package, a QSFP-DD package and an OSFP packaged optical module.
In a second aspect, the present invention further provides a device authentication generation method involving at least a device manufacturer, a consuming user and a device product, wherein the device product is produced by the device manufacturer. The authentication generation comprises:
the device manufacturer obtaining a device manufacturer certificate issued by the consuming user; the device manufacturer certificate consists of a first certificate body and a first certificate signature, the first certificate body consists of a device manufacturer identifier and the device manufacturer public key of the device manufacturer key pair, and the first certificate signature is obtained by the consuming user issuing the first certificate body with the user certificate;
the device manufacturer also obtaining the device identifier of a device product, forming a second certificate body from the device identifier of the device product and the device public key of the device key pair, signing the second certificate body with the device manufacturer private key of the device manufacturer key pair to obtain a second certificate signature, and generating the device certificate from the second certificate body and the second certificate signature;
burning the device certificate and the device private key of the device key pair into a storage area of the device product; the consuming user transmitting the user certificate and the device manufacturer certificate to the host, so that the host in which the device product is installed completes the authentication of the device product.
Preferably, the host in which the device product is installed completes the authentication of the device product as follows:
the host obtains the first certificate signature from the device manufacturer certificate and verifies its validity with the user certificate;
after the first certificate signature is verified, the host obtains the device manufacturer public key of the device manufacturer key pair from the device manufacturer certificate, obtains the second certificate signature from the device certificate, and verifies the validity of the second certificate signature with the device manufacturer public key;
after the second certificate signature is verified, the host obtains the device public key of the device key pair from the device certificate and verifies whether the device public key matches the device private key in the storage area of the device product; if they match, the authentication of the device product is complete.
Preferably, verifying whether the device public key matches the device private key in the storage area of the device product specifically includes:
the host sends a freshly generated random number to the device product and obtains the result of the device product encrypting (signing) the random number with the device private key;
the host decrypts (verifies) that result with the device public key and checks whether the decrypted result is consistent with the random number;
if the decrypted result is consistent with the random number, the device public key is verified to match the device private key.
Preferably, verifying the validity of the first certificate signature with the user certificate specifically includes:
the host obtains the first certificate body from the device manufacturer certificate and issues the first certificate body with the user certificate to obtain an issuing result;
the host checks whether the issuing result is consistent with the first certificate signature, and if so, the first certificate signature is verified as valid.
In a third aspect, the present invention further provides a device product, which is produced by a device manufacturer and in whose storage area a device certificate and the device private key of a device key pair are written, the device certificate and device key pair being generated by the device authentication generation method of the first or second aspect.
In a fourth aspect, the present invention further provides a device authentication generating apparatus for implementing the device authentication generation method of the first or second aspect, comprising:
at least one processor; and a memory communicatively coupled to the at least one processor, the memory storing instructions executable by the at least one processor for performing the device authentication generation method of the first or second aspect.
In a fifth aspect, the present invention further provides a non-transitory computer storage medium storing computer-executable instructions which, when executed by one or more processors, perform the device authentication generation method of the first or second aspect.
The invention generates the device manufacturer certificate and the device certificate through the interaction of the consuming user, the device manufacturer and the device product, so that a device product is authenticated when it is inserted into the host and tampered or illegitimate device products are identified, ensuring the legitimacy and safety of the device product and the overall security of the communication network.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required to be used in the embodiments of the present invention will be briefly described below. It is obvious that the drawings described below are only some embodiments of the invention, and that for a person skilled in the art, other drawings can be derived from them without inventive effort.
Fig. 1 is a schematic flowchart of a device authentication generation method according to an embodiment of the present invention;
fig. 2 is a schematic diagram of a device authentication generation method according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a device certificate according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a device certificate according to an embodiment of the present invention;
fig. 5 is a flowchart illustrating a device authentication generation method according to an embodiment of the present invention;
fig. 6 is a schematic diagram of a device authentication generation method according to an embodiment of the present invention;
fig. 7 is a flowchart illustrating a device authentication generation method according to an embodiment of the present invention;
fig. 8 is a flowchart illustrating a device authentication generation method according to an embodiment of the present invention;
fig. 9 is a flowchart illustrating a device authentication generation method according to an embodiment of the present invention;
fig. 10 is a schematic structural diagram of a device certificate according to an embodiment of the present invention;
fig. 11 is a flowchart illustrating a device authentication generation method according to an embodiment of the present invention;
fig. 12 is a flowchart illustrating a method for generating a device authentication according to an embodiment of the present invention;
fig. 13 is a flowchart illustrating a device authentication generation method according to an embodiment of the present invention;
fig. 14 is a flowchart illustrating a device authentication generation method according to an embodiment of the present invention;
fig. 15 is a flowchart illustrating a device authentication generation method according to an embodiment of the present invention;
FIG. 16 is a schematic diagram of a storage area in an article of equipment provided by an embodiment of the invention;
fig. 17 is a schematic structural diagram of an apparatus authentication generating device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
In the description of the present invention, the terms "inner", "outer", "longitudinal", "lateral", "upper", "lower", "top", "bottom", and the like indicate orientations or positional relationships based on those shown in the drawings, and are for convenience only to describe the present invention without requiring the present invention to be necessarily constructed and operated in a specific orientation, and thus should not be construed as limiting the present invention.
In addition, the technical features involved in the respective embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
Example 1:
Embodiment 1 of the present invention provides a device authentication generation method involving at least a device manufacturer, a consuming user and a device product, where the device product is produced by the device manufacturer. As shown in fig. 1 and fig. 2, the authentication generation includes:
In step 201, the device manufacturer obtains a device manufacturer certificate issued by the consuming user; the device manufacturer certificate consists of a first certificate body and a first certificate signature, the first certificate body consists of the device manufacturer identifier and the device manufacturer public key of the device manufacturer key pair, and the first certificate signature is obtained by the consuming user issuing the first certificate body with the user certificate. The generated device manufacturer certificate is shown in fig. 3.
There may be one or more device manufacturers, and the device manufacturer identifier may be the manufacturer's identifying information. There may be one or more device products. The authentication generation of this embodiment mainly involves three parties, the consuming user, the device manufacturer and the device product, where one consuming user corresponds to one or more user certificates and one device manufacturer corresponds to one or more device manufacturer key pairs. The device manufacturer key pair is generated in advance by the device manufacturer with an asymmetric (public-key) algorithm such as RSA, an ECC scheme such as ECDSA, or SM2. (The original text also lists AES here, but AES is a symmetric block cipher and cannot produce the signatures this scheme relies on.)
The equipment product comprises at least one of pluggable optical module equipment, an on-chip storage space of a chip and other pluggable devices suitable for a blade server; wherein the pluggable optical module device comprises at least one of an SFP package, a QSFP-DD package and an OSFP packaged optical module.
The user certificate is self-issued by the consuming user rather than issued by any third party, and it can be generated in various ways, for example:
In the first way, an arbitrary custom character string is used as the user certificate. (In this form the user certificate is a shared secret: whoever holds it can issue device manufacturer certificates, so it must be protected on the host as carefully as a signing key.)
In the second way, the consuming user generates a user key pair; a user identifier and the user public key of the user key pair form the certificate body of the user certificate, the user private key of the user key pair signs the certificate body to obtain the certificate signature, and the certificate body and certificate signature together form the user certificate.
The user certificate is the root of trust on which the validity of all device manufacturer certificates and device certificates ultimately rests.
Each device manufacturer corresponds to one or more device manufacturer certificates. The device manufacturer sends its device manufacturer identifier and device manufacturer public key (that is, the first certificate body) to the consuming user and requests a device manufacturer certificate; the consuming user generates the device manufacturer certificate after verifying, from the device manufacturer identifier, that the device manufacturer is legitimate. If the device manufacturer is found to be illegitimate, no device manufacturer certificate is generated.
The first certificate signature is produced by the consuming user issuing the first certificate body with the user certificate; one optional implementation is as follows: compute the digest of the first certificate body and encrypt (sign) the digest with the user private key to obtain the first certificate signature. The original lists MD4, MD5, SHA-1, SHA-256, SHA-384 and SHA-512 as digest functions; MD4, MD5 and SHA-1 have practical collision attacks and should not be used for certificate signatures, so a SHA-2 function (SHA-256 or stronger) is the appropriate choice.
In step 202, the device manufacturer also obtains the device identifier of the device product, forms a second certificate body from the device manufacturer certificate, the device identifier of the device product and the device public key of the device key pair, signs the second certificate body with the device manufacturer private key of the device manufacturer key pair to obtain a second certificate signature, and generates the device certificate from the second certificate body and the second certificate signature. The generated device certificate is shown in fig. 4.
Each device product corresponds to a device certificate generated by the device manufacturer that manufactured it. Each device product also corresponds to a device key pair, generated in advance by the device manufacturer. Each device has a unique device identifier, which the device manufacturer obtains from the device itself.
After obtaining the device identifier of the device product, the device manufacturer verifies from the device identifier whether the device product is legitimate; if so, the device certificate is generated, otherwise it is not.
In step 203, the device certificate and the device private key of the device key pair are burned into a storage area of the device product; the consuming user transmits the user certificate to the host, so that the host in which the device product is installed completes the authentication of the device product. (Because the later proof-of-possession check relies on the device private key never leaving the module, that key must be stored where it cannot be read back over the host interface; otherwise certificate and key could be copied into a counterfeit module that would pass authentication.)
In this embodiment, the consuming user can be understood as the administrator of the device production and authentication process, with absolute authority over whether a device product and a device manufacturer are legitimate. For example, the consuming user may be the user, seller or manufacturer of the host, and may also delegate production of device products usable with the host to a device manufacturer; the device manufacturer's authority to produce such device products is controlled by the consuming user, since if the consuming user does not issue a valid device manufacturer certificate to the device manufacturer, the device manufacturer cannot generate valid device certificates and therefore cannot produce valid devices. Likewise, if the consuming user does not transmit a valid user certificate to the host, the device product cannot be authenticated and cannot be installed on the host.
In this embodiment, the device certificate of a device product is generated through the interaction of the consuming user, the device manufacturer and the device product, so that when the device product is inserted into the host it can be authenticated by its device certificate and tampered or illegitimate device products can be identified, ensuring the legitimacy and safety of the device product and the overall security of the communication network.
Based on the device product of the foregoing embodiment, this embodiment further provides a specific implementation of how the host in which the device product is installed authenticates it, as shown in fig. 5 and fig. 6, specifically including:
In step 301, the host obtains the device manufacturer certificate from the device certificate, obtains the first certificate signature from the device manufacturer certificate, and verifies the validity of the first certificate signature with the user certificate.
In step 302, after the first certificate signature is verified, the host obtains the device manufacturer public key of the device manufacturer key pair from the device manufacturer certificate, obtains the second certificate signature from the device certificate, and verifies the validity of the second certificate signature with the device manufacturer public key.
In step 303, after the second certificate signature is verified, the host obtains the device public key of the device key pair from the device certificate and verifies whether the device public key matches the device private key in the storage area of the device product; if they match, the authentication of the device product is complete.
Verifying the validity of the first certificate signature amounts to verifying that the device manufacturer certificate is valid, and verifying the validity of the second certificate signature amounts to verifying that the device certificate is valid. The three checks must be performed in this order and each must pass: a device certificate whose signature verifies under a manufacturer public key that was not itself certified by the user certificate proves nothing.
The host matches the device product; for example, when the device product is a pluggable optical module, the host can be an OLT (optical line terminal).
An alternative implementation of verifying the validity of the first certificate signature with the user certificate is also provided, as shown in fig. 7, specifically including:
In step 401, the host obtains the first certificate body from the device manufacturer certificate and issues the first certificate body with the user certificate to obtain an issuing result.
In step 402, the host checks whether the issuing result is consistent with the first certificate signature; if it is, the first certificate signature is verified as valid.
This implementation can be applied to the validation of the first certificate signature under both the first and the second user certificate generation method described above. Note that it requires issuing to be deterministic and the host to hold whatever the consuming user issued with; under the second method that would be the user private key, so the public-key verification below, which needs only the user public key, is the better fit there.
For the second user certificate generation method, another optional implementation is provided, specifically including:
the host obtains the first certificate signature from the device manufacturer certificate, obtains the user public key from the user certificate, and decrypts the first certificate signature with the user public key to obtain a decryption result;
the host also obtains the first certificate body from the device manufacturer certificate and computes its digest to obtain a digest result;
the host checks whether the digest result is consistent with the decryption result, and if so, the first certificate signature is verified as valid.
After the validity of the first and second certificate signatures has been verified, the validity of the device key pair still has to be verified, for which this embodiment provides an optional implementation, as shown in fig. 8; verifying whether the device public key matches the device private key in the storage area of the device product specifically includes:
In step 501, the host sends a freshly generated random number to the device product and obtains the encryption result produced by the device product encrypting the random number with the device private key (in signature terms, the device signs the challenge).
In step 502, the host decrypts the encryption result with the device public key to obtain a decryption result and checks whether the decryption result is consistent with the random number.
In step 503, if the decryption result is consistent with the random number, the device public key is verified to match the device private key.
As an optional implementation, in step 501 the host may send the hash value of the random number instead of the random number itself; correspondingly, in step 502 the host checks whether the decryption result is consistent with the hash value of the random number, and in step 503 the device public key is verified to match the device private key if it is. The random number must be generated anew for every authentication and must not be predictable; otherwise a response recorded from a genuine module could be replayed by a counterfeit one.
The terms "first," "second," and "third" in the present embodiment are not intended to be limited, and are used only for convenience of description in order to distinguish different individuals from one another, and should not be interpreted as having a special meaning in order or otherwise.
Example 2:
Compared with embodiment 1, in which the device manufacturer certificate is embedded directly in the device certificate, this embodiment provides another implementation in which the device manufacturer certificate is not embedded in the device certificate but is transmitted by the consuming user to the host.
The device authentication generation method provided by this embodiment involves at least a device manufacturer, a consuming user and a device product, where the device product is produced by the device manufacturer. As shown in fig. 9, the authentication generation includes:
In step 601, the device manufacturer obtains a device manufacturer certificate issued by the consuming user; the device manufacturer certificate consists of a first certificate body and a first certificate signature, the first certificate body consists of the device manufacturer identifier and the device manufacturer public key of the device manufacturer key pair, and the first certificate signature is obtained by the consuming user issuing the first certificate body with the user certificate.
In step 602, the device manufacturer also obtains the device identifier of the device product, forms a second certificate body from the device identifier of the device product and the device public key of the device key pair, signs the second certificate body with the device manufacturer private key of the device manufacturer key pair to obtain a second certificate signature, and generates the device certificate from the second certificate body and the second certificate signature. The generated device certificate is shown in fig. 10.
In step 603, the device certificate and the device private key of the device key pair are burned into a storage area of the device product; the consuming user transmits the user certificate and the device manufacturer certificate to the host, so that the host in which the device product is installed can complete the authentication of the device product.
The equipment product can be pluggable optical module equipment, an on-chip storage space of a chip and other pluggable devices suitable for a blade server; wherein the pluggable optical module device comprises at least one of an SFP packaged, QSFP-DD packaged and OSFP packaged optical module.
The generation process of the device certificate and the user certificate is based on the same concept as that of embodiment 1, and is not described herein again.
However, unlike embodiment 1, when the device certificate is generated in this embodiment the device public key and the device identifier form the second certificate body and the device manufacturer certificate is not placed in it; the device manufacturer private key then signs the second certificate body to obtain the second certificate signature, from which the device certificate is generated.
At the same time, the device manufacturer certificate is transmitted by the consuming user to the host, which results in a different authentication process.
The step of completing the authentication process of the device product by the host in which the device product is installed, as shown in fig. 11, specifically includes:
In step 701, the host obtains the first certificate signature from the device manufacturer certificate and verifies its validity using the user certificate.
In step 702, after the first certificate signature is verified, the device manufacturer public key of the device manufacturer key pair is obtained from the device manufacturer certificate, the second certificate signature is obtained from the device certificate, and the validity of the second certificate signature is verified using the device manufacturer public key.
In step 703, after the second certificate signature is verified, the device public key of the device key pair is obtained from the device certificate, and it is verified whether the device public key matches the device private key in the storage area of the device product; if they match, the authentication process of the device product is complete.
Since the device manufacturer certificate has been transmitted to the host by the consuming user in advance, the first certificate signature can be extracted directly from it and the subsequent authentication performed.
Verifying whether the device public key matches the device private key in the storage area of the device product specifically includes:
The host sends a generated random number to the device product and obtains the encryption result produced by the device product encrypting the random number with the device private key.
The host decrypts the encryption result with the device public key to obtain a decryption result, and judges whether the decryption result is consistent with the random number.
If the decryption result is consistent with the random number, the device public key is verified to match the device private key.
As an optional implementation, what the host sends to the device product may also be a hash value of the generated random number; correspondingly, during authentication it is judged whether the decryption result is consistent with the hash value of the random number, and if so, the device public key is verified to match the device private key.
This embodiment also provides an optional implementation for verifying the validity of the first certificate signature; that is, verifying the validity of the first certificate signature using the user certificate specifically includes:
The host obtains the first certificate body from the device manufacturer certificate and signs the first certificate body with the user certificate to obtain an issuing result.
The host judges whether the issuing result is consistent with the first certificate signature; if so, the validity of the first certificate signature is verified.
In this embodiment, the device manufacturer certificate is not placed in the device certificate but is transmitted to the host by the consuming user. Compared with embodiment 1, this embodiment is better suited to a scenario in which transmission of the device manufacturer certificate between the consuming user and the host is completely secure, for example when the consuming user is the manufacturer of the host. In that case the device manufacturer certificate is delivered to the host directly rather than being placed in the device certificate, which simplifies the authentication generation process while preserving its security.
Example 3:
Based on the methods described in embodiments 1 and 2, this embodiment combines them with specific application scenarios and explains the implementation process in those scenarios using the terminology of the relevant field.
Taking embodiment 1 as an example, suppose a pluggable optical module manufactured by device manufacturer V is to be plugged into a corresponding OLT device manufactured by consumer C. In this scenario the device product is the pluggable optical module and the host is the OLT device.
The authentication production method for the pluggable optical module is shown in fig. 2 and fig. 12 and specifically includes:
In step 801, the device manufacturer V generates a device manufacturer key pair comprising a device manufacturer public key V_Key_Public and a device manufacturer private key V_Key_Private.
In step 802, the device manufacturer V sends the device manufacturer public key V_Key_Public and vendor information (equivalent to the device manufacturer identifier in embodiment 1) to consuming user C, requesting a device manufacturer certificate.
In step 803, consuming user C generates an unissued device manufacturer certificate for device manufacturer V, containing the device manufacturer public key and the vendor information, and signs it with the user certificate to obtain the issued device manufacturer certificate Cert_V.
In step 804, consuming user C sends the device manufacturer certificate Cert_V to device manufacturer V.
In step 805, the device manufacturer V generates a device key pair for each pluggable optical module, comprising a device public key Dev_Key_Public and a device private key Dev_Key_Private.
In step 806, the device manufacturer V generates an unissued device certificate for each pluggable optical module, containing the unique security identifier of the device (equivalent to the device identifier in embodiment 1), the device public key Dev_Key_Public and the device manufacturer certificate Cert_V, and signs it with the device manufacturer private key V_Key_Private to obtain the issued device certificate Cert_Dev.
In step 807, the device manufacturer V writes the device private key Dev_Key_Private and the device certificate Cert_Dev into the secure storage area of the device product, for example a read-only memory (ROM); the authentication process of the pluggable optical module is performed when the module is plugged in.
Meanwhile, consuming user C transmits the user certificate to the OLT device so that it can authenticate the pluggable optical module.
As shown in fig. 13, the authentication of the pluggable optical module specifically includes:
In step 901, when the pluggable optical module is plugged into the OLT device, the OLT device obtains the device certificate Cert_Dev from the module.
In step 902, the OLT device extracts the device manufacturer certificate from Cert_Dev and verifies its validity using the user certificate; if it is valid, the OLT device verifies the validity of the device certificate using the device manufacturer public key in the device manufacturer certificate. If either the device manufacturer certificate or the device certificate is found to be invalid, the module is judged to be an illegal device, the process ends and the OLT device does not load the pluggable optical module; if both are valid, the device public key Dev_Key_Public is extracted from the device certificate.
In step 903, the OLT device generates a random number Rand and sends it to the pluggable optical module.
In step 904, the pluggable optical module encrypts Rand with the device private key Dev_Key_Private and sends the encryption result Rand_sign to the OLT device.
In step 905, the OLT device decrypts Rand_sign with Dev_Key_Public to obtain Rand_a and compares whether Rand and Rand_a are equal; if so, the pluggable optical module is judged to be a legal device and its loading is accepted, otherwise it is judged to be an illegal device and loading is refused.
Based on embodiment 2 and again taking the pluggable optical module as an example, as shown in fig. 14, the authentication production method also performs steps 801 to 805, then proceeds to step 806', and then performs step 807.
In step 806', the device manufacturer V generates an unissued device certificate for each pluggable optical module, containing the unique security identifier of the device (corresponding to the device identifier in embodiment 1) and the device public key Dev_Key_Public, and signs it with the device manufacturer private key V_Key_Private to obtain the issued device certificate Cert_Dev.
Meanwhile, consuming user C transmits the user certificate and the device manufacturer certificate to the OLT device so that it can authenticate the pluggable optical module. In the authentication of the pluggable optical module, as shown in fig. 15, step 901 is executed first, then step 902', followed by steps 903 to 905.
In step 902', the OLT device verifies the validity of the device manufacturer certificate it has stored, using the user certificate; if it is valid, the OLT device verifies the validity of the device certificate using the device manufacturer public key in the device manufacturer certificate. If either the device manufacturer certificate or the device certificate is found to be invalid, the module is judged to be an illegal device, the process ends and the OLT device does not load the pluggable optical module; if both are valid, the device public key Dev_Key_Public is extracted from the device certificate and the subsequent authentication continues.
Through this authentication process the host can judge whether the inserted device product is legal; if it is, subsequent operations such as installation of the device product are executed, otherwise the device is not installed.
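The certificate chain and challenge-response of embodiments 2 and 3 (steps 801-807 and 901-905), as an added Go example that is not part of the patent: the consuming user issues Cert_V, the device manufacturer issues Cert_Dev either with Cert_V embedded (embodiment 1) or without it (embodiment 2), and the host verifies the chain before challenging the module with a random number. Ed25519 signatures, JSON encoding of certificate bodies and the identifiers consumer-C, vendor-V and module-serial-0001 are assumptions of this example; the host checks the first certificate signature with the public key in the user certificate rather than by re-signing the body as the page describes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// CertBody is the signed part of a certificate: identifier plus public key. Embedded
// carries Cert_V inside Cert_Dev (embodiment 1) and is nil for embodiment 2.
type CertBody struct {
	ID       string            `json:"id"`
	PubKey   ed25519.PublicKey `json:"pub"`
	Embedded *Cert             `json:"embedded,omitempty"`
}

// Cert is a certificate body plus the issuer's signature over its encoding.
type Cert struct {
	Body CertBody
	Sig  []byte
}

// encode gives the canonical signed bytes; field order is fixed, so it is deterministic.
func (b CertBody) encode() []byte { d, _ := json.Marshal(b); return d }

// issue signs a body with the issuer's key (first signature for Cert_V, second for Cert_Dev).
func issue(body CertBody, issuerPriv ed25519.PrivateKey) Cert {
	return Cert{Body: body, Sig: ed25519.Sign(issuerPriv, body.encode())}
}

// verifyCert checks a certificate signature against the issuer's public key.
func verifyCert(c Cert, issuerPub ed25519.PublicKey) bool {
	return ed25519.Verify(issuerPub, c.Body.encode(), c.Sig)
}

// Device models the module's secure storage area: Cert_Dev and Dev_Key_Private.
type Device struct {
	Cert Cert
	priv ed25519.PrivateKey
}

// Host models the OLT: the user certificate plus, for embodiment 2 only, Cert_V.
type Host struct {
	UserCert   Cert
	VendorCert *Cert
}

// Authenticate runs steps 901-905 and returns nil only for a legitimate module.
func (h *Host) Authenticate(dev *Device) error {
	// Step 902: Cert_V comes from Cert_Dev (embodiment 1) or host storage (embodiment 2).
	vendorCert := dev.Cert.Body.Embedded
	if vendorCert == nil {
		vendorCert = h.VendorCert
	}
	switch {
	case vendorCert == nil:
		return errors.New("no device manufacturer certificate available")
	case !verifyCert(*vendorCert, h.UserCert.Body.PubKey):
		return errors.New("device manufacturer certificate invalid")
	case !verifyCert(dev.Cert, vendorCert.Body.PubKey):
		return errors.New("device certificate invalid")
	}
	// Steps 903-905: fresh random number, module response, check against Dev_Key_Public.
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// Step 904: the module signs with Dev_Key_Private (the page calls this encrypting).
	resp := ed25519.Sign(dev.priv, nonce)
	if !ed25519.Verify(dev.Cert.Body.PubKey, nonce, resp) {
		return errors.New("device private key does not match device certificate")
	}
	return nil
}

// provision runs steps 801-807 with constructed identifiers; embed selects embodiment 1.
func provision(embed bool) (*Device, *Host) {
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader) // consuming user C (key errors ignored in this demo)
	vPub, vPriv, _ := ed25519.GenerateKey(rand.Reader)       // step 801
	dPub, dPriv, _ := ed25519.GenerateKey(rand.Reader)       // step 805
	userCert := issue(CertBody{ID: "consumer-C", PubKey: userPub}, userPriv) // self-signed root
	certV := issue(CertBody{ID: "vendor-V", PubKey: vPub}, userPriv)         // steps 802-804
	body := CertBody{ID: "module-serial-0001", PubKey: dPub}                 // step 806 / 806'
	if embed {
		body.Embedded = &certV
	}
	dev := &Device{Cert: issue(body, vPriv), priv: dPriv} // step 807
	host := &Host{UserCert: userCert}
	if !embed {
		host.VendorCert = &certV // consuming user delivers Cert_V to the host
	}
	return dev, host
}
```

In production code the host should check that every public key it reads from a certificate has the expected length before calling ed25519.Verify, which panics on malformed keys; the example relies on its own issuer for that.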
Example 4:
On the basis of the device authentication generation method according to any one of embodiments 1 to 3, this embodiment further provides a device product produced by a device manufacturer. As shown in fig. 16, a device certificate and the device private key of a device key pair are written in a storage area of the device product, and the device certificate and the device key pair are generated based on the device authentication generation method according to any one of embodiments 1 to 3. That method is described in detail in embodiments 1 to 3 and is not repeated here.
The device product comprises at least one of a pluggable optical module, an on-chip storage space of a chip and another pluggable device suitable for a blade server; the pluggable optical module comprises at least one of an SFP-packaged, QSFP-DD-packaged and OSFP-packaged optical module.
The device product is used together with a corresponding host, and the host authenticates the device product before it is installed. When the device certificate and the device key pair are generated according to the method of embodiment 1, the device certificate contains the device manufacturer certificate and the host holds the user certificate. When they are generated according to the method of embodiment 2, the device certificate does not contain the device manufacturer certificate, and the host holds both the device manufacturer certificate and the user certificate.
Example 5:
fig. 17 is a schematic diagram of an architecture of a device authentication generation apparatus according to an embodiment of the present invention. The device authentication generation apparatus of the present embodiment includes one or more processors 21 and a memory 22. In fig. 17, one processor 21 is taken as an example.
The processor 21 and the memory 22 may be connected by a bus or other means, and the bus connection is exemplified in fig. 17.
The memory 22, which is a nonvolatile computer-readable storage medium, may be used to store a nonvolatile software program and a nonvolatile computer-executable program, such as the device authentication generation method in embodiment 1. The processor 21 executes the device authentication generation method by executing the nonvolatile software program and instructions stored in the memory 22.
The memory 22 may include high speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some embodiments, the memory 22 may optionally include memory located remotely from the processor 21, and these remote memories may be connected to the processor 21 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The program instructions/modules are stored in the memory 22 and, when executed by the one or more processors 21, perform the device authentication generation methods of embodiments 1-3 described above, for example, perform the steps shown in fig. 1, fig. 5, fig. 7-9, and fig. 11-15 described above.
For the information interaction, execution process and other details between the modules and units of the apparatus and system, reference may be made to the description of the method embodiments of the present invention, since they are based on the same concept; they are not described again here.
Those of ordinary skill in the art will appreciate that all or part of the steps of the various methods of the embodiments may be implemented by associated hardware as instructed by a program, which may be stored on a computer-readable storage medium, which may include: a Read Only Memory (ROM), a Random Access Memory (RAM), a magnetic or optical disk, and the like.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (10)

1. A device authentication generation method involving at least a device manufacturer, a consuming user and a device product, wherein the device product is produced by the device manufacturer, the authentication generation comprising:
the device manufacturer obtaining a device manufacturer certificate issued by the consuming user; the device manufacturer certificate is generated from a first certificate body and a first certificate signature, the first certificate body consists of a device manufacturer identifier and the device manufacturer public key of a device manufacturer key pair, and the first certificate signature is obtained by signing the first certificate body with the user certificate of the consuming user;
the device manufacturer further obtaining a device identifier of the device product, forming a second certificate body from the device manufacturer certificate, the device identifier of the device product and the device public key of a device key pair, signing the second certificate body with the device manufacturer private key of the device manufacturer key pair to obtain a second certificate signature, and generating a device certificate from the second certificate body and the second certificate signature;
burning the device certificate and the device private key of the device key pair into a storage area of the device product; the user certificate being transmitted to a host by the consuming user so that the host in which the device product is installed completes the authentication process of the device product.
2. The device authentication generation method according to claim 1, wherein completing the authentication process of the device product by the host in which the device product is installed comprises:
the host obtaining the device manufacturer certificate from the device certificate, obtaining the first certificate signature from the device manufacturer certificate, and verifying the validity of the first certificate signature using the user certificate;
after the first certificate signature is verified, obtaining the device manufacturer public key of the device manufacturer key pair from the device manufacturer certificate, obtaining the second certificate signature from the device certificate, and verifying the validity of the second certificate signature using the device manufacturer public key;
after the second certificate signature is verified, obtaining the device public key of the device key pair from the device certificate, verifying whether the device public key matches the device private key in the storage area of the device product, and completing the authentication process of the device product if they match.
3. The device authentication generation method according to claim 2, wherein verifying whether the device public key matches the device private key in the storage area of the device product specifically comprises:
the host sending a generated random number to the device product and obtaining the encryption result produced by the device product encrypting the random number with the device private key;
the host decrypting the encryption result with the device public key to obtain a decryption result, and judging whether the decryption result is consistent with the random number;
if the decryption result is consistent with the random number, the device public key being verified to match the device private key.
4. The device authentication generation method according to claim 2, wherein verifying the validity of the first certificate signature using the user certificate specifically comprises:
the host obtaining the first certificate body from the device manufacturer certificate and signing the first certificate body with the user certificate to obtain an issuing result;
judging whether the issuing result is consistent with the first certificate signature, and if so, the validity of the first certificate signature being verified.
5. The device authentication generation method according to any one of claims 1 to 4, wherein the device product comprises at least one of a pluggable optical module, an on-chip storage space of a chip and another pluggable device suitable for a blade server; the pluggable optical module comprises at least one of an SFP-packaged, QSFP-DD-packaged and OSFP-packaged optical module.
6. A device authentication generation method involving at least a device manufacturer, a consuming user and a device product, wherein the device product is produced by the device manufacturer, the authentication generation comprising:
the device manufacturer obtaining a device manufacturer certificate issued by the consuming user; the device manufacturer certificate is generated from a first certificate body and a first certificate signature, the first certificate body consists of a device manufacturer identifier and the device manufacturer public key of a device manufacturer key pair, and the first certificate signature is obtained by signing the first certificate body with the user certificate of the consuming user;
the device manufacturer further obtaining a device identifier of the device product, forming a second certificate body from the device identifier of the device product and the device public key of a device key pair, signing the second certificate body with the device manufacturer private key of the device manufacturer key pair to obtain a second certificate signature, and generating a device certificate from the second certificate body and the second certificate signature;
burning the device certificate and the device private key of the device key pair into a storage area of the device product; the user certificate and the device manufacturer certificate being transmitted to a host by the consuming user so that the host in which the device product is installed completes the authentication process of the device product.
7. The device authentication generation method according to claim 6, wherein completing the authentication process of the device product by the host in which the device product is installed comprises:
the host obtaining the first certificate signature from the device manufacturer certificate and verifying the validity of the first certificate signature using the user certificate;
after the first certificate signature is verified, obtaining the device manufacturer public key of the device manufacturer key pair from the device manufacturer certificate, obtaining the second certificate signature from the device certificate, and verifying the validity of the second certificate signature using the device manufacturer public key;
after the second certificate signature is verified, obtaining the device public key of the device key pair from the device certificate, verifying whether the device public key matches the device private key in the storage area of the device product, and completing the authentication process of the device product if they match.
8. The device authentication generation method according to claim 7, wherein verifying whether the device public key matches the device private key in the storage area of the device product specifically comprises:
the host sending a generated random number to the device product and obtaining the encryption result produced by the device product encrypting the random number with the device private key;
the host decrypting the encryption result with the device public key to obtain a decryption result, and judging whether the decryption result is consistent with the random number;
if the decryption result is consistent with the random number, the device public key being verified to match the device private key.
9. The device authentication generation method according to claim 7, wherein verifying the validity of the first certificate signature using the user certificate specifically comprises:
the host obtaining the first certificate body from the device manufacturer certificate and signing the first certificate body with the user certificate to obtain an issuing result;
judging whether the issuing result is consistent with the first certificate signature, and if so, the validity of the first certificate signature being verified.
10. A device product, wherein the device product is produced by a device manufacturer, a device certificate and the device private key of a device key pair are written in a storage area of the device product, and the device certificate and the device key pair are generated based on the device authentication generation method according to any one of claims 1 to 9.
CN202211240294.6A 2022-10-11 2022-10-11 Equipment authentication generation method and equipment product Pending CN115643022A (en)
Publications (1)

Publication Number Publication Date
CN115643022A true CN115643022A (en) 2023-01-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination