CN114205082B - Bidirectional identity authentication method and equipment for reader-writer and electronic tag - Google Patents
Bidirectional identity authentication method and equipment for reader-writer and electronic tag Download PDFInfo
- Publication number
- CN114205082B CN114205082B CN202111501201.6A CN202111501201A CN114205082B CN 114205082 B CN114205082 B CN 114205082B CN 202111501201 A CN202111501201 A CN 202111501201A CN 114205082 B CN114205082 B CN 114205082B
- Authority
- CN
- China
- Prior art keywords
- key
- electronic tag
- reader
- writer
- kec
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 41
- 230000002457 bidirectional effect Effects 0.000 title claims abstract description 37
- 238000012795 verification Methods 0.000 claims description 9
- 230000004044 response Effects 0.000 claims description 3
- 238000012550 audit Methods 0.000 claims description 2
- 238000004891 communication Methods 0.000 abstract description 7
- 238000007726 management method Methods 0.000 description 6
- 230000008569 process Effects 0.000 description 6
- 239000006185 dispersion Substances 0.000 description 4
- 230000003993 interaction Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000013459 approach Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000005055 memory storage Effects 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 230000000750 progressive effect Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06K—GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
- G06K17/00—Methods or arrangements for effecting co-operative working between equipments covered by two or more of main groups G06K1/00 - G06K15/00, e.g. automatic card files incorporating conveying and reading operations
- G06K17/0022—Methods or arrangements for effecting co-operative working between equipments covered by two or more of main groups G06K1/00 - G06K15/00, e.g. automatic card files incorporating conveying and reading operations arrangements or provisions for transferring data to distant stations, e.g. from a sensing device
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0869—Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/085—Secret sharing or secret splitting, e.g. threshold schemes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0866—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- Power Engineering (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The embodiment of the specification discloses a bidirectional identity authentication method and equipment for a reader-writer and an electronic tag, comprising the following steps: the reader-writer generates a public-private key pair, and issues a certificate by using a Certificate Authority (CA); a Key Management Center (KMC) generates a public and private key pair of the electronic tag by using an identification cryptographic algorithm, and hosts the public and private key pair to a key hosting center (KEC) for storage; a Key Management Center (KMC) generates an encryption and decryption key of the electronic tag and stores the encryption and decryption key into a Key Escrow Center (KEC); the Key Escrow Center (KEC) is based on an identity identification algorithm to replace the electronic tag to complete the bidirectional identity authentication with the reader-writer. The invention uses the key escrow center KEC to replace the electronic tag with limited computing and storage capacity to realize the bidirectional identity authentication with the reader-writer with relatively abundant computing resources, thereby ensuring the identity credibility of both communication parties.
Description
Technical Field
The present disclosure relates to the field of wireless communications technologies, and in particular, to a bidirectional identity authentication method and device for a reader-writer and an electronic tag.
Background
In the application scene of ultra-high frequency radio frequency identification acquisition of a high-security-level network, particularly in a cross-domain environment, the most challenging is how to realize bidirectional identity authentication between a reader-writer with severely asymmetric computing capacity and an electronic tag, thereby ensuring that a legal reader-writer reads and writes the legal electronic tag.
Because of the limitation of the storage and operation capability of the ultrahigh frequency passive electronic tag chip, the conventional identity authentication protocol (comprising a public key certificate or an identity identification certificate algorithm) based on an asymmetric cryptographic algorithm cannot finish the operation on the tag. Although manufacturers propose that the ultra-high frequency passive electronic tag chip adopting the symmetric cryptographic algorithm can realize identity authentication and data protection between a reader and a tag in a pre-shared key mode, the chip is not popular, and the pre-shared key mode faces the management challenge of cross-department cross-domain key intercommunication.
Therefore, the ultrahigh frequency radio frequency identification acquisition application scene of the high-security-level network, in particular to a cross-domain environment, is urgently needed to be a safe and reliable authentication algorithm, and bidirectional identity authentication between a reader-writer and a large number of electronic tags is realized.
Disclosure of Invention
In view of this, the embodiment of the application provides a bidirectional identity authentication method and device for a reader-writer and an electronic tag, which are used for solving the problem of bidirectional identity authentication between the reader-writer and a mass electronic tag of the internet of things.
In order to solve the above technical problems, the embodiments of the present specification are implemented as follows:
on the one hand, the bidirectional identity authentication method for the reader-writer and the electronic tag provided by the embodiment of the specification comprises the following steps:
the reader-writer generates a public-private key pair, and issues a certificate by using a Certificate Authority (CA);
a Key Management Center (KMC) generates a public and private key pair of the electronic tag by using an identification cryptographic algorithm, and hosts the public and private key pair to a key hosting center (KEC) for storage;
a Key Management Center (KMC) generates an encryption and decryption key of the electronic tag and stores the encryption and decryption key into a Key Escrow Center (KEC);
the Key Escrow Center (KEC) is based on an identity identification algorithm to replace the electronic tag to complete the bidirectional identity authentication with the reader-writer.
Optionally, based on two certificate generation algorithms, namely PKI and IBC, a reader public key certificate and an electronic tag identity certificate are generated.
Optionally, the reader generates a public-private key pair, and issues a certificate by using a Certificate Authority (CA), which specifically includes:
the reader locally generates a public and private key pair and submits a certificate application to a Certificate Authority (CA) or a digital certificate Registry (RA);
and the Certificate Authority (CA) performs audit and check on the certificate application, and signs and issues the certificate after checking the certificate application.
Optionally, a Key Management Center (KMC) generates a public-private key pair of the electronic tag by using an identification cryptographic algorithm, and specifically includes:
the Key Management Center (KMC) uses a unique tag identification number TID of the electronic tag as a public key of the electronic tag by using an identification cryptographic algorithm, and generates a private key corresponding to the unique tag identification number TID.
Optionally, a Key Management Center (KMC) generates an encryption and decryption key of the electronic tag, which specifically includes:
and a Key Management Center (KMC) establishes a root key of a symmetric key system, the TID of the electronic tag is utilized to perform step-by-step dispersion of the symmetric key, and the HMAC is utilized to perform confidentiality and integrity protection of the key.
Optionally, before the Key Management Center (KMC) generates the encryption and decryption key of the electronic tag and stores the encryption and decryption key in the key management center (KEC), the method further includes:
the RFID card making terminal locally generates a public and private key pair by using an asymmetric algorithm, and issues a certificate by using a Certificate Authority (CA);
the card making terminal reads the TID information of the electronic tag, encrypts the card making data by using a symmetric algorithm and writes the encrypted card making data into a storage area of the electronic tag in a ciphertext mode;
the card making terminal sends the read TID identification of the electronic tag to a Key Management Center (KMC).
Optionally, the Key Escrow Center (KEC) is based on an identity identification algorithm, and replaces the electronic tag to complete bidirectional identity authentication with the reader-writer, and specifically includes:
the method comprises the steps of obtaining public key certificates of each other by utilizing a public key algorithm of an identification password algorithm between a Key Escrow Center (KEC) and a reader-writer, verifying the validity of certificate signatures, verifying the validity period of the certificates, extracting a public key of the certificates, and verifying the identities of the two parties by adopting an authentication protocol of a challenge/response mode;
a Key Escrow Center (KEC) and a reader-writer generate random numbers according to a pre-negotiated signature verification algorithm, and the Key Escrow Center (KEC) carries out digital signature by utilizing a private key of an electronic tag;
and the reader-writer carries out operation according to the certificate identifier and the public parameters of the issuer to obtain a verification result.
Optionally, the Key Escrow Center (KEC) is based on an identity identification algorithm, and replaces the electronic tag to complete bidirectional identity authentication with the reader-writer, and specifically includes:
the reader reads the TID of the electronic tag and the stored tag data ciphertext;
the reader-writer sends the TID of the electronic tag and requests the Key Escrow Center (KEC) to verify the identity of the electronic tag;
the Key Escrow Center (KEC) and the reader-writer verify based on an identity identification algorithm, the key escrow center signs by using a private key of the electronic tag, and the reader-writer verifies by using the TID;
a Key Escrow Center (KEC) and a reader-writer verify based on a PKI public key algorithm;
the Key Escrow Center (KEC) and the reader-writer negotiate a session key, the reader-writer sends ciphertext data read from the electronic tag to the KEC, and the KEC decrypts the ciphertext data by using the symmetric key of the electronic tag and sends the data back to the reader-writer.
Optionally, the Key Escrow Center (KEC) and the reader-writer verify based on a PKI public key algorithm, specifically including:
the Key Escrow Center (KEC) replaces the electronic tag to verify the identity of the reader-writer, the two parties verify based on a public key algorithm, the reader-writer is signed by a private key, and the Key Escrow Center (KEC) verifies by using the public key to determine the identity of the reader-writer.
On the other hand, the bidirectional identity authentication device of the reader-writer and the electronic tag provided in the embodiment of the present specification includes:
at least one processor; the method comprises the steps of,
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
the reader-writer generates a public-private key pair, and issues a certificate by using a Certificate Authority (CA);
a Key Management Center (KMC) generates a public and private key pair of the electronic tag by using an identification cryptographic algorithm, and hosts the public and private key pair to a key hosting center (KEC) for storage;
a Key Management Center (KMC) generates an encryption and decryption key of the electronic tag and stores the encryption and decryption key into a Key Escrow Center (KEC);
the Key Escrow Center (KEC) is based on an identity identification algorithm to replace the electronic tag to complete the bidirectional identity authentication with the reader-writer.
The above-mentioned at least one technical scheme that this description embodiment adopted can reach following beneficial effect:
1. the key escrow center KEC is used for replacing an electronic tag with limited computing and storage capacity to realize bidirectional identity authentication with a reader-writer with relatively abundant computing resources, so that the identity credibility of both communication parties is ensured.
2. Based on the characteristic that the electronic tag has a globally unique TID, an identity certificate is generated for the electronic tag by adopting an identification key algorithm, so that the identity authentication of the electronic tag is realized.
3. The method solves the problems of key leakage, key negotiation, distribution, management and the like in a cross-domain environment faced by adopting a pre-shared key authentication mode, and plays an important role in an identification link in a large-scale Internet of things application scene.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the application. In the drawings:
fig. 1 is a flow chart of a bidirectional identity authentication method of a reader-writer and an electronic tag according to a first embodiment;
fig. 2 is a flow chart of a bidirectional identity authentication method of a reader-writer and an electronic tag according to a second embodiment.
Detailed Description
For the purposes, technical solutions and advantages of the present application, the technical solutions of the present application will be clearly and completely described below with reference to specific embodiments of the present application and corresponding drawings. It will be apparent that the described embodiments are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
The English abbreviations and Chinese language of the English abbreviations related to the invention are explained as follows:
TID (Tag identifier): label identification number
PKI (Public Key Infrastructure): public key infrastructure
IBC (Identity-Based Cryptograph): identification code
CA (CertificateAuthority): certificate authority
KMC (Key Management Center): key management center
KEC (Key Escrow Center): key escrow center
SK (Session Key): session key
The following describes in detail the technical solutions provided by the embodiments of the present application with reference to the accompanying drawings.
Example 1
Fig. 1 is a flow chart of a bidirectional identity authentication method of a reader-writer and an electronic tag according to a first embodiment. From the program perspective, the execution subject of the flow may be a program or an application client that is installed on an application server.
As shown in fig. 1, the process may include the steps of:
step 102: the reader-writer generates a public-private key pair, and issues a certificate by using a Certificate Authority (CA);
step 104: a Key Management Center (KMC) generates a public and private key pair of the electronic tag by using an identification cryptographic algorithm, and hosts the public and private key pair to a key hosting center (KEC) for storage;
step 106: a Key Management Center (KMC) generates an encryption and decryption key of the electronic tag and stores the encryption and decryption key into a Key Escrow Center (KEC);
step 108: the Key Escrow Center (KEC) is based on an identity identification algorithm to replace the electronic tag to complete the bidirectional identity authentication with the reader-writer.
Specifically, the method comprises the following steps:
(1) The reader generates a public key certificate. The reader-writer generates a corresponding public-private key pair and issues a certificate by using a Certificate Authority (CA).
(2) The electronic tag encrypts and decrypts the key escrow. The key management center KMC generates encryption and decryption keys of the electronic tag data and stores the encryption and decryption keys in the key management center KEC, so that the unified and safe management of keys of the whole system is realized.
(3) And establishing and hosting an electronic tag identity identification certificate. The key management center KMC uses an identification cipher algorithm, takes a unique tag identification number TID of the ultra-high frequency passive electronic tag as a public key of the electronic tag, generates a private key corresponding to the unique tag identification number TID, and safely hosts the private key into the key hosting center KEC for storage.
(4) And (4) bidirectional identity authentication is performed between the key escrow center KEC and the reader-writer. The key escrow center KEC and the reader-writer complete bidirectional identity authentication by utilizing a public key algorithm negotiated by the two parties.
(5) And finishing the bidirectional identity authentication between the reader-writer and the electronic tag. The reader-writer interacts with the electronic tag to obtain the TID of the electronic tag and the stored encrypted data thereof, and then sends the identity certificate of the electronic tag to be verified to the key escrow center KEC, and the key escrow center KEC replaces the electronic tag to complete the bidirectional identity authentication with the reader-writer.
(6) And the electronic tag data is decrypted and then sent to a reader-writer. The key escrow center KEC decrypts the electronic tag encrypted data sent by the reader-writer by using the stored electronic tag decryption key and returns the electronic tag encrypted data to the reader-writer.
When the bidirectional identity authentication between the reader-writer and the mass electronic tags is realized in a cross-domain environment, the key escrow center KEC is utilized to replace the electronic tags with limited computing and storage capacity to realize the bidirectional identity authentication with the reader-writer which has relatively abundant computing resources, so that the identity credibility of both communication parties is ensured; based on the characteristic that the electronic tag has a globally unique TID, an identity certificate is generated for the electronic tag by adopting an identification key algorithm, so that the identity authentication of the electronic tag is realized. Meanwhile, the method solves the problems of key leakage, key negotiation, distribution, management and the like in a cross-domain environment faced by adopting a pre-shared key authentication mode, and plays an important role in an identification link in a large-scale Internet of things application scene.
Example two
Fig. 2 is a flow chart of a bidirectional identity authentication method of a reader-writer and an electronic tag according to a second embodiment. As shown in fig. 2, the method includes:
(1) The reader generates a public key certificate.
The reader-writer generates a corresponding public-private key pair and issues a certificate by using a Certificate Authority (CA). In particular implementations, conventional credential generation and issuing approaches may be employed. The method comprises the steps of locally generating a public and private key pair by a reader-writer, submitting a certificate application to a (CA) or a digital certificate Registry (RA), checking the certificate by the (CA), signing and issuing the certificate and the like.
(2) The electronic tag encrypts and decrypts the key escrow.
The Key Management Center (KMC) generates encryption and decryption keys of the electronic tag data and stores the encryption and decryption keys in the key management center (KEC) so as to realize the unified and safe management of the keys of the whole system. In the implementation, the encryption and decryption keys of the electronic tag can be generated according to a conventional key generation algorithm, wherein the encryption and decryption keys comprise (KMC) root keys for establishing a symmetric key system, the TID of the tag is utilized for carrying out step-by-step dispersion on the symmetric keys, and the HMAC is utilized for carrying out confidentiality and integrity protection of the keys.
(3) And writing electronic tag data.
And the card making terminal reads the TID information of the electronic tag, encrypts the card making data by using a symmetric algorithm and writes the encrypted card making data into a storage area of the electronic tag in a ciphertext mode. When the method is implemented, the card making terminal and the electronic tag follow the ultra-high frequency air interface protocol instruction to complete the information and data interaction process; the card making terminal calculates an encryption key of the electronic tag according to a key dispersion algorithm by using a dispersion key sent by a Key Management Center (KMC) and the TID of the electronic tag; and the card making terminal encrypts the data by using the encryption key of the electronic tag through a symmetric encryption algorithm and then writes the encrypted data into a data storage area of the electronic tag.
(4) And transmitting the identity information of the electronic tag.
The card making terminal sends the read TID identification of the electronic tag to a Key Management Center (KMC). In particular implementations, this may be performed in accordance with conventional data communication protocols.
(5) And establishing an identity identification certificate of the electronic tag.
The Key Management Center (KMC) uses an identification cipher algorithm, takes a unique tag identification number TID of the ultra-high frequency passive electronic tag as a public key of the electronic tag, generates a private key corresponding to the tag, and safely hosts the private key into the key hosting center (KEC) for storage. In specific implementation, the identification certificate of the electronic tag can be generated and distributed in a conventional manner, and the method comprises the steps of (KMC) applying for the identification certificate by using the TID number of the electronic tag as user identification information; (KMC) generating a user private key matching the electronic tag identity information; and responding, generating and issuing an identity identification certificate containing the public key of the electronic tag and private key information of the user by using a certificate management system, and issuing the identity identification certificate to a Key Escrow Center (KEC) for storage.
(6) The reader-writer acquires the identity information of the electronic tag and the stored data.
And the reader reads the TID identification of the electronic tag and the stored tag data ciphertext. When the method is implemented, the reader-writer and the electronic tag follow the ultra-high frequency air interface protocol instruction, and the information and data interaction process is completed.
(7) The reader-writer requires verification of the identity of the electronic tag.
The reader sends the TID of the electronic tag, asking a Key Escrow Center (KEC) to verify the identity of the electronic tag. In specific implementation, the reader-writer sends the TID information of the electronic tag to be verified to a Key Escrow Center (KEC) as a public key of an identity identification certificate of the electronic tag according to a conventional data communication protocol.
(8) The Key Escrow Center (KEC) replaces the electronic tag for identity authentication.
The Key Escrow Center (KEC) and the reader-writer verify based on an identity identification algorithm, the (KEC) signs by using the private key of the electronic tag, and the reader-writer verifies the identity by using the TID. In the specific implementation, the Key Escrow Center (KEC) replaces the electronic tag to finish the bidirectional identity authentication with the reader-writer according to the conventional identity mark certificate verification mode, and the method comprises the steps that the Key Escrow Center (KEC) and the reader-writer generate random numbers according to a pre-negotiated signature verification algorithm, and the Key Escrow Center (KEC) carries out digital signature by utilizing the private key of the electronic tag; the reader-writer certificate identification and the public parameters of the issuer are operated to obtain a verification result; after the verification is passed, a Key Escrow Center (KEC) negotiates a session key SK of a subsequent operation with the reader-writer; the reader-writer sends the obtained electronic tag encrypted data to a Key Escrow Center (KEC) in a safe way.
(9) A Key Escrow Center (KEC) replaces the electronic tag to verify the identity of the reader-writer.
The Key Escrow Center (KEC) and reader/writer verify based on PKI public key algorithms. In specific implementation, the two-way identity authentication between the Key Escrow Center (KEC) and the reader-writer can be completed according to a conventional public key certificate authentication mode, including negotiation authentication algorithm, obtaining public key certificates of each other, verifying the validity of certificate signature, verifying the validity period of the certificate, extracting the public key of the certificate, adopting the authentication protocol of challenge/response mode to verify the identities of both parties, and the like.
(10) The Key Escrow Center (KEC) decrypts the encrypted data of the electronic tag and returns the decrypted data to the reader-writer.
The Key Escrow Center (KEC) and the reader negotiate the session key SK, the reader sends the ciphertext data read from the electronic tag to the KEC, and the KEC decrypts the ciphertext data by using the symmetric key of the electronic tag and sends the ciphertext data back to the reader. In the specific implementation, the method can be performed according to a conventional key distribution mode, including that a Key Escrow Center (KEC) decrypts the electronic tag encrypted data obtained in the step 7 by using the electronic tag encryption and decryption key obtained in the step 2, and the decrypted electronic tag data is safely transmitted to a reader-writer through the session key SK negotiated in the step 8.
Example III
An embodiment III provides a bidirectional identity authentication device of a reader-writer and an electronic tag, including:
at least one processor; the method comprises the steps of,
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
the reader-writer generates a public-private key pair, and issues a certificate by using a Certificate Authority (CA);
a Key Management Center (KMC) generates a public and private key pair of the electronic tag by using an identification cryptographic algorithm, and hosts the public and private key pair to a key hosting center (KEC) for storage;
a Key Management Center (KMC) generates an encryption and decryption key of the electronic tag and stores the encryption and decryption key into a Key Escrow Center (KEC);
the Key Escrow Center (KEC) is based on an identity identification algorithm to replace the electronic tag to complete the bidirectional identity authentication with the reader-writer.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
In this specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for system embodiments, since they are substantially similar to method embodiments, the description is relatively simple, as relevant to see a section of the description of method embodiments.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and changes may be made to the present application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc. which are within the spirit and principles of the present application are intended to be included within the scope of the claims of the present application.
Claims (2)
1. A bidirectional identity authentication method of a reader-writer and an electronic tag is characterized by comprising the following steps:
the reader-writer generates a public-private key pair, and issues a certificate by using a Certificate Authority (CA);
a Key Management Center (KMC) generates a public and private key pair of the electronic tag by using an identification cryptographic algorithm, and hosts the public and private key pair to a key hosting center (KEC) for storage;
a Key Management Center (KMC) generates an encryption and decryption key of the electronic tag and stores the encryption and decryption key into a Key Escrow Center (KEC);
the Key Escrow Center (KEC) replaces the electronic tag to finish the bidirectional identity authentication with the reader-writer based on the identity identification algorithm;
generating a reader-writer public key certificate based on PKI, and generating an electronic tag identity identification certificate based on an identification cryptography algorithm (IBC);
the reader-writer generates a public-private key pair, and performs certificate issuing by using a Certificate Authority (CA), and specifically comprises the following steps:
the reader locally generates a public and private key pair and submits a certificate application to a Certificate Authority (CA) or a digital certificate Registry (RA);
the Certificate Authority (CA) performs audit and check on the certificate application, and signs and issues the certificate after checking the certificate application;
a Key Management Center (KMC) generates a public-private key pair of an electronic tag using an identification cryptographic algorithm, and specifically includes:
a Key Management Center (KMC) uses a unique tag identification number TID of an electronic tag as a public key of the electronic tag by using an identification cryptographic algorithm, and generates a private key corresponding to the public key;
a Key Management Center (KMC) generates an encryption and decryption key of the electronic tag, and specifically includes:
a Key Management Center (KMC) generates a key Kroot of a symmetric key system by itself and is used as a root key of the whole system, the Key Management Center (KMC) encrypts the TID of the electronic tag by using the root key, the encryption result is the encryption and decryption key of the electronic tag, and the Key Management Center (KMC) calculates a hash value (also called a hash value) of the encryption and decryption key of the electronic tag by using an HMAC method and the root key to carry out integrity protection on the encryption and decryption key of the electronic tag;
before the Key Management Center (KMC) generates the encryption and decryption key of the electronic tag and stores the key in the key management center (KEC), the method further includes:
the RFID card making terminal locally generates a public and private key pair by using an asymmetric algorithm, and issues a certificate by using a Certificate Authority (CA);
the card making terminal reads the TID information of the electronic tag, encrypts the card making data by using a symmetric algorithm and writes the encrypted card making data into a storage area of the electronic tag in a ciphertext mode;
the card making terminal sends the TID identification of the read electronic tag to a Key Management Center (KMC);
the Key Escrow Center (KEC) is based on an identity identification algorithm, replaces an electronic tag to complete bidirectional identity authentication with a reader-writer, and specifically comprises the following steps:
the method comprises the steps of obtaining public key certificates of each other by utilizing a public key algorithm of an identification password algorithm between a Key Escrow Center (KEC) and a reader-writer, verifying the validity of certificate signatures, verifying the validity period of the certificates, extracting a public key of the certificates, and verifying identities of both parties by adopting an authentication protocol of a challenge response mode;
a Key Escrow Center (KEC) and a reader-writer generate random numbers according to a pre-negotiated signature verification algorithm, and the Key Escrow Center (KEC) carries out digital signature by utilizing a private key of an electronic tag;
the reader-writer carries out operation according to the certificate identification and public parameters of the issuer to obtain a verification result;
the Key Escrow Center (KEC) is based on an identity identification algorithm, replaces an electronic tag to complete bidirectional identity authentication with a reader-writer, and specifically comprises the following steps:
the reader reads the TID of the electronic tag and the stored tag data ciphertext;
the reader-writer sends the TID of the electronic tag and requests the Key Escrow Center (KEC) to verify the identity of the electronic tag;
the Key Escrow Center (KEC) and the reader-writer verify based on an identity identification algorithm, the key escrow center signs the electronic tag by using a private key of the electronic tag, and the reader-writer verifies the identity by using the TID;
a Key Escrow Center (KEC) and a reader-writer verify based on a PKI public key algorithm;
the Key Escrow Center (KEC) and the reader-writer negotiate a session key, the reader-writer sends ciphertext data read from the electronic tag to the KEC, and the KEC decrypts the ciphertext data by using the symmetric key of the electronic tag and sends the data back to the reader-writer;
the Key Escrow Center (KEC) and the reader-writer verify based on PKI public key algorithm, and specifically comprises the following steps:
the Key Escrow Center (KEC) replaces the electronic tag to verify the identity of the reader-writer, the two parties verify based on a public key algorithm, the reader-writer is signed by a private key, and the Key Escrow Center (KEC) verifies by using the public key to determine the identity of the reader-writer.
2. An apparatus applying the bidirectional identity authentication method of the reader/writer and the electronic tag according to claim 1, comprising:
at least one processor; the method comprises the steps of,
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
the reader-writer generates a public-private key pair, and issues a certificate by using a Certificate Authority (CA);
a Key Management Center (KMC) generates a public and private key pair of the electronic tag by using an identification cryptographic algorithm, and hosts the public and private key pair to a key hosting center (KEC) for storage;
a Key Management Center (KMC) generates an encryption and decryption key of the electronic tag and stores the encryption and decryption key into a Key Escrow Center (KEC);
the Key Escrow Center (KEC) is based on an identity identification algorithm to replace the electronic tag to complete the bidirectional identity authentication with the reader-writer.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111501201.6A CN114205082B (en) | 2021-12-09 | 2021-12-09 | Bidirectional identity authentication method and equipment for reader-writer and electronic tag |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111501201.6A CN114205082B (en) | 2021-12-09 | 2021-12-09 | Bidirectional identity authentication method and equipment for reader-writer and electronic tag |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114205082A CN114205082A (en) | 2022-03-18 |
| CN114205082B true CN114205082B (en) | 2024-01-26 |
Family
ID=80651781
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111501201.6A Active CN114205082B (en) | 2021-12-09 | 2021-12-09 | Bidirectional identity authentication method and equipment for reader-writer and electronic tag |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114205082B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114844687B (en) * | 2022-04-15 | 2024-07-09 | 深圳成谷科技有限公司 | Authentication method, electronic equipment and storage medium |
Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1949250A (en) * | 2006-07-10 | 2007-04-18 | 王耀 | System and method of identifying electronic tag using mobile communication equipment |
| CN101814991A (en) * | 2010-03-12 | 2010-08-25 | 西安西电捷通无线网络通信股份有限公司 | Mutual authentication method and system based on identity |
| KR20110074441A (en) * | 2009-12-24 | 2011-06-30 | 삼성테크윈 주식회사 | Method for mutual authentication between tag and reader in radio frequency identification system |
| CN102646203A (en) * | 2012-02-29 | 2012-08-22 | 电子科技大学 | RFID (Radio Frequency Identification Device) data transmission and authentication system and method |
| CN103078744A (en) * | 2013-01-25 | 2013-05-01 | 西安电子科技大学 | Public key-based bidirectional radio frequency identification authorization method |
| CN104113414A (en) * | 2014-06-10 | 2014-10-22 | 电子科技大学 | Untraceable RFID label authentication method |
| CN106992861A (en) * | 2017-05-24 | 2017-07-28 | 广东工业大学 | A kind of wireless generation method of RFID keys and system with EPC labels |
| CN108600230A (en) * | 2018-04-26 | 2018-09-28 | 深圳市盛路物联通讯技术有限公司 | A kind of radio-frequency identification method and system |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20200059363A1 (en) * | 2018-08-17 | 2020-02-20 | Walmart Apollo, Llc | Systems and methods of authenticating items |
-
2021
- 2021-12-09 CN CN202111501201.6A patent/CN114205082B/en active Active
Patent Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1949250A (en) * | 2006-07-10 | 2007-04-18 | 王耀 | System and method of identifying electronic tag using mobile communication equipment |
| KR20110074441A (en) * | 2009-12-24 | 2011-06-30 | 삼성테크윈 주식회사 | Method for mutual authentication between tag and reader in radio frequency identification system |
| CN101814991A (en) * | 2010-03-12 | 2010-08-25 | 西安西电捷通无线网络通信股份有限公司 | Mutual authentication method and system based on identity |
| CN102646203A (en) * | 2012-02-29 | 2012-08-22 | 电子科技大学 | RFID (Radio Frequency Identification Device) data transmission and authentication system and method |
| CN103078744A (en) * | 2013-01-25 | 2013-05-01 | 西安电子科技大学 | Public key-based bidirectional radio frequency identification authorization method |
| CN104113414A (en) * | 2014-06-10 | 2014-10-22 | 电子科技大学 | Untraceable RFID label authentication method |
| CN106992861A (en) * | 2017-05-24 | 2017-07-28 | 广东工业大学 | A kind of wireless generation method of RFID keys and system with EPC labels |
| CN108600230A (en) * | 2018-04-26 | 2018-09-28 | 深圳市盛路物联通讯技术有限公司 | A kind of radio-frequency identification method and system |
Non-Patent Citations (1)
| Title |
|---|
| 基于PKI和CPK的RFID系统混合密钥管理机制研究;张兵;秦志光;万国根;;电子科技大学学报(03);全文 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114205082A (en) | 2022-03-18 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110380852B (en) | Bidirectional authentication method and communication system | |
| US10516538B2 (en) | System and method for digitally signing documents using biometric data in a blockchain or PKI | |
| EP3318043B1 (en) | Mutual authentication of confidential communication | |
| CN101212293B (en) | Identity authentication method and system | |
| KR20190073472A (en) | Method, apparatus and system for transmitting data | |
| CN106789042B (en) | Authentication key negotiation method for user in IBC domain to access resources in PKI domain | |
| CN103546289B (en) | USB (universal serial bus) Key based secure data transmission method and system | |
| US11228450B2 (en) | Method and apparatus for performing multi-party secure computing based-on issuing certificate | |
| JP7292263B2 (en) | Method and apparatus for managing digital certificates | |
| US8806206B2 (en) | Cooperation method and system of hardware secure units, and application device | |
| CN105049434B (en) | Identity identifying method and encryption communication method under a kind of peer to peer environment | |
| CN101090316A (en) | Identify authorization method between storage card and terminal equipment at off-line state | |
| US10887110B2 (en) | Method for digital signing with multiple devices operating multiparty computation with a split key | |
| US20160226837A1 (en) | Server for authenticating smart chip and method thereof | |
| US11070537B2 (en) | Stateless method for securing and authenticating a telecommunication | |
| CN114205082B (en) | Bidirectional identity authentication method and equipment for reader-writer and electronic tag | |
| CN114331456A (en) | Communication method, device, system and readable storage medium | |
| CN114553426B (en) | Signature verification method, key management platform, security terminal and electronic equipment | |
| KR100456624B1 (en) | Authentication and key agreement scheme for mobile network | |
| JP2011250335A (en) | Efficient mutual authentication method, program, and device | |
| CN105812130B (en) | RFID ownership transfer method | |
| EP3185504A1 (en) | Security management system for securing a communication between a remote server and an electronic device | |
| CN116015906B (en) | Node authorization method, node communication method and device for privacy calculation | |
| CN114186292A (en) | Card type certificate secret key initialization method, cipher module, initialization device and system | |
| Xue et al. | A Quantum Multi-proxy Blind Signature Scheme Based on D-dimensional GHZ States |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |