CN109086598B - Method, device and system for secure pairing - Google Patents
Method, device and system for secure pairing Download PDFInfo
- Publication number
- CN109086598B CN109086598B CN201810789774.5A CN201810789774A CN109086598B CN 109086598 B CN109086598 B CN 109086598B CN 201810789774 A CN201810789774 A CN 201810789774A CN 109086598 B CN109086598 B CN 109086598B
- Authority
- CN
- China
- Prior art keywords
- information
- host device
- host
- security
- secure
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
- G06F21/445—Program or device authentication by mutual authentication, e.g. between devices or programs
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/32—User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The invention discloses a method, a device and a system for secure pairing. The method comprises the following steps: in the non-trusted environment, the safety device receives first information sent by the host device, wherein the first information comprises an information identification code of the host device and a certificate of the host device; the safety device generates second information according to the first information, wherein the second information comprises an information identification code of the host device, a certificate of the host device and the information identification code of the safety device; the security device sends second information to the server so that the server judges whether the security device and the host device allow pairing or not; the safety device receives third information sent by the server; the secure device sends fourth information to the host device to pair the secure device and the host device, the fourth information including a certificate of the secure device. By the method, the safety pairing of the safety device and the host device in the non-trusted environment can be realized, and the safety cost is reduced.
Description
Technical Field
The embodiment of the invention relates to the field of mobile computing security, in particular to a method, a device and a system for secure pairing.
Background
With the development of electronic technology, more and more mobile devices are using security devices (such as fingerprint modules) to improve the security of the mobile devices. The fingerprint safety device is an unlocking device which uses fingerprint data to record and verify and avoids extra complex identification process.
In the prior art, in order to ensure that a secure device (such as a fingerprint module) and a host device (such as a mobile device itself) are securely paired in a trusted environment (secure pairing refers to mutual exchange of certificates of each other and mutual trust), the secure pairing of the secure device and the host device is usually performed before shipment, however, the host device is often in an untrusted environment during assembly, testing, maintenance, and the like, and there is no technical solution in the prior art for securely pairing the secure device and the host device in the untrusted environment.
Disclosure of Invention
The invention provides a secure pairing method, device and system, which can realize secure pairing of a secure device and a host device in an untrusted environment and reduce the security cost.
In a first aspect, an embodiment of the present invention provides a method for secure pairing, including:
in an untrusted environment, a security device receives first information sent by a host device, wherein the first information comprises an information identification code of the host device and a certificate of the host device;
the safety device generates second information according to the first information, wherein the second information comprises an information identification code of the host device, a certificate of the host device and the information identification code of the safety device;
the security device sends second information to the server so that the server judges whether the security device and the host device allow pairing or not;
the safety device receives third information sent by the server, wherein the third information is used for indicating that the safety device and the host device allow pairing;
the secure device sends fourth information to the host device to pair the secure device and the host device, wherein the fourth information includes a certificate of the secure device.
Optionally, before the security device sends the fourth information to the host device, the method further includes:
the security device records pairing information, wherein the pairing information comprises the corresponding relation between the information identification code of the host device and the information identification code of the security device, and/or the corresponding relation between the certificate of the host device and the certificate of the security device.
Optionally, the method further includes:
the safety device receives fifth information sent by the host device, wherein the fifth information is used for requesting the safety device and the host device to be paired again;
and the safety device sends sixth information to the host device, wherein the sixth information comprises the encrypted certificate of the safety device and the information identification code of the safety device.
Optionally, the security device is a security device with a biometric function.
In a second aspect, an embodiment of the present invention further provides a method for secure pairing, including:
in the non-trusted environment, the host device sends first information to the security device, wherein the first information comprises an information identification code of the host device and a certificate of the host device;
and the host device receives fourth information sent by the safety device so as to enable the safety device and the host device to be paired, wherein the fourth information comprises the certificate of the safety device.
Optionally, the method further includes:
the host device records pairing information, wherein the pairing information comprises the corresponding relation between the information identification code of the host device and the information identification code of the safety device, and/or the corresponding relation between the certificate of the host device and the certificate of the safety device.
Optionally, the method further includes:
the host device sends fifth information to the security device, wherein the fifth information is used for requesting the security device and the host device to be paired again;
and the host device receives sixth information sent by the safety device, wherein the sixth information comprises the encrypted certificate of the safety device and the information identification code of the safety device.
Optionally, after the host device sends the first information to the security device, and before the host device receives the fourth information sent by the security device, the method further includes:
the host device receives ninth information sent by the server, wherein the ninth information comprises an information identification code and a random number of the safety device;
and the host device sends tenth information to the server according to the ninth information, wherein the tenth information comprises the information identification code of the security device, the information identification code of the host device and the random number, and the tenth information is used for indicating the host device to confirm that the security device and the host device are allowed to be paired.
In a third aspect, an embodiment of the present invention further provides a security device, including a receiving module, a processing module, and a sending module;
the receiving module is used for receiving first information sent by the host device in the non-trusted environment, wherein the first information comprises an information identification code of the host device and a certificate of the host device;
the processing module is used for generating second information according to the first information received by the receiving module, wherein the second information comprises an information identification code of the host device, a certificate of the host device and an information identification code of the safety device;
the sending module is used for sending the second information generated by the processing module to the server so that the server judges whether the security device and the host device allow pairing or not;
the receiving module is further used for receiving third information sent by the server after the sending module sends the second information, wherein the third information is used for indicating that the security device and the host device are allowed to be paired;
and the sending module is further configured to send fourth information to the host device after the receiving module receives the third information sent by the server, so that the security device and the host device are paired, where the fourth information includes a certificate of the security device.
Optionally, the system further comprises a storage module;
and the storage module is used for recording the pairing information before the sending module sends the fourth information to the host device, wherein the pairing information comprises the corresponding relation between the information identification code of the host device and the information identification code of the safety device, and/or the corresponding relation between the certificate of the host device and the certificate of the safety device.
Optionally, the receiving module is further configured to receive fifth information sent by the host apparatus, where the fifth information is used to request the security apparatus and the host apparatus to pair again;
and the sending module is further used for sending sixth information to the host device, wherein the sixth information comprises the encrypted certificate of the security device and the information identification code of the security device.
Optionally, the security device is a security device with a biometric function.
In a fourth aspect, an embodiment of the present invention further provides a host apparatus, including a sending module and a receiving module;
a sending module, configured to send, in an untrusted environment, first information to a secure device, where the first information includes an information identifier of a host device and a certificate of the host device;
and the receiving module is used for receiving fourth information sent by the safety device so as to enable the safety device and the host device to be paired, wherein the fourth information comprises a certificate of the safety device.
Optionally, the system further comprises a storage module;
the storage module is used for recording pairing information, wherein the pairing information comprises the corresponding relation between the information identification code of the host device and the information identification code of the safety device, and/or the corresponding relation between the certificate of the host device and the certificate of the safety device.
Optionally, the sending module is further configured to send fifth information to the security device, where the fifth information is used to request the security device and the host device to pair again;
the receiving module is further configured to receive sixth information sent by the security device, where the sixth information includes an encrypted certificate of the security device and an information identifier of the security device.
Optionally, the receiving module is further configured to receive ninth information sent by the server after the sending module sends the first information to the security device and before the receiving module receives fourth information sent by the security device, where the ninth information includes an information identification code and a random number of the security device;
and the sending module is further configured to send tenth information to the server according to the ninth information received by the receiving module, where the tenth information includes an information identification code of the security device, an information identification code of the host device, and a random number, and the tenth information is used to indicate that the host device confirms that the security device and the host device are allowed to be paired.
In a fifth aspect, an embodiment of the present invention further provides a security device, including:
one or more processors;
a storage device for storing one or more programs,
when executed by one or more processors, cause the one or more processors to implement the method of secure pairing as in the first aspect.
In a sixth aspect, an embodiment of the present invention further provides a host apparatus, including:
one or more processors;
a storage device for storing one or more programs,
when executed by one or more processors, cause the one or more processors to implement a method of secure pairing as in the second aspect.
In a seventh aspect, the present invention further provides a computer-readable storage medium, on which a computer program is stored, which when executed by a processor, implements the method for secure pairing according to the first aspect and the second aspect.
In an eighth aspect, an embodiment of the present invention further provides a system for secure pairing, including at least: a security device as in the third or fifth aspect, and a host device as in the fourth or sixth aspect.
In the non-trusted environment, the server judges whether the security device and the host device are allowed to be paired or not, and verifies the legality of the security device and the host device, so that the security device and the host device in the non-trusted environment are safely paired, and the security cost is reduced.
Drawings
Fig. 1 is a schematic flowchart of a method for secure pairing according to an embodiment of the present invention;
FIG. 2 is a flow chart illustrating another method for secure pairing according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating a method for secure pairing according to an embodiment of the present invention;
FIG. 4 is a flowchart illustrating a method for secure pairing according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a safety device according to a second embodiment of the present invention;
fig. 6 is a schematic structural diagram of another safety device provided in the second embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a host device according to a third embodiment of the present invention;
FIG. 8 is a schematic structural diagram of another host device provided in the third embodiment of the present invention;
fig. 9 is a schematic structural diagram of a server according to a fourth embodiment of the present invention;
fig. 10 is a schematic structural diagram of a safety device according to a fifth embodiment of the present invention;
FIG. 11 is a schematic structural diagram of a host device according to a sixth embodiment of the present invention;
fig. 12 is a schematic structural diagram of a server according to a seventh embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
It should be noted that the terms "system" and "network" are often used interchangeably herein. The terms "first", "second", and the like in the description and claims of the present invention and in the drawings are used for distinguishing between different objects and not for limiting a particular order.
It should be further noted that, in the embodiment of the present invention, both the transmitted information and the received information are transmitted and received through a secure channel, so as to ensure the security of information exchange. The Secure channel may be a Secure Socket Layer (SSL) channel or a Transport Layer Security (TLS) channel. In addition, the "sending information from a to B" described in the embodiment of the present invention may be a process in which a directly sends information to B, or a process in which a sends information to C first and the C forwards information to B; similarly, the "a receives the information sent by B" may be the information sent by B directly received by a, or the information sent by B forwarded by C is received by a from C, where the apparatus C as the forwarding information may be one device or a plurality of devices.
In addition, the "pairing of the secure device and the host device" mentioned in the embodiment of the present invention refers to a process in which the secure device and the host device exchange certificates of each other and mutually trust. The secure device and the host device may be uniquely paired or not (one secure device is paired with multiple host devices, or multiple secure devices are paired with one host device), and the embodiment of the present invention is not particularly limited in this respect. For ease of understanding, the following embodiments of the present invention are described with reference to unique pairing of a security device and a host device.
In addition, the "security device" mentioned in the embodiments of the present invention is a security device having a biometric function, and may specifically be any security device having a biometric function, such as a fingerprint security device, an iris security device, a vein recognition security device, and the like.
Example one
Fig. 1 is a schematic flowchart of a security pairing method according to an embodiment of the present invention, where this embodiment may be applied to a scenario where a security device is paired with a host device and the host device does not have information related to the pairing with the security device, and the method specifically includes the following steps:
and S101, establishing network connection among the safety device, the host device and the server.
The network connection established between the security apparatus, the host apparatus, and the server may be a trusted network connection (i.e., a trusted environment) or an untrusted network connection (i.e., an untrusted environment), which is not specifically limited by the embodiments of the present invention.
It should be noted that the host apparatus may be a user device or an APP loaded in the user device, where the user device includes, but is not limited to, a smart phone, a tablet computer, and the like. Meanwhile, the safety device and the host device can be devices produced by the same manufacturer or devices produced by different manufacturers; the safety device can be an independent chip, can be packaged with a main processor chip of the user equipment, can be directly integrated into the user equipment, and can be virtualized into a plurality of logic chips, and each logic chip is only paired with a separate controller. The server has a function of authenticating the secure device and the host device.
S102, in the non-trusted environment, the host device sends first information to the safety device.
Wherein the first information comprises an information identification code of the host device and a certificate of the host device.
It should be noted that the information identification code of the host device is an information identification code capable of uniquely identifying the host device, such as a serial number of the host device, a code of the host device, or other unique character strings; the certificate of the host device is a certificate which is obtained by the host device from a certificate authority, and the format of the certificate conforms to an X.509 standard (such as X.509v3).
S103, the safety device receives the first information sent by the host device.
And S104, the safety device generates second information according to the first information.
Wherein the second information includes an information identification code of the host device, a certificate of the host device, and an information identification code of the security device.
It should be noted that the information identification code of the security device is an information identification code capable of uniquely identifying the security device, such as a serial number of the security device, a code of the security device, or other unique character string.
S105, the safety device sends second information to the server.
S106, the server receives the second information sent by the safety device.
S107, the server judges whether the secure device and the host device are allowed to be paired.
Specifically, fig. 2 is a schematic flow chart of another secure pairing method according to the first embodiment of the present invention, where step S107 may include steps S107a-S107 f:
s107a, the server determines whether the information identification code of the host device and the information identification code of the secure device are uniquely paired.
If the information identification code of the host device and the information identification code of the security device are uniquely paired, executing the following steps S107b-S107 f; if the information identification code of the host device is not matched with the information identification code of the safety device, the safety device cannot be matched with the host device, the server feeds back error information to the host device, and the safety matching method provided by the embodiment of the invention is stopped.
S107b, if the information identification code of the host device and the information identification code of the secure device are uniquely paired, the server transmits ninth information to the host device.
Wherein the ninth information includes an information identification code of the security device and a random number.
S107c, the host apparatus receives the ninth information transmitted by the server.
S107d, the host device transmits tenth information to the server based on the ninth information.
The tenth information includes an information identification code of the security device, an information identification code of the host device, and a random number, and the tenth information is used to instruct the host device to confirm that the security device and the host device are allowed to be paired.
Specifically, the tenth information may sign the information identifier of the security device, the information identifier of the host device, and the random number using a secret corresponding to the certificate of the host device, thereby ensuring security of information exchange.
S107e, the server receives the tenth information transmitted from the host apparatus.
And S107f, the server records the pairing information.
The pairing information includes a correspondence between an information identification code of the host device and an information identification code of the security device, and/or a correspondence between a certificate of the host device and a certificate of the security device.
And S108, if the secure device and the host device allow pairing, the server sends third information to the secure device.
Wherein the third information is used to indicate that the secure device and the host device allow pairing.
And S109, the safety device receives the third information sent by the server.
And S110, the security device records the pairing information.
The pairing information includes a correspondence between an information identification code of the host device and an information identification code of the security device, and/or a correspondence between a certificate of the host device and a certificate of the security device.
And S111, the safety device sends fourth information to the host device.
Wherein the fourth information comprises a certificate of the security device.
And S112, the host device receives the fourth information sent by the safety device.
And S113, the host device records the pairing information.
S114, pairing the safety device and the host device.
Fig. 3 is a flowchart of another secure pairing method according to an embodiment of the present invention, where after the secure device and the host device are paired, if the host device loses pairing information, the secure device and the host device need to be re-paired, and the process of re-pairing may include steps S115 to S118:
s115, the host device sends the fifth information to the secure device.
Wherein the fifth information is used to request the secure device and the host device to pair again.
S116, the security device receives the fifth information sent by the host device.
S117, the secure device transmits the sixth information to the host device.
And the sixth information comprises the encrypted certificate of the safety device and the information identification code of the safety device.
Specifically, the sixth information may encrypt the certificate of the security device using the certificate of the host device, and sign the encrypted certificate of the security device using a secret corresponding to the certificate of the security device.
S118, the host device receives the sixth information sent by the security device.
After receiving the sixth information sent by the security device, the host device may obtain the certificate of the security device and the information identification code of the security device, and record the pairing information.
The pairing information includes a correspondence between an information identification code of the host device and an information identification code of the security device, and/or a correspondence between a certificate of the host device and a certificate of the security device.
Fig. 4 is a flowchart illustrating a further secure pairing method according to an embodiment of the present invention, where the secure pairing method according to the embodiment of the present invention further includes steps S119 to S122:
s119, in the trusted environment, the secure device sends seventh information to the host device.
Wherein the seventh information includes an information identification code of the security device and a certificate of the security device.
And S120, the host device receives the seventh information sent by the safety device.
S121, the host device sends eighth information to the secure device.
Wherein the eighth information includes an information identification code of the host apparatus and a certificate of the host apparatus.
S122, the secure device receives the eighth information sent by the host device.
By directly exchanging the information identity and certificate of each other in the trusted environment, the secure device and the host device simplify the pairing process.
It should be noted that step S102 and step S119 are parallel steps, and if the environment is in the untrusted environment, step S102 to step S118 are executed, and if the environment is in the trusted environment, step S119 to step S122 are executed, which is not specifically limited in this embodiment of the present invention.
It should be noted that, in the trusted environment, after the secure device and the host device exchange information identification codes and certificates of each other, pairing information needs to be written in the server.
The embodiment of the invention provides a safe pairing method, which comprises the following steps: in an untrusted environment, a security device receives first information sent by a host device, wherein the first information comprises an information identification code of the host device and a certificate of the host device; the safety device generates second information according to the first information, wherein the second information comprises an information identification code of the host device, a certificate of the host device and the information identification code of the safety device; the security device sends second information to the server so that the server judges whether the security device and the host device allow pairing or not; the safety device receives third information sent by the server, wherein the third information is used for indicating that the safety device and the host device allow pairing; the secure device sends fourth information to the host device to pair the secure device and the host device, wherein the fourth information includes a certificate of the secure device. In the non-trusted environment, the server judges whether the security device and the host device are allowed to be paired or not, and verifies the legality of the security device and the host device, so that the security device and the host device in the non-trusted environment are safely paired, and the security cost is reduced.
Example two
Fig. 5 is a schematic structural diagram of a security device according to a second embodiment of the present invention, which includes a receiving module 10, a processing module 11, and a sending module 12.
A receiving module 10, configured to receive, in an untrusted environment, first information sent by a host apparatus, where the first information includes an information identifier of the host apparatus and a certificate of the host apparatus;
a processing module 11, configured to generate second information according to the first information received by the receiving module 10, where the second information includes an information identifier of the host device, a certificate of the host device, and an information identifier of the security device;
a sending module 12, configured to send the second information generated by the processing module 11 to the server, so that the server determines whether the secure device and the host device allow pairing;
the receiving module 10 is further configured to receive third information sent by the server after the sending module 12 sends the second information, where the third information is used to indicate that the secure device and the host device allow pairing;
the sending module 12 is further configured to send fourth information to the host apparatus after the receiving module 10 receives the third information sent by the server, so that the secure apparatus and the host apparatus are paired, where the fourth information includes a certificate of the secure apparatus.
Further, fig. 6 is a schematic structural diagram of another security device according to a second embodiment of the present invention, where the security device further includes a storage module 13.
The storage module 13 is configured to record pairing information before the sending module 12 sends the fourth information to the host apparatus, where the pairing information includes a correspondence between an information identifier of the host apparatus and an information identifier of the security apparatus, and/or a correspondence between a certificate of the host apparatus and a certificate of the security apparatus.
Further, the receiving module 10 is further configured to receive fifth information sent by the host apparatus, where the fifth information is used to request the security apparatus and the host apparatus to pair again;
the sending module 12 is further configured to send sixth information to the host apparatus, where the sixth information includes the encrypted certificate of the security apparatus and the information identifier of the security apparatus.
Further, the sending module 12 is further configured to send, in the trusted environment, seventh information to the host apparatus, where the seventh information includes an information identifier of the secure apparatus and a certificate of the secure apparatus;
the receiving module 10 is further configured to receive eighth information sent by the host apparatus, where the eighth information includes an information identifier of the host apparatus and a certificate of the host apparatus.
The security device provided by the embodiment of the invention can execute the security pairing method provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method.
It should be further noted that the safety device provided in the embodiment of the present invention mainly includes four functions: the fingerprint acquisition and related operation function, the password operation function, the general operation function and the safe storage function provide information safety service based on fingerprints for the host device. The fingerprint acquisition and related operation function realizes the acquisition and related operation of the fingerprint; the password operation function realizes password-related operation; the general operation function realizes general operations except for cryptographic operations and fingerprint acquisition and related operations; the secure storage function enables storage of secure information including, but not limited to, fingerprint information, password information, and the like.
EXAMPLE III
Fig. 7 is a schematic structural diagram of a host apparatus according to a third embodiment of the present invention, including a sending module 20 and a receiving module 21.
A sending module 20, configured to send, in an untrusted environment, first information to a secure device, where the first information includes an information identifier of a host device and a certificate of the host device;
a receiving module 21, configured to receive fourth information sent by the security apparatus, so that the security apparatus and the host apparatus are paired, where the fourth information includes a certificate of the security apparatus.
Further, fig. 8 is a schematic structural diagram of another host apparatus provided in the third embodiment of the present invention, and the host apparatus further includes a storage module 22.
The storage module 22 is configured to record pairing information, where the pairing information includes a correspondence between an information identifier of the host device and an information identifier of the security device, and/or a correspondence between a certificate of the host device and a certificate of the security device.
Further, the sending module 20 is further configured to send fifth information to the security device, where the fifth information is used to request the security device and the host device to pair again;
the receiving module 21 is further configured to receive sixth information sent by the security device, where the sixth information includes an encrypted certificate of the security device and an information identifier of the security device.
Further, the receiving module 21 is further configured to receive, in the trusted environment, seventh information sent by the security device, where the seventh information includes an information identifier of the security device and a certificate of the security device;
the sending module 20 is further configured to send eighth information to the secure device, where the eighth information includes an information identifier of the host device and a certificate of the host device.
Further, the receiving module 21 is further configured to receive ninth information sent by the server after the sending module 20 sends the first information to the security device and before the receiving module receives fourth information sent by the security device, where the ninth information includes an information identification code and a random number of the security device;
the sending module 20 is further configured to send tenth information to the server according to the ninth information received by the receiving module 21, where the tenth information includes an information identifier of the security device, an information identifier of the host device, and a random number, and the tenth information is used to instruct the host device to confirm that the security device and the host device are allowed to be paired.
The host device provided by the embodiment of the invention can execute the method for secure pairing provided by any embodiment of the invention, and has the corresponding functional module and beneficial effect of the execution method.
Example four
Fig. 9 is a schematic structural diagram of a server according to a fourth embodiment of the present invention, including a receiving module 30, a processing module 31, and a sending module 32.
A receiving module 30, configured to receive second information sent by the security device, where the second information includes an information identifier of the host device, a certificate of the host device, and the information identifier of the security device;
a processing module 31, configured to determine whether the secure device and the host device allow pairing;
and a sending module 32, configured to send third information to the secure device if the secure device and the host device allow pairing, so as to pair the secure device and the host device, where the third information is used to indicate that the secure device and the host device allow pairing.
Further, the processing module 31 is specifically configured to determine whether the information identifier of the host device and the information identifier of the security device are uniquely paired; if the information identification code of the host device is uniquely matched with the information identification code of the safety device, ninth information is sent to the host device, wherein the ninth information comprises the information identification code of the safety device and a random number; receiving tenth information sent by the host device, wherein the tenth information comprises an information identification code of the security device, an information identification code of the host device and a random number, and the tenth information is used for indicating the host device to confirm that the security device and the host device are allowed to be paired; and recording pairing information, wherein the pairing information comprises the corresponding relation between the information identification code of the host device and the information identification code of the safety device, and/or the corresponding relation between the certificate of the host device and the certificate of the safety device.
The server provided by the embodiment of the invention can execute the method for secure pairing provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
EXAMPLE five
The embodiment of the present invention provides a safety device, as shown in fig. 10, the safety device shown in fig. 10 is only an example, and should not bring any limitation to the functions and the use range of the embodiment of the present invention.
As shown in fig. 10, the security apparatus is in the form of a general purpose computing device. Components of the security device may include, but are not limited to: one or more processors or processors 40, a storage device 41, and a bus 42 that connects the various system components (including the storage device 41 and the processors 40).
Bus 42 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, Industry Standard Architecture (ISA) bus, micro-channel architecture (MAC) bus, enhanced ISA bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
The security device typically includes a variety of computer system readable media. Such media may be any available media that can be accessed by the security device and includes both volatile and nonvolatile media, removable and non-removable media.
When the one or more programs are executed by the one or more processors 40, the one or more processors 40 implement the method for secure pairing as in embodiment one.
EXAMPLE six
The embodiment of the present invention provides a host device, as shown in fig. 11, the host device shown in fig. 11 is only an example, and should not bring any limitation to the functions and the application scope of the embodiment of the present invention.
As shown in fig. 11, the host apparatus is represented in the form of a general-purpose computing device. Components of the host device may include, but are not limited to: one or more processors or processors 50, a memory device 51, and a bus 52 that connects the various system components (including the memory device 51 and the processors 50).
Bus 52 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, Industry Standard Architecture (ISA) bus, micro-channel architecture (MAC) bus, enhanced ISA bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
The host device typically includes a variety of computer system readable media. Such media may be any available media that is accessible by the host device and includes both volatile and nonvolatile media, removable and non-removable media.
The storage 51 may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM)510 and/or cache memory 511. The host device may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, the storage device 51 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 11, commonly referred to as a "hard drive"). Although not shown in FIG. 11, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In these cases, each drive may be connected to bus 52 by one or more data media interfaces. Storage device 51 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention.
When the one or more programs are executed by the one or more processors 50, the one or more processors 50 are caused to implement the method for secure pairing as in embodiment one.
EXAMPLE seven
The embodiment of the present invention provides a server, as shown in fig. 12, the server shown in fig. 12 is only an example, and should not bring any limitation to the functions and the use range of the embodiment of the present invention.
As shown in fig. 12, the server is in the form of a general purpose computing device. Components of the server may include, but are not limited to: one or more processors or processors 60, a memory device 61, and a bus 62 that connects the various system components (including the memory device 61 and the processors 60).
Bus 62 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, Industry Standard Architecture (ISA) bus, micro-channel architecture (MAC) bus, enhanced ISA bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
The server typically includes a variety of computer system readable media. Such media may be any available media that is accessible by the server and includes both volatile and nonvolatile media, removable and non-removable media.
The storage 61 may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM)610 and/or cache memory 611. The server may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, the storage device 61 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 12, commonly referred to as a "hard drive"). Although not shown in FIG. 12, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In these cases, each drive may be connected to bus 62 by one or more data media interfaces. The memory device 61 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention.
When the one or more programs are executed by the one or more processors 60, the one or more processors 60 implement the method for secure pairing as in embodiment one.
Example eight
The embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the method for secure pairing according to the first embodiment.
Computer storage media for embodiments of the invention may employ any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C + +, or the like, as well as conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
Example nine
The embodiment of the invention also provides a system for secure pairing, which at least comprises: a security device as described in the above embodiments, and a host device as described in the above embodiments.
Optionally, the system for secure pairing may further include a server as described in the above embodiments.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments illustrated herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.
Claims (18)
1. A method for secure pairing, applied to a secure device, includes:
in an untrusted environment, the security device receives first information sent by a host device, wherein the first information comprises an information identification code of the host device and a certificate of the host device;
the safety device generates second information according to the first information, wherein the second information comprises an information identification code of the host device, a certificate of the host device and the information identification code of the safety device;
the security device sends the second information to a server so that the server judges whether the security device and the host device allow pairing or not;
the security device receives third information sent by the server, wherein the third information is used for indicating that the security device and the host device are allowed to be paired;
the secure device sends fourth information to the host device to pair the secure device and the host device, wherein the fourth information includes a certificate of the secure device.
2. The method of claim 1, further comprising, before the secure device sends the fourth information to the host device:
the security device records pairing information, wherein the pairing information comprises a corresponding relation between an information identification code of the host device and an information identification code of the security device, and/or a corresponding relation between a certificate of the host device and a certificate of the security device.
3. The method of claim 1 or 2, further comprising:
the safety device receives fifth information sent by the host device, wherein the fifth information is used for requesting the safety device and the host device to be paired again;
the security device sends sixth information to the host device, wherein the sixth information comprises the encrypted certificate of the security device and the information identification code of the security device.
4. The method of claim 1, wherein the security device is a biometric security device.
5. A method for secure pairing, applied to a host device, includes:
in an untrusted environment, the host device sends first information to a secure device, wherein the first information includes an information identifier of the host device and a certificate of the host device;
the host device receives fourth information sent by the security device so that the security device and the host device are paired, wherein the fourth information comprises a certificate of the security device;
after the host device sends the first information to the security device, and before the host device receives the fourth information sent by the security device, the method further includes:
the host device receives ninth information sent by a server, wherein the ninth information comprises an information identification code and a random number of the safety device;
the host device sends tenth information to the server according to the ninth information, wherein the tenth information includes an information identification code of the secure device, an information identification code of the host device, and the random number, and the tenth information is used for indicating that the host device confirms that the secure device and the host device are allowed to be paired.
6. The method of claim 5, further comprising:
the host device records pairing information, wherein the pairing information comprises a corresponding relation between an information identification code of the host device and an information identification code of the safety device, and/or a corresponding relation between a certificate of the host device and a certificate of the safety device.
7. The method of claim 5 or 6, further comprising:
the host device sends fifth information to the security device, wherein the fifth information is used for requesting the security device and the host device to be paired again;
and the host device receives sixth information sent by the safety device, wherein the sixth information comprises the encrypted certificate of the safety device and the information identification code of the safety device.
8. A safety device is characterized by comprising a receiving module, a processing module and a sending module;
the receiving module is configured to receive, in an untrusted environment, first information sent by a host apparatus, where the first information includes an information identifier of the host apparatus and a certificate of the host apparatus;
the processing module is configured to generate second information according to the first information received by the receiving module, where the second information includes an information identifier of the host device, a certificate of the host device, and an information identifier of the security device;
the sending module is configured to send the second information generated by the processing module to a server, so that the server determines whether the secure device and the host device are allowed to be paired;
the receiving module is further configured to receive third information sent by the server after the sending module sends the second information, where the third information is used to indicate that the secure device and the host device allow pairing;
the sending module is further configured to send fourth information to the host apparatus after the receiving module receives the third information sent by the server, so that the secure apparatus and the host apparatus are paired, where the fourth information includes a certificate of the secure apparatus.
9. The security device of claim 8, further comprising a memory module;
the storage module is configured to record pairing information before the sending module sends fourth information to the host apparatus, where the pairing information includes a correspondence between an information identifier of the host apparatus and an information identifier of the security apparatus, and/or a correspondence between a certificate of the host apparatus and a certificate of the security apparatus.
10. The safety device according to claim 8 or 9,
the receiving module is further configured to receive fifth information sent by the host apparatus, where the fifth information is used to request the secure apparatus and the host apparatus to pair again;
the sending module is further configured to send sixth information to the host apparatus, where the sixth information includes the encrypted certificate of the security apparatus and the information identifier of the security apparatus.
11. The security device of claim 8, wherein the security device is a biometric security device.
12. A host device is characterized by comprising a sending module and a receiving module;
the sending module is configured to send, in an untrusted environment, first information to a secure device, where the first information includes an information identifier of the host device and a certificate of the host device;
the receiving module is configured to receive fourth information sent by the security apparatus, so that the security apparatus and the host apparatus are paired, where the fourth information includes a certificate of the security apparatus;
the receiving module is further configured to receive ninth information sent by a server after the sending module sends the first information to the security device and before the receiving module receives fourth information sent by the security device, where the ninth information includes an information identification code and a random number of the security device;
the sending module is further configured to send tenth information to the server according to the ninth information received by the receiving module, where the tenth information includes an information identifier of the security device, an information identifier of the host device, and the random number, and the tenth information is used to instruct the host device to confirm that the security device and the host device are allowed to be paired.
13. The host device of claim 12, further comprising a storage module;
the storage module is configured to record pairing information, where the pairing information includes a correspondence between an information identification code of the host device and an information identification code of the security device, and/or a correspondence between a certificate of the host device and a certificate of the security device.
14. The host device of claim 12 or 13,
the sending module is further configured to send fifth information to the secure device, where the fifth information is used to request the secure device and the host device to pair again;
the receiving module is further configured to receive sixth information sent by the security device, where the sixth information includes an encrypted certificate of the security device and an information identifier of the security device.
15. A security device, comprising:
one or more processors;
a storage device for storing one or more programs,
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of secure pairing of any of claims 1-4.
16. A host device, comprising:
one or more processors;
a storage device for storing one or more programs,
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of secure pairing of any of claims 5-7.
17. A computer-readable storage medium, on which a computer program is stored, which program, when being executed by a processor, carries out the method of secure pairing according to any one of claims 1 to 7.
18. A system for secure pairing, comprising at least: a security device as claimed in any one of claims 8 to 11, and a host device as claimed in any one of claims 12 to 14.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810789774.5A CN109086598B (en) | 2018-07-18 | 2018-07-18 | Method, device and system for secure pairing |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810789774.5A CN109086598B (en) | 2018-07-18 | 2018-07-18 | Method, device and system for secure pairing |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN109086598A CN109086598A (en) | 2018-12-25 |
| CN109086598B true CN109086598B (en) | 2020-08-21 |
Family
ID=64837698
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201810789774.5A Active CN109086598B (en) | 2018-07-18 | 2018-07-18 | Method, device and system for secure pairing |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109086598B (en) |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104539320A (en) * | 2015-01-15 | 2015-04-22 | 北京深思数盾科技有限公司 | Pairing method for Bluetooth devices |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP1179244B1 (en) * | 1999-05-21 | 2006-07-05 | International Business Machines Corporation | Method and apparatus for initializing secure communications among, and for exclusively pairing wireless devices |
| US20130018975A1 (en) * | 2011-07-15 | 2013-01-17 | Motorola Solutions, Inc. | Low frequency method of pairing a master device to multiple slave devices |
| CN205721792U (en) * | 2014-09-30 | 2016-11-23 | 苹果公司 | Electronic equipment |
| CN106330822B (en) * | 2015-06-19 | 2019-12-17 | 中兴新能源汽车有限责任公司 | Authentication method, equipment and system for automobile charging terminal and authentication server |
-
2018
- 2018-07-18 CN CN201810789774.5A patent/CN109086598B/en active Active
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104539320A (en) * | 2015-01-15 | 2015-04-22 | 北京深思数盾科技有限公司 | Pairing method for Bluetooth devices |
Also Published As
| Publication number | Publication date |
|---|---|
| CN109086598A (en) | 2018-12-25 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11689516B2 (en) | Application program as key for authorizing access to resources | |
| AU2018250465B2 (en) | Secondary device as key for authorizing access to resources | |
| EP3213487B1 (en) | Step-up authentication for single sign-on | |
| US9401915B2 (en) | Secondary device as key for authorizing access to resources | |
| US9998438B2 (en) | Verifying the security of a remote server | |
| US10078599B2 (en) | Application access control method and electronic apparatus implementing the same | |
| US20150229640A1 (en) | Security model for industrial devices | |
| CN111291339B (en) | Method, device, equipment and storage medium for processing blockchain data | |
| CN110430051B (en) | Key storage method, device and server | |
| US10404689B2 (en) | Password security | |
| US20170118641A1 (en) | Communication device, communication method, and communication system | |
| US20190327093A1 (en) | Cloud-implemented physical token based security | |
| CN112307515B (en) | Database-based data processing method and device, electronic equipment and medium | |
| US20150096058A1 (en) | Information processing apparatus | |
| CN114513310A (en) | Authentication method and device for vehicle diagnosis equipment, electronic equipment and medium | |
| US9894062B2 (en) | Object management for external off-host authentication processing systems | |
| CN109086598B (en) | Method, device and system for secure pairing | |
| US20210012350A1 (en) | Electronic approval system and method and program using biometric authentication | |
| CN115329315A (en) | Service authentication method, device, storage medium and electronic equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20230412 Address after: 215000, 11th Floor, Building 22, No. 388 Xinping Street, Industrial Park, Suzhou City, Jiangsu Province Patentee after: MICROARRAY MICROELECTRONICS Corp.,Ltd. Address before: 215123 01, 02, 03, 12, Floor 11, Building 22, No. 388, Xinping Street, Suzhou Industrial Park, Suzhou City, Jiangsu Province Patentee before: Li Yangyuan |
|
| TR01 | Transfer of patent right |