CN113132087A - Internet of things, identity authentication and secret communication method, chip, equipment and medium - Google Patents
Internet of things, identity authentication and secret communication method, chip, equipment and medium Download PDFInfo
- Publication number
- CN113132087A CN113132087A CN201911389934.8A CN201911389934A CN113132087A CN 113132087 A CN113132087 A CN 113132087A CN 201911389934 A CN201911389934 A CN 201911389934A CN 113132087 A CN113132087 A CN 113132087A
- Authority
- CN
- China
- Prior art keywords
- authentication
- session key
- ciphertext
- cryptographic algorithm
- security chip
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 230000006854 communication Effects 0.000 title claims abstract description 69
- 238000004891 communication Methods 0.000 title claims abstract description 66
- 238000000034 method Methods 0.000 title claims abstract description 42
- 238000013507 mapping Methods 0.000 claims description 44
- 230000004044 response Effects 0.000 claims description 31
- 238000004590 computer program Methods 0.000 claims description 3
- 230000006855 networking Effects 0.000 abstract 1
- 238000003860 storage Methods 0.000 description 19
- 238000010586 diagram Methods 0.000 description 13
- 238000011161 development Methods 0.000 description 8
- 230000008569 process Effects 0.000 description 8
- 230000005540 biological transmission Effects 0.000 description 7
- 238000005516 engineering process Methods 0.000 description 7
- 238000009826 distribution Methods 0.000 description 5
- 238000013461 design Methods 0.000 description 4
- 230000000977 initiatory effect Effects 0.000 description 4
- 238000007726 management method Methods 0.000 description 4
- 238000004519 manufacturing process Methods 0.000 description 3
- 239000004576 sand Substances 0.000 description 3
- 230000002457 bidirectional effect Effects 0.000 description 2
- 230000008859 change Effects 0.000 description 2
- 230000003993 interaction Effects 0.000 description 2
- 238000012545 processing Methods 0.000 description 2
- 230000009466 transformation Effects 0.000 description 2
- 238000004458 analytical method Methods 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 230000004069 differentiation Effects 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 239000007787 solid Substances 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0822—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0866—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/70—Services for machine-to-machine communication [M2M] or machine type communication [MTC]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Health & Medical Sciences (AREA)
- Computing Systems (AREA)
- General Health & Medical Sciences (AREA)
- Medical Informatics (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The application provides an Internet of things, an identity authentication and secret communication method, a security chip, equipment and a medium. The thing networking includes: the system comprises at least one first device and at least one second device, wherein a security chip is configured in the first device; a white-box cryptographic algorithm is configured inside the second device; and the first equipment performs identity authentication and secret communication with the second equipment through the security chip.
Description
Technical Field
The application relates to the technical field of communication security, in particular to a method, a chip, equipment and a medium for Internet of things, identity authentication and secret communication.
Background
The internet of things is an extension of the internet, and is essentially the interconnection of objects and M2M, and information is collected by various sensors distributed at different geographical positions and integrated together through the network, so that centralized management and processing are realized. The openness of the internet of things makes the devices therein vulnerable. Therefore, to realize the 'everything interconnection', the secure communication is required to be used as a technical support, and the premise for realizing the secure communication is to ensure the authenticity of the identities of the two communication parties, which needs to be ensured by using an identity authentication technology.
M2M is an abbreviation of "Machine to Machine", and may be broadly extended to "Machine to Mobile device", which refers to connection and communication between machines and between machines. M2M is one of important supporting technologies in the internet of things, but in the environment of the internet of things, the M2M system faces a lot of security problems, especially security problems in communication, and an identity authentication key technology is needed to solve the security problems. From a cryptographic perspective, identity authentication may be accomplished through passwords, challenge-response mechanisms, and the like.
The devices in the internet of things are various in types, and not only are the devices with high cost, rich resources and strong computing power, but also the devices with low cost, limited resources and weak computing power, so that how to solve the identity authentication between the devices with large computing resource difference to ensure the safe communication of the M2M is a difficult problem in the safety of the internet of things. Identity authentication based on cryptography is widely applied to the internet, but is expanded to the internet of things, and key creation, distribution, storage and management still have great challenges in view of the scene of resource-limited devices. In the case of identity authentication based on cryptography, updating of keys cannot be guaranteed at the initial distribution of device keys and without human management.
There are many implementations of M2M identity authentication methods based on cryptography, and most commonly implemented by pure software-based cryptographic algorithms. The method has the disadvantages that the security is not high enough, because the software code stored in the device, namely the firmware, is easy to extract, and then the specific algorithm, even the key, is analyzed reversely, and even if the firmware is protected, the cryptographic algorithm realized by the software has side information leakage in the running process, and is difficult to resist side channel attack.
The security chip is a device capable of providing secure cryptographic operation and key storage, and can be loaded into key devices in the internet of things, such as gateway devices, to provide storage protection of sensitive information such as cryptographic operation and keys with high security level.
The white-box password is a password implementation technology capable of resisting white-box attack (an attacker has complete control capability on a device terminal and can observe and change internal data during program operation), and the complexity of an encryption and decryption program is essentially improved, so that the attacker cannot restore a secret key through reverse analysis even if obtaining a source code. Aiming at the Internet of things equipment with limited resources, the identity authentication and data encryption can be realized by adopting a lightweight white-box password when the Internet of things equipment is communicated with other equipment.
Both the security chip and the white-box password can be used for M2M identity authentication, and the security chip can provide the known most secure cryptographic operation and key storage, but has relatively high cost and is suitable for devices with high requirements on security. Compared with the common software-implemented cryptographic algorithm, the white-box cipher has improved security, relatively low cost and is suitable for equipment with moderate security requirements.
Disclosure of Invention
The embodiment of the application provides an Internet of things, which comprises at least one first device and at least one second device, wherein a security chip is configured in the first device; a white-box cryptographic algorithm is configured inside the second device; and the first equipment performs identity authentication and secret communication with the second equipment through the security chip.
According to some embodiments, the first device comprises at least one of a gateway, a server.
According to some embodiments, the second device comprises a user terminal device.
According to some embodiments, the secure chip comprises an authentication key generation module and a first authentication module, wherein the authentication key generation module generates a corresponding authentication key for the second device; and the first authentication module encrypts mapping information of the serial number of the communication message and the session key by using the authentication key by using a hardware cryptographic algorithm, and performs identity authentication with the second equipment.
According to some embodiments, the algorithm employed by the authentication key generation module comprises an ALG algorithm.
According to some embodiments, the hardware cryptographic algorithm is identical to the white-box cryptographic algorithm.
According to some embodiments, the session key is updated when the sequence number is an integer multiple of a preset session key update threshold.
An embodiment of the present application further provides an identity authentication and secure communication method, which is applied to the first device, and the method includes: receiving an authentication request from second equipment by using a security chip, wherein the authentication request comprises a serial number and an authentication code of a communication message; based on the authentication code, generating an authentication key corresponding to the second device by using a preset authentication key generation algorithm; determining a session key by using a true random number generator; encrypting the mapping information of the serial number and the session key by using the authentication key by using a hardware cryptographic algorithm in the security chip, and mutually authenticating the mapping information and the session key with the second device, wherein the hardware cryptographic algorithm is consistent with a white-box cryptographic algorithm; receiving encrypted data from the second device, the encrypted data being encrypted based on the session key.
According to some embodiments, before the receiving, by the secure chip, the authentication request from the second device, the method further includes: and sending an authentication invitation to the second equipment by utilizing the security chip, wherein the authentication invitation comprises the serial number.
According to some embodiments, encrypting, by a hardware cryptographic algorithm in the secure chip, mapping information of the serial number and the session key using the authentication key to perform mutual authentication with the second device includes: encrypting the combination of the serial number and the session key by using the authentication key by using the hardware cryptographic algorithm to obtain a first ciphertext; sending the first ciphertext to the second device; receiving a second ciphertext from the second device encrypted by the white-box cryptographic algorithm on the combination of the first mapping information of the serial number and the session key; decrypting and authenticating the second ciphertext using the hardware cryptographic algorithm; and sending a response ciphertext to the second device.
According to some embodiments, before sending the response ciphertext to the second device, the method further includes: and encrypting the second mapping information of the serial number, the confirmer, the session key and a preset session key updating threshold value by using the hardware cryptographic algorithm to obtain a response ciphertext.
According to some embodiments, the session key is updated when the sequence number is an integer multiple of the session key update threshold.
An embodiment of the present application further provides an identity authentication and secure communication method, which is applied to the second device, and the method includes: the second equipment sends an authentication request to the security chip, wherein the authentication request comprises a serial number and an authentication code of the communication message; receiving a first ciphertext sent from the security chip; decrypting the first ciphertext by using a white-box cryptographic algorithm to obtain a session key; encrypting the mapping information of the serial number and the session key by using a white-box cryptographic algorithm, and performing mutual authentication with the security chip; and sending encrypted data to the security chip, wherein the encrypted data is encrypted based on the session key by using a software cryptographic algorithm.
According to some embodiments, before the second device sends the authentication request to the secure chip, the method further includes: the second device receives an authentication invitation from the security chip, the authentication invitation including the serial number.
According to some embodiments, the encrypting the mapping information of the serial number and the session key by using a white-box cryptographic algorithm to perform mutual authentication with the security chip includes: encrypting the combination of the first mapping information of the serial number and the session key by using the white-box cryptographic algorithm to form a second ciphertext; sending the second ciphertext to the security chip; receiving a response ciphertext from the security chip; and decrypting and authenticating the response ciphertext by using the white-box cryptographic algorithm.
According to some embodiments, the first ciphertext is obtained by the security chip encrypting the combination of the serial number and the session key using an authentication key using a hardware cryptographic algorithm that is consistent with the white-box cryptographic algorithm.
According to some embodiments, the response ciphertext is obtained by the security chip encrypting, by using the hardware cryptographic algorithm, a combination of the second mapping information of the serial number, the confirmer, the session key, and a preset session key update threshold.
According to some embodiments, the secure chip updates the session key when the sequence number is an integer multiple of the session key update threshold.
The embodiment of the application also provides a security chip, which comprises an authentication request receiving module, an authentication key generating module, a session key determining module, a first authentication module and a data receiving module, wherein the authentication request receiving module receives an authentication request from second equipment, and the authentication request comprises a serial number and an authentication code of a communication message; the authentication key generation module generates an authentication key corresponding to the second device by using a preset authentication key generation algorithm based on the authentication code; the session key determining module determines a session key by using a true random number generator; the first authentication module encrypts mapping information of the serial number and the session key by using the authentication key through a hardware cryptographic algorithm, and performs mutual authentication with the second device, wherein the hardware cryptographic algorithm is consistent with a white-box cryptographic algorithm; the data receiving module receives encrypted data from the second device, the encrypted data being encrypted based on the session key.
According to some embodiments, the security chip further comprises an authentication invitation sending module, the authentication invitation sending module sends an authentication invitation to the second device, and the authentication invitation comprises the serial number.
According to some embodiments, the first authentication module includes a first ciphertext determining unit, a first ciphertext transmitting unit, a second ciphertext receiving unit, a second ciphertext decrypting unit, and a response ciphertext transmitting unit, where the first ciphertext determining unit uses the hardware cryptographic algorithm to encrypt the combination of the serial number and the session key using the authentication key to obtain a first ciphertext; the first ciphertext sending unit sends the first ciphertext to the second device; the second ciphertext receiving unit receives a second ciphertext obtained by encrypting the combination of the first mapping information of the serial number and the session key by the second device by adopting the white-box cryptographic algorithm; the second ciphertext decryption unit decrypts and authenticates the second ciphertext by using the hardware cryptographic algorithm; and the response ciphertext sending unit sends a response ciphertext to the second device.
The embodiment of the application also provides equipment, which comprises an authentication request sending module, a receiving module, a decryption module, a second authentication module and a data sending module, wherein the authentication request sending module sends an authentication request to the security chip, and the authentication request comprises a serial number and an authentication code of a communication message; the receiving module receives a first ciphertext sent from the security chip; the decryption module decrypts and authenticates the first ciphertext by using a white-box cryptographic algorithm to obtain a session key; the second authentication module encrypts the mapping information and the session key of the serial number by using a white-box cryptographic algorithm, and performs mutual authentication with the security chip; and the data sending module sends encrypted data to the security chip, and the encrypted data is encrypted based on the session key by using a software encryption algorithm.
According to some embodiments, the device further comprises an authentication invitation receiving module that receives an authentication invitation from the secure chip, the authentication invitation including the serial number.
According to some embodiments, the second authentication module comprises an encryption unit, a sending unit, a receiving unit and an authentication unit, wherein the encryption unit encrypts a combination of the first mapping information of the serial number and the session key by using the white-box cryptographic algorithm to form a second ciphertext; the sending unit sends the second ciphertext to the security chip; the receiving unit receives a response ciphertext from the security chip; the authentication unit decrypts and authenticates the response ciphertext using the white-box cryptographic algorithm.
Embodiments of the present application also provide a computer readable medium, on which a computer program is stored, which when executed by a processor performs the method as described above.
According to the technical scheme, the safety chip and the white box password are respectively adopted according to the safety requirements of the terminal equipment of the Internet of things, the initialization of the equipment key can be well solved, in the era that various equipment and systems generally pursue safety and low cost in the internet of everything, economic and effective safety protection can be provided for M2M identity authentication, communication data encryption and decryption and sensitive information storage, the universality is strong, specific design is not required to be carried out again aiming at different application scenes, the development and deployment cycle of the Internet of things system can be shortened, and the development cost is saved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic diagram illustrating a composition of an internet of things according to an embodiment of the present disclosure;
FIG. 2 is a flow chart illustrating a method for identity authentication and secure communication according to an embodiment of the present application;
fig. 3 is a schematic diagram of an identity authentication process provided in an embodiment of the present application;
FIG. 4 is a flow chart illustrating another method for identity authentication and secure communication according to an embodiment of the present application;
fig. 5 is a schematic diagram of another identity authentication process provided in the embodiment of the present application;
fig. 6 is a functional block diagram of a security chip according to an embodiment of the present disclosure;
fig. 7 is a functional block diagram of a first authentication module of a security chip according to an embodiment of the present disclosure;
FIG. 8 is a block diagram of a functional component of an apparatus provided in an embodiment of the present application;
FIG. 9 is a functional block diagram of a second authentication module of an apparatus according to an embodiment of the present disclosure;
fig. 10 is a functional block diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some, but not all, embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Fig. 1 is a schematic view of a composition of an internet of things provided in an embodiment of the present application.
The Internet of things comprises at least one first device M1And at least one second device M2. First device M1The security chip SE is internally configured. Second device M2First device M internally configured with white-box cryptographic algorithm1Through the security chip SE and the second device M2And performing identity authentication and secret communication.
The internet of things is an extension of the internet, and is essentially the interconnection of objects and M2M, and information is collected by various sensors distributed at different geographical positions and integrated together through the network, so that centralized management and processing are realized. The openness of the internet of things makes the devices therein vulnerable. Therefore, to realize the 'everything interconnection', the secure communication is required to be used as a technical support, and the premise for realizing the secure communication is to ensure the authenticity of the identities of the two communication parties, which needs to be ensured by using an identity authentication technology.
The equipment in the Internet of things is various in types, and not only is the equipment high in cost, rich in resources and strong in computing power, but also the equipment low in cost, limited in resources and weak in computing power. Therefore, the examples of this application are toThe identity authentication between the devices with large computing resource difference is solved to ensure the safe communication of M2M and the terminal device (M) of the Internet of things with high requirement on the safety1) The loading of the security chip SE realizes the security encryption and decryption, the key algorithm execution and the sensitive information storage, and the terminal equipment (M) of the Internet of things with low security requirement2) And a white-box cryptographic algorithm and a software cryptographic algorithm are adopted to realize encryption and decryption. For the sake of distinction, the terminal device M1 is referred to as a first device, and the device M2 is referred to as a second device.
First device M1Including but not limited to at least one of a gateway, a server. The second device includes, but is not limited to, a user terminal device.
The secure chip SE internally comprises a preset authentication key generation algorithm, a hardware password algorithm and a true random number generator. Authentication key generation algorithm including, but not limited to, ALG algorithm, which is the second device M2A corresponding authentication key is generated. The hardware cryptographic algorithm HWC is consistent with the white-box cryptographic algorithm WBC, and the hardware cryptographic algorithm HWC is utilized to encrypt the mapping information of the serial number of the communication message and the session key by using the authentication key, and the mapping information and the session key are encrypted with the second equipment M2And performing identity authentication. The true random number generator TRNG is used to determine the session key.
Second device M2Comprises a software cryptographic algorithm SWC, and after the authentication is passed, the second device M2Encrypting data based on session key by using software cryptographic algorithm SWC, and sending to first device M1。
Alternatively, at the time of identity authentication, the initial distribution of the session key during M2M communication and in case of unattended operation, the updating of the key cannot be guaranteed. According to the embodiment of the application, the session key updating threshold is preset, and when the serial number of the communication message is integral multiple of the preset session key updating threshold, the session key is updated. The safety identity authentication during M2M communication is realized at lower cost, the risks of secret key leakage and identity counterfeiting are reduced, the attack difficulty is improved, and the safety can be improved.
According to the technical scheme provided by the embodiment, the safety chip and the white box password are respectively adopted according to the safety requirements of the terminal equipment of the Internet of things, so that the equipment key initialization can be well solved, economic and effective safety protection can be provided for M2M identity authentication, communication data encryption and decryption and sensitive information storage in the era that various equipment and systems generally pursue safety and low cost in the world of internet of everything, the universality is high, specific design is not required to be carried out again aiming at different application scenes, the development and deployment cycle of the Internet of things system can be shortened, and the development cost is saved.
Fig. 2 is a flowchart illustrating an identity authentication and secure communication process between a security chip and a second device according to an embodiment of the present application.
In S110, the first device M1And receiving an authentication request from the second equipment by using the security chip, wherein the authentication request comprises the serial number and the authentication code SN of the communication message.
According to the safety requirements of the terminal equipment of the Internet of things, the two ends of the M2M respectively adopt a safety chip and common equipment. M2M is an abbreviation of "Machine to Machine", and may be broadly extended to "Machine to Mobile device", which refers to connection and communication between machines and between machines. M2M is one of the important supporting technologies in the internet of things.
The secure chip can provide the most secure known cryptographic operation and key storage, but the cost is relatively high, and the secure chip is suitable for devices with high requirements on security. Compared with the common software-implemented cryptographic algorithm, the white-box cipher has improved security, relatively low cost and is suitable for equipment with moderate security requirements. The security chip and the white-box password are combined for M2M identity authentication, and meanwhile, the initial distribution and automatic updating strategy of the secret key are combined, so that economic and effective security protection can be provided for M2M identity authentication, communication data encryption and decryption and sensitive information storage.
The method is characterized in that a security chip SE is loaded on the Internet of things terminal equipment (M1) with high security requirement to realize secure encryption and decryption, key algorithm execution and sensitive information storage, and the Internet of things terminal equipment (M) with low security requirement is loaded2) And encryption and decryption are realized by adopting a symmetric white-box password and a software password. For distinction, the terminal device M1 is calledDevice M2 is referred to as a second device, being a first device. Second device M2The authentication key of (a) is implemented in its white-box cipher at the production stage, i.e. after being generated according to its SN according to a specific algorithm. At the second device M2Needs to communicate with the first device M1When the communication interaction is carried out, the first equipment M1With the second device M2And performing bidirectional identity authentication.
First device M1Receiving a message from a second device M using a security chip SE2The authentication request Seq | | SN of (1), the authentication request includes a serial number Seq and an authentication code SN of the communication packet. The serial number Seq is used as a security chip SE and a second device M2An identification of the communication. The authentication code SN is the second device M2Is the second device M2The factory unique serial number or the value of the unique serial number of the main control chip after special transformation (such as hash) can be traced back to each link of chip manufacturing and a circulation channel of a certain batch of products.
Optionally, a first device M1And a second device M2May act as the master initiating authentication. First device M1Or actively sending authentication invitation to the second device M by utilizing the security chip SE2The authentication invitation includes a serial number of the communication packet. Second device M2After receiving the authentication invitation, sending an authentication request to the first device M1The authentication request comprises the serial number of the communication message and the authentication code SN of the second equipment, and the first equipment M1An authentication request is received from the second device using the secure chip.
In S120, the first device M1Generating equipment M by utilizing a preset authentication key generation algorithm based on an authentication code SN through a security chip SE2Corresponding authentication key K2。
The secure chip SE internally presets an authentication key generation algorithm, which includes but is not limited to ALG algorithm. The ALG algorithm is an authentication key generation algorithm preset in the secure chip SE, and one implementation scheme of the ALG algorithm is to perform byte position transformation, namely scrambling operation, on the value of SN. Another implementation scheme of ALG algorithm is to obtain the authentication key by hashing the transformed SN. Device M generation using an authentication key generation algorithm based on an authentication code SN2Corresponding authentication key K2。
According to some embodiments, the security chip SE communicates with a plurality of devices, each device generating a respective authentication key, here an authentication key K2Is a device M2A corresponding authentication key.
In S130, the first device M1The session key is determined by means of a true random number generator of the security chip SE.
The security chip SE may provide a true random number generator TRNG of high security level, which is a device that generates random numbers by collecting random noise signals during the operation of the chip, unlike random numbers generated by computer programs. Obtaining a random number R by means of a true random number generator TRNG1By a random number R1As a session key.
In S140, the first device M1Encrypting the mapping information of the serial number and the session key by using the authentication key and the equipment M by using the hardware cryptographic algorithm of the security chip SE2And performing mutual authentication, wherein the hardware cryptographic algorithm is consistent with the white-box cryptographic algorithm.
Second device M with lower security requirements2And the encryption and decryption are carried out by adopting a white-box cryptographic algorithm, so that the cryptographic algorithm adopted by the security chip is consistent with the white-box cryptographic algorithm so as to facilitate mutual decryption.
Hardware cryptographic algorithm HWC is a cryptographic algorithm implemented using an integrated circuit, including, but not limited to, international cryptographic algorithm AES and domestic cryptographic algorithm SM 4.
In S150, the secure chip SE receives encrypted data from the device, the encrypted data being encrypted based on the session key.
Device M2Using software cryptographic algorithms based on session key R1Data to be transmitted is encrypted. Software cryptographic algorithm SWC includes, but is not limited to, international cryptographic algorithm AES and domestic cryptographic algorithm SM 4.
Optionally, a first device M1Receiving device M each time2After the transmitted encrypted data packet, the sequence of the communication data packet is checkedNumber Seq, updating threshold value W whenever the value of Seq is preset session keysAt integer multiple of (D), the first device M1Ready to use M2Encrypts a new random number Rn and sends it as a new session key to M2Thereby ensuring a regular update of the session key.
According to the technical scheme provided by the embodiment, the safety chip and the white box password are respectively adopted according to the safety requirements of the terminal equipment of the Internet of things, the initialization of the equipment key can be well solved, the automatic updating of the session key can be carried out in the M2M confidential communication process, in the era of universal Internet of things that various equipment and systems generally pursue safety and low cost, economic and effective safety protection can be provided for M2M identity authentication, communication data encryption and decryption and sensitive information storage, the universality is strong, specific design does not need to be carried out again aiming at different application scenes, the development and deployment cycle of the Internet of things system can be shortened, and the development cost is saved.
Fig. 3 is a schematic diagram of an identity authentication process provided in an embodiment of the present application, and illustrates an identity authentication process S140 between the secure chip and the second device in fig. 2.
As shown in fig. 3, in S141, the first device M1Using hardware cryptographic algorithm of secure chip SE, authentication key K2Encrypting sequence number Seq and session key R1Is of the combination Seq | | | R1To obtain a first ciphertext C1。
The hardware cryptographic algorithm HWC is identical to the white-box cryptographic algorithm. Hardware cryptographic algorithms HWC include, but are not limited to, at least one of the international cryptographic algorithm AES and the domestic cryptographic algorithm SM 4.
In S142, the first device M1Sending a first ciphertext C using a security chip SE1To the second device M2。
In S143, the first device M1Receiving a message from a second device M using a security chip SE2And a second ciphertext encrypted by using a white-box cryptographic algorithm to the combination of the first mapping information of the serial number and the session key.
Second device M2Receiving a first ciphertext C1Then, call white-box cipher algorithm WBC toLine decryption, and comparing the decrypted Seq | | | R1If the sequence number Seq in (1) is correct, the first device M is considered to be correct1Trusted, second device M2Authenticating a first device M1And (4) passing.
M2Calling the white-box cryptography algorithm WBC, encrypting the first mapping information of the sequence number (Seq +1) and the session key R1Combination of (Seq +1) | | R1Obtain a second ciphertext C2The second ciphertext C2Is sent to the first device M1。
In S144, the first device M1Decrypting and authenticating the second ciphertext C by using a hardware cryptographic algorithm HWC of the security chip SE2。
The first device M1 calls the security chip SE to perform the operation with M2Hardware cryptographic algorithm HWC with consistent middle WBC white box cryptographic algorithm, using authentication key K2Decrypt the second ciphertext C2To obtain (Seq +1) | | R1. Alignment (Seq +1) | | R1If the device is in accordance with the expectation, the second device M is considered2Trusted, first device M1Authenticating a second device M2And (4) passing.
In S145, the first device M1Sending a reply cryptogram to the second device M by using the security chip SE2。
Terminal M1Calling the second equipment M in the security chip SE2Hardware cryptographic algorithm HWC with consistent middle WBC white box cryptographic algorithm, using authentication key K2Second mapping information of encryption sequence number Seq, acknowledgement Ack, and session key R1And a preset session key update threshold Ws in combination (Seq +2) | Ack | | R1||WsTo obtain a response ciphertext C3Is sent to the second device M2。
Second device M2Decrypting response ciphertext C by calling WBC white-box cryptographic algorithm3To obtain (Seq +2) | | Ack | | R1||WsAnd data transmission can be started after confirming that the mutual authentication is completed. The session key is R1. Second device M2Subsequent invocation of software cryptographic algorithm SWC Using Session Key R1Sending the encrypted data to the first device M1。
Fig. 4 is a flowchart of another method for identity authentication and secure communication according to an embodiment of the present application, which illustrates a process of identity authentication and secure communication between a second device and a secure chip.
In S210, the second device M2 sends an authentication request to the security chip SE, where the authentication request includes the serial number Seq and the authentication code SN of the communication packet.
According to the safety requirements of the terminal equipment of the Internet of things, the two ends of the M2M respectively adopt a safety chip and common equipment. M2M is an abbreviation of "Machine to Machine", and may be broadly extended to "Machine to Mobile device", which refers to connection and communication between machines and between machines. M2M is one of the important supporting technologies in the internet of things.
The secure chip SE may provide the most secure known cryptographic operations and key storage, but is relatively costly and suitable for use in devices with high security requirements. Compared with the common software-implemented cryptographic algorithm, the white-box cipher has improved security, relatively low cost and is suitable for equipment with moderate security requirements. The security chip SE and the white-box password are combined for M2M identity authentication, and meanwhile, the initial distribution and automatic updating strategies of the secret key are combined, so that economic and effective security protection can be provided for the M2M identity authentication, the encryption and decryption of communication data and the storage of sensitive information.
Internet of things terminal equipment (M) with high requirement on safety1) The loading of the security chip SE realizes the security encryption and decryption, the key algorithm execution and the sensitive information storage, and the terminal equipment (M) of the Internet of things with low security requirement2) And encryption and decryption are realized by adopting a symmetric white-box password and a software password. For differentiation, terminal device M1Referred to as first device, device M2Referred to as the second device. The authentication key of the second device M2 is implemented in its white-box password at the production stage, i.e. after being generated according to a specific algorithm based on its SN. At the second device M2Needs to communicate with the first device M1When the communication interaction is carried out, the first equipment M1With the second device M2And performing bidirectional identity authentication.
Second device M2And sending an authentication request Seq | | | SN to the security chip SE, wherein the authentication request Seq | | SN comprises a serial number Seq and an authentication code SN of the communication message.
Optionally, a first device M1And a second device M2May act as the master initiating authentication. First device M1Or actively sending authentication invitation to the second device M by utilizing the security chip SE2The authentication invitation includes a serial number of the communication packet. Second device M2After receiving the authentication invitation, sending an authentication request to the first device M1First device M1An authentication request is received from the second device using the secure chip.
In S220, the second device M2And receiving a first ciphertext sent by the security chip SE.
First device M1Generating the second device M by using a preset authentication key generation algorithm based on the authentication code SN by using the security chip SE2Corresponding authentication key K2. The secure chip SE internally presets an authentication key generation algorithm, which includes but is not limited to ALG algorithm. Generating a second device M based on an authentication code SN using an authentication key generation algorithm2Corresponding authentication key K2. The security chip SE can provide a true random number generator TRNG with high security level, and the true random number generator TRNG is used for obtaining the random number R1By a random number R1As a session key.
First device M1Using the authentication key K by the hardware cryptographic algorithm HWC using the security chip SE2Encrypting sequence number Seq and session key R1Is of the combination Seq | | | R1To obtain a first ciphertext C1. Second device M2Receiving a first ciphertext C sent by a security chip SE1。
In S230, the second device M2And decrypting and authenticating the first ciphertext by using a white-box cryptographic algorithm to obtain a session key.
Second device M2Receiving a first ciphertext C1Then, calling a white-box cipher algorithm WBC for decryption to obtain a sequence number Seq and a session key R1. Comparing whether the sequence number Seq is correct or not,if the result is correct, the first device M is considered to be1Trusted, second device M2Authenticating a first device M1And (4) passing.
In S240, the second device M2Encrypting mapping information of sequence number Seq and session key R by using white-box cryptographic algorithm1And mutually authenticating with the security chip.
In S250, the second device M2And sending the encrypted data to the security chip, wherein the encrypted data is encrypted by using a software cryptographic algorithm based on the session key and the second mapping information of the serial number.
After the authentication is passed, the second device M2 sends the encrypted data to the security chip SE. The software cryptographic algorithm includes, but is not limited to, at least one of the software-implemented international cryptographic algorithm AES and the domestic cryptographic algorithm SM 4.
Optionally, a first device M1Each time a second device M is received2After the transmitted data packet, checking the sequence number Seq of the communication data packet, and whenever the value of Seq is the preset session key threshold value WsAt integer multiple of (D), the first device M1I.e. the second device M2Encrypts a new random number Rn as a new session key to be sent to the second device M2Thereby ensuring a regular update of the session key.
According to the technical scheme provided by the embodiment, the safety chip and the white box password are respectively adopted according to the safety requirements of the terminal equipment of the Internet of things, the initialization of the equipment key can be well solved, the automatic updating of the session key can be carried out in the M2M confidential communication process, in the era of universal Internet of things that various equipment and systems generally pursue safety and low cost, economic and effective safety protection can be provided for M2M identity authentication, communication data encryption and decryption and sensitive information storage, the universality is strong, specific design does not need to be carried out again aiming at different application scenes, the development and deployment cycle of the Internet of things system can be shortened, and the development cost is saved.
Fig. 5 is a schematic diagram of another identity authentication process provided in an embodiment of the present application, which illustrates an identity authentication process S220 between the second device and the secure chip of fig. 4.
In S221, the firstTwo devices M2First mapping information of sequence number Seq and session key R by using white-box cryptographic algorithm1The combined encryption of (a) forms a second ciphertext.
Second device M2Calling the white-box cryptography algorithm WBC, encrypting the first mapping information of the sequence number (Seq +1) and the session key R1Combination of (Seq +1) | | R1Obtain a second ciphertext C2The second ciphertext C2Is sent to the first device M1。
In S222, the second device M2And sending the second ciphertext to the security chip.
The first device M1 calls the second device M in the security chip SE2Hardware cryptographic algorithm HWC with white-box cryptographic algorithm WBC consistent, using authentication key K2Decrypt the second ciphertext C2To obtain (Seq +1) | | R1. Alignment (Seq +1) | | R1If the device is in accordance with the expectation, the second device M is considered2Trusted, first device M1Authenticating a second device M2And (4) passing.
In S223, the second device M2And receiving the response ciphertext from the security chip.
First device M1Calling the second equipment M in the security chip SE2Hardware cryptographic algorithm HWC with consistent middle WBC white-box cryptographic algorithm, using authentication key K2Second mapping information of encryption sequence number Seq, acknowledgement Ack, and session key R1And a preset session key update threshold Ws in combination (Seq +2) | Ack | | R1||WsTo obtain a response ciphertext C3Is sent to the second device M2。
Second device M2WBC decryption answer ciphertext C by calling white-box cipher algorithm3To obtain (Seq +2) | | Ack | | R1||WsAnd data transmission can be started after confirming that the mutual authentication is completed. The session key is R1. Second device M2Subsequent invocation of SWC Using Session Key R1Sending the encrypted data to the first device M1。
In S224, the second device M2And decrypting and authenticating the response ciphertext by using a white-box cryptographic algorithm.
Second device M2WBC decryption answer ciphertext C by calling white-box cipher algorithm3To obtain (Seq +2) | | Ack | | R1||WsAnd data transmission can be started after confirming that the mutual authentication is completed. The session key is R1. Second device M2Subsequent invocation of software cryptographic algorithm SWC Using Session Key R1Sending the encrypted data to the first device M1。
Fig. 6 is a functional block diagram of a security chip according to an embodiment of the present disclosure, where the security chip SE includes an authentication request receiving module 11, an authentication key generating module 12, a session key determining module 13, a first authentication module 14, and a data receiving module 15.
The authentication request receiving module 11 receives a request from the second device M2The authentication request comprises a serial number Seq and an authentication code SN of the communication message. The authentication key generation module 12 generates an authentication key K based on the authentication code SN by using a preset authentication key generation algorithm2. The session key determination module 13 determines the session key R using a true random number generator1. The first authentication module 14 uses the authentication key K with the hardware cryptographic algorithm HWC2Mapping information of encrypted sequence number Seq and session key R1With the second device M2And (4) mutual authentication is carried out, and the hardware cryptographic algorithm HWC is consistent with the white-box cryptographic algorithm and can be mutually decrypted. The data receiving module 15 receives data from the second device M2Based on the session key R1And the mapping information of the sequence number Seq.
Optionally, a first device M1And a second device M2May act as the master initiating authentication. First device M1Or actively sending authentication invitation to the second device M by utilizing the security chip SE2The authentication invitation includes a serial number of the communication packet. Second device M2After receiving the authentication invitation, sending an authentication request to the first device M1. At this time, the secure chip SE further includes an authentication invitation sending module, and the authentication invitation sending module sends the authentication invitation to the second device M2The authentication invitation includes, but is not limited to, a sequence number Seq.
According to some embodiments, the first authentication module 14 includes a first ciphertext determination unit 141, a first ciphertext transmission unit 142, a second ciphertext reception unit 143, a second ciphertext decryption unit 144, and a reply ciphertext transmission unit 145, as shown in fig. 7.
The first ciphertext determination unit 141 may use the authentication key K using a hardware cryptographic algorithm HWC2Encrypting sequence number Seq and session key R1To obtain a first ciphertext C1. The first ciphertext transmitting unit 142 transmits the first ciphertext C1To the second device M2. The second ciphertext receiving unit 143 receives the ciphertext from the second device M2The first mapping information of the sequence number Seq and the session key R by adopting the white-box cryptographic algorithm1The second ciphertext C of the combined encryption2. The second ciphertext decryption unit 144 decrypts and authenticates the second ciphertext C using the hardware cryptographic algorithm HWC2. Response ciphertext transmitting unit 145 transmits response ciphertext C3To the second device M2。
Fig. 8 is a functional block diagram of a device provided in the embodiment of the present application, in which the second device M is a device2The system comprises an authentication request sending module 21, a receiving module 22, a decryption module 23, a second authentication module 24 and a data sending module 25.
The authentication request sending module 21 sends an authentication request Seq | | | SN to the security chip SE, where the authentication request Seq | | SN includes a serial number Seq and an authentication code SN of the communication packet. The receiving module 22 receives the first ciphertext C from the security chip SE1. The decryption module 23 decrypts and authenticates the first ciphertext C using the white-box cryptographic algorithm1To obtain a session key R1. The second authentication module 24 encrypts the mapping information of the sequence number Seq and the session key R using the white-box cryptographic algorithm1Mutually authenticating with a security chip SE, a session key R1The first cipher text C sent by the safety chip SE1. The data transmission module 25 transmits the encrypted data to the security chip SE, the encrypted data being based on the session key R using the software cryptographic algorithm1Encryption is performed.
Optionally, a first device M1And a second device M2Can be used as the initiative party for initiating authentication. First device M1Or actively sending authentication invitation to the second device M by utilizing the security chip SE2The authentication invitation includes a serial number of the communication packet. Second device M2After receiving the authentication invitation, sending an authentication request to the first device M1. At this time, the second device M2The system also comprises an authentication invitation receiving module, wherein the authentication invitation receiving module receives an authentication invitation from the security chip SE, and the authentication invitation comprises a serial number Seq.
According to some embodiments, the second authentication module 24 includes an encryption unit 241, a sending unit 242, a receiving unit 243, and an authentication unit 244, as shown in fig. 9.
The encryption unit 241 maps the first mapping information of the sequence number Seq and the session key R using the white-box cipher algorithm1Is combined and encrypted to form a second ciphertext C2. The transmission unit 242 transmits the second ciphertext C2To the security chip SE. The receiving unit 243 receives the response ciphertext C from the security chip SE3. Authentication unit 244 decrypts and authenticates the response ciphertext C using a white-box cryptographic algorithm3。
Fig. 10 is a functional block diagram of an electronic device according to an embodiment of the present disclosure.
The electronic device may include an output unit 301, an input unit 302, a processor 303, a storage 304, a communication interface 305, and a memory unit 306.
The memory 304 is provided as a non-transitory computer readable memory that can be used to store software programs, computer executable programs, and modules. When the one or more programs are executed by the one or more processors 303, the one or more processors 303 are caused to implement the methods as described above.
The memory 304 may include a program storage area and a data storage area. The storage program area can store an operating system and an application program required by at least one function. The storage data area may store data created according to use of the electronic device, and the like. Further, the memory 304 may include high speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory 304 may optionally include memory located remotely from the processor 303, which may be connected to the electronic device via a network.
The foregoing detailed description of the embodiments of the present application has been presented to illustrate the principles and implementations of the present application, and the description of the embodiments is only intended to facilitate the understanding of the methods and their core concepts of the present application. Meanwhile, a person skilled in the art should, according to the idea of the present application, change or modify the embodiments and applications of the present application based on the scope of the present application. In view of the above, the description should not be taken as limiting the application.
Claims (25)
1. An internet of things, comprising:
at least one first device, which is internally provided with a security chip;
at least one second device, which is internally configured with a white-box cryptographic algorithm; wherein,
and the first equipment performs identity authentication and secret communication with the second equipment through the security chip.
2. The internet of things as claimed in claim 1, wherein the first device comprises:
gateway, server.
3. The internet of things as claimed in claim 1, wherein the second device comprises: and (4) user terminal equipment.
4. The internet of things of claim 1, wherein the security chip comprises:
the authentication key generation module is used for generating a corresponding authentication key for the second equipment;
and the first authentication module encrypts the mapping information of the serial number of the communication message and the session key by using the authentication key by using a hardware cryptographic algorithm, and performs identity authentication with the second equipment.
5. The internet of things of claim 3, wherein the algorithm employed by the authentication key generation module comprises an ALG algorithm.
6. The internet of things as claimed in claim 1, wherein the hardware cryptographic algorithm is identical to the white-box cryptographic algorithm.
7. The internet of things as claimed in claim 4, wherein the session key is updated when the sequence number is an integer multiple of a preset session key update threshold.
8. An identity authentication and secret communication method applied to the first device of any one of claims 1 to 7, the method comprising:
receiving an authentication request from the second equipment by using the security chip, wherein the authentication request comprises a serial number and an authentication code of a communication message;
based on the authentication code, generating an authentication key corresponding to the second device by using a preset authentication key generation algorithm;
determining a session key by using a true random number generator;
encrypting the mapping information of the serial number and the session key by using the authentication key by using a hardware cryptographic algorithm in the security chip, and mutually authenticating the mapping information and the session key with the second device, wherein the hardware cryptographic algorithm is consistent with a white-box cryptographic algorithm;
receiving encrypted data from the second device, the encrypted data being encrypted based on the session key.
9. The method of claim 8, wherein prior to receiving, with the secure chip, the authentication request from the second device, further comprising:
and sending an authentication invitation to the second equipment by utilizing the security chip, wherein the authentication invitation comprises the serial number.
10. The method of claim 8 or 9, wherein encrypting the mapping information of the serial number and the session key by using the authentication key using a hardware cryptographic algorithm in the secure chip to mutually authenticate with the second device comprises:
encrypting the combination of the serial number and the session key by using the authentication key by using the hardware cryptographic algorithm to obtain a first ciphertext;
sending the first ciphertext to the second device;
receiving a second ciphertext from the second device encrypted by the white-box cryptographic algorithm on the combination of the first mapping information of the serial number and the session key;
decrypting and authenticating the second ciphertext using the hardware cryptographic algorithm;
and sending a response ciphertext to the second device.
11. The method of claim 10, wherein before sending the response ciphertext to the second device, further comprising:
and encrypting the second mapping information of the serial number, the confirmer, the session key and a preset session key updating threshold value by using the hardware cryptographic algorithm to obtain a response ciphertext.
12. The method of claim 11, wherein the session key is updated when the sequence number is an integer multiple of the session key update threshold.
13. An identity authentication and secret communication method applied to the second device of any one of claims 1 to 7, the method comprising:
the second equipment sends an authentication request to the security chip, wherein the authentication request comprises a serial number and an authentication code of the communication message;
receiving a first ciphertext sent from the security chip;
decrypting the first ciphertext by using a white-box cryptographic algorithm to obtain a session key;
encrypting the mapping information of the serial number and the session key by using the white-box cryptographic algorithm, and performing mutual authentication with the security chip;
and sending encrypted data to the security chip, wherein the encrypted data is encrypted based on the session key by using a software cryptographic algorithm.
14. The method of claim 13, wherein before the second device sends the authentication request to the secure chip, further comprising:
the second device receives an authentication invitation from the security chip, the authentication invitation including the serial number.
15. The method according to claim 13 or 14, wherein the encrypting the mapping information of the serial number and the session key by using a white-box cryptographic algorithm and mutually authenticating with the secure chip comprises:
encrypting the combination of the first mapping information of the serial number and the session key by using the white-box cryptographic algorithm to form a second ciphertext;
sending the second ciphertext to the security chip;
receiving a response ciphertext from the security chip;
and decrypting and authenticating the response ciphertext by using the white-box cryptographic algorithm.
16. The method of claim 13, wherein the first ciphertext is obtained by the security chip encrypting the combination of the sequence number and the session key using an authentication key using a hardware cryptographic algorithm consistent with the white-box cryptographic algorithm.
17. The method of claim 15, wherein the response cipher text is obtained by the security chip encrypting a combination of the second mapping information of the serial number, the confirmer, the session key and a preset session key update threshold value by using the hardware cryptographic algorithm.
18. The method of claim 17, wherein the security chip updates the session key when the sequence number is an integer multiple of the session key update threshold.
19. A security chip, comprising:
the authentication request receiving module receives an authentication request from the second device, wherein the authentication request comprises a serial number and an authentication code of the communication message;
the authentication key generation module is used for generating an authentication key corresponding to the second equipment by using a preset authentication key generation algorithm based on the authentication code;
the session key determining module is used for determining a session key by utilizing a true random number generator;
the first authentication module encrypts the mapping information of the serial number and the session key by using the authentication key through a hardware cryptographic algorithm, and performs mutual authentication with the second device, wherein the hardware cryptographic algorithm is consistent with a white-box cryptographic algorithm;
and the data receiving module is used for receiving encrypted data from the second equipment, and the encrypted data is encrypted based on the session key.
20. The security chip of claim 19, further comprising:
and the authentication invitation sending module is used for sending an authentication invitation to the second equipment, wherein the authentication invitation comprises the serial number.
21. The secure chip of claim 19 or 20, wherein the first authentication module comprises:
a first ciphertext determining unit, configured to encrypt, using the hardware cryptographic algorithm, the combination of the serial number and the session key using the authentication key to obtain a first ciphertext;
the first ciphertext sending unit is used for sending the first ciphertext to the second device;
a second ciphertext receiving unit, configured to receive a second ciphertext obtained by encrypting, by the second device, the combination of the first mapping information of the serial number and the session key by using the white-box cryptographic algorithm;
the second ciphertext decryption unit decrypts and authenticates the second ciphertext by using the hardware cryptographic algorithm;
and the response ciphertext sending unit is used for sending the response ciphertext to the second equipment.
22. An apparatus, comprising:
the authentication request sending module is used for sending an authentication request to the security chip, wherein the authentication request comprises a serial number and an authentication code of the communication message;
the receiving module is used for receiving a first ciphertext sent from the security chip;
the decryption module decrypts and authenticates the first ciphertext by using a white-box cryptographic algorithm to obtain a session key;
the second authentication module encrypts the mapping information and the session key of the serial number by using a white-box cryptographic algorithm and performs mutual authentication with the security chip;
and the data sending module is used for sending encrypted data to the security chip, and the encrypted data is encrypted based on the session key by using a software encryption algorithm.
23. The apparatus of claim 22, further comprising:
and the authentication invitation receiving module is used for receiving the authentication invitation from the security chip, and the authentication invitation comprises the serial number.
24. The device of claim 22 or 23, wherein the second authentication module comprises:
the encryption unit encrypts the combination of the first mapping information of the serial number and the session key by using the white-box cryptographic algorithm to form a second ciphertext;
a transmitting unit that transmits the second ciphertext to the security chip;
the receiving unit is used for receiving the response ciphertext from the security chip;
and the authentication unit is used for decrypting and authenticating the response ciphertext by using the white-box cryptographic algorithm.
25. A computer-readable medium, on which a computer program is stored which, when being executed by a processor, carries out the method of any one of claims 8 to 18.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911389934.8A CN113132087A (en) | 2019-12-30 | 2019-12-30 | Internet of things, identity authentication and secret communication method, chip, equipment and medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911389934.8A CN113132087A (en) | 2019-12-30 | 2019-12-30 | Internet of things, identity authentication and secret communication method, chip, equipment and medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113132087A true CN113132087A (en) | 2021-07-16 |
Family
ID=76767431
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911389934.8A Pending CN113132087A (en) | 2019-12-30 | 2019-12-30 | Internet of things, identity authentication and secret communication method, chip, equipment and medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113132087A (en) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113965364A (en) * | 2021-10-12 | 2022-01-21 | 西安电子科技大学 | Lightweight safety communication method and system for unmanned equipment |
CN114301596A (en) * | 2021-11-18 | 2022-04-08 | 成都市卡蛙科技有限公司 | OTA (over the air) secure communication method and device for vehicle intranet, vehicle-mounted system and storage medium |
CN115396121A (en) * | 2022-10-26 | 2022-11-25 | 广州万协通信息技术有限公司 | Security authentication method for security chip OTA data packet and security chip device |
WO2023031517A1 (en) * | 2021-08-31 | 2023-03-09 | Leo Hatjasalo | A securely controllable apparatus and system |
CN116939599A (en) * | 2023-08-20 | 2023-10-24 | 敦和安全科技(武汉)有限公司 | High-speed encryption communication method and device for low-performance equipment |
CN118631590A (en) * | 2024-08-08 | 2024-09-10 | 杭州海康威视数字技术股份有限公司 | Lightweight identity authentication method, system and device |
-
2019
- 2019-12-30 CN CN201911389934.8A patent/CN113132087A/en active Pending
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2023031517A1 (en) * | 2021-08-31 | 2023-03-09 | Leo Hatjasalo | A securely controllable apparatus and system |
CN113965364A (en) * | 2021-10-12 | 2022-01-21 | 西安电子科技大学 | Lightweight safety communication method and system for unmanned equipment |
CN113965364B (en) * | 2021-10-12 | 2022-07-15 | 西安电子科技大学 | Lightweight secure communication method and system for unmanned equipment |
CN114301596A (en) * | 2021-11-18 | 2022-04-08 | 成都市卡蛙科技有限公司 | OTA (over the air) secure communication method and device for vehicle intranet, vehicle-mounted system and storage medium |
CN115396121A (en) * | 2022-10-26 | 2022-11-25 | 广州万协通信息技术有限公司 | Security authentication method for security chip OTA data packet and security chip device |
CN116939599A (en) * | 2023-08-20 | 2023-10-24 | 敦和安全科技(武汉)有限公司 | High-speed encryption communication method and device for low-performance equipment |
CN116939599B (en) * | 2023-08-20 | 2024-06-07 | 敦和安全科技(武汉)有限公司 | High-speed encryption communication method and device for low-performance equipment |
CN118631590A (en) * | 2024-08-08 | 2024-09-10 | 杭州海康威视数字技术股份有限公司 | Lightweight identity authentication method, system and device |
CN118631590B (en) * | 2024-08-08 | 2024-10-11 | 杭州海康威视数字技术股份有限公司 | Lightweight identity authentication method, system and device |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP3619884B1 (en) | Secure dynamic threshold signature scheme employing trusted hardware | |
CN105162772B (en) | A kind of internet of things equipment certifiede-mail protocol method and apparatus | |
CN113132087A (en) | Internet of things, identity authentication and secret communication method, chip, equipment and medium | |
CN110572804B (en) | Bluetooth communication authentication request, receiving and communication method, mobile terminal and equipment terminal | |
CN113691502B (en) | Communication method, device, gateway server, client and storage medium | |
US9118661B1 (en) | Methods and apparatus for authenticating a user using multi-server one-time passcode verification | |
US11374910B2 (en) | Method and apparatus for effecting a data-based activity | |
EP0661845B1 (en) | System and method for message authentication in a non-malleable public-key cryptosystem | |
CN108111497A (en) | Video camera and server inter-authentication method and device | |
US20220385642A1 (en) | Method and apparatus for effecting a data-based activity | |
CN110855667B (en) | Block chain encryption method, device and system | |
CN111614621A (en) | Internet of things communication method and system | |
TWI787974B (en) | Method and system for generating dynamic key | |
CN105262773A (en) | A verification method and apparatus for an IOT system | |
CN114143108A (en) | Session encryption method, device, equipment and storage medium | |
CN117081736A (en) | Key distribution method, key distribution device, communication method, and communication device | |
US11240661B2 (en) | Secure simultaneous authentication of equals anti-clogging mechanism | |
CN111654481A (en) | Identity authentication method, identity authentication device and storage medium | |
CN110611679A (en) | Data transmission method, device, equipment and system | |
CN115314284B (en) | Public key authentication searchable encryption method and system based on trusted execution environment | |
Li et al. | A simple and robust anonymous two‐factor authenticated key exchange protocol | |
CN114257419B (en) | Device authentication method, device, computer device and storage medium | |
CN111431846B (en) | Data transmission method, device and system | |
CN114065170A (en) | Method and device for acquiring platform identity certificate and server | |
CN118488443B (en) | Encryption communication method and system for unmanned aerial vehicle |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination |