CN115865434A - Bidirectional authentication encryption method, system, device and storage medium - Google Patents


Info

Publication number: CN115865434A
Application number: CN202211463512.2A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Prior art keywords: edge computing, array, key, computing gateway, terminal equipment
Inventors: 马铮, 高伟斌, 马成浩
Current assignee: Sgsg Science & Technology Co ltd Zhuhai
Original assignee: Sgsg Science & Technology Co ltd Zhuhai
Landscapes: Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a bidirectional authentication encryption method, system, device and storage medium for improving the security of data interaction between a terminal device and an edge computing gateway. The method comprises the following steps: the edge computing gateway determines, by means of a first random array, whether the terminal device passes security authentication; if so, the edge computing gateway sends a second key to the terminal device; the terminal device determines, by means of a second random array, whether the edge computing gateway passes security authentication; if so, the terminal device loads a first key; the edge computing gateway determines, by means of the first key, whether the terminal device passes security authentication; if so, the edge computing gateway sends a target temporary key to the terminal device; the terminal device encrypts or signs first service data with the target temporary key to generate second service data and sends the second service data to the edge computing gateway; and the edge computing gateway decrypts the second service data or verifies its signature to obtain the first service data.

Description

Bidirectional authentication encryption method, system, device and storage medium
Technical Field
The present application relates to the field of data transmission, and in particular, to a bidirectional authentication encryption method, system, device, and storage medium.
Background
The edge computing gateway is widely used in Internet of Things systems, where terminal devices interact with the gateway and a back-end server over wireless communication. However, for cost reasons some terminal devices are made ever smaller, which leaves them with weak data processing capability; for example, the terminal device of a smart cash box cannot carry a secure and reliable authorization and authentication mechanism of the kind a conventional PC has. As a result, data exchanged between such a terminal device and the edge computing gateway can only be encrypted simply with a fixed key, the terminal device may be swapped out or forged, and a significant security risk exists.
How to improve the security of data interaction between the terminal device and the edge computing gateway under the limitation of weak data processing capability of the terminal device is a problem to be solved at present.
Disclosure of Invention
The application provides a bidirectional authentication encryption method, a system, a device and a storage medium, which are used for improving the security of data interaction between terminal equipment and an edge computing gateway.
The application provides a bidirectional authentication encryption method in a first aspect, which includes:
the edge computing gateway determines, by means of a first random array, whether the terminal device passes security authentication, where the first random array is an array randomly generated by the edge computing gateway;
if the terminal device passes the security authentication, the edge computing gateway generates a first key, encrypts the first key with an initial key to obtain a second key, and sends the second key to the terminal device;
the terminal device determines, by means of a second random array, whether the edge computing gateway passes security authentication, where the second random array is an array randomly generated by the terminal device;
if the edge computing gateway is determined to pass the security authentication, the terminal device decrypts the second key with the initial key to obtain the first key, and loads the first key;
the edge computing gateway determines, by means of the first key, whether the terminal device passes security authentication;
if the terminal device passes the security authentication according to the first key, the edge computing gateway generates a target temporary key and sends the target temporary key to the terminal device;
the terminal device encrypts or signs first service data with the target temporary key to generate second service data, and sends the second service data to the edge computing gateway;
and the edge computing gateway decrypts the second service data or verifies its signature to obtain the first service data.
Optionally, that the edge computing gateway determines, by means of a first random array, whether the terminal device passes security authentication, where the first random array is an array randomly generated by the edge computing gateway, includes:
the edge computing gateway generates a first random array and sends the first random array to the terminal equipment;
the terminal equipment encrypts the first random array through an authentication key to obtain a first encrypted array, and sends the first encrypted array to the edge computing gateway;
the edge computing gateway decrypts the first encrypted array through the authentication key to obtain a first decrypted array;
the edge computing gateway judges whether the first decryption array is the same as the first random array;
and if the first decryption array is the same as the first random array, the edge computing gateway determines that the terminal equipment passes the security authentication.
Optionally, after the edge computing gateway determines whether the first decryption array is the same as the first random array, the bidirectional authentication encryption method further includes:
and if the first decryption array is different from the first random array, the edge computing gateway determines that the terminal equipment does not pass the security authentication.
Optionally, that the terminal device determines, by means of a second random array, whether the edge computing gateway passes security authentication, where the second random array is an array randomly generated by the terminal device, includes:
the terminal equipment generates a second random array and sends the second random array to the edge computing gateway;
the edge computing gateway encrypts the second random array through the authentication key to obtain a second encrypted array, and sends the second encrypted array to the terminal equipment;
the terminal equipment decrypts the second encrypted array through the authentication key to obtain a second decrypted array;
the terminal equipment judges whether the second decryption array is the same as the second random array or not;
and if the second decryption array is the same as the second random array, the terminal equipment determines that the edge computing gateway passes the security authentication.
Optionally, after the terminal device determines whether the second decryption array is the same as the second random array, the bidirectional authentication encryption method further includes:
and if the second decryption array is different from the second random array, the terminal equipment determines that the edge computing gateway does not pass the security authentication.
Optionally, that the edge computing gateway generates a target temporary key and sends the target temporary key to the terminal device if the terminal device passes the security authentication includes:
if the terminal device passes the security authentication, the edge computing gateway generates a temporary key, encrypts the temporary key with a service-specific key to generate the target temporary key, and sends the target temporary key to the terminal device;
that the terminal device encrypts or signs the first service data with the target temporary key to generate second service data and sends the second service data to the edge computing gateway includes:
the terminal device decrypts the target temporary key with the service-specific key to obtain the temporary key, encrypts or signs the first service data with the temporary key to generate the second service data, and sends the second service data to the edge computing gateway;
and that the edge computing gateway decrypts the second service data or verifies its signature to obtain the first service data includes:
the edge computing gateway decrypts the second service data or verifies its signature with the temporary key to obtain the first service data.
A second aspect of the present application provides a mutual authentication encryption system, including:
an edge computing gateway and a terminal device;
the edge computing gateway is configured to determine, by means of a first random array, whether the terminal device passes security authentication, where the first random array is an array randomly generated by the edge computing gateway;
the edge computing gateway is further configured to generate a first key if the terminal device is determined to pass the security authentication, encrypt the first key with an initial key to obtain a second key, and send the second key to the terminal device;
the terminal device is configured to determine, by means of a second random array, whether the edge computing gateway passes security authentication, where the second random array is an array randomly generated by the terminal device;
the terminal device is further configured to decrypt the second key with the initial key to obtain the first key and load the first key if the edge computing gateway is determined to pass the security authentication;
the edge computing gateway is further configured to determine, by means of the first key, whether the terminal device passes security authentication;
the edge computing gateway is further configured to generate a target temporary key and send the target temporary key to the terminal device if the terminal device passes the security authentication according to the first key;
the terminal device is further configured to encrypt or sign first service data with the target temporary key to generate second service data and send the second service data to the edge computing gateway;
the edge computing gateway is further configured to decrypt the second service data or verify its signature to obtain the first service data.
Optionally, the edge computing gateway is specifically configured to generate a first random array, and send the first random array to a terminal device;
the terminal device is specifically configured to encrypt the first random array through an authentication key, obtain a first encrypted array, and send the first encrypted array to the edge computing gateway;
the edge computing gateway is specifically configured to decrypt the first encrypted array through the authentication key to obtain a first decrypted array;
the edge computing gateway is specifically configured to determine whether the first decryption array is the same as the first random array;
the edge computing gateway is specifically configured to determine that the terminal device passes security authentication if the first decryption array is the same as the first random array.
Optionally, the edge computing gateway is specifically configured to:
and if the first decryption array is different from the first random array, determining that the terminal equipment does not pass the security authentication.
Optionally, the terminal device is specifically configured to generate a second random array, and send the second random array to the edge computing gateway;
the edge computing gateway is specifically configured to encrypt the second random array through the authentication key, obtain a second encrypted array, and send the second encrypted array to the terminal device;
the terminal device is specifically configured to decrypt the second encrypted array through the authentication key to obtain a second decrypted array;
the terminal device is specifically configured to determine whether the second decryption array is the same as the second random array;
and the terminal device is specifically configured to determine that the edge computing gateway passes the security authentication if the second decryption array is the same as the second random array.
Optionally, the terminal device is specifically configured to: and if the second decryption array is different from the second random array, determining that the edge computing gateway does not pass the security authentication.
Optionally, the edge computing gateway is specifically configured to: if the terminal device passes the security authentication, generate a temporary key, encrypt the temporary key with a service-specific key to generate the target temporary key, and send the target temporary key to the terminal device;
that the terminal device is specifically configured to encrypt or sign the first service data with the target temporary key to generate second service data and send the second service data to the edge computing gateway includes:
the terminal device is specifically configured to decrypt the target temporary key with the service-specific key to obtain the temporary key, encrypt or sign the first service data with the temporary key to generate the second service data, and send the second service data to the edge computing gateway;
that the edge computing gateway is specifically configured to decrypt the second service data or verify its signature to obtain the first service data includes:
the edge computing gateway is specifically configured to decrypt the second service data or verify its signature with the temporary key to obtain the first service data.
A third aspect of the present application provides a bidirectional authentication encryption apparatus, including:
a processor, a memory, an input/output unit and a bus;
the processor is connected to the memory, the input/output unit and the bus;
the memory holds a program that the processor calls to perform the bidirectional authentication encryption method of the first aspect or of any optional implementation of the first aspect.
A fourth aspect of the present application provides a computer-readable storage medium having a program stored thereon, where the program, when executed on a computer, performs the bidirectional authentication encryption method of the first aspect or of any optional implementation of the first aspect.
According to the technical solution above, the method has the following advantages. The edge computing gateway determines, by means of a first random array, whether the terminal device passes security authentication and, if so, sends a second key to the terminal device; the terminal device determines, by means of a second random array, whether the edge computing gateway passes security authentication and, if so, decrypts the second key with an initial key to obtain the first key and loads it. These steps achieve bidirectional security authentication between the edge computing gateway and the terminal device, so that the first key is loaded onto the terminal device securely and cannot be recovered by other terminal devices. The edge computing gateway then determines, by means of the first key, whether the terminal device passes security authentication and, if so, generates a target temporary key and sends it to the terminal device; the terminal device encrypts or signs the first service data with the target temporary key to generate second service data and sends it to the edge computing gateway, which decrypts the second service data or verifies its signature to obtain the first service data. This improves the security of data interaction between the terminal device and the edge computing gateway.
Drawings
In order to more clearly illustrate the technical solutions in the present application, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings without creative efforts.
Fig. 1 is a schematic flowchart illustrating an embodiment of a bidirectional authentication encryption method provided in the present application;
fig. 2 is a schematic flowchart of another embodiment of a bidirectional authentication encryption method provided in the present application;
fig. 3 is a schematic structural diagram of an embodiment of a bidirectional authentication encryption system provided in the present application;
fig. 4 is a schematic structural diagram of an embodiment of a bidirectional authentication encryption apparatus provided in the present application.
Detailed Description
The application provides a bidirectional authentication encryption method, a system, a device and a storage medium, which are used for improving the security of data interaction between terminal equipment and an edge computing gateway.
It should be noted that the bidirectional authentication encryption method provided by the present application may be applied to a terminal and may also be applied to a server; the terminal may be, for example, a smart phone, a tablet computer, a smart television, a smart watch, a portable computer or a desktop computer. For convenience of explanation, the terminal is taken as the executing entity in the description below.
Referring to fig. 1, fig. 1 is a diagram illustrating an embodiment of a bidirectional authentication encryption method according to the present application, where the bidirectional authentication encryption method includes:
101. The edge computing gateway determines, by means of a first random array, whether the terminal device passes security authentication, where the first random array is an array randomly generated by the edge computing gateway;
in this embodiment, the edge computing gateway determines, by means of a first random array, whether the terminal device passes security authentication, where the first random array is an array randomly generated by the edge computing gateway; if the terminal device passes the security authentication, the edge computing gateway executes step 102, and if it does not, the edge computing gateway ends the process. By using the first random array the edge computing gateway determines whether the terminal device is a legitimate device, which avoids data interaction with a terminal device that has been illegally swapped out and improves security during data interaction.
102. If the terminal equipment passes the security authentication, the edge computing gateway generates a first key, encrypts the first key through the initial key to obtain a second key, and sends the second key to the terminal equipment;
in this embodiment, if the edge computing gateway determines that the terminal device passes the security authentication, the edge computing gateway generates a first key, encrypts the first key with an initial key to obtain a second key, and sends the second key to the terminal device, where the initial key is a dedicated key-protection key, also referred to as the vendor key. For example: the edge computing gateway generates the first key K to be loaded, encrypts the first key K with the initial key X to obtain the second key K', and sends the second key K' to the terminal device.
103. The terminal device determines, by means of a second random array, whether the edge computing gateway passes security authentication, where the second random array is an array randomly generated by the terminal device;
in this embodiment, when the terminal device receives a second key sent by the edge computing gateway, the terminal device determines whether the edge computing gateway passes the security authentication through a second random array, where the second random array is an array randomly generated by the terminal device, and if the terminal device determines that the edge computing gateway passes the security authentication, the terminal device executes step 104; and if the terminal equipment determines that the edge computing gateway does not pass the safety authentication, the terminal equipment ends the process.
104. If the edge computing gateway is confirmed to pass the security authentication, the terminal equipment decrypts the second key through the initial key to obtain a first key, and the first key is loaded;
in this embodiment, if the terminal device determines that the edge computing gateway passes the security authentication, at this time, the terminal device and the edge computing gateway complete mutual bidirectional authentication, the terminal decrypts the second key K' through the initial key X to obtain the first key K, and loads the first key K on the terminal device.
105. The edge computing gateway determines, by means of the first key, whether the terminal device passes security authentication;
in this embodiment, the precondition of the secure transmission mechanism for data interaction between the terminal device and the edge computing gateway is that the terminal device passes the security authentication of the edge computing gateway, and the key used in this security authentication is not the initial key but the first key loaded by the terminal device. If the edge computing gateway determines that the terminal device passes the security authentication according to the first key, the edge computing gateway executes step 106; if the edge computing gateway determines that the terminal device does not pass the security authentication according to the first key, the edge computing gateway ends the process.
106. If the terminal device passes the security authentication according to the first key, the edge computing gateway generates a target temporary key and sends the target temporary key to the terminal device;
in this embodiment, if the edge computing gateway determines that the terminal device passes the security authentication according to the first key, the edge computing gateway generates a target temporary key and sends it to the terminal device, so that the terminal device can encrypt or sign the service data it acquires with the target temporary key. The target temporary key is generated on demand by the edge computing gateway and is valid only once.
107. The terminal device encrypts or signs the first service data with the target temporary key to generate second service data, and sends the second service data to the edge computing gateway;
in this embodiment, the terminal device encrypts or signs the first service data it acquired with the target temporary key to generate second service data, and sends the second service data to the edge computing gateway, so that second service data intercepted on the link can be neither read nor forged without the temporary key, which further improves the security of data interaction between the terminal device and the edge computing gateway.
108. The edge computing gateway decrypts the second service data or verifies its signature to obtain the first service data.
In this embodiment, the edge computing gateway decrypts the second service data or verifies its signature with the target temporary key to obtain the first service data.
In this embodiment, the edge computing gateway determines, by means of the first random array, whether the terminal device passes security authentication and, if so, sends the second key to the terminal device; the terminal device determines, by means of the second random array, whether the edge computing gateway passes security authentication and, if so, decrypts the second key with the initial key to obtain the first key and loads it. These steps achieve bidirectional security authentication between the edge computing gateway and the terminal device, so that the first key is loaded onto the terminal device securely and cannot be recovered by other terminal devices. The edge computing gateway then determines, by means of the first key, whether the terminal device passes security authentication and, if so, generates the target temporary key and sends it to the terminal device; the terminal device encrypts or signs the first service data with the target temporary key to generate the second service data and sends it to the edge computing gateway, which decrypts the second service data or verifies its signature to obtain the first service data. The method thereby improves the security of data interaction between the edge computing gateway and the terminal device.
In this embodiment, if the security mechanism of the present application is not adopted, a front-end terminal device in an Internet of Things system may be replaced while unattended, and the illegitimate replacement device may attack the system, intercept wireless service data for illegal use, or forge service data. Service data is transmitted over the network: if it is not encrypted it is visible and can be misused once intercepted, and if it is encrypted under a static key the captured data can be replayed. The dynamic encryption mechanism of the present scheme, with a temporary key valid only once, prevents the service data from being cracked or replayed. In addition, the method allows a service identification system to achieve end-to-end security, thereby ensuring the security and robustness of the services in that system.
In order to make the bidirectional authentication encryption method provided by the present application more obvious and understandable, a bidirectional authentication encryption method provided by the present application is described in detail below:
referring to fig. 2, fig. 2 is another embodiment of a bidirectional authentication encryption method provided in the present application, where the bidirectional authentication encryption method includes:
201. the edge computing gateway generates a first random array and sends the first random array to the terminal equipment;
in this embodiment, the edge computing gateway generates a first random array A and sends the first random array A to the terminal device.
202. The terminal device encrypts the first random array with the authentication key to obtain a first encrypted array, and sends the first encrypted array to the edge computing gateway;
in this embodiment, the terminal device encrypts the first random array A with the authentication key to obtain the first encrypted array A1, and sends the first encrypted array A1 to the edge computing gateway. Authentication keys serve different purposes within the system: different keys are used to authenticate different service permissions. The encryption algorithm is the SM4 block cipher of the Chinese national cryptographic standard.
203. The edge computing gateway decrypts the first encrypted array with the authentication key to obtain a first decrypted array;
in this embodiment, the edge computing gateway decrypts the first encrypted array A1 with the authentication key to obtain the first decrypted array A11.
204. The edge computing gateway determines whether the first decrypted array is the same as the first random array;
in this embodiment, the edge computing gateway determines whether the first decrypted array A11 is the same as the first random array A; if not, the edge computing gateway executes step 205, and if so, the edge computing gateway proceeds to step 206.
205. If the first decryption array is different from the first random array, the edge computing gateway determines that the terminal equipment does not pass the security authentication;
in this embodiment, if the first decryption array is different from the first random array, the edge computing gateway determines that the terminal device does not pass the security authentication, thereby determining that the terminal device is an illegal terminal, and the edge computing gateway ends the flow.
206. If the first decryption array is the same as the first random array, the edge computing gateway determines that the terminal equipment passes the safety certification;
in this embodiment, if the first decryption array is the same as the first random array, the edge computing gateway determines that the terminal device passes the security authentication, so as to determine that the terminal device is a valid terminal.
207. If the terminal equipment passes the security authentication, the edge computing gateway generates a first key, encrypts the first key through the initial key to obtain a second key, and sends the second key to the terminal equipment;
step 207 in this embodiment is similar to step 102 in the embodiment of fig. 1, and detailed description thereof is omitted here.
208. The terminal equipment generates a second random array and sends the second random array to the edge computing gateway;
in this embodiment, the terminal device generates a second random array B, and sends the second random array B to the edge computing gateway.
209. The edge computing gateway encrypts the second random array through the authentication key to obtain a second encrypted array, and sends the second encrypted array to the terminal equipment;
in this embodiment, the edge computing gateway encrypts the second random array B by the authentication key, obtains the second encrypted array B1, and sends the second encrypted array B1 to the terminal device.
210. The terminal equipment decrypts the second encrypted array through the authentication key to obtain a second decrypted array;
in this embodiment, the terminal device decrypts the second encrypted array B1 by the authentication key to obtain the second decrypted array B11.
211. The terminal equipment judges whether the second decryption array is the same as the second random array or not;
in this embodiment, the terminal device determines whether the second decryption array B11 is the same as the second random array B, and if not, the terminal device executes step 212; if so, the terminal device performs step 213.
212. If the second decryption array is different from the second random array, the terminal equipment determines that the edge computing gateway does not pass the safety certification;
in this embodiment, if the second decryption array is different from the second random array, the terminal device determines that the edge computing gateway does not pass the security authentication, thereby determining that the edge computing gateway is an illegal gateway, and the terminal device ends the process.
213. If the second decryption array is the same as the second random array, the terminal equipment determines that the edge computing gateway passes the safety certification;
in this embodiment, if the second decryption array is the same as the second random array, the terminal device determines that the edge computing gateway passes the security authentication, so as to determine that the edge computing gateway is a legitimate gateway.
214. If the edge computing gateway is confirmed to pass the security authentication, the terminal equipment decrypts the second key through the initial key to obtain a first key, and the first key is loaded;
215. the edge computing gateway judges whether the terminal equipment passes the security authentication or not through the first secret key;
steps 214 to 215 in this embodiment are similar to steps 104 to 105 in the embodiment of fig. 1, and are not described herein again.
216. If the terminal equipment passes the security authentication according to the first key, the edge computing gateway generates a temporary key, encrypts the temporary key through a service special key to generate a target temporary key, and sends the target temporary key to the terminal equipment;
in this embodiment, if the edge computing gateway determines that the terminal device passes the security authentication according to the first key, the edge computing gateway generates a set of temporary keys D, encrypts the temporary keys D by using the loaded service-specific key E, generates a target temporary key F, and sends the target temporary key F to the terminal device.
217. The terminal equipment decrypts the target temporary key through the special service key to obtain a temporary key, encrypts or signs the first service data through the temporary key to generate second service data, and sends the second service data to the edge computing gateway;
in this embodiment, when the terminal device receives the target temporary secret key F sent by the edge computing gateway, the terminal device decrypts the target temporary secret key F by using the service-specific key E to obtain the temporary secret key D, encrypts or signs the first service data by using the temporary secret key D to generate second service data, and sends the second service data to the edge computing gateway. The first service data may be the original data of the service or digest data of the service, where the digest algorithm is SHA256 or SM3.
218. The edge computing gateway decrypts or verifies the signature of the second service data through the temporary key to obtain the first service data;
in this embodiment, when the edge computing gateway receives the second service data sent by the terminal device, the edge computing gateway decrypts or verifies the signature of the second service data through the temporary secret key D to obtain the first service data collected by the terminal device. In the above steps, the secret key D is generated temporarily and is valid once only; it may be a symmetric secret key, such as an SM4 key, or an asymmetric secret key, such as a public key or private key in SM2.
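The exchange of steps 201 to 218 above, as an added simulation that is not code from the patent: the challenge-response in both directions with the authentication key, the first key wrapped under the initial key, and the one-time key D wrapped under the service-specific key E. The cipher is a constructed SHA-256 keystream stand-in for the SM4 the page names, and the form of the step-215 check through the first key (the terminal returning its own random array B encrypted under the first key) is an assumption, since the page defers that step to steps 104 and 105.

```python
"""Mutual authentication of steps 201-218 as an added simulation (not the
patent's code). The cipher is a constructed SHA-256 keystream stand-in for
the SM4 the page names; the step-215 check through the first key is an
assumption, since the page defers it to steps 104-105."""
import hashlib
import os

def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: fresh IV || (data XOR keystream(key, IV))."""
    iv = os.urandom(16)
    return iv + bytes(x ^ k for x, k in zip(data, _keystream(key, iv, len(data))))

def decrypt(key: bytes, blob: bytes) -> bytes:
    iv, body = blob[:16], blob[16:]
    return bytes(x ^ k for x, k in zip(body, _keystream(key, iv, len(body))))

class Terminal:
    def __init__(self, auth_key, init_key, service_key):
        self.auth_key, self.init_key, self.service_key = auth_key, init_key, service_key
        self.b = self.first_key = self.temp_key = None

    def answer_challenge(self, a):            # step 202: A1 = Enc(auth_key, A)
        return encrypt(self.auth_key, a)

    def new_challenge(self):                  # step 208: fresh random array B
        self.b = os.urandom(16)
        return self.b

    def check_gateway(self, b1, second_key):  # steps 210-214
        if decrypt(self.auth_key, b1) != self.b:
            return False                      # step 212: illegal gateway, stop
        self.first_key = decrypt(self.init_key, second_key)  # step 214: unwrap K1
        return True

    def prove_first_key(self):                # step 215, assumed form: Enc(K1, B)
        return encrypt(self.first_key, self.b)

    def send_service_data(self, f, data):     # step 217: D = Dec(E, F); Enc(D, data)
        self.temp_key = decrypt(self.service_key, f)
        return encrypt(self.temp_key, data)

class Gateway:
    def __init__(self, auth_key, init_key, service_key):
        self.auth_key, self.init_key, self.service_key = auth_key, init_key, service_key
        self.a = self.b = self.first_key = self.temp_key = None

    def new_challenge(self):                  # step 201: fresh random array A
        self.a = os.urandom(16)
        return self.a

    def check_terminal(self, a1):             # steps 203-207
        if decrypt(self.auth_key, a1) != self.a:
            return None                       # step 205: illegal terminal, stop
        self.first_key = os.urandom(16)       # step 207: K1 wrapped under init key
        return encrypt(self.init_key, self.first_key)

    def answer_challenge(self, b):            # step 209: B1 = Enc(auth_key, B)
        self.b = b
        return encrypt(self.auth_key, b)

    def issue_temp_key(self, proof):          # steps 215-216
        if decrypt(self.first_key, proof) != self.b:
            return None
        self.temp_key = os.urandom(16)        # one-time key D
        return encrypt(self.service_key, self.temp_key)  # F = Enc(E, D)

    def receive(self, second_data):           # step 218
        return decrypt(self.temp_key, second_data)

def run_session(terminal, gateway, first_service_data):
    """One session: returns the recovered data, or why a side aborted."""
    second_key = gateway.check_terminal(terminal.answer_challenge(gateway.new_challenge()))
    if second_key is None:
        return "terminal rejected"
    if not terminal.check_gateway(gateway.answer_challenge(terminal.new_challenge()), second_key):
        return "gateway rejected"
    f = gateway.issue_temp_key(terminal.prove_first_key())
    if f is None:
        return "first key rejected"
    return gateway.receive(terminal.send_service_data(f, first_service_data))
```

With a plain stream cipher, a wrong service-specific key at step 217 yields garbage rather than a rejection at step 218, which is why the digest or signature the page mentions for the service data (SHA256 or SM3) matters in practice.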
The above describes a bidirectional authentication encryption method provided by the present application, and a bidirectional authentication encryption system provided by the present application is described as follows:
referring to fig. 3, fig. 3 is a diagram illustrating an embodiment of a bidirectional authentication encryption system according to the present application, where the bidirectional authentication encryption system includes:
an edge computing gateway 301 and a terminal device 302;
the edge computing gateway 301 is configured to determine whether the terminal device 302 passes the security authentication through a first random array, where the first array is an array randomly generated by the edge computing gateway 301;
the edge computing gateway 301 is further configured to generate a first key if it is determined that the terminal device 302 passes the security authentication, encrypt the first key by using the initial key to obtain a second key, and send the second key to the terminal device 302;
the terminal device 302 is configured to determine whether the edge computing gateway 301 passes the security authentication through a second random array, where the second array is an array randomly generated by the terminal device 302;
the terminal device 302 is further configured to, if it is determined that the edge computing gateway 301 passes the security authentication, decrypt the second key with the initial key to obtain the first key, and load the first key;
the edge computing gateway 301 is further configured to determine whether the terminal device 302 passes security authentication through the first key;
the edge computing gateway 301 is further configured to generate a target temporary key if it is determined that the terminal device 302 passes the security authentication according to the first key, and send the target temporary key to the terminal device 302;
the terminal device 302 is further configured to encrypt or sign the first service data with the target temporary key, generate second service data, and send the second service data to the edge computing gateway 301;
the edge computing gateway 301 is further configured to decrypt or verify the second service data to obtain the first service data.
Optionally, the edge computing gateway 301 is specifically configured to generate a first random array, and send the first random array to the terminal device 302;
the terminal device 302 is specifically configured to encrypt the first random array by using the authentication key, obtain a first encrypted array, and send the first encrypted array to the edge computing gateway 301;
the edge computing gateway 301 is specifically configured to decrypt the first encrypted array through the authentication key to obtain a first decrypted array;
the edge computing gateway 301 is specifically configured to determine whether the first decryption array is the same as the first random array;
the edge computing gateway 301 is specifically configured to determine that the terminal device 302 passes the security authentication if the first decryption array is the same as the first random array.
Optionally, the edge computing gateway 301 is specifically configured to:
if the first decryption array is not the same as the first random array, it is determined that the terminal device 302 fails the security authentication.
Optionally, the terminal device 302 is specifically configured to generate a second random array, and send the second random array to the edge computing gateway 301;
the edge computing gateway 301 is specifically configured to encrypt the second random array by using the authentication key, obtain a second encrypted array, and send the second encrypted array to the terminal device 302;
the terminal device 302 is specifically configured to decrypt the second encrypted array through the authentication key to obtain a second decrypted array;
the terminal device 302 is specifically configured to determine whether the second decryption array is the same as the second random array;
the terminal device 302 is specifically configured to determine that the edge computing gateway 301 passes the security authentication if the second decryption array is the same as the second random array.
Optionally, the terminal device 302 is specifically configured to: if the second decryption array is not the same as the second random array, it is determined that the edge computing gateway 301 fails the security authentication.
Optionally, the edge computing gateway 301 is specifically configured to: if the terminal device 302 passes the security authentication, generating a temporary key, encrypting the temporary key by using a service-specific key, generating a target temporary key, and sending the target temporary key to the terminal device 302;
the terminal device 302 is specifically configured to encrypt or sign the first service data by using the target temporary key, generate second service data, and send the second service data to the edge computing gateway 301, where the sending of the second service data includes:
the terminal device 302 is specifically configured to decrypt the target temporary key through the service private key to obtain the temporary key, encrypt or sign the first service data through the temporary key to generate second service data, and send the second service data to the edge computing gateway 301;
the edge computing gateway 301 is specifically configured to decrypt or verify the second service data, and obtaining the first service data includes:
the edge computing gateway 301 is specifically configured to decrypt or verify the second service data by using the temporary key to obtain the first service data.
In the system of this embodiment, the functions executed by each unit correspond to the steps in the method embodiments shown in fig. 1 and fig. 2, and are not described herein again.
Referring to fig. 4, fig. 4 is an embodiment of a bidirectional authentication encryption apparatus provided in the present application, where the bidirectional authentication encryption apparatus includes:
a processor 401, a memory 402, an input-output unit 403, a bus 404;
the processor 401 is connected to the memory 402, the input/output unit 403, and the bus 404;
the memory 402 holds a program that the processor 401 calls to perform any of the methods described above.
The present application also relates to a computer-readable storage medium having a program stored thereon, which, when run on a computer, causes the computer to perform any one of the above-described mutual authentication encryption methods.
It can be clearly understood by those skilled in the art that, for convenience and simplicity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, a division of a unit is merely a logical division, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
Units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solutions of the present application, which are essential or part of the technical solutions contributing to the prior art, or all or part of the technical solutions, may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods of the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a read-only memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and the like.

Claims (10)

1. A mutual authentication encryption method, characterized in that the mutual authentication encryption method comprises:
the edge computing gateway judges whether the terminal equipment passes the safety certification or not through a first random array, wherein the first array is an array randomly generated by the edge computing gateway;
if the terminal equipment passes the security authentication, the edge computing gateway generates a first key, encrypts the first key through an initial key to obtain a second key, and sends the second key to the terminal equipment;
the terminal equipment judges whether the edge computing gateway passes the safety certification or not through a second random array, wherein the second array is an array randomly generated by the terminal equipment;
if the edge computing gateway is confirmed to pass the security authentication, the terminal equipment decrypts the second key through the initial key to obtain the first key, and loads the first key;
the edge computing gateway judges whether the terminal equipment passes the security authentication or not through the first secret key;
if the terminal equipment passes the security authentication according to the first key, the edge computing gateway generates a target temporary key and sends the target temporary key to the terminal equipment;
the terminal equipment encrypts or signs the first service data through the target temporary secret key to generate second service data, and sends the second service data to the edge computing gateway;
and the edge computing gateway decrypts or verifies the signature of the second service data to obtain the first service data.
2. The mutual authentication encryption method according to claim 1, wherein the edge computing gateway determines whether the terminal device passes the security authentication through a first random array, and the first array is an array randomly generated by the edge computing gateway and includes:
the edge computing gateway generates a first random array and sends the first random array to the terminal equipment;
the terminal equipment encrypts the first random array through an authentication key to obtain a first encrypted array, and sends the first encrypted array to the edge computing gateway;
the edge computing gateway decrypts the first encrypted array through the authentication key to obtain a first decrypted array;
the edge computing gateway judges whether the first decryption array is the same as the first random array;
and if the first decryption array is the same as the first random array, the edge computing gateway determines that the terminal equipment passes the security authentication.
3. The bi-directional authentication encryption method according to claim 2, wherein after the edge computing gateway determines whether the first decryption array and the first random array are the same, the bi-directional authentication encryption method further comprises:
and if the first decryption array is different from the first random array, the edge computing gateway determines that the terminal equipment does not pass the security authentication.
4. The mutual authentication encryption method according to claim 2, wherein the terminal device determines whether the edge computing gateway passes the security authentication through a second random array, and the second array is an array randomly generated by the terminal device and includes:
the terminal equipment generates a second random array and sends the second random array to the edge computing gateway;
the edge computing gateway encrypts the second random array through the authentication key to obtain a second encrypted array, and sends the second encrypted array to the terminal equipment;
the terminal equipment decrypts the second encrypted array through the authentication key to obtain a second decrypted array;
the terminal equipment judges whether the second decryption array is the same as the second random array or not;
and if the second decryption array is the same as the second random array, the terminal equipment determines that the edge computing gateway passes the security authentication.
5. The mutual authentication encryption method according to claim 4, wherein after the terminal device determines whether the second decryption array and the second random array are the same, the mutual authentication encryption method further comprises:
and if the second decryption array is different from the second random array, the terminal equipment determines that the edge computing gateway does not pass the security authentication.
6. The mutual authentication encryption method according to any one of claims 1 to 5, wherein if the terminal device passes secure authentication, the edge computing gateway generates a target temporary key, and sends the target temporary key to the terminal device includes:
if the terminal equipment passes the security authentication, the edge computing gateway generates a temporary secret key, encrypts the temporary secret key through a service special secret key to generate a target temporary secret key, and sends the target temporary secret key to the terminal equipment;
the terminal equipment encrypts or signs the first service data through the target temporary key to generate second service data, and the sending of the second service data to the edge computing gateway comprises the following steps:
the terminal equipment decrypts the target temporary secret key through the special secret key of the service to obtain the temporary secret key, encrypts or signs first service data through the temporary secret key to generate second service data, and sends the second service data to the edge computing gateway;
the decrypting or signature checking of the second service data by the edge computing gateway to obtain the first service data comprises:
and the edge computing gateway decrypts or verifies the signature of the second service data through the temporary key to obtain the first service data.
7. A two-way authentication encryption system, comprising:
an edge computing gateway and a terminal device;
the edge computing gateway is used for judging whether the terminal equipment passes the safety certification or not through a first random array, and the first array is an array randomly generated by the edge computing gateway;
the edge computing gateway is further configured to generate a first key if it is determined that the terminal device passes security authentication, encrypt the first key by using an initial key to obtain a second key, and send the second key to the terminal device;
the terminal equipment is used for judging whether the edge computing gateway passes the safety certification or not through a second random array, and the second array is an array randomly generated by the terminal equipment;
the terminal device is further configured to decrypt the second key through the initial key to obtain the first key if it is determined that the edge computing gateway passes security authentication, and load the first key;
the edge computing gateway is also used for judging whether the terminal equipment passes the security authentication or not through the first secret key;
the edge computing gateway is further used for generating a target temporary secret key and sending the target temporary secret key to the terminal equipment if the terminal equipment is determined to pass the security authentication according to the first secret key;
the terminal equipment is also used for encrypting or signing the first service data through the target temporary secret key to generate second service data and sending the second service data to the edge computing gateway;
the edge computing gateway is further configured to decrypt or verify the signature of the second service data to obtain the first service data.
8. The mutual authentication encryption system according to claim 7, wherein the edge computing gateway is specifically configured to generate a first random array and send the first random array to a terminal device;
the terminal device is specifically configured to encrypt the first random array through an authentication key, obtain a first encrypted array, and send the first encrypted array to the edge computing gateway;
the edge computing gateway is specifically configured to decrypt the first encrypted array through the authentication key to obtain a first decrypted array;
the edge computing gateway is specifically configured to determine whether the first decryption array is the same as the first random array;
the edge computing gateway is specifically configured to determine that the terminal device passes security authentication if the first decryption array is the same as the first random array.
9. A mutual authentication encryption apparatus, comprising:
the device comprises a processor, a memory, an input and output unit and a bus;
the processor is connected with the memory, the input and output unit and the bus;
the memory holds a program that the processor calls to perform the method of any one of claims 1 to 6.
10. A computer-readable storage medium having a program stored thereon, the program, when executed on a computer, performing the method of any one of claims 1 to 6.
CN202211463512.2A 2022-11-21 2022-11-21 Bidirectional authentication encryption method, system, device and storage medium Pending CN115865434A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211463512.2A CN115865434A (en) 2022-11-21 2022-11-21 Bidirectional authentication encryption method, system, device and storage medium

Publications (1)

Publication Number Publication Date
CN115865434A true CN115865434A (en) 2023-03-28

Family

ID=85664696

Country Status (1)

Country Link
CN (1) CN115865434A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination