CN118057760A - Authentication method and device - Google Patents
Authentication method and device Download PDFInfo
- Publication number
- CN118057760A CN118057760A CN202211444441.1A CN202211444441A CN118057760A CN 118057760 A CN118057760 A CN 118057760A CN 202211444441 A CN202211444441 A CN 202211444441A CN 118057760 A CN118057760 A CN 118057760A
- Authority
- CN
- China
- Prior art keywords
- terminal
- signature
- parameter
- authentication
- key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 110
- 238000004422 calculation algorithm Methods 0.000 claims abstract description 118
- 230000005540 biological transmission Effects 0.000 claims abstract description 38
- 238000012795 verification Methods 0.000 claims description 23
- 238000003860 storage Methods 0.000 claims description 14
- 239000000758 substrate Substances 0.000 claims 1
- 238000004891 communication Methods 0.000 abstract description 34
- 230000002457 bidirectional effect Effects 0.000 abstract description 13
- 230000036541 health Effects 0.000 description 84
- 238000012806 monitoring device Methods 0.000 description 45
- 238000012544 monitoring process Methods 0.000 description 23
- 230000008569 process Effects 0.000 description 17
- 238000010586 diagram Methods 0.000 description 9
- 230000006870 function Effects 0.000 description 9
- 238000004590 computer program Methods 0.000 description 8
- 230000003993 interaction Effects 0.000 description 7
- 238000012545 processing Methods 0.000 description 7
- 239000008280 blood Substances 0.000 description 6
- 210000004369 blood Anatomy 0.000 description 6
- WQZGKKKJIJFFOK-GASJEMHNSA-N Glucose Natural products OC[C@H]1OC(O)[C@H](O)[C@@H](O)[C@@H]1O WQZGKKKJIJFFOK-GASJEMHNSA-N 0.000 description 4
- 239000008103 glucose Substances 0.000 description 4
- 238000007405 data analysis Methods 0.000 description 3
- 238000009826 distribution Methods 0.000 description 3
- 238000005516 engineering process Methods 0.000 description 3
- 230000006872 improvement Effects 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 230000003287 optical effect Effects 0.000 description 3
- LEHOTFFKMJEONL-UHFFFAOYSA-N Uric Acid Chemical compound N1C(=O)NC(=O)C2=C1NC(=O)N2 LEHOTFFKMJEONL-UHFFFAOYSA-N 0.000 description 2
- TVWHNULVHGKJHS-UHFFFAOYSA-N Uric acid Natural products N1C(=O)NC(=O)C2NC(=O)NC21 TVWHNULVHGKJHS-UHFFFAOYSA-N 0.000 description 2
- 238000013473 artificial intelligence Methods 0.000 description 2
- QVGXLLKOCUKJST-UHFFFAOYSA-N atomic oxygen Chemical compound [O] QVGXLLKOCUKJST-UHFFFAOYSA-N 0.000 description 2
- 230000036772 blood pressure Effects 0.000 description 2
- 238000004364 calculation method Methods 0.000 description 2
- 230000002950 deficient Effects 0.000 description 2
- 229910052760 oxygen Inorganic materials 0.000 description 2
- 239000001301 oxygen Substances 0.000 description 2
- 229940116269 uric acid Drugs 0.000 description 2
- 230000001413 cellular effect Effects 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000001514 detection method Methods 0.000 description 1
- 230000002452 interceptive effect Effects 0.000 description 1
- 230000002427 irreversible effect Effects 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 238000010801 machine learning Methods 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 238000013507 mapping Methods 0.000 description 1
- 239000013307 optical fiber Substances 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 230000001953 sensory effect Effects 0.000 description 1
- 230000011664 signaling Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 230000000007 visual effect Effects 0.000 description 1
Landscapes
- Telephonic Communication Services (AREA)
Abstract
The disclosure provides an authentication method and device, and relates to the technical field of communication. The method comprises the following steps: acquiring an authentication key corresponding to the address information of the second terminal; transmitting a first signature, wherein the first signature is obtained by the first terminal through a first signature algorithm based on a first parameter; receiving feedback information for verifying that the first signature is valid by the second terminal; receiving a second signature sent by a second terminal, wherein the second signature is obtained by the second terminal through a second signature algorithm based on a second parameter; verifying whether the second signature is valid; when the second signature is valid, data transmission is performed; wherein the first parameter and/or the second parameter comprises an authentication key. The method and the device realize bidirectional authentication, solve the safety problem existing in the existing unidirectional authentication, ensure that both communication parties are mutually trusted parties, and improve the use safety of equipment.
Description
Technical Field
The disclosure relates to the field of communication technologies, and in particular, to an authentication method and device.
Background
In recent years, with the improvement of living standard, people pay more attention to their own health. Effective protection of user privacy data, particularly personal health information, has been a security concern of major concern in the industry. Health monitoring devices are a common type of sensor device that can provide one or more indicators related to human health. The health monitoring equipment is authenticated, so that the counterfeits of the health monitoring equipment with defective functions can be identified in time, and the risks that health information is easy to leak and the like are avoided.
However, in the related technology, mostly, one-way authentication is adopted, so that safety problems such as health data leakage and data analysis errors are easy to occur.
Disclosure of Invention
The disclosure provides an authentication method, an authentication device, electronic equipment and a storage medium.
According to a first aspect of the present disclosure, there is provided an authentication method, which is applied to a first terminal, the method comprising: acquiring an authentication key corresponding to the address information of the second terminal; transmitting a first signature, wherein the first signature is obtained by the first terminal through a first signature algorithm based on a first parameter; receiving feedback information for verifying that the first signature is valid by the second terminal; receiving a second signature sent by a second terminal, wherein the second signature is obtained by the second terminal through a second signature algorithm based on a second parameter; verifying whether the second signature is valid; when the second signature is valid, data transmission is performed; wherein the first parameter and/or the second parameter comprises the authentication key.
In some embodiments, the method further comprises: generating a public key of the first terminal and a private key of the first terminal; transmitting a public key of the first terminal; a public key of the second terminal is received.
In some embodiments, the first parameter comprises a public key of the first terminal; and/or the second parameter comprises a public key of the second terminal; and/or the first parameter comprises a current time, the method further comprising transmitting the current time; and/or the second parameter comprises a current time, the method further comprising receiving the current time; and/or the first parameter and/or the second parameter comprises address information; and/or the authentication key comprises more than two authentication keys, and the method further comprises sending the number of the authentication key comprising the first parameter and/or receiving the number of the authentication key comprising the second parameter.
In some embodiments, performing the data transmission includes: generating a shared key of the first terminal and the second terminal based on the public key of the second terminal and the private key of the first terminal; the transmitted data is encrypted or decrypted using the shared secret key.
According to the embodiment of the disclosure, the authentication key corresponding to the address information of the second terminal is obtained; transmitting a first signature, wherein the first signature is obtained by the first terminal through a first signature algorithm based on a first parameter; receiving feedback information for verifying that the first signature is valid by the second terminal; receiving a second signature sent by a second terminal, wherein the second signature is obtained by the second terminal through a second signature algorithm based on a second parameter; verifying whether the second signature is valid; when the second signature is valid, data transmission is performed; wherein the first parameter and/or the second parameter comprises an authentication key; the bidirectional authentication is realized, the safety problem existing in the existing unidirectional authentication is solved, both communication parties are ensured to be mutually trusted parties, and the use safety of the equipment is improved.
According to a second aspect of the present disclosure, there is provided an authentication method applied to a second terminal, the method comprising: receiving a first signature sent by a first terminal, wherein the first signature is obtained by the first terminal through a first signature algorithm based on a first parameter; verifying whether the first signature is valid; when the first signature is valid, a second signature is sent, wherein the second signature is obtained by the second terminal through a second signature algorithm based on a second parameter; receiving feedback information for verifying that the second signature is valid by the first terminal; carrying out data transmission; wherein the first parameter and/or the second parameter comprises an authentication key corresponding to address information of the second terminal.
In some embodiments, the method further comprises: receiving a public key of the first terminal; generating a public key of the second terminal and a private key of the second terminal; and sending the public key of the second terminal.
In some embodiments, the first parameter comprises a public key of the first terminal; and/or the second parameter comprises a public key of the second terminal; and/or the first parameter comprises a current time, the method further comprising receiving the current time; and/or the second parameter comprises a current time, the method further comprising transmitting the current time; and/or the first parameter and/or the second parameter comprises address information; and/or the authentication key comprises more than two authentication keys, the method further comprises receiving the number of the authentication key comprised by the first parameter and/or transmitting the number of the authentication key comprised by the second parameter.
In some embodiments, performing the data transmission includes: generating a shared key of the first terminal and the second terminal based on the public key of the first terminal and the private key of the second terminal; the transmitted data is encrypted or decrypted using the shared secret key.
According to the embodiment of the disclosure, by receiving a first signature sent by a first terminal, the first signature is obtained by the first terminal through a first signature algorithm based on a first parameter; verifying whether the first signature is valid, and when the first signature is valid, transmitting a second signature, wherein the second signature is obtained by the second terminal through a second signature algorithm based on a second parameter; receiving feedback information for verifying that the second signature is valid by the first terminal; carrying out data transmission; wherein the first parameter and/or the second parameter comprises an authentication key corresponding to the address information of the second terminal; the bidirectional authentication is realized, the safety problem existing in the existing unidirectional authentication is solved, both communication parties are ensured to be mutually trusted parties, and the use safety of the equipment is improved.
According to a third aspect of the present disclosure, there is provided an authentication apparatus, the apparatus being applied to a first terminal, the apparatus comprising: an acquisition unit for acquiring an authentication key corresponding to address information of the second terminal; the sending unit is used for sending a first signature, wherein the first signature is obtained by the first terminal through a first signature algorithm based on a first parameter; the first receiving unit is used for receiving feedback information for verifying that the first signature is valid by the second terminal; the second receiving unit is used for receiving a second signature sent by the second terminal, wherein the second signature is obtained by the second terminal through a second signature algorithm based on a second parameter; a verification unit for verifying whether the second signature is valid; the data transmission unit is used for transmitting data when the second signature is valid; wherein the first parameter and/or the second parameter comprises an authentication key.
According to the embodiment of the disclosure, an authentication key corresponding to address information of a second terminal is obtained through the authentication device applied to the first terminal; transmitting a first signature, wherein the first signature is obtained by the first terminal through a first signature algorithm based on a first parameter; receiving feedback information for verifying that the first signature is valid by the second terminal; receiving a second signature sent by a second terminal, wherein the second signature is obtained by the second terminal through a second signature algorithm based on a second parameter; verifying whether the second signature is valid; when the second signature is valid, data transmission is performed; wherein the first parameter and/or the second parameter comprises the authentication key; the bidirectional authentication is realized, the safety problem existing in the existing unidirectional authentication is solved, both communication parties are ensured to be mutually trusted parties, and the use safety of the equipment is improved.
According to a fourth aspect of the present disclosure, there is provided an authentication apparatus, the apparatus being applied to a second terminal, the apparatus comprising: the first receiving unit is used for receiving a first signature sent by the first terminal, wherein the first signature is obtained by the first terminal through a first signature algorithm based on a first parameter; a verification unit configured to verify whether the first signature is valid; the sending unit is used for sending a second signature when the first signature is valid, wherein the second signature is obtained by the second terminal through a second signature algorithm based on a second parameter; the second receiving unit is used for receiving feedback information for verifying that the second signature is valid by the first terminal; the data transmission unit is used for carrying out data transmission; wherein the first parameter and/or the second parameter comprises an authentication key corresponding to the address information of the second terminal.
According to the embodiment of the disclosure, through the authentication device applied to the second terminal, a first signature sent by the first terminal is received, wherein the first signature is obtained by the first terminal through a first signature algorithm based on a first parameter; verifying whether the first signature is valid, and when the first signature is valid, transmitting a second signature, wherein the second signature is obtained by the second terminal through a second signature algorithm based on a second parameter; receiving feedback information for verifying that the second signature is valid by the first terminal; carrying out data transmission, wherein the first parameter and/or the second parameter comprises an authentication key corresponding to the address information of the second terminal; the bidirectional authentication is realized, the safety problem existing in the existing unidirectional authentication is solved, both communication parties are ensured to be mutually trusted parties, and the use safety of the equipment is improved.
According to a fifth aspect of the present disclosure, there is provided an electronic device comprising:
At least one processor; and
A memory communicatively coupled to the at least one processor; wherein,
The memory stores executable instructions that enable the at least one processor to perform the method of the first or second aspect described above.
According to a sixth aspect of the present disclosure there is provided a non-transitory computer readable storage medium storing computer instructions for performing the method of the foregoing first or second aspect.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the application or to delineate the scope of the application. Other features of the present application will become apparent from the description that follows.
Drawings
The drawings are for a better understanding of the present solution and are not to be construed as limiting the present disclosure. Wherein:
Fig. 1 is a schematic flow chart of an authentication method according to an embodiment of the disclosure;
fig. 2 is a schematic flow chart of an authentication method according to an embodiment of the disclosure;
Fig. 3 is a schematic flow chart of an authentication method according to an embodiment of the disclosure;
Fig. 4 is a schematic flow chart of an authentication method according to an embodiment of the disclosure;
Fig. 5 is an interaction schematic diagram of an authentication method according to an embodiment of the disclosure
Fig. 6 is a schematic structural diagram of an authentication device according to an embodiment of the present disclosure;
fig. 7 is a schematic structural diagram of an authentication device according to an embodiment of the present disclosure;
fig. 8 is a schematic block diagram of an example electronic device 800 provided by an embodiment of the disclosure.
Detailed Description
Exemplary embodiments of the present disclosure are described below in conjunction with the accompanying drawings, which include various details of the embodiments of the present disclosure to facilitate understanding, and should be considered as merely exemplary. Accordingly, one of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the present disclosure. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
An authentication method, apparatus, electronic device, and storage medium of embodiments of the present disclosure are described below with reference to the accompanying drawings.
In recent years, with the improvement of living standard, people pay more attention to their own health. Effective protection of user privacy data, particularly personal health information, has been a security concern of major concern in the industry. Health monitoring devices are a common type of sensor device that can provide one or more indicators related to human health. The health monitoring equipment is authenticated, so that the counterfeits of the health monitoring equipment with defective functions can be identified in time, and the risks that health information is easy to leak and the like are avoided.
However, in the related technology, mostly, one-way authentication is adopted, so that safety problems such as health data leakage and data analysis errors are easy to occur.
In particular, in the authentication, two-way authentication is rarely performed in the related art. For example, if the health device lacks authentication of the monitoring software, health data leakage is easily caused; if the monitoring software lacks authentication on the health equipment, data analysis errors can occur to different types or versions of health software due to inconsistent data formats, so that the reliability of the health monitoring system is affected; the healthy equipment imitated by the third party cannot be correctly screened if the third party exists.
In addition, in the aspect of encryption, a plurality of health monitoring devices and health monitoring software communicate through Bluetooth, in the aspect of data transmission, the encryption which is simply dependent on a Bluetooth protocol stack cannot prevent Bluetooth sniffing software from stealing health data, and the safety is low. Other devices and software use symmetric encryption algorithms, but only use a preset set or sets of keys, which risk leakage after the software is decompiled, and theft if the keys are transmitted in the bluetooth channel.
To this end, the present disclosure proposes an authentication method, which includes: acquiring an authentication key corresponding to the address information of the second terminal; transmitting a first signature, wherein the first signature is obtained by the first terminal through a first signature algorithm based on a first parameter; receiving feedback information for verifying that the first signature is valid by the second terminal; receiving a second signature sent by a second terminal, wherein the second signature is obtained by the second terminal through a second signature algorithm based on a second parameter; verifying whether the second signature is valid; when the second signature is valid, data transmission is performed; wherein the first parameter and/or the second parameter comprises an authentication key. The authentication method provided by the disclosure realizes bidirectional authentication, solves the security problem existing in the existing unidirectional authentication, ensures that both communication parties are mutually trusted parties, and improves the use security of equipment.
The authentication method provided by the present disclosure may be applied to a device having a wireless communication function, and the application scenario is not limited in the embodiment of the present disclosure, and the health monitoring scenario is mainly taken as an example in the present disclosure.
An authentication method, apparatus, electronic device, storage medium, and program product for implementing the present disclosure are described in detail below with reference to the accompanying drawings.
Fig. 1 is a flowchart of an authentication method according to an embodiment of the disclosure. As shown in fig. 1, the method is applied to a first terminal, which may be a client, such as a personal computer, a mobile terminal, a dedicated client device, etc., preferably a smart phone, comprising the steps of:
Step 101, an authentication key corresponding to the address information of the second terminal is obtained.
In one implementation of the present disclosure, a user may log into monitoring software of a first terminal (e.g., a client) using an account and password; the client may obtain sets of authentication keys corresponding to address information of the second terminal (e.g., the health monitoring device) from the authentication server. The address information is a unique number of the health monitoring device, and may be a product Serial Number (SN) of the device, a UUID, a MAC address of the device, or other unique number for identifying the device.
Step 102, a first signature is sent, wherein the first signature is obtained by the first terminal through a first signature algorithm based on the first parameter.
In one implementation of the disclosure, the client generates a first signature according to a first signature algorithm by using an authentication key corresponding to address information of the health monitoring device, which is acquired from an authentication server, and sends the first signature to the health monitoring device. The first parameter is a corresponding parameter required for generating the first signature, and comprises an authentication key, a public key of the first terminal, current time and address information.
The first signature algorithm is a signature algorithm built in the client, and the first signature algorithm can be a hash algorithm.
The Hash algorithm (Hash algorithm, hash formula, hash algorithm, message digest algorithm) maps binary values of arbitrary length to shorter fixed length binary values, this small binary value being called the Hash value. Hash values are a unique and extremely compact representation of a piece of data. The hash value of the data may verify the integrity of the data. Typically for fast look-up and encryption algorithms. Briefly, a Hash (Hash) algorithm, i.e., a Hash function. It is a one-way cryptosystem, i.e. it is an irreversible mapping from plaintext to ciphertext, with only encryption and no decryption. Meanwhile, the hash function can obtain the output with fixed length after the input with any length is changed. This unidirectional feature of the hash function and the fixed length of the output data enable it to generate messages or data.
And step 103, receiving feedback information for verifying that the first signature is valid by the second terminal.
In one embodiment of the disclosure, the health monitoring device verifies whether the first signature sent by the client is valid, sends feedback information to the client if the first signature is valid, and ends the communication if the first signature is invalid.
And 104, receiving a second signature sent by the second terminal, wherein the second signature is obtained by the second terminal through a second signature algorithm based on a second parameter.
In one embodiment of the present disclosure, the health monitoring device generates a signature according to a second signature algorithm and sends the second signature to the client. The second parameter is a corresponding parameter required for generating the second signature, and comprises an authentication key, a public key of the second terminal, current time and address information.
The second signature is a signature algorithm built in the health monitoring device, and the second signature algorithm and the first signature algorithm may be the same or different, for example, may be a hash algorithm, but some algorithm parameters or variables are different.
Step 105, verifies whether the second signature is valid.
In one embodiment of the disclosure, the client verifies whether the second signature sent by the health monitoring device is valid through a built-in signature verification algorithm of the second terminal.
And 106, when the second signature is valid, performing data transmission.
In one embodiment of the present disclosure, the second signature is considered valid if the current time is greater than the time of the previous authentication and the second signature is equal to the verification signature of the client. And when the second signature is valid, data transmission is performed. Wherein the client and the health monitoring device each generate a shared key; the client and health monitoring device may encrypt and decrypt data information via the shared key. If the current time is less than or equal to the time of the previous authentication, the second signature is verified to be invalid, and the communication is ended.
Thus, according to an embodiment of the present disclosure, by acquiring an authentication key corresponding to address information of a second terminal; transmitting a first signature, wherein the first signature is obtained by the first terminal through a first signature algorithm based on a first parameter; receiving feedback information for verifying that the first signature is valid by the second terminal; receiving a second signature sent by a second terminal, wherein the second signature is obtained by the second terminal through a second signature algorithm based on a second parameter; verifying whether the second signature is valid; when the second signature is valid, data transmission is performed, wherein the first parameter and/or the second parameter comprises an authentication key, bidirectional authentication is realized, the safety problem existing in the existing unidirectional authentication is solved, both communication parties are mutually trusted parties, and the use safety of equipment is improved.
Fig. 2 is a flow chart of an authentication method according to an embodiment of the disclosure. Step 102 is further defined in fig. 2 based on the embodiment shown in fig. 1. In the embodiment shown in fig. 2, step 203 (corresponding to step 102 in fig. 1) is preceded by step 202. As shown in fig. 2, the method is applied to a first terminal, which may be a client, such as a personal computer, a mobile terminal, a dedicated client device, etc., preferably a smart phone, the method comprising the steps of:
step 201, an authentication key corresponding to the address information of the second terminal is obtained.
In some embodiments of the present disclosure, the client obtains an authentication key corresponding to address information of the health monitoring device from the authentication server, and generates a first signature from the authentication key.
Specifically, the client acquires an authentication key corresponding to address information of the health monitoring device from the server in an encrypted data transmission mode. The client monitoring software stores the authentication key in an encrypted manner. The health monitoring device stores the authentication key in an encrypted manner at the time of shipment.
The authentication keys corresponding to the address information of the health monitoring equipment can be one group or multiple groups, and when the authentication keys are multiple groups, one group of authentication keys is randomly selected at a time to generate a signature. The address information, also referred to as device identification information, is a unique number of the health monitoring device, and may be a product Serial Number (SN) of the device, a UUID, a MAC address of the device, or other unique number identifying the device. The MAC Address (MEDIA ACCESS Control Address), which is interpreted as a medium access Control Address, also called a local area network Address (LAN ADDRESS), a MAC Address, an ethernet Address (ETHERNET ADDRESS) or a physical Address (PHYSICAL ADDRESS), is an Address used to identify the location of the network device.
It should be noted that, the client monitoring software may obtain the address information of the health monitoring device through manual input, code scanning, NFC, bluetooth, and the like. The authentication key corresponding to the address information of the health monitoring equipment is written into the database of the embedded software and the authentication server of the health monitoring equipment before the health monitoring equipment leaves the factory.
Step 202, generating a public key of the first terminal and a private key of the first terminal.
In some embodiments of the present disclosure, the first terminal monitoring software generates a public key and a private key of the first terminal using its corresponding ECDH algorithm, and transmits the generated public key to the second terminal while receiving the public key of the second terminal. In other words, the first terminal negotiates a key with the second terminal by exchanging public keys through the ECDH algorithm.
ECDH is known as elliptic curve diffie-hellman key Exchange (Elliptic Curve Diffie-HELLMAN KEY Exchange), which is used to establish secure common encrypted data in an insecure channel, and is generally exchanged for public keys. The ECDH algorithm parties may generate a shared key from the exchanged public key, which is typically used by both parties in subsequent data transmissions as a "symmetric encryption" key.
Step 203, a first signature is sent, wherein the first signature is obtained by the first terminal through a first signature algorithm based on the first parameter.
In some embodiments of the present disclosure, the first signature algorithm may generate the first signature using address information of the health monitoring device, the current time, and the public key of the first terminal generated in step 202, in addition to the authentication key. The first parameter includes a public key of the first terminal, address information, an authentication key, a current time. It will be appreciated that the first signature is generated based on the first parameter.
In addition, in some embodiments, the client further obtains encryption algorithm parameters of the first signature algorithm from the authentication server. Or in other embodiments, the encryption algorithm parameters of the first signature algorithm are built into the client monitoring software. It should be understood that the encryption algorithm parameters of the signature algorithm refer to some parameters of the algorithm itself, not the variables required by the signature algorithm to generate the signature or the parameters corresponding to the generated signature (e.g., the first parameter or the second parameter). The value of the encryption algorithm parameter employed by the same device or terminal during use is unchanged, while the value of the first parameter or the second parameter employed by the same device or terminal each time a signature is generated is different. The aforementioned parameters of address information, authentication key, current time, public key, etc. belong to variables required for the signature algorithm to generate the signature, or corresponding parameters (such as the first parameter or the second parameter) called the signature, and are not encryption algorithm parameters of the signature algorithm.
In some embodiments of the present disclosure, the method further comprises transmitting the current time, the number of the authentication key included in the first parameter, and the public key of the first terminal, concurrently with transmitting the first signature.
Specifically, when the client sends the generated first signature to the health monitoring device, a part of first parameters except the authentication key need to be sent, including the current time, the public key of the first terminal, and the number of the authentication key (under the condition that the health monitoring device has multiple groups of corresponding authentication keys), which are used for assisting the second terminal to verify whether the first signature is valid.
And if a plurality of groups of authentication keys exist, the number of the authentication key is the number of the authentication key which is randomly selected from the plurality of groups of authentication keys and is used for generating the first signature by the secondary authentication.
And step 204, receiving feedback information for verifying that the first signature is valid by the second terminal.
In some embodiments of the disclosure, the health monitoring device receives the first signature, performs calculation verification according to a built-in client signature verification algorithm, and considers the first signature valid and returns correct information to the client if the current time is greater than the previous authentication time and the verification signature of the health monitoring device is equal to the first signature; otherwise, returning error information to the client, and ending the flow.
Step 205 verifies whether the second signature is valid.
In some embodiments of the present disclosure, the second signature is obtained by the second terminal through a second signature algorithm based on the second parameter. In some embodiments of the present disclosure, a second signature transmitted by a second terminal is received, while a portion of a second parameter transmitted by the second terminal is received. The second parameter includes a public key of the second terminal, a current time, address information of the second terminal, and an authentication key, but the second terminal does not transmit the authentication key, but transmits a number of the authentication key employed in the generation of the second signature by the current authentication process in the case that there are multiple sets of authentication keys. Meanwhile, the address information of the second terminal is known information for the first terminal, the second terminal does not need to send the address information at the moment, and the first terminal does not need to receive the address information at the moment.
Specifically, the client receives the second signature, and the public key, the current time and the number of the authentication key of the second terminal, which are sent from the second terminal; based on the authentication key and a part of the second parameters received from the second terminal, and according to a built-in signature verification algorithm of the health monitoring equipment, calculating so as to verify the second signature. And if the current time is greater than the time of the previous authentication and the second signature is equal to the verification signature of the client, the second signature is considered to be valid.
At step 206, when the second signature is valid, data transmission is performed.
Generating a shared key of the first terminal and the second terminal based on the public key of the second terminal and the private key of the first terminal when the second signature is valid; the transmitted data is encrypted or decrypted using the shared secret key.
The private key of the first terminal is generated by the first terminal at the same time of generating the public key of the first terminal, the public key of the second terminal is received from the second terminal, and the shared key is obtained through a corresponding ECDH algorithm. The client and health monitoring device encrypt and decrypt data information using the AES algorithm with the calculated shared key. It will be appreciated by those skilled in the art that due to the nature of the ECDH algorithm, the shared key may be generated by the first terminal based on the public key of the second terminal and the private key of the first terminal, or may be generated by the second terminal based on the public key of the first terminal and the private key of the second terminal, where the shared keys generated by the first terminal and the second terminal are identical.
The AES encryption algorithm is known as Advanced Encryption Standard (advanced encryption standard), also called Rijndael encryption, and is a symmetric encryption algorithm.
It should be noted that each time the client is disconnected from the health monitoring device, it is necessary to re-authenticate and generate a new shared key.
In summary, according to the embodiment of the present disclosure, by adopting the bidirectional authentication, it is ensured that both communication parties are mutually trusted parties, so that the use security of the device is improved; meanwhile, the running time information is added in the authentication process, so that data replay attack is prevented; each device uses different authentication key groups, the authentication keys are not transmitted in a communication channel, and one key is randomly selected in each authentication process, so that the security of the authentication process is improved; the authentication process carries an asymmetrically encrypted public key, so that data interaction in the authentication process is reduced; the ECDH algorithm is used for calculating the private key, the public key and the shared key, so that the key distribution problem is solved, the transmission of the data encryption and decryption key in a communication channel is prevented, and the security of subsequent data encryption and decryption is greatly improved.
Fig. 3 is a flowchart of an authentication method according to an embodiment of the disclosure. As shown in fig. 3, the method is applied to a second terminal, which may be a health monitoring device, such as a blood glucose monitor, an oxygen blood monitor, a blood pressure monitor, a uric acid detector, etc., which may be a wearable device or an implantable medical device, such as a continuous blood glucose monitoring device, the method comprising the steps of:
Step 301, a first signature sent by a first terminal is received, where the first signature is obtained by the first terminal through a first signature algorithm based on a first parameter.
In some embodiments of the present disclosure, the health monitoring device receives a first signature generated by the client through a first signature algorithm based on a first parameter. The first parameter comprises an authentication key corresponding to the address information of the second terminal and optionally a public key of the first terminal, a current time or the address information of the second terminal.
Step 302, verifies whether the first signature is valid.
In some embodiments of the present disclosure, the first signature is considered valid if the current time is greater than the time of the previous authentication and the verification signature by the health monitoring device according to the built-in client signature verification algorithm is equal to the first signature.
And step 303, when the first signature is valid, transmitting a second signature, wherein the second signature is obtained by the second terminal through a second signature algorithm based on the second parameter.
In some embodiments of the present disclosure, the health monitoring device verifies whether the first signature sent by the client is valid, and if the current time is not greater than the time of the previous authentication, verifies that the first signature is invalid, and the communication ends; and if the current time is greater than the previous authentication time and the first signature is equal to the verification signature of the health monitoring equipment, the first signature is valid, and the second signature is sent. The second signature is obtained by the second terminal through a second signature algorithm based on a second parameter, wherein the second parameter comprises an authentication key and optionally a public key of the second terminal, a current time or device address information of the second terminal.
The second signature algorithm is a signature algorithm built in the health monitoring device, and the second signature algorithm and the first signature algorithm may be the same or different, for example, may be a hash algorithm, but some algorithm parameters or variables are different.
And step 304, receiving feedback information for verifying that the second signature is valid by the first terminal.
In some embodiments of the disclosure, the client verifies whether the second signature sent by the health monitoring device is valid, and if the second signature is valid, sends feedback information to the health device and performs data transmission; if the second signature is invalid the communication ends.
In step 305, data transmission is performed.
In some embodiments of the present disclosure, upon receiving feedback information that the second signature is valid, the client and the health monitoring device each generate a shared key; the client and health monitoring device may encrypt and decrypt data information via the shared key.
In summary, by receiving a first signature sent by a first terminal, the first signature is obtained by the first terminal through a first signature algorithm based on a first parameter; verifying whether the first signature is valid, and when the first signature is valid, transmitting a second signature, wherein the second signature is obtained by the second terminal through a second signature algorithm based on a second parameter; receiving feedback information for verifying that the second signature is valid by the first terminal; carrying out data transmission, wherein the first parameter and/or the second parameter comprises an authentication key corresponding to the address information of the second terminal; the bidirectional authentication is realized, the safety problem existing in the existing unidirectional authentication is solved, both communication parties are ensured to be mutually trusted parties, and the use safety of the equipment is improved.
Fig. 4 is a flowchart of an authentication method according to an embodiment of the present disclosure. Fig. 4 further defines step 302 based on the embodiment shown in fig. 3. As shown in fig. 4, the method is applied to a second terminal, which may be a health monitoring device, such as a blood glucose monitor, an oxygen blood monitor, a blood pressure monitor, a uric acid monitor, etc., the health monitoring device may be a wearable device or an implantable medical apparatus, such as a continuous blood glucose monitoring device, and the first terminal may be a client, the method comprising the steps of:
Step 401, a first signature sent by a first terminal is received.
In some embodiments of the present disclosure, the health monitoring device receives a first signature generated by a client through a hash algorithm. The first signature is obtained by the first terminal through a first signature algorithm based on the first parameter. The first parameter may comprise an authentication key, optionally a public key of the first terminal, address information or a current time.
A portion of the first parameter of the first signature, such as the current time, the public key of the first terminal, and the number of the authentication key, is received simultaneously with the receipt of the first signature. It will be appreciated that the second terminal need only receive the unknown second parameter information and need not receive the authentication key and address information known to the second terminal. Correspondingly, the first terminal does not need to send the authentication key and the address information in any way either.
In some embodiments of the present disclosure, when receiving the first signature sent by the client, it is further necessary to receive a part of the first parameter sent by the client, such as the current time, the public key of the first terminal, and if there are multiple sets of authentication keys, the number of the authentication key that is used randomly. The part of the first parameter sent by the client is used for assisting the health monitoring equipment to verify the first signature.
It should be noted that the public key of the second terminal and the private key of the second terminal are generated while receiving the public key of the first terminal, and the public key of the second terminal is transmitted to the first terminal.
Step 402, based on a first parameter, verifies a first signature.
In some embodiments of the present disclosure, the first parameter comprises: an authentication key corresponding to the address information of the second terminal, and optionally a public key of the first terminal, a current time or the address information of the second terminal. The health monitoring device receives the first signature and performs calculation verification based on the first parameter according to a built-in client signature verification algorithm.
In some embodiments, the first parameter comprises a current time, and the method further comprises receiving the current time. In some embodiments, the authentication key comprises more than two authentication keys, the method further comprising receiving a number of the authentication key comprised by the first parameter.
In step 403, a second signature is sent when the first signature is valid.
In some embodiments of the present disclosure, if the current time is greater than the time of the previous authentication and the verification signature of the health detection device is equal to the first signature, the first signature is considered valid, correct information is returned to the client, and a second signature is sent; otherwise, returning error information to the client, and ending the flow.
And step 404, receiving feedback information for verifying that the second signature is valid by the first terminal.
In some embodiments of the present disclosure, generating, by the second terminal, a public key corresponding to the second terminal; the second terminal sends the public key of the second terminal to the first terminal. Wherein the first terminal receives the second signature and the public key of the second terminal; based on the authentication key and the optional public key of the second terminal, and according to the built-in signature verification algorithm of the health monitoring equipment, the second signature is verified. And if the current time is greater than the time of the previous authentication and the second signature is equal to the verification signature of the client, the second signature is considered to be valid.
Step 405, data transmission is performed.
In some embodiments of the present disclosure, when the second signature is valid, generating a shared key of the first terminal and the second terminal based on the public key of the first terminal and the private key of the second terminal; the transmitted data is encrypted or decrypted using the shared secret key.
The private key of the second terminal is generated by the second terminal at the same time of generating the public key of the second terminal, the public key of the first terminal is received from the first terminal, and the shared key is obtained through a corresponding ECDH algorithm. The client and health monitoring device encrypt and decrypt data information using the AES algorithm with the calculated shared key. It will be appreciated by those skilled in the art that due to the nature of the ECDH algorithm, the shared key may be generated by the first terminal based on the public key of the second terminal and the private key of the first terminal, or may be generated by the second terminal based on the public key of the first terminal and the private key of the second terminal, where the shared keys generated by the first terminal and the second terminal are identical.
It should be noted that each time the client is disconnected from the health monitoring device, it is necessary to re-authenticate and generate a new shared key.
In summary, according to the embodiment of the disclosure, by adopting the bidirectional authentication, both communication parties are ensured to be mutually trusted parties, so that the use safety of the equipment is improved; meanwhile, the running time information is added in the authentication process, so that data replay attack is prevented; each device uses different authentication key groups, the authentication keys are not transmitted in a communication channel, and one key is randomly selected in each authentication process, so that the security of the authentication process is improved; the authentication process carries an asymmetrically encrypted public key, so that data interaction in the authentication process is reduced; the ECDH algorithm is used for calculating the private key, the public key and the shared key, so that the key distribution problem is solved, the transmission of the data encryption and decryption key in a communication channel is prevented, and the security of subsequent data encryption and decryption is greatly improved.
Fig. 5 shows an interactive schematic diagram of an authentication method according to an embodiment of the present disclosure. As shown in fig. 5, this embodiment involves a data/signaling interaction between the first terminal and the second terminal in performing the authentication method procedure. Based on the embodiment shown in fig. 1 to 4, the method comprises the steps of:
Generating a plurality of groups of keys C1, C2 … Cn corresponding to the health monitoring equipment by a Manufacturing Execution System (MES), writing the keys into embedded software of the health monitoring equipment, and storing the keys into a database of an authentication server;
The mobile phone client and the health monitoring equipment negotiate a secret key by an ECDH algorithm;
The mobile phone client obtains address information of the health monitoring equipment through code scanning (the equipment serial number SN is taken as an example here);
The mobile client generates a signature using the following signature algorithm:
S' =hash (f 1 (device SN, C x,t,HA)),
T is the current time, x (1 < = x < = n) is a random number, and H A is the current ECDH public key of the APP side;
The mobile phone client sends t, x and H A and S' to the health monitoring equipment;
The health monitoring device calculates S "=hash (f 1 (device SN, C x,t,HA)) according to the built-in client signature verification algorithm, and considers S 'valid if t and t p of the previous authentication satisfy t > t p, and S' =s"; otherwise, returning error information to the mobile phone client, and ending the flow;
The health monitoring device generates a signature using the following signature algorithm: t '=hash (f 2 (device SN, C y,t,HB)), T' is the current time, y (1 < = y < = n) is a random number, and H B is the device side ECDH public key;
The health monitoring equipment sends T ', y, HB and T' to the mobile phone client;
The client calculates T '=HASH (f 2 (equipment SN, C y,t,HB)) according to a built-in signature verification algorithm of the health monitoring equipment end, and if T' and T 'p of the previous authentication meet T' > T 'p and T' =T ', the signature T' is considered to be valid;
the mobile phone client and the health monitoring equipment respectively generate a shared secret key S=d B*HA=dA*HB,dA as an APP side private key, and d B as an equipment side private key;
The health monitoring device encrypts the data using the AES algorithm and the APP decrypts the data using the AES algorithm.
The ECDH algorithm parameters comprise p, a, b, G, n and h, wherein p is prime number, a and b are parameters of an elliptic curve, G is a base point for generating a subgroup, n is a order of the subgroup, and h is a cofactor of the subgroup.
H A=dA*G(dA < n, random number, different each time), H B=dB*G(dB < n, random number, different each time).
The shared key of the mobile phone client and the health monitoring device is in the form of s= (S x,Sy), and the key of the AES algorithm used for encrypting the data is extracted by S. For example, 8 bytes are extracted from each of S x and S y, constituting a key for AES algorithm of length 16 bytes.
And each time after the mobile phone client is disconnected from the health monitoring equipment, re-authentication is needed to be carried out, and a new shared secret key is generated by re-authentication.
According to the embodiment of the disclosure, by adopting the bidirectional authentication, both communication parties are ensured to be mutually trusted parties, so that the use safety of the equipment is improved; meanwhile, the running time information is added in the authentication process, so that data replay attack is prevented; each device uses different authentication key groups, the authentication keys are not transmitted in a communication channel, and one key is randomly selected in each authentication process, so that the security of the authentication process is improved; the authentication process carries an asymmetrically encrypted public key, so that data interaction in the authentication process is reduced; the ECDH algorithm is used for calculating the private key, the public key and the shared key, so that the key distribution problem is solved, the transmission of the data encryption and decryption key in a communication channel is prevented, and the security of subsequent data encryption and decryption is greatly improved.
Corresponding to the authentication method, the disclosure further provides an authentication device, which is applied to the first terminal. Fig. 6 is a schematic structural diagram of an authentication device 600 according to an embodiment of the disclosure. As shown in fig. 6, includes:
an acquiring unit 610, configured to acquire an authentication key corresponding to address information of the second terminal;
A transmitting unit 620, configured to transmit a first signature, where the first signature is obtained by the first terminal through a first signature algorithm based on the first parameter;
A first receiving unit 630, configured to receive feedback information that the second terminal verifies that the first signature is valid;
A second receiving unit 640, configured to receive a second signature sent by a second terminal, where the second signature is obtained by the second terminal through a second signature algorithm based on a second parameter;
A verification unit 650 for verifying whether the second signature is valid;
A data transmission unit 660 for transmitting data when the second signature is valid;
wherein the first parameter and/or the second parameter comprises an authentication key.
In some embodiments, the apparatus 600 further comprises: the generating unit is used for generating a public key of the first terminal and a private key of the first terminal; meanwhile, the transmitting unit 620 is further configured to transmit the public key of the first terminal; the first receiving unit 630 or the second receiving unit 640 is also used for receiving the public key of the second terminal.
In some embodiments, the first parameter comprises a public key of the first terminal; and/or the second parameter comprises a public key of the second terminal; and/or the first parameter includes a current time, and the sending unit 620 is further configured to send the current time; and/or the second parameter includes a current time, and the first receiving unit 630 or the second receiving unit 640 is further configured to receive the current time; and/or the first parameter and/or the second parameter comprises address information; and/or the authentication key comprises more than two authentication keys, the sending unit 620 is further configured to send the number of the authentication key comprised by the first parameter and/or the first receiving unit 630 or the second receiving unit 640 is further configured to receive the number of the authentication key comprised by the second parameter.
In some embodiments, the data transmission unit 660 is further configured to: generating a shared key of the first terminal and the second terminal based on the public key of the second terminal and the private key of the first terminal; the transmitted data is encrypted or decrypted using the shared secret key.
In summary, according to an embodiment of the present disclosure, an authentication key corresponding to address information of a second terminal is acquired through an authentication device; transmitting a first signature, wherein the first signature is obtained by the first terminal through a first signature algorithm based on a first parameter; receiving feedback information for verifying that the first signature is valid by the second terminal; receiving a second signature sent by a second terminal, wherein the second signature is obtained by the second terminal through a second signature algorithm based on a second parameter; verifying whether the second signature is valid, and transmitting data when the second signature is valid; wherein the first parameter and/or the second parameter comprises an authentication key; the bidirectional authentication is realized, the safety problem existing in the existing unidirectional authentication is solved, both communication parties are ensured to be mutually trusted parties, and the use safety of the equipment is improved.
It should be noted that, since the embodiment of the apparatus of the present disclosure corresponds to the above embodiment of the method, the foregoing explanation of the embodiment of the method is also applicable to the apparatus of the present embodiment, and the principles are the same, and details not disclosed in the embodiment of the apparatus may refer to the above embodiment of the method, which is not described in detail in the present disclosure. The authentication device mentioned in the present disclosure corresponds to a functional module architecture, rather than an entity device, where functional modules may not correspond to entity physical units one by one.
With respect to the apparatus in the above embodiments, where the operations performed by the respective modules correspond to the method embodiments described in the present disclosure, the specific manner in which the operations are performed has been described in detail in the embodiments related to the method, and will not be described in detail herein.
Corresponding to the authentication method, the disclosure also provides an authentication device, which is applied to the second terminal. Fig. 7 is a schematic structural diagram of an authentication device 700 according to an embodiment of the disclosure. As shown in fig. 7, includes:
a first receiving unit 710, configured to receive a first signature sent by a first terminal, where the first signature is obtained by the first terminal through a first signature algorithm based on a first parameter;
a verification unit 720 for verifying whether the first signature is valid;
A transmitting unit 730, configured to transmit a second signature when the first signature is valid, where the second signature is obtained by a second signature algorithm;
a second receiving unit 740, configured to receive feedback information that the first terminal verifies that the second signature is valid;
A data transmission unit 750 for performing data transmission;
wherein the first parameter and/or the second parameter comprises an authentication key corresponding to the address information of the second terminal.
In some embodiments, the apparatus 700 further comprises: the generating unit is used for generating a public key of the second terminal and a private key of the second terminal; meanwhile, the first receiving unit 710 is further configured to receive a public key of the first terminal; the transmitting unit 730 is further configured to transmit the public key of the second terminal.
In some embodiments, the first parameter comprises a public key of the first terminal; and/or the second parameter comprises a public key of the second terminal; and/or the first parameter includes a current time, the first receiving unit 710 is further configured to receive the current time; and/or the second parameter includes a current time, and the transmitting unit 730 is further configured to transmit the current time; and/or the first parameter and/or the second parameter comprises address information; and/or the authentication key comprises more than two authentication keys, the first receiving unit 710 is further configured to receive the number of the authentication key comprised by the first parameter and/or the transmitting unit 730 is further configured to transmit the number of the authentication key comprised by the second parameter.
In some embodiments, the data transmission unit 750 is configured to: generating a shared key of the first terminal and the second terminal based on the public key of the first terminal and the private key of the second terminal; the transmitted data is encrypted or decrypted using the shared secret key.
In summary, according to an embodiment of the present disclosure, a first signature transmitted by a first terminal is received by an authentication device, where the first signature is obtained by the first terminal through a first signature algorithm based on a first parameter; verifying whether the first signature is valid, and when the first signature is valid, transmitting a second signature, wherein the second signature is obtained by the second terminal through a second signature algorithm based on a second parameter; receiving feedback information for verifying that the second signature is valid by the first terminal; carrying out data transmission; wherein the first parameter and/or the second parameter comprises an authentication key corresponding to the address information of the second terminal; the bidirectional authentication is realized, the safety problem existing in the existing unidirectional authentication is solved, both communication parties are ensured to be mutually trusted parties, and the use safety of the equipment is improved.
It should be noted that, since the embodiment of the apparatus of the present disclosure corresponds to the above embodiment of the method, the foregoing explanation of the embodiment of the method is also applicable to the apparatus of the present embodiment, and the principles are the same, and details not disclosed in the embodiment of the apparatus may refer to the above embodiment of the method, which is not described in detail in the present disclosure. The authentication device mentioned in the present disclosure corresponds to a functional module architecture, rather than an entity device, where functional modules may not correspond to entity physical units one by one.
With respect to the apparatus in the above embodiments, where the operations performed by the respective modules correspond to the method embodiments described in the present disclosure, the specific manner in which the operations are performed has been described in detail in the embodiments related to the method, and will not be described in detail herein.
According to embodiments of the present disclosure, the present disclosure also provides an electronic device, a readable storage medium and a computer program product.
Fig. 8 illustrates a schematic block diagram of an example electronic device 800 that may be used to implement embodiments of the present disclosure. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the disclosure described and/or claimed herein.
As shown in fig. 8, the apparatus 800 includes a computing unit 801 that can perform various appropriate actions and processes according to a computer program stored in a ROM (Read-Only Memory) 802 or a computer program loaded from a storage unit 808 into a RAM (Random Access Memory ) 803. In the RAM 803, various programs and data required for the operation of the device 800 can also be stored. The computing unit 801, the ROM 802, and the RAM 803 are connected to each other by a bus 804. An I/O (Input/Output) interface 805 is also connected to bus 804.
Various components in device 800 are connected to I/O interface 805, including: an input unit 806, such as a keyboard, mouse, touch pad, touch screen, etc.; an output unit 807 such as various types of displays, speakers, and the like; a storage unit 808, such as a magnetic disk, optical disk, etc.; and a communication unit 809, such as a network card, modem, wireless communication transceiver, or the like. The communication unit 809 allows the device 800 to exchange information/data with other devices via a computer network such as the internet and/or various telecommunication networks.
The computing unit 801 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of computing unit 501 include, but are not limited to, a CPU (Central Processing Unit ), a GPU (Graphic Processing Units, graphics processing unit), various specialized AI (ARTIFICIAL INTELLIGENCE ) computing chips, various computing units running machine learning model algorithms, a DSP (DIGITAL SIGNAL Processor ), and any suitable Processor, controller, microcontroller, etc. The computing unit 801 performs the various methods and processes described above, such as the authentication method. For example, in some embodiments, the method of authentication may be implemented as a computer software program tangibly embodied on a machine-readable medium, such as the storage unit 808. In some embodiments, part or all of the computer program may be loaded and/or installed onto device 800 via ROM 802 and/or communication unit 809. When a computer program is loaded into RAM 803 and executed by computing unit 801, one or more steps of the methods described above may be performed. Alternatively, in other embodiments, the computing unit 801 may be configured to perform the aforementioned method of authentication by any other suitable means (e.g., by means of firmware).
Various implementations of the systems and techniques described here above can be implemented in digital electronic circuitry, integrated circuitry, FPGA (Field Programmable GATE ARRAY ), ASIC (Application-SPECIFIC INTEGRATED Circuit, application-specific integrated Circuit), ASSP (Application SPECIFIC STANDARD Product, application-specific standard Product), SOC (System On Chip), CPLD (Complex Programmable Logic Device ), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implemented in one or more computer programs, the one or more computer programs may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be implemented. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, RAM, ROM, EPROM (ELECTRICALLY PROGRAMMABLE READ-Only-Memory, erasable programmable read-Only Memory) or flash Memory, an optical fiber, a CD-ROM (Compact Disc Read-Only Memory), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., CRT (Cathode-Ray Tube) or LCD (Liquid CRYSTAL DISPLAY) monitor) for displaying information to a user; and a keyboard and pointing device (e.g., a mouse or trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a background component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such background, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: LAN (Local Area Network ), WAN (Wide Area Network, wide area network), internet and blockchain networks.
The computer system may include a client and a server. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical hosts and VPS service ("Virtual PRIVATE SERVER" or simply "VPS") are overcome. The server may also be a server of a distributed system or a server that incorporates a blockchain.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps recited in the present disclosure may be performed in parallel, sequentially, or in a different order, provided that the desired results of the disclosed aspects are achieved, and are not limited herein.
The above detailed description should not be taken as limiting the scope of the present disclosure. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present disclosure are intended to be included within the scope of the present disclosure.
Claims (12)
1. An authentication method, wherein the method is applied to a first terminal, the method comprising:
acquiring an authentication key corresponding to the address information of the second terminal;
transmitting a first signature, wherein the first signature is obtained by the first terminal through a first signature algorithm based on a first parameter;
receiving feedback information for verifying that the first signature is valid by the second terminal;
Receiving a second signature sent by the second terminal, wherein the second signature is obtained by the second terminal through a second signature algorithm based on a second parameter;
verifying whether the second signature is valid;
When the second signature is valid, data transmission is performed;
wherein the first parameter and/or the second parameter comprises the authentication key.
2. The method according to claim 1, wherein the method further comprises:
Generating a public key of the first terminal and a private key of the first terminal;
Transmitting the public key of the first terminal;
And receiving the public key of the second terminal.
3. The method of claim 2, wherein the step of determining the position of the substrate comprises,
The first parameter comprises a public key of the first terminal; and/or
The second parameter includes a public key of the second terminal; and/or
The first parameter comprises a current time, and the method further comprises sending the current time; and/or
The second parameter includes a current time, the method further comprising receiving the current time; and/or
The first parameter and/or the second parameter comprises the address information; and/or
The authentication key comprises more than two authentication keys, and the method further comprises sending the number of the authentication key comprised by the first parameter and/or receiving the number of the authentication key comprised by the second parameter.
4. A method according to claim 2 or 3, wherein said transmitting data comprises:
Generating a shared key of the first terminal and the second terminal based on the public key of the second terminal and the private key of the first terminal;
And encrypting or decrypting the transmitted data by using the shared key.
5. An authentication method, wherein the method is applied to a second terminal, the method comprising:
receiving a first signature sent by a first terminal, wherein the first signature is obtained by the first terminal through a first signature algorithm based on a first parameter;
Verifying whether the first signature is valid;
When the first signature is valid, a second signature is sent, wherein the second signature is obtained by the second terminal through a second signature algorithm based on a second parameter;
receiving feedback information for verifying that the second signature is valid by the first terminal;
Carrying out data transmission;
Wherein the first parameter and/or the second parameter comprises an authentication key corresponding to address information of the second terminal.
6. The method of claim 5, wherein the method further comprises:
receiving a public key of the first terminal;
Generating a public key of the second terminal and a private key of the second terminal;
And sending the public key of the second terminal.
7. The method of claim 6, wherein the step of providing the first layer comprises,
The first parameter comprises a public key of the first terminal; and/or
The second parameter includes a public key of the second terminal; and/or
The first parameter includes a current time, and the method further includes receiving the current time; and/or
The second parameter comprises a current time, and the method further comprises sending the current time; and/or
The first parameter and/or the second parameter comprises the address information; and/or
The authentication key comprises more than two authentication keys, and the method further comprises receiving the number of the authentication key comprised by the first parameter and/or sending the number of the authentication key comprised by the second parameter.
8. The method according to claim 6 or 7, wherein said transmitting data comprises:
Generating a shared key of the first terminal and the second terminal based on the public key of the first terminal and the private key of the second terminal;
And encrypting or decrypting the transmitted data by using the shared key.
9. An authentication apparatus, wherein the apparatus is applied to a first terminal, the apparatus comprising:
An acquisition unit for acquiring an authentication key corresponding to address information of the second terminal;
The sending unit is used for sending a first signature, wherein the first signature is obtained by the first terminal through a first signature algorithm based on a first parameter;
The first receiving unit is used for receiving feedback information for verifying that the first signature is valid by the second terminal;
The second receiving unit is used for receiving a second signature sent by the second terminal, wherein the second signature is obtained by the second terminal through a second signature algorithm based on a second parameter;
a verification unit configured to verify whether the second signature is valid;
The data transmission unit is used for transmitting data when the second signature is valid;
wherein the first parameter and/or the second parameter comprises the authentication key.
10. An authentication apparatus, the apparatus being applied to a second terminal, the apparatus comprising:
The first receiving unit is used for receiving a first signature sent by a first terminal, wherein the first signature is obtained by the first terminal through a first signature algorithm based on a first parameter;
a verification unit configured to verify whether the first signature is valid;
A sending unit, configured to send a second signature when the first signature is valid, where the second signature is obtained by the second terminal through a second signature algorithm based on a second parameter;
the second receiving unit is used for receiving feedback information for verifying that the second signature is valid by the first terminal;
the data transmission unit is used for carrying out data transmission;
Wherein the first parameter and/or the second parameter comprises an authentication key corresponding to address information of the second terminal.
11. An electronic device, comprising:
At least one processor; and
A memory communicatively coupled to the at least one processor; wherein,
The memory stores executable instructions that enable the at least one processor to perform the method of any one of claims 1-4 or 5-8.
12. A non-transitory computer readable storage medium storing computer instructions for performing the method of any one of claims 1-4 or 5-8.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211444441.1A CN118057760A (en) | 2022-11-18 | 2022-11-18 | Authentication method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211444441.1A CN118057760A (en) | 2022-11-18 | 2022-11-18 | Authentication method and device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN118057760A true CN118057760A (en) | 2024-05-21 |
Family
ID=91068596
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211444441.1A Pending CN118057760A (en) | 2022-11-18 | 2022-11-18 | Authentication method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN118057760A (en) |
-
2022
- 2022-11-18 CN CN202211444441.1A patent/CN118057760A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108833101B (en) | Data transmission method of Internet of things equipment, internet of things equipment and authentication platform | |
| WO2021196915A1 (en) | Encryption and decryption operation-based data transmission methods and systems, and computer device | |
| TW201812630A (en) | Block chain identity system | |
| US10601590B1 (en) | Secure secrets in hardware security module for use by protected function in trusted execution environment | |
| CN112235107B (en) | Data transmission method, device, equipment and storage medium | |
| CN110299996A (en) | Authentication method, equipment and system | |
| US20190319795A1 (en) | Method, apparatus and system for establishing biometric identification information transmission and storage medium | |
| CN111294203B (en) | Information transmission method | |
| CN103701598A (en) | SM2 signature algorithm-based double-check signature method and digital signature equipment | |
| CN111914291A (en) | Message processing method, device, equipment and storage medium | |
| WO2018120938A1 (en) | Offline key transmission method, terminal and storage medium | |
| CN108964893A (en) | A kind of cipher key processing method, device, equipment and medium | |
| CN110635901A (en) | Local Bluetooth dynamic authentication method and system for Internet of things equipment | |
| WO2015135398A1 (en) | Negotiation key based data processing method | |
| WO2018161862A1 (en) | Private key generation method, device and system | |
| CN111654481B (en) | Identity authentication method, identity authentication device and storage medium | |
| CN113422832B (en) | File transmission method, device, equipment and storage medium | |
| CN114139176A (en) | Industrial internet core data protection method and system based on state secret | |
| CN113365264B (en) | Block chain wireless network data transmission method, device and system | |
| US10333703B2 (en) | Key exchange process | |
| CN102739660B (en) | Key exchange method for single sign on system | |
| TW202123051A (en) | Security authentication method, apparatus, and electronic device | |
| CN114793178B (en) | Network distribution method, device, equipment and storage medium | |
| US20220368522A1 (en) | Bluetooth peripheral and central apparatuses and verification method | |
| CN116318654A (en) | SM2 algorithm collaborative signature system, method and equipment integrating quantum key distribution |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication |