
CN114257419A - Equipment authentication method and device, computer equipment and storage medium - Google Patents


Info

Publication number
CN114257419A
Authority
CN
China
Prior art keywords
server
information
equipment
authentication
registered
Prior art date
Legal status
Granted
Application number
CN202111436807.6A
Other languages
Chinese (zh)
Other versions
CN114257419B (en)
Inventor
钱正浩
刘鑫
刘晔
伍江瑶
温柏坚
Current Assignee
Guangdong Power Grid Co Ltd
Southern Power Grid Digital Grid Research Institute Co Ltd
Original Assignee
Guangdong Power Grid Co Ltd
Southern Power Grid Digital Grid Research Institute Co Ltd
Priority date
Filing date
Publication date
Application filed by Guangdong Power Grid Co Ltd, Southern Power Grid Digital Grid Research Institute Co Ltd
Priority to CN202111436807.6A
Publication of CN114257419A
Application granted
Publication of CN114257419B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/1066 Session management
    • H04L65/1073 Registration or de-registration
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Multimedia (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application relates to a device authentication method and apparatus, a computer device and a storage medium. The method comprises: device registration information containing a first public key of a device to be registered is sent to a second server through a first server; the second server generates response information and sends it to the first server through a blockchain; the device to be registered generates a corresponding digital signature, generates authentication request information from the digital signature and its device information, and sends it to the first server; the first server sends the authentication request information to the blockchain of the second server; and the second server receives the authentication request information through the blockchain and, through the blockchain, performs identity authentication on the digital signature and the device information in the authentication request information based on the first public key. Compared with traditional authentication modes, which lack a scheme for industrial equipment facing both an internal and an external network, the scheme uses the blockchain to authenticate industrial equipment in the external network even though the internal-network server and the external-network server are network-isolated, which improves the convenience of device authentication.

Description

Equipment authentication method and device, computer equipment and storage medium
Technical Field
The present application relates to the field of identity authentication technologies, and in particular, to a device authentication method and apparatus, a computer device, and a storage medium.
Background
Identity authentication of industrial equipment is a precondition for ensuring that an industrial task can be executed correctly and safely. Its aim is to confirm that an operator is legitimate and may access and use certain resources, and further to ensure that the equipment follows a defined access policy and that its operating behaviour is legal. If the identity authentication mechanism fails, behaviours such as identity impersonation, illegal access and operating violations easily occur and threaten the normal execution of the industrial task, so a strict identity authentication mechanism must be established. To secure data and prevent leakage of internal enterprise information, enterprises today adopt an environment in which the intranet and the extranet are isolated; this prevents, to a certain extent, the information leakage caused by mixed use of intranet and extranet, but it also brings certain difficulties for device authentication.
Therefore, the existing equipment authentication method facing the internal network and the external network has the defect of inconvenient authentication.
Disclosure of Invention
In view of the above, it is desirable to provide a device authentication method, apparatus, computer device, and storage medium that can improve the convenience of device authentication when there are internal and external networks.
An equipment authentication method is applied to a second server, the second server is arranged in an intranet, a block chain is arranged in the second server, and the method comprises the following steps:
receiving equipment registration information sent by a first server; the equipment registration information is generated according to an equipment registration request sent by equipment to be registered arranged in an external network; the equipment registration request comprises a first public key corresponding to the equipment to be registered;
generating corresponding response information according to the equipment registration information and sending the response information to the first server through the block chain; the first server is used for sending the response information to the equipment to be registered, the equipment to be registered is used for generating a corresponding digital signature according to the response information, generating authentication request information according to the digital signature and the equipment information of the equipment to be registered, and sending the authentication request information to a block chain of a second server through the first server;
and receiving the authentication request information through the block chain, and performing identity authentication on the digital signature and the equipment information in the authentication request information according to the first public key through the block chain.
In one embodiment, the device registration information includes a first generation time of the device registration request and a second generation time of the device registration information;
after receiving the device registration information sent by the first server, the method further includes:
and detecting whether the difference value between the second generation time and the first generation time is smaller than or equal to a preset time difference threshold value, if so, executing the step of generating corresponding response information according to the equipment registration information and sending the response information to the first server through the block chain.
In one embodiment, the device registration information further includes a device identification;
generating corresponding response information according to the device registration information includes:
generating a second public key and a second private key corresponding to the second server according to an elliptic encryption algorithm;
and generating the response information according to the second public key, the equipment identifier of the equipment to be registered and the current time.
In one embodiment, after performing identity authentication on the digital signature and the device information in the authentication request information according to the first public key through the blockchain, the method further includes:
if the identity authentication is passed, authentication passing information corresponding to the equipment information is generated through the block chain;
adding the digital signature of the second server to the authentication passing information, and sending the authentication passing information added with the digital signature of the second server to the first server; the first server is used for generating a first session key according to the authentication passing information and sending the authentication passing information to the device to be registered, and the device to be registered is used for generating a second session key according to the authentication passing information, so that the device to be registered communicates with the first server through the second session key, and the first server communicates with the second server through the first session key.
A device authentication method is applied to a first server, the first server is arranged in an external network, and the method comprises the following steps:
acquiring a device registration request sent by a device to be registered arranged in an external network; the device registration request comprises a first public key corresponding to the device to be registered;
generating corresponding equipment registration information according to the first public key, and sending the equipment registration information to a second server; a block chain is arranged in the second server; the second server is used for receiving the equipment registration information sent by the first server, generating corresponding response information according to the equipment registration information and sending the response information to the first server through the block chain;
sending the response information to the equipment to be registered; the equipment to be registered is used for generating a corresponding digital signature according to the response information, generating an authentication request according to the digital signature and the equipment information of the equipment to be registered, and sending the authentication request information to the first server;
sending the authentication request information to the block chain of the second server; and the second server is used for receiving the authentication request information through the block chain and carrying out identity authentication on the digital signature and the equipment information in the authentication request information according to the first public key through the block chain.
In one embodiment, the first server stores a second public key of the second server, and a third public key and a third private key of the first server; the device to be registered stores a first private key of the device to be registered and a third public key of the first server;
after sending the authentication request message to the blockchain of the second server, the method further includes:
acquiring authentication passing information returned by the second server; the authentication passing information comprises the equipment information and a digital signature of the second server;
verifying the authentication passing information according to the second public key, and if the authentication passing information passes, generating a first session key according to the third private key and the first public key so as to communicate with the second server through the first session key;
adding the third private key into the authentication passing information, and sending the authentication passing information added with the third private key to the equipment to be registered; the device to be registered is used for verifying the authentication passing information according to the third public key, and if the authentication passing information passes, a second session key is generated according to the first private key and the third public key of the device to be registered so as to communicate with the first server through the second session key.
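The session-key step of the embodiment above, as an added example written for this page (it is not the patent's own code or an implementation by its applicants): the first server derives the first session key from its third private key d3 and the device's first public key P1, and the device derives the second session key from its first private key d1 and the first server's third public key P3. The page says only that each key is generated "according to" those two keys; the example assumes an ECDH agreement on P-256 followed by SHA-256 (Go's standard `crypto/ecdh`, Go 1.20 or later), and the names DeriveSessionKey, KeysMatch, SessionKeyDemo and the context label are the example's own. It shows the property a practitioner would want to confirm: both ends obtain the same key, and a party holding an unrelated key pair does not.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// DeriveSessionKey computes a shared secret from the caller's private key and
// the peer's public key, then derives a 256-bit session key as
// SHA-256(label || secret). Assumption: the page names neither the key-agreement
// step nor a KDF; ECDH on P-256 with SHA-256 is used here for illustration.
func DeriveSessionKey(own *ecdh.PrivateKey, peer *ecdh.PublicKey, label string) ([]byte, error) {
	secret, err := own.ECDH(peer) // fails if the peer key is on a different curve
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write([]byte(label))
	h.Write(secret)
	return h.Sum(nil), nil
}

// KeysMatch compares two derived keys in constant time.
func KeysMatch(a, b []byte) bool {
	return len(a) == len(b) && subtle.ConstantTimeCompare(a, b) == 1
}

// SessionKeyDemo builds the device's first key pair (d1, P1) and the first
// server's third key pair (d3, P3), both constructed for this example, derives
// K1 = f(d3, P1) on the first server and K2 = f(d1, P3) on the device, and
// reports whether they agree and whether an unrelated key pair is excluded.
func SessionKeyDemo() (agree bool, outsiderDiffers bool, err error) {
	curve := ecdh.P256()
	first, err := curve.GenerateKey(rand.Reader) // device: d1, P1
	if err != nil {
		return
	}
	third, err := curve.GenerateKey(rand.Reader) // first server: d3, P3
	if err != nil {
		return
	}
	outsider, err := curve.GenerateKey(rand.Reader) // holds neither d1 nor d3
	if err != nil {
		return
	}
	const label = "device-to-first-server session" // constructed context label
	k1, err := DeriveSessionKey(third, first.PublicKey(), label) // first session key
	if err != nil {
		return
	}
	k2, err := DeriveSessionKey(first, third.PublicKey(), label) // second session key
	if err != nil {
		return
	}
	k3, err := DeriveSessionKey(outsider, third.PublicKey(), label)
	if err != nil {
		return
	}
	return KeysMatch(k1, k2), !KeysMatch(k1, k3), nil
}

func main() {
	agree, differs, err := SessionKeyDemo()
	fmt.Println("K1 == K2:", agree, "outsider excluded:", differs, "error:", err)
}
```

The context label is hashed in with the secret so that keys derived for different purposes from the same key pairs do not collide; the page does not specify a label, so it is an assumption of the example.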
A device authentication system, the system comprising a device to be registered, a first server and a second server; the device to be registered and the first server are arranged in an extranet, the second server is arranged in an intranet, and a blockchain is arranged in the second server;
the device to be registered is used for sending a device registration request to the first server; the device registration request comprises a first public key corresponding to the device to be registered;
the first server is used for generating corresponding equipment registration information according to the first public key and sending the equipment registration information to a second server;
the second server is used for receiving the equipment registration information sent by the first server, generating corresponding response information according to the equipment registration information and sending the response information to the first server through the block chain;
the first server is used for sending the response information to the equipment to be registered;
the device to be registered is used for generating a corresponding digital signature according to the response information, generating authentication request information according to the digital signature and the device information of the device to be registered, and sending the authentication request information to the first server;
the first server is used for sending the authentication request information to the block chain of the second server;
and the second server is used for receiving the authentication request information through the block chain and carrying out identity authentication on the digital signature and the equipment information in the authentication request information according to the first public key through the block chain.
A device authentication apparatus is applied to a second server, the second server is arranged in an intranet, and a blockchain is arranged in the second server; the apparatus comprises:
the receiving module is used for receiving the equipment registration information sent by the first server; the equipment registration information is generated according to an equipment registration request sent by equipment to be registered arranged in an external network; the equipment registration request comprises a first public key corresponding to the equipment to be registered;
the response module is used for generating corresponding response information according to the equipment registration information and sending the response information to the first server through the block chain; the first server is used for sending the response information to the equipment to be registered, the equipment to be registered is used for generating a corresponding digital signature according to the response information, generating authentication request information according to the digital signature and the equipment information of the equipment to be registered, and sending the authentication request information to a block chain of a second server through the first server;
and the authentication module is used for receiving the authentication request information through the block chain and carrying out identity authentication on the digital signature and the equipment information in the authentication request information according to the first public key through the block chain.
An apparatus for authenticating a device, the apparatus being applied to a first server provided in an external network, the apparatus comprising:
the device comprises an acquisition module, a registration module and a registration module, wherein the acquisition module is used for acquiring a device registration request sent by a device to be registered arranged in an external network; the device registration request comprises a first public key corresponding to the device to be registered;
the first sending module is used for generating corresponding equipment registration information according to the first public key and sending the equipment registration information to a second server; a block chain is arranged in the second server; the second server is used for receiving the equipment registration information sent by the first server, generating corresponding response information according to the equipment registration information and sending the response information to the first server through the block chain;
the second sending module is used for sending the response information to the equipment to be registered; the equipment to be registered is used for generating a corresponding digital signature according to the response information, generating an authentication request according to the digital signature and the equipment information of the equipment to be registered, and sending the authentication request information to the first server;
a third sending module, configured to send the authentication request message to the block chain of the second server; and the second server is used for receiving the authentication request information through the block chain and carrying out identity authentication on the digital signature and the equipment information in the authentication request information according to the first public key through the block chain.
A computer device comprising a memory storing a computer program and a processor implementing the steps of the method described above when executing the computer program.
A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the above-mentioned method.
In the device authentication method and apparatus, computer device and storage medium, the first server generates device registration information according to the first public key of the device to be registered and sends it to the second server; the second server generates corresponding response information according to the device registration information and sends it to the first server through the blockchain; the device to be registered generates a corresponding digital signature based on the response information forwarded by the first server, generates authentication request information according to the digital signature and its device information, and sends the authentication request information to the first server; the first server sends the authentication request information to the blockchain of the second server; and the second server receives the authentication request information through the blockchain and, through the blockchain, performs identity authentication on the digital signature and the device information in the authentication request information based on the first public key. Compared with traditional authentication modes, which lack a scheme for industrial equipment facing both an internal and an external network, the scheme uses the blockchain to authenticate industrial equipment in the external network even though the internal-network server and the external-network server are network-isolated, which improves the convenience of device authentication.
Drawings
FIG. 1 is a diagram of an application environment of a device authentication method in one embodiment;
FIG. 2 is a diagram of an application environment of a device authentication method according to another embodiment;
FIG. 3 is a flow diagram that illustrates a method for device authentication, according to one embodiment;
FIG. 4 is a flowchart illustrating a method for authenticating a device according to another embodiment;
FIG. 5 is a flowchart illustrating a method for authenticating a device according to yet another embodiment;
FIG. 6 is a block diagram showing the structure of an apparatus authentication device according to an embodiment;
FIG. 7 is a block diagram showing the structure of an apparatus authentication device according to another embodiment;
FIG. 8 is a diagram illustrating an internal structure of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The device authentication method provided by the application can be applied to the application environment shown in fig. 1. The first server 102 may communicate with the second server 104 and with the device, respectively. The second server 104 may be provided with a blockchain, and the second server 104 may receive the device registration information sent by the first server 102, so that the second server 104 can start a registration process for the device based on the device registration information and return response information to the first server 102; after receiving the response information, the first server 102 may receive authentication information generated by the device and initiate an authentication request to the second server, so that the second server 104 receives the authentication request through the blockchain and performs identity authentication on the device. Fig. 2 is a diagram of the application environment of a device authentication method in another embodiment. The first server 102 may be an external network server and the second server 104 an internal network server; a blockchain is disposed in the internal network server, the internal network server and the external network server are network-isolated but can communicate through the blockchain, and the external network server may also be communicatively connected with various industrial devices. The first server 102 and the second server 104 may each be implemented by a separate server or by a server cluster composed of a plurality of servers.
In one embodiment, as shown in fig. 3, a device authentication method is provided, which is described by taking the method as an example applied to the second server in fig. 1, and includes the following steps:
step S202, receiving equipment registration information sent by a first server; the equipment registration information is generated according to an equipment registration request sent by equipment to be registered arranged in an external network; the device registration request contains a first public key corresponding to the device to be registered.
The first server 102 may be an extranet server. The extranet server may be set up in a public network; it pushes the identity registration and identity authentication applications submitted by a device to the intranet, and forwards the result to the device once registration and authentication of the device have been completed in the intranet. The second server 104 may be located in the intranet and is responsible for completing registration and authentication of the device. A blockchain may be set up in the second server 104, and the blockchain in the second server 104 may be responsible for: receiving device registration and authentication information from the external network, verifying the legality of the device during identity authentication, verifying the freshness of the information with a smart contract to prevent repeated authentication of the device, and verifying the signature of the device. The device to be registered may be any of various industrial devices, and it can communicate with the intranet only after completing identity identification and validity verification.
The second server 104 may receive the device registration information sent from the first server 102, where the registration information may be generated by the first server 102 according to a device registration request sent by a device to be registered installed in an extranet, and the device registration request may be a request generated by the device to be registered based on its first public key, and the device to be registered may send the device registration request to the first server 102, that is, the device registration information includes the first public key of the device to be registered. Therefore, the second server 104 may start the registration process of the device to be registered after receiving the device registration request sent by the first server 102.
After receiving the device registration information, the second server 104 may also verify the validity of the device registration information. For example, in one embodiment, after receiving the device registration information sent by the first server, the method further includes: detecting whether the difference between the second generation time and the first generation time is less than or equal to a preset time difference threshold, and if so, executing the step of generating corresponding response information according to the device registration information and sending the response information to the first server through the blockchain. In this embodiment, the device registration information includes a first generation time of the device registration request and a second generation time of the device registration information. The second server 104 may receive the device registration information from the extranet server, i.e. the first server 102, through the blockchain provided in the second server 104, and verify the freshness of the received information, i.e. the validity of the device registration information, by having the blockchain call a smart contract. The second server 104 may use the blockchain to detect whether the difference between the second generation time and the first generation time is less than or equal to the preset time difference threshold; if so, it determines that the device registration information is valid and continues with the step of responding to the device registration information; if not, the device registration information has lost its validity, and the second server 104 may end the device registration flow. This validity check prevents repeated verification of the device.
Here the first generation time in the device registration information may be denoted T1 and the second generation time T2; the second server 104 then decides the validity of the device registration information from T1 and T2. For example, the second server 104 may check through the blockchain whether |T2 − T1| ≤ ΔT holds: if it does not, the session is terminated; if it does, the flow proceeds to the step of responding to the device registration information. In addition, the device registration information may further include the first public key of the device to be registered, and the second server 104 may store this first public key P_de,x of the device on the blockchain.
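Steps S202 and S204 on the second server as an added worked example (code written for this page, not the patent's own): it covers the freshness embodiment above, |T2 − T1| ≤ ΔT, the storing of P_de,x, and the response built from a newly generated second key pair, the device identifier and the current time. A Go map stands in for the blockchain ledger, P-256 is assumed for the "elliptic encryption algorithm", the absolute difference is used so that clock skew in either direction is treated the same way, and the names RegistrationInfo, Response, Ledger, IsFresh, Register and RegisterDemo as well as the device identifiers, timestamps and threshold are constructed for the example.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// RegistrationInfo is what the first (extranet) server forwards to the second
// (intranet) server: the device's first public key P_de,x, the device
// identifier, the generation time T1 of the device's request and the generation
// time T2 of this message. Field names are the example's own.
type RegistrationInfo struct {
	DeviceID    string
	FirstPubKey []byte // uncompressed P-256 point encoding of the device's first public key
	T1          time.Time
	T2          time.Time
}

// Response is what the second server returns through the blockchain: its newly
// generated second public key, the device identifier and the current time.
type Response struct {
	SecondPubKey []byte
	DeviceID     string
	Time         time.Time
}

// Ledger stands in for the blockchain state that records each registered
// device's first public key; a map is used so the example runs offline.
type Ledger struct {
	FirstPubKeys map[string][]byte
}

func NewLedger() *Ledger { return &Ledger{FirstPubKeys: map[string][]byte{}} }

// IsFresh implements the page's check |T2 - T1| <= delta.
func IsFresh(t1, t2 time.Time, delta time.Duration) bool {
	d := t2.Sub(t1)
	if d < 0 {
		d = -d
	}
	return d <= delta
}

// Register is the second server's handling of one registration: verify
// freshness, validate and record P_de,x, generate the second key pair on P-256
// (assumption: the page says only "elliptic encryption algorithm") and build the
// response. The second private key is returned so the caller can keep it.
func (l *Ledger) Register(info RegistrationInfo, delta time.Duration, now time.Time) (*Response, *ecdh.PrivateKey, error) {
	if !IsFresh(info.T1, info.T2, delta) {
		return nil, nil, errors.New("registration information is stale: |T2-T1| exceeds threshold")
	}
	// Reject a malformed key before recording it; NewPublicKey checks the encoding and that the point is on the curve.
	if _, err := ecdh.P256().NewPublicKey(info.FirstPubKey); err != nil {
		return nil, nil, fmt.Errorf("invalid first public key: %w", err)
	}
	secondPriv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	l.FirstPubKeys[info.DeviceID] = info.FirstPubKey
	return &Response{SecondPubKey: secondPriv.PublicKey().Bytes(), DeviceID: info.DeviceID, Time: now}, secondPriv, nil
}

// RegisterDemo runs one fresh and one stale registration with a constructed
// device key and reports whether each was handled as the page describes.
func RegisterDemo(delta time.Duration) (freshAccepted bool, staleRejected bool, err error) {
	devPriv, err := ecdh.P256().GenerateKey(rand.Reader) // constructed device key (d1, P_de,x)
	if err != nil {
		return false, false, err
	}
	ledger := NewLedger()
	base := time.Date(2021, 11, 29, 12, 0, 0, 0, time.UTC) // constructed timestamps
	fresh := RegistrationInfo{DeviceID: "plc-01", FirstPubKey: devPriv.PublicKey().Bytes(), T1: base, T2: base.Add(2 * time.Second)}
	resp, _, err := ledger.Register(fresh, delta, base.Add(3*time.Second))
	freshAccepted = err == nil && resp != nil && resp.DeviceID == "plc-01" && len(ledger.FirstPubKeys["plc-01"]) > 0

	stale := fresh
	stale.DeviceID = "plc-02"
	stale.T2 = base.Add(10 * time.Minute) // forwarded long after the device generated it
	_, _, err = ledger.Register(stale, delta, base.Add(10*time.Minute))
	staleRejected = err != nil && ledger.FirstPubKeys["plc-02"] == nil
	return freshAccepted, staleRejected, nil
}

func main() {
	ok, rejected, err := RegisterDemo(30 * time.Second)
	fmt.Println("fresh registration accepted:", ok, "stale registration rejected:", rejected, "error:", err)
}
```

Note that a stale message is rejected before anything is written to the ledger, so a replayed registration cannot overwrite a previously recorded P_de,x.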
Step S204, generating corresponding response information according to the equipment registration information and sending the response information to the first server through the block chain; the first server is used for sending the response information to the equipment to be registered, the equipment to be registered is used for generating a corresponding digital signature according to the response information, generating authentication request information according to the digital signature and the equipment information of the equipment to be registered, and the authentication request information is sent to the block chain of the second server through the first server.
The second server 104 may respond to the received device registration information, and if the second server 104 determines that the device registration information is valid, the second server may generate corresponding response information according to the received device registration information, and send the response information to the first server 102 through the block chain. For example, second server 104 may generate a corresponding public-private key pair for this registration, thereby generating corresponding response information based on the public key of second server 104. After receiving the response information, the first server 102 may perform relevant processing on the response information and then send the response information to the device to be registered, so that the device to be registered may generate a corresponding digital signature according to the response information and generate authentication request information according to the digital signature and the device information of the device to be registered, and the device to be registered may send the authentication request information to the first server 102, so that the first server 102 may send the authentication request information to a block chain of a second server to perform identity authentication.
Step S206, receiving the authentication request information through the block chain, and performing identity authentication on the digital signature and the equipment information in the authentication request information according to the first public key through the block chain.
The second server 104 may receive the authentication request information sent by the first server 102 through the blockchain, and perform identity authentication on the digital signature and the device information in the authentication request information using the first public key of the device to be registered held in the blockchain. For example, the blockchain in the second server 104 may receive the authentication request message and use the stored first public key P_{de,x} to verify the signature of the device to be registered, thereby verifying its identity; if the verification succeeds, the blockchain forwards a verification success message to the second server 104, where the message format may be <Auth_verified, KeyInfo>; KeyInfo may be the key information of the device to be registered, for example its device information, and Auth_verified indicates that the verification succeeded. On receiving the verification success message from the blockchain, the second server 104 may store the key information of the device to be registered and return authentication passing information containing the signature of the second server 104 to the first server 102, where the format of the authentication passing information may be <Auth_comfirm_ins>; thus the authenticated device of the first server 102 can perform corresponding processing based on the authentication passing information to realize communication with the second server 104.
According to the device authentication method, the first server generates device registration information from the first public key of the device to be registered and sends it to the second server; the second server generates corresponding response information from the device registration information and sends it to the first server through the blockchain; the device to be registered generates a corresponding digital signature based on the response information forwarded by the first server, generates authentication request information from the digital signature and its device information, and sends it to the first server; the first server sends the authentication request information to the blockchain of the second server; and the second server receives the authentication request information through the blockchain and performs identity authentication on the digital signature and the device information in it, based on the first public key, through the blockchain. Compared with traditional authentication, which lacks a mode for industrial devices spanning the intranet and extranet, the scheme uses the blockchain to authenticate extranet industrial devices while the intranet server and extranet server are network-isolated, improving the convenience of device authentication.
In one embodiment, generating corresponding response information according to the device registration information includes: generating a second public key and a second private key corresponding to the second server according to the elliptic encryption algorithm; and generating response information according to the second public key, the equipment identifier of the equipment to be registered and the current time.
In this embodiment, the information of the device to be registered includes a device identifier. After receiving the device registration information sent by the first server 102, the second server 104 may generate a second public key and a second private key corresponding to the second server 104 using an elliptic curve encryption algorithm, and may also generate corresponding response information from the second public key, the device identifier of the device to be registered and the current time. The second public key and second private key may be generated from a random number. For example, after the second server 104 receives the device registration information from the first server 102, it may generate a pair of public and private keys for this registration: the second server 104 generates a random number k and then, using the elliptic curve encryption algorithm, generates the key pair consisting of the second private key S_{de,k} and the second public key P_{de,k}; it then returns a response message to the first server 102 via the blockchain in the format <register_agr, ID, T3, P_{de,k}>, where ID is the device identifier of the device to be registered and T3 is the current timestamp. The response indicates that the second server 104 agrees to let the device to be registered enter the registration procedure. In addition, since the response information passes through the blockchain, the blockchain can also store the response on-chain as a record.
Through this embodiment, the second server 104 may generate response information corresponding to the device registration information based on the public key generated by itself and the device-related information, so as to notify the device to enter a device registration process, thereby improving convenience of registering the extranet device in the intranet.
In one embodiment, after performing identity authentication on the digital signature in the authentication request information and the device information according to the first public key through the blockchain, the method further includes: if the identity authentication is passed, authentication passing information corresponding to the equipment information is generated through the block chain; adding the digital signature of the second server into the authentication passing information, and sending the authentication passing information added with the digital signature of the second server to the first server; the first server is used for generating a first session key according to the authentication passing information and sending the authentication passing information to the device to be registered, and the device to be registered is used for generating a second session key according to the authentication passing information so that the device to be registered communicates with the first server through the second session key and the first server communicates with the second server through the first session key.
In this embodiment, the second server 104 may authenticate the authentication request information sent by the first server 102 through the blockchain, and may also return corresponding confirmation passing information to the first server 102 after the authentication passes. The second server 104 may generate authentication passing information corresponding to the device information through the blockchain when the device authentication is confirmed to pass, add the digital signature of the second server 104 to the authentication passing information after receiving it from the blockchain, and send the authentication passing information with the digital signature of the second server 104 added to the first server 102. When the first server 102 receives the authentication passing information to which the digital signature of the second server 104 is added, it may generate the first session key according to the authentication passing information, and the first server 102 may further transmit the received authentication passing information to the device that passed registration, so that the authenticated device may generate a corresponding second session key according to the authentication passing information. Therefore, the first server 102 may communicate with the second server 104 according to the first session key, and the successfully registered device may communicate with the first server 102 through the second session key; that is, the successfully registered device may communicate with the second server 104 of the intranet through the first server 102. The authentication passing information generated by the blockchain may be <Auth_verified, KeyInfo>; the authentication passing information sent by the second server 104 to the first server 102 after adding the digital signature of the second server 104 may be <Auth_verified, KeyInfo>.
Through the embodiment, the second server 104 can send the authentication passing information containing the digital signature of the second server to the registered device after the device to be registered passes the authentication, so that the authenticated device can communicate with the second server 104 of the intranet based on the first server 102, and the convenience of the identity authentication of the extranet device in the intranet is improved.
In one embodiment, as shown in fig. 4, a device authentication method is provided, which is described by taking the method as an example applied to the first server in fig. 1, and includes the following steps:
step S302, obtaining a device registration request sent by a device to be registered arranged in an external network; the device registration request includes a first public key corresponding to the device to be registered.
The device to be registered may be any of various industrial devices installed in an external network, and the first server 102 may be a server installed in the external network. The device to be registered may generate a device registration request based on its first public key and send it to the first server 102; the first server 102 obtains the device registration request sent by the device to be registered, thereby starting the device registration and authentication process for that device. The first public key may be generated by the device to be registered based on a random number. For example, when the device to be registered needs to be authenticated, it may generate a random number x and then, using an elliptic curve encryption algorithm, generate its own key pair consisting of the first private key S_{de,x} and the first public key P_{de,x}; the device then initiates a device registration request to the extranet server, i.e., the first server 102 described above. The request message has the format <register, ID, T1, P_{de,x}>, where ID is the identity of the device and T1 is the current timestamp.
Step S304, generating corresponding device registration information according to the first public key, and sending the device registration information to a second server; a blockchain is arranged in the second server; the second server is used for receiving the device registration information sent by the first server, generating corresponding response information according to the device registration information and sending the response information to the first server through the blockchain.
The first public key may be a public key generated by the device to be registered, and the first server 102 may generate device registration information including the first public key and send it to the second server 104 in the intranet, so that the second server 104 may receive the device registration information, generate corresponding response information according to it, and send the response information to the first server 102 through the blockchain. The first server 102 may be an extranet server, and the device registration information may be sent to the second server 104 through the extranet server. For example, after receiving the registration information sent by the device, the extranet server generates a pair of registration public and private keys for the device: specifically, the extranet server generates a random number s and then, using an elliptic curve encryption algorithm, generates the extranet key pair consisting of the third private key S_{de,s} and the third public key P_{de,s}, and forwards the registration information to the second server 104 of the intranet, where the message format of the device registration information is <register, ID, T1, P_{de,x}, T2> and T2 is the current timestamp.
Step S306, sending the response information to the equipment to be registered; the device to be registered is used for generating a corresponding digital signature according to the response information, generating an authentication request according to the digital signature and the device information of the device to be registered, and sending the authentication request information to the first server.
After receiving the device registration information of the first server 102, the second server 104 may generate corresponding response information and return the response information to the first server 102, where the response information includes the second public key of the second server 104, the device identifier of the device to be registered, and the generation time of the response information. After receiving the response information, the first server 102 may send the response information to the device to be registered, so that the device to be registered may generate a corresponding digital signature according to the response information, generate an authentication request according to the digital signature and the device information of the device to be registered, and send the authentication request information to the first server 102.
After receiving the response message, the first server 102 may perform corresponding processing and then send the processed response message to the device to be registered. For example, after receiving the response information from the second server 104 in the intranet, the first server 102 may store the second public key given by the second server 104, attach its own generated third public key to the message, and send the message to the device in the format <register_agr, ID, T3, P_{de,k}, T4, P_{de,s}>, where ID is the device identifier, T3 is the generation time of the response message, P_{de,s} is the third public key, T4 is the generation time of this message, and P_{de,k} is the second public key. On receiving the response message <register_agr, ID, T3, P_{de,k}, T4, P_{de,s}> from the extranet server, the device first verifies the timestamps, checking whether |T4 - T3| ≤ ΔT holds; if it does not hold, the session is terminated, otherwise the device computes the digital signature α = Sig(ID || Type || Attribute || T5) over the key information using its own first private key. In addition, the device to be registered may use the extranet public key generated by the extranet server, i.e. the third public key mentioned above, to encrypt this information and obtain the message
[equation image not reproduced in the text: the encrypted message β]
where KeyInfo denotes the key information, including <ID, Type, Attribute> and so on; ID is the identity of the device, Type identifies the type of device, Attribute indicates attributes of the device such as size, and T5 is the generation time of the digital signature computed over the information with the first private key. The device may then send an authentication request message to the extranet server in the format <Auth, β>.
Step S308, sending the authentication request information to the block chain of the second server; and the second server is used for receiving the authentication request information through the block chain and carrying out identity authentication on the digital signature and the equipment information in the authentication request information according to the first public key through the block chain.
The authentication request information may be information sent by the device to be registered, and the first server 102 may send the authentication request information to the blockchain of the second server 104, so that the second server 104 may perform identity authentication on the digital signature and the device information in the authentication request information using the first public key in the blockchain after receiving the authentication request information via the blockchain. The first server 102 may be an extranet server, the authentication request may also be information in encrypted form, and the first server 102 may decrypt the encrypted information and then upload the decrypted information to the blockchain of the second server 104. For example, after receiving the authentication information sent by the device, the first server 102 may use its generated extranet private key, i.e. the third private key S_{de,s} mentioned above, to decrypt β and obtain the key information KeyInfo and the device signature α; it then obtains the current system timestamp T6 and verifies whether |T6 - T5| ≤ ΔT holds. If so, the first server 102 may initiate signature authentication to the blockchain in the intranet, i.e. send the authentication request message, in the format <Auth, KeyInfo, α>.
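The device-side signature α, the encrypted message β, the extranet server's decryption and |T6 - T5| check, and the chain-side signature verification with the stored P_{de,x} (steps S306 and S308 here, steps seven to nine of the later embodiment), as an added Go example that is not code from the patent. The page does not fix the public-key encryption scheme or the byte layout of ID||Type||Attribute||T5; this example assumes P-256 ECDSA for α, an ECIES-style construction (ephemeral ECDH against P_{de,s}, SHA-256 as a minimal KDF, AES-256-GCM) for β, and a JSON payload carrying KeyInfo, T5 and α.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// KeyInfo is the page's <ID, Type, Attribute> key information.
type KeyInfo struct{ ID, Type, Attribute string }

// AuthPayload is what the device encrypts under P_de,s: KeyInfo, the signing time T5 and alpha.
type AuthPayload struct {
	KeyInfo KeyInfo
	T5      int64  // unix seconds
	Alpha   []byte // ASN.1 ECDSA signature over ID||Type||Attribute||T5
}

// signedDigest fixes a byte layout for ID||Type||Attribute||T5 (assumed; the page leaves it open).
func signedDigest(k KeyInfo, t5 int64) []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s||%s||%s||%d", k.ID, k.Type, k.Attribute, t5)))
	return h[:]
}

// gcmFor turns an ECDH shared secret into an AES-256-GCM instance (SHA-256 as a minimal KDF).
func gcmFor(shared []byte) (cipher.AEAD, error) {
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal is an ECIES-style stand-in (assumption) for "encrypt with the extranet public key":
// ephemeral ECDH against P_de,s, then AES-GCM. Layout: ephemeral pub (65 bytes) || nonce || ciphertext.
func Seal(extPub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	shared, err := eph.ECDH(extPub)
	if err != nil { return nil, err }
	gcm, err := gcmFor(shared)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	out := append(eph.PublicKey().Bytes(), nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// Open reverses Seal with S_de,s; any tampering makes the GCM authentication check fail.
func Open(extPriv *ecdh.PrivateKey, msg []byte) ([]byte, error) {
	const pubLen = 65 // uncompressed P-256 point
	if len(msg) < pubLen+12 { return nil, errors.New("ciphertext too short") }
	ephPub, err := ecdh.P256().NewPublicKey(msg[:pubLen])
	if err != nil { return nil, err }
	shared, err := extPriv.ECDH(ephPub)
	if err != nil { return nil, err }
	gcm, err := gcmFor(shared)
	if err != nil { return nil, err }
	ns := gcm.NonceSize()
	return gcm.Open(nil, msg[pubLen:pubLen+ns], msg[pubLen+ns:], nil)
}

// BuildAuthRequest is the device's step: alpha = Sig_{S_de,x}(ID||Type||Attribute||T5), then
// beta = Enc_{P_de,s}(KeyInfo, T5, alpha).
func BuildAuthRequest(devPriv *ecdsa.PrivateKey, extPub *ecdh.PublicKey, k KeyInfo, t5 time.Time) ([]byte, error) {
	alpha, err := ecdsa.SignASN1(rand.Reader, devPriv, signedDigest(k, t5.Unix()))
	if err != nil { return nil, err }
	plain, err := json.Marshal(AuthPayload{KeyInfo: k, T5: t5.Unix(), Alpha: alpha})
	if err != nil { return nil, err }
	return Seal(extPub, plain)
}

// ExtranetCheck is the extranet server's step: decrypt beta with S_de,s, enforce |T6 - T5| <= deltaT,
// and return the content of <Auth, KeyInfo, alpha> that goes to the intranet chain.
func ExtranetCheck(extPriv *ecdh.PrivateKey, beta []byte, t6 time.Time, deltaT time.Duration) (*AuthPayload, error) {
	plain, err := Open(extPriv, beta)
	if err != nil { return nil, err }
	var p AuthPayload
	if err := json.Unmarshal(plain, &p); err != nil { return nil, err }
	if d := t6.Sub(time.Unix(p.T5, 0)); d > deltaT || d < -deltaT {
		return nil, errors.New("authentication request is stale")
	}
	return &p, nil
}

// LedgerVerify is the chain's step: check alpha against the P_de,x stored at registration.
func LedgerVerify(storedDevPub *ecdsa.PublicKey, p *AuthPayload) bool {
	return ecdsa.VerifyASN1(storedDevPub, signedDigest(p.KeyInfo, p.T5), p.Alpha)
}

func main() {
	devPriv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // S_de,x / P_de,x
	extPriv, _ := ecdh.P256().GenerateKey(rand.Reader)            // S_de,s / P_de,s
	info := KeyInfo{ID: "dev-001", Type: "sensor", Attribute: "size=small"} // constructed sample
	now := time.Now()
	beta, _ := BuildAuthRequest(devPriv, extPriv.PublicKey(), info, now)
	p, err := ExtranetCheck(extPriv, beta, now.Add(time.Second), 5*time.Second)
	fmt.Println("extranet check ok:", err == nil, "chain verify:", err == nil && LedgerVerify(&devPriv.PublicKey, p))
}
```

Two points matter for a deployment of this flow: T5 travels inside the encrypted payload, so the extranet server's freshness check is made on a value the device committed to under the signature, and the chain verifies α against the key it stored at registration rather than against any key carried in the request, which is what ties the authentication back to the earlier registration.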
According to the device authentication method, the first server generates device registration information from the first public key of the device to be registered and sends it to the second server; the second server generates corresponding response information from the device registration information and sends it to the first server through the blockchain; the device to be registered generates a corresponding digital signature based on the response information forwarded by the first server, generates authentication request information from the digital signature and its device information, and sends it to the first server; the first server sends the authentication request information to the blockchain of the second server; and the second server receives the authentication request information through the blockchain and performs identity authentication on the digital signature and the device information in it, based on the first public key, through the blockchain. Compared with traditional authentication, which lacks a mode for industrial devices spanning the intranet and extranet, the scheme uses the blockchain to authenticate extranet industrial devices while the intranet server and extranet server are network-isolated, improving the convenience of device authentication.
In one embodiment, after the block chain of the second server to which the authentication request information is sent, the method further includes: acquiring authentication passing information returned by the second server; the authentication passing information comprises equipment information and a digital signature of the second server; verifying the authentication passing information according to the second public key, and if the authentication passing information passes, generating a first session key according to the third private key and the first public key so as to communicate with the second server through the first session key; adding a third private key in the authentication passing information, and sending the authentication passing information added with the third private key to the equipment to be registered; the device to be registered is used for verifying the authentication passing information according to the third public key, and if the authentication passing information passes, a second session key is generated according to the first private key and the third public key of the device to be registered so as to communicate with the first server through the second session key.
In this embodiment, the first server 102 stores the second public key P_{de,k} of the second server 104 together with its own third public key P_{de,s} and third private key S_{de,s}; the device to be registered stores its own first private key S_{de,x} and the third public key P_{de,s} of the first server 102. The second server 104 may return authentication passing information containing the device information and the digital signature of the second server 104 to the first server 102 after the authentication of the device passes. The first server 102 may verify the authentication passing information based on the second public key to determine whether it came from the second server 104, and if the authentication passing information is verified, the first server 102 may generate a first session key according to the third private key and the first public key, so that the first server 102 may communicate with the second server 104 through the first session key. After the authentication passing information is verified, the first server 102 may further send it to the registered device, so that the device may verify the authentication passing information based on the third public key, determine that it was sent by the first server 102, and, if the verification passes, generate a second session key according to the first private key and the third public key, so that the device may communicate with the first server 102 through the second session key.
The first server 102 may further process the authentication passing information and then send it to the device. For example, if the first server 102 verifies with the second public key of the second server 104 that the message was actually sent from the second server 104 of the intranet, the first server 102 of the extranet starts to compute the session key sk = h((S_{de,s} * PK_{de,x}) || x || s), and may send the confirmation message, i.e. the authentication passing information, signed by the third private key of the extranet, to the device in the format <Auth_comfirm_out>; otherwise the authentication is discarded. After the device receives the authentication confirmation message <Auth_comfirm_out> from the first server 102 of the extranet, it verifies the signature with the third public key of the extranet, ensuring that the message was sent by the first server 102; if the verification succeeds, the device computes the session key sk' = h((S_{de,x} * PK_{de,s}) || x || s) based on the third public key, the first private key and the corresponding random numbers; otherwise the device discards the authentication.
Through the embodiment, the first server 102 may communicate with the second server 104 through the first session key generated by itself, and the device may communicate with the first server 102 through the second session key generated by itself, so that the device after passing the authentication communicates with the second server 104 of the intranet through the first server 102. The efficiency of device authentication and communication is improved.
In one embodiment, as shown in fig. 5, fig. 5 is a flowchart illustrating a device authentication method in another embodiment. The device may be the above-mentioned device to be registered, the first server 102 may be an extranet server, the second server 104 may be an intranet server, and the blockchain may be set in the intranet server.
The method comprises the following steps:
Step one: the device generates a random number x and, using an elliptic curve encryption algorithm, generates its own key pair S_{de,x}, P_{de,x}; the device then initiates a device registration request to the extranet server. The request message has the format <register, ID, T1, P_{de,x}>, where ID is the identity of the device and T1 is the current timestamp.
Step two: after receiving the registration information sent by the device, the extranet server generates a pair of registration public and private keys for the device; specifically, the extranet server generates a random number s and, using an elliptic curve encryption algorithm, generates the extranet key pair S_{de,s}, P_{de,s}, and forwards the registration information to the intranet server in the format <register, ID, T1, P_{de,x}, T2>, where T2 is the current timestamp.
Step three: after the intranet server receives the request from the extranet server through the blockchain, the blockchain calls the smart contract to verify the freshness of the device's authentication information, so that repeated authentication of the device can be prevented; for example, the intranet server verifies in the blockchain whether |T2 - T1| ≤ ΔT holds, terminating the session if it does not hold and otherwise entering step four. In addition, the intranet server may also store the device public key P_{de,x} from the message on the blockchain.
Step four: the intranet server receives the registration information from the extranet server and generates a pair of registration public and private keys for this registration, for example the key pair S_{de,k}, P_{de,k} using an elliptic curve encryption algorithm, and returns response information to the extranet server through the blockchain in the format <register_agr, ID, T3, P_{de,k}>, where T3 is the current timestamp.
Step five: the blockchain stores the intranet server's response information <register_agr, ID, T3, P_{de,k}> on-chain as a record.
Step six: after receiving the response information from the intranet server, the extranet server stores the public key P_{de,k} given by the intranet server, attaches its own generated extranet public key P_{de,s} to the message and sends it to the device in the format <register_agr, ID, T3, P_{de,k}, T4, P_{de,s}>.
Step seven: the device receives the reply message from the extranet server and first verifies the timestamps, checking whether |T4 - T3| ≤ ΔT holds; if it does not hold, the session is terminated, otherwise the device computes the digital signature α = Sig(ID || Type || Attribute || T5) over the key information using its own private key, and encrypts it with the extranet public key generated by the extranet server to obtain the message
[equation image not reproduced in the text: the encrypted message β]
where KeyInfo denotes the key information, including <ID, Type, Attribute> and so on; ID is the identity of the device, Type identifies the type of the device, and Attribute indicates properties of the device such as size. The device may then send an authentication request message to the extranet server in the format <Auth, β>.
Step eight: the extranet server receives the authentication request message from the device and uses its generated extranet private key S_{de,s} to decrypt β, obtaining the key information KeyInfo and the device signature α; it then obtains the current system timestamp T6 and verifies whether |T6 - T5| ≤ ΔT holds. If so, it initiates signature authentication to the blockchain in the intranet, with the message format <Auth, KeyInfo, α>.
Step nine: the blockchain uses the device public key P_{de,x} saved during the registration phase to verify the signature of the device and thereby its identity; if the verification succeeds, it forwards a verification success message to the intranet server in the format <Auth_verified, KeyInfo>; otherwise the authentication process ends.
Step ten: the intranet server receives the verification success message from the blockchain, saves the key information of the device, and returns an authentication confirmation message containing the digital signature of the intranet server, in the format <Auth_confirm_ins>.
Step eleven: the extranet server verifies the message with the public key P_{de,k} of the intranet server; if it verifies that the message really came from the intranet server, the extranet server starts to compute the session key sk = h((S_{de,s} * PK_{de,x}) || x || s), signs the confirmation message with the extranet private key S_{de,s} and sends it to the device in the format <Auth_comfirm_out>; otherwise the authentication is discarded.
Step twelve: after the device receives the identity authentication confirmation message from the extranet server, it verifies the signature with the extranet public key P_{de,s}, ensuring that the message was sent by the extranet; if the verification succeeds, it computes the session key sk' = h((S_{de,x} * PK_{de,s}) || x || s); otherwise the authentication is discarded.
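The confirmation signature and the session key derivation of steps eleven and twelve (the same exchange the session-key embodiment earlier on this page describes for the first server and the device), as an added Go example that is not code from the patent. It assumes P-256 ECDSA keys for both S_{de,s}/P_{de,s} and S_{de,x}/P_{de,x}, uses the ECDH shared point for the scalar product S_{de,s} * PK_{de,x} = S_{de,x} * PK_{de,s}, and makes one substitution: the page's formula concatenates the random numbers x and s, each of which is known only to the party that drew it, so this example concatenates the two public keys instead (an assumption) so that both sides can actually arrive at the same key.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const confirmTag = "Auth_comfirm_out" // the page's message name

// ConfirmOut models the extranet server's <Auth_comfirm_out> message: the tag signed with S_de,s.
type ConfirmOut struct {
	Tag string
	Sig []byte // ASN.1 ECDSA signature over SHA-256(Tag)
}

// SignConfirm is the extranet server's step eleven, after it has checked the intranet reply.
func SignConfirm(extPriv *ecdsa.PrivateKey) (ConfirmOut, error) {
	d := sha256.Sum256([]byte(confirmTag))
	sig, err := ecdsa.SignASN1(rand.Reader, extPriv, d[:])
	if err != nil {
		return ConfirmOut{}, err
	}
	return ConfirmOut{Tag: confirmTag, Sig: sig}, nil
}

// VerifyConfirm is the device's check with P_de,s that the confirmation came from the extranet server.
func VerifyConfirm(extPub *ecdsa.PublicKey, c ConfirmOut) bool {
	if c.Tag != confirmTag {
		return false
	}
	d := sha256.Sum256([]byte(c.Tag))
	return ecdsa.VerifyASN1(extPub, d[:], c.Sig)
}

// deriveSessionKey computes h((S_mine * P_peer) || P_de,x || P_de,s). The scalar product is the
// ECDH shared point and is identical on both sides. The page's formula appends the random numbers
// x and s; this example substitutes the public keys (assumption) so both sides reach the same key.
func deriveSessionKey(mine *ecdsa.PrivateKey, peer, devPub, extPub *ecdsa.PublicKey) ([]byte, error) {
	m, err := mine.ECDH()
	if err != nil {
		return nil, err
	}
	p, err := peer.ECDH()
	if err != nil {
		return nil, err
	}
	shared, err := m.ECDH(p)
	if err != nil {
		return nil, err
	}
	dx, err := devPub.ECDH()
	if err != nil {
		return nil, err
	}
	sx, err := extPub.ECDH()
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write(shared)
	h.Write(dx.Bytes())
	h.Write(sx.Bytes())
	return h.Sum(nil), nil
}

// ExtranetSessionKey is sk on the extranet server: S_de,s with the device's P_de,x.
func ExtranetSessionKey(extPriv *ecdsa.PrivateKey, devPub *ecdsa.PublicKey) ([]byte, error) {
	return deriveSessionKey(extPriv, devPub, devPub, &extPriv.PublicKey)
}

// DeviceSessionKey is sk' on the device (step twelve), computed only after the confirmation verifies.
func DeviceSessionKey(devPriv *ecdsa.PrivateKey, extPub *ecdsa.PublicKey, c ConfirmOut) ([]byte, error) {
	if !VerifyConfirm(extPub, c) {
		return nil, errors.New("confirmation signature invalid: discarding authentication")
	}
	return deriveSessionKey(devPriv, extPub, &devPriv.PublicKey, extPub)
}

func main() {
	dev, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // S_de,x / P_de,x
	ext, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // S_de,s / P_de,s
	c, _ := SignConfirm(ext)
	sk, _ := ExtranetSessionKey(ext, &dev.PublicKey)
	skPrime, err := DeviceSessionKey(dev, &ext.PublicKey, c)
	fmt.Println("device accepted:", err == nil, "keys match:", bytes.Equal(sk, skPrime))
}
```

The confirmation is a fixed string signed by the extranet server, so on its own it does not bind the message to this device or this session; a deployment would normally include the device ID and a timestamp in the signed content, as the page does for the registration and authentication messages, so that a captured confirmation cannot be reused for another device.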
Through the above embodiment, the second server 104 uses the block chain to authenticate the industrial equipment of the external network under the condition that the internal and external network servers have network isolation, so that the convenience of equipment authentication is improved. And a session key can be created, and the identity authentication of the equipment and the intranet and the communication between the equipment and the intranet are realized through the interaction between the extranet and the intranet. By utilizing the block chain technology, the trust between the internal network and the external network can be increased, the block chain is used as an intermediary, the external network sends authentication information to the block chain, the identity of equipment is verified on the block chain, then the verification result is confirmed by the internal network, and the authentication information is returned to the external network after the internal network is confirmed.
It should be understood that, although the respective steps in the flowcharts of fig. 3 to 5 are shown sequentially as indicated by the arrows, the steps are not necessarily performed in the order indicated by the arrows. Unless explicitly stated otherwise, the steps are not bound to the exact order shown and described, and may be performed in other orders. Moreover, at least some of the steps in fig. 3 to 5 may include multiple sub-steps or multiple stages, which are not necessarily performed at the same time but may be performed at different times, and the order of performing these sub-steps or stages is not necessarily sequential; they may be performed alternately or in turns with other steps or with at least some of the sub-steps or stages of other steps.
In one embodiment, there is provided a device authentication system including: a device to be registered, a first server and a second server; the device to be registered and the first server are arranged in an outer network, the second server is arranged in an inner network, and a block chain is arranged in the second server;
the device to be registered is used for sending a device registration request to the first server; the device registration request comprises a first public key corresponding to the device to be registered;
the first server is used for generating corresponding equipment registration information according to the first public key and sending the equipment registration information to the second server;
the second server is used for receiving the equipment registration information sent by the first server, generating corresponding response information according to the equipment registration information and sending the response information to the first server through the block chain;
the first server is used for sending the response information to the equipment to be registered;
the device to be registered is used for generating a corresponding digital signature according to the response information, generating authentication request information according to the digital signature and the device information of the device to be registered, and sending the authentication request information to the first server;
the first server is used for sending the authentication request information to the block chain of the second server;
and the second server is used for receiving the authentication request information through the block chain and carrying out identity authentication on the digital signature and the equipment information in the authentication request information according to the first public key through the block chain.
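As an added example that is not part of the patent, the registration and authentication flow of the system above, together with the time-difference check of the verification module and the response generation of the response module described further below, can be exercised end to end in Go. The block chain is modelled as a write-once binding of device identifier to first public key held by the second server (an assumption; the patent does not describe the chain's data model), the preset time difference threshold is assumed to be two minutes, keys are P-256 ECDSA encoded as PKIX DER, and the message field layouts are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"time"
)

// MaxTimeDiff stands in for the "preset time difference threshold"; the value is assumed.
const MaxTimeDiff = 2 * time.Minute

// RegistrationRequest: device -> first server (first public key, first generation time).
type RegistrationRequest struct {
	DeviceID string
	PubKey   []byte // first public key, PKIX/DER
	T1       time.Time
}

// RegistrationInfo: first server -> second server (adds the second generation time).
type RegistrationInfo struct {
	Req RegistrationRequest
	T2  time.Time
}

// Response: second server -> first server -> device (second public key, device id, current time).
type Response struct {
	DeviceID  string
	ServerPub []byte
	T         time.Time
}

// AuthRequest: device -> first server -> block chain (signature plus device information).
type AuthRequest struct {
	DeviceID   string
	DeviceInfo string
	Resp       Response
	Sig        []byte // ASN.1 ECDSA over authDigest()
}

// Ledger models the chain as a write-once binding of device id to first public key.
type Ledger struct{ keys map[string][]byte }

func NewLedger() *Ledger { return &Ledger{keys: map[string][]byte{}} }

func (l *Ledger) Append(id string, pub []byte) error {
	if old, ok := l.keys[id]; ok && !bytes.Equal(old, pub) {
		return errors.New("ledger: device id already bound to a different key")
	}
	l.keys[id] = pub
	return nil
}

// authDigest binds device id, device information and the response the device is answering.
func authDigest(r AuthRequest) []byte {
	h := sha256.New()
	h.Write([]byte(r.DeviceID))
	h.Write([]byte(r.DeviceInfo))
	h.Write(r.Resp.ServerPub)
	h.Write([]byte(r.Resp.T.UTC().Format(time.RFC3339Nano)))
	return h.Sum(nil)
}

type SecondServer struct{ Chain *Ledger }

// HandleRegistration: reject stale requests, record the first public key, answer with a fresh second key pair.
func (s *SecondServer) HandleRegistration(info RegistrationInfo) (Response, error) {
	if d := info.T2.Sub(info.Req.T1); d < 0 || d > MaxTimeDiff {
		return Response{}, fmt.Errorf("registration rejected: T2-T1 = %v outside [0, %v]", d, MaxTimeDiff)
	}
	if _, err := x509.ParsePKIXPublicKey(info.Req.PubKey); err != nil {
		return Response{}, err // never record a key that does not parse
	}
	if err := s.Chain.Append(info.Req.DeviceID, info.Req.PubKey); err != nil {
		return Response{}, err
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // second key pair
	if err != nil {
		return Response{}, err
	}
	pub, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return Response{}, err
	}
	return Response{DeviceID: info.Req.DeviceID, ServerPub: pub, T: time.Now()}, nil
}

// Authenticate checks the device's signature against the key the chain holds for that device id.
func (s *SecondServer) Authenticate(r AuthRequest) bool {
	raw, ok := s.Chain.keys[r.DeviceID]
	if !ok {
		return false
	}
	key, err := x509.ParsePKIXPublicKey(raw)
	if err != nil {
		return false
	}
	pub, ok := key.(*ecdsa.PublicKey)
	return ok && ecdsa.VerifyASN1(pub, authDigest(r), r.Sig)
}

// DeviceSign is the device's step: sign the response plus its device information with the first private key.
func DeviceSign(priv *ecdsa.PrivateKey, id, info string, resp Response) (AuthRequest, error) {
	r := AuthRequest{DeviceID: id, DeviceInfo: info, Resp: resp}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, authDigest(r))
	r.Sig = sig
	return r, err
}

func main() {
	dev, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	pub, _ := x509.MarshalPKIXPublicKey(&dev.PublicKey)
	srv := &SecondServer{Chain: NewLedger()}
	t1 := time.Now() // constructed sample: first server forwards one second after the device generated the request
	resp, err := srv.HandleRegistration(RegistrationInfo{Req: RegistrationRequest{"plc-07", pub, t1}, T2: t1.Add(time.Second)})
	if err != nil {
		fmt.Println("registration failed:", err)
		return
	}
	req, _ := DeviceSign(dev, "plc-07", "model=ied-x;fw=1.2", resp)
	fmt.Println("authenticated:", srv.Authenticate(req))
	req.DeviceInfo = "model=ied-x;fw=9.9" // altered in transit: signature no longer matches
	fmt.Println("tampered:", srv.Authenticate(req))
}
```

Two design points are worth noting. The signature covers the response itself (second public key and its timestamp), so an authentication request can only answer the registration exchange it belongs to rather than be replayed against a different one; and the ledger refuses to rebind an identifier to a different key, which is the property the patent relies on when it verifies the signature "according to the first public key through the block chain".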
For specific limitations and beneficial effects of each device authentication system, refer to the above limitations on the corresponding device authentication method, which are not described herein again.
In one embodiment, as shown in fig. 6, there is provided a device authentication apparatus including: a receiving module 500, a response module 502, and an authentication module 504, wherein:
a receiving module 500, configured to receive device registration information sent by a first server; the equipment registration information is generated according to an equipment registration request sent by equipment to be registered arranged in an external network; the device registration request contains a first public key corresponding to the device to be registered.
A response module 502, configured to generate corresponding response information according to the device registration information and send the response information to the first server through the block chain; the first server is used for sending the response information to the equipment to be registered, the equipment to be registered is used for generating a corresponding digital signature according to the response information, generating authentication request information according to the digital signature and the equipment information of the equipment to be registered, and the authentication request information is sent to the block chain of the second server through the first server.
The authentication module 504 is configured to receive the authentication request information through the blockchain, and perform identity authentication on the digital signature and the device information in the authentication request information according to the first public key through the blockchain.
In one embodiment, the above apparatus further comprises: and the verification module is used for detecting whether the difference value between the second generation time and the first generation time is smaller than or equal to a preset time difference threshold value, if so, executing the step of generating corresponding response information according to the equipment registration information and sending the response information to the first server through the block chain.
In an embodiment, the response module 502 is specifically configured to generate a second public key and a second private key corresponding to the second server according to an elliptic encryption algorithm; and generating response information according to the second public key, the equipment identifier of the equipment to be registered and the current time.
In one embodiment, the above apparatus further comprises: the confirmation module is used for generating authentication passing information corresponding to the equipment information through the block chain if the identity authentication passes; adding the digital signature of the second server into the authentication passing information, and sending the authentication passing information added with the digital signature of the second server to the first server; the first server is used for generating a first session key according to the authentication passing information and sending the authentication passing information to the device to be registered, and the device to be registered is used for generating a second session key according to the authentication passing information so that the device to be registered communicates with the first server through the second session key and the first server communicates with the second server through the first session key.
In one embodiment, as shown in fig. 7, there is provided a device authentication apparatus including: an obtaining module 600, a first sending module 602, a second sending module 604, and a third sending module 606, wherein:
an obtaining module 600, configured to obtain a device registration request sent by a device to be registered that is set in an external network; the device registration request includes a first public key corresponding to the device to be registered.
A first sending module 602, configured to generate corresponding device registration information according to the first public key, and send the device registration information to the second server; a block chain is arranged in the second server; the second server is used for receiving the equipment registration information sent by the first server, generating corresponding response information according to the equipment registration information and sending the response information to the first server through the block chain.
A second sending module 604, configured to send the response information to the device to be registered; the device to be registered is used for generating a corresponding digital signature according to the response information, generating an authentication request according to the digital signature and the device information of the device to be registered, and sending the authentication request information to the first server.
A third sending module 606, configured to send the authentication request message to the blockchain of the second server; and the second server is used for receiving the authentication request information through the block chain and carrying out identity authentication on the digital signature and the equipment information in the authentication request information according to the first public key through the block chain.
In one embodiment, the above apparatus further comprises: the communication module is used for acquiring authentication passing information returned by the second server; the authentication passing information comprises equipment information and a digital signature of the second server; verifying the authentication passing information according to the second public key, and if the authentication passing information passes, generating a first session key according to the third private key and the first public key so as to communicate with the second server through the first session key; adding a third private key in the authentication passing information, and sending the authentication passing information added with the third private key to the equipment to be registered; the device to be registered is used for verifying the authentication passing information according to the third public key, and if the authentication passing information passes, a second session key is generated according to the first private key and the third public key of the device to be registered so as to communicate with the first server through the second session key.
For specific limitations of each device authentication apparatus, reference may be made to the above limitations of the corresponding device authentication method, which is not described herein again. The modules in the device authentication apparatus may be implemented in whole or in part by software, hardware, and a combination thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a server, and its internal structure diagram may be as shown in fig. 8. The computer device includes a processor, a memory, and a network interface connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The database of the computer device is used for storing authentication data and the like sent by the device. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a device authentication method.
Those skilled in the art will appreciate that the architecture shown in fig. 8 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory in which a computer program is stored and a processor which, when executing the computer program, implements the device authentication method described above.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored, which, when being executed by a processor, carries out the above-mentioned device authentication method.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware instructions of a computer program, which can be stored in a non-volatile computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, database or other medium used in the embodiments provided herein can include at least one of non-volatile and volatile memory. Non-volatile Memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash Memory, optical storage, or the like. Volatile Memory can include Random Access Memory (RAM) or external cache Memory. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM), among others.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (11)

1. An equipment authentication method is applied to a second server, the second server is arranged in an intranet, a block chain is arranged in the second server, and the method comprises the following steps:
receiving equipment registration information sent by a first server; the equipment registration information is generated according to an equipment registration request sent by equipment to be registered arranged in an external network; the equipment registration request comprises a first public key corresponding to the equipment to be registered;
generating corresponding response information according to the equipment registration information and sending the response information to the first server through the block chain; the first server is used for sending the response information to the equipment to be registered, the equipment to be registered is used for generating a corresponding digital signature according to the response information, generating authentication request information according to the digital signature and the equipment information of the equipment to be registered, and sending the authentication request information to a block chain of a second server through the first server;
and receiving the authentication request information through the block chain, and performing identity authentication on the digital signature and the equipment information in the authentication request information according to the first public key through the block chain.
2. The method of claim 1, wherein the device registration information comprises a first generation time of the device registration request and a second generation time of the device registration information;
after receiving the device registration information sent by the first server, the method further includes:
and detecting whether the difference value between the second generation time and the first generation time is smaller than or equal to a preset time difference threshold value, if so, executing the step of generating corresponding response information according to the equipment registration information and sending the response information to the first server through the block chain.
3. The method of claim 1, wherein the device registration information further comprises a device identification;
generating corresponding response information according to the device registration information includes:
generating a second public key and a second private key corresponding to the second server according to an elliptic encryption algorithm;
and generating the response information according to the second public key, the equipment identifier of the equipment to be registered and the current time.
4. The method according to claim 1, wherein after performing identity authentication on the digital signature and the device information in the authentication request information according to the first public key through the blockchain, the method further comprises:
if the identity authentication is passed, authentication passing information corresponding to the equipment information is generated through the block chain;
adding the digital signature of the second server to the authentication passing information, and sending the authentication passing information added with the digital signature of the second server to the first server; the first server is used for generating a first session key according to the authentication passing information and sending the authentication passing information to the device to be registered, and the device to be registered is used for generating a second session key according to the authentication passing information, so that the device to be registered communicates with the first server through the second session key, and the first server communicates with the second server through the first session key.
5. A device authentication method is applied to a first server, the first server is arranged in an external network, and the method comprises the following steps:
acquiring a device registration request sent by a device to be registered arranged in an external network; the device registration request comprises a first public key corresponding to the device to be registered;
generating corresponding equipment registration information according to the first public key, and sending the equipment registration information to a second server; a block chain is arranged in the second server; the second server is used for receiving the equipment registration information sent by the first server, generating corresponding response information according to the equipment registration information and sending the response information to the first server through the block chain;
sending the response information to the equipment to be registered; the equipment to be registered is used for generating a corresponding digital signature according to the response information, generating an authentication request according to the digital signature and the equipment information of the equipment to be registered, and sending the authentication request information to the first server;
sending the authentication request information to the block chain of the second server; and the second server is used for receiving the authentication request information through the block chain and carrying out identity authentication on the digital signature and the equipment information in the authentication request information according to the first public key through the block chain.
6. The method of claim 5, wherein the first server stores a second public key of the second server, and a third public key and a third private key of the first server; the device to be registered stores a first private key of the device to be registered and a third public key of the first server;
after sending the authentication request message to the blockchain of the second server, the method further includes:
acquiring authentication passing information returned by the second server; the authentication passing information comprises the equipment information and a digital signature of the second server;
verifying the authentication passing information according to the second public key, and if the authentication passing information passes, generating a first session key according to the third private key and the first public key so as to communicate with the second server through the first session key;
adding the third private key into the authentication passing information, and sending the authentication passing information added with the third private key to the equipment to be registered; the device to be registered is used for verifying the authentication passing information according to the third public key, and if the authentication passing information passes, a second session key is generated according to the first private key and the third public key of the device to be registered so as to communicate with the first server through the second session key.
7. A device authentication system, the system comprising: a device to be registered, a first server and a second server; the device to be registered and the first server are arranged in an extranet, the second server is arranged in an intranet, and a block chain is arranged in the second server;
the device to be registered is used for sending a device registration request to the first server; the device registration request comprises a first public key corresponding to the device to be registered;
the first server is used for generating corresponding equipment registration information according to the first public key and sending the equipment registration information to a second server;
the second server is used for receiving the equipment registration information sent by the first server, generating corresponding response information according to the equipment registration information and sending the response information to the first server through the block chain;
the first server is used for sending the response information to the equipment to be registered;
the device to be registered is used for generating a corresponding digital signature according to the response information, generating authentication request information according to the digital signature and the device information of the device to be registered, and sending the authentication request information to the first server;
the first server is used for sending the authentication request information to the block chain of the second server;
and the second server is used for receiving the authentication request information through the block chain and carrying out identity authentication on the digital signature and the equipment information in the authentication request information according to the first public key through the block chain.
8. A device authentication apparatus, applied to a second server, the second server being arranged in an intranet and having a block chain arranged therein, the apparatus comprising:
the receiving module is used for receiving the equipment registration information sent by the first server; the equipment registration information is generated according to an equipment registration request sent by equipment to be registered arranged in an external network; the equipment registration request comprises a first public key corresponding to the equipment to be registered;
the response module is used for generating corresponding response information according to the equipment registration information and sending the response information to the first server through the block chain; the first server is used for sending the response information to the equipment to be registered, the equipment to be registered is used for generating a corresponding digital signature according to the response information, generating authentication request information according to the digital signature and the equipment information of the equipment to be registered, and sending the authentication request information to a block chain of a second server through the first server;
and the authentication module is used for receiving the authentication request information through the block chain and carrying out identity authentication on the digital signature and the equipment information in the authentication request information according to the first public key through the block chain.
9. An apparatus for authenticating a device, the apparatus being applied to a first server, the first server being installed in an external network, the apparatus comprising:
an acquisition module, configured to acquire a device registration request sent by a device to be registered arranged in an external network; the device registration request comprises a first public key corresponding to the device to be registered;
the first sending module is used for generating corresponding equipment registration information according to the first public key and sending the equipment registration information to a second server; a block chain is arranged in the second server; the second server is used for receiving the equipment registration information sent by the first server, generating corresponding response information according to the equipment registration information and sending the response information to the first server through the block chain;
the second sending module is used for sending the response information to the equipment to be registered; the equipment to be registered is used for generating a corresponding digital signature according to the response information, generating an authentication request according to the digital signature and the equipment information of the equipment to be registered, and sending the authentication request information to the first server;
a third sending module, configured to send the authentication request message to the block chain of the second server; and the second server is used for receiving the authentication request information through the block chain and carrying out identity authentication on the digital signature and the equipment information in the authentication request information according to the first public key through the block chain.
10. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method of any of claims 1 to 7.
11. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 7.
CN202111436807.6A 2021-11-29 2021-11-29 Device authentication method, device, computer device and storage medium Active CN114257419B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111436807.6A CN114257419B (en) 2021-11-29 2021-11-29 Device authentication method, device, computer device and storage medium

Publications (2)

Publication Number Publication Date
CN114257419A true CN114257419A (en) 2022-03-29
CN114257419B CN114257419B (en) 2023-06-30

Family

ID=80793561

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111436807.6A Active CN114257419B (en) 2021-11-29 2021-11-29 Device authentication method, device, computer device and storage medium

Country Status (1)

Country Link
CN (1) CN114257419B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115580415A (en) * 2022-12-12 2023-01-06 南方电网数字电网研究院有限公司 Data interaction authentication method, device and system in block chain

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109981633A (en) * 2019-03-19 2019-07-05 全链通有限公司 Access method, equipment and the computer readable storage medium of server
CN110493237A (en) * 2019-08-26 2019-11-22 深圳前海环融联易信息科技服务有限公司 Identity management method, device, computer equipment and storage medium
CN112039848A (en) * 2020-08-05 2020-12-04 北京链飞未来科技有限公司 Web authentication method, system and device based on block chain public key digital signature

Also Published As

Publication number Publication date
CN114257419B (en) 2023-06-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant