CN113286305B - Equipment authentication method, device, equipment and storage medium - Google Patents
- Publication number: CN113286305B (application CN202010098368.1A)
- Authority: CN (China)
- Prior art keywords: authentication, designated area, message, equipment, successful
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
Abstract
The embodiment of the invention discloses a device authentication method, apparatus, device and storage medium. The device authentication method comprises the following steps: the first device generates a first authentication message for starting device authentication and outputs it, the output prompting the user to move the second device to a first designated area; based on an antenna array deployed in the first device, the second device is located according to a first positioning message sent by the second device, giving a first position of the second device relative to the first device; when that first position lies in the first designated area, the orientation authentication for the first designated area is successful, and orientation authentication for a second designated area is performed for a further device movement by the user; if the orientation authentication for the second designated area is successful, the device authentication is successful. The invention solves the problem that device authentication in the prior art is difficult to make both highly secure and low cost.
Description
Technical Field
The present invention relates to the field of device authentication technologies, and in particular, to a device authentication method, apparatus, device, and storage medium.
Background
With the development of computer technology, wireless communication between devices has become vulnerable to an attacker who inserts himself between the communicating parties, a so-called man-in-the-middle (MITM). Therefore, before wireless communication begins, the devices that will communicate need to be authenticated to ensure the security of the wireless communication.
Currently, device authentication based on the Bluetooth protocol mainly uses two schemes, passkey and OOB (out of band). The first scheme transmits the key in band: as long as the master device and the slave device authenticate with the same key, device authentication is considered successful. The second scheme transmits the key out of band, for example through a two-dimensional code or NFC, and likewise considers device authentication successful when the master device and the slave device authenticate with the same key.
However, the inventor has found that in the first scheme the key is limited by the bandwidth and usually has only 6 bits, so a powerful computer can crack it in a short time. In the second scheme, although the key is transmitted out of band, the additional device configuration such as NFC increases the cost of the master device and the slave device, and a two-dimensional code is easily damaged or leaked, which not only makes it difficult to ensure the security of device authentication but also gives poor compatibility. Furthermore, for a device that cannot support an out-of-band transmitted key, the security of device authentication is also difficult to guarantee.
As can be seen from the above, conventional device authentication still has the problem that high security and low cost are difficult to achieve together.
Disclosure of Invention
Embodiments of the present invention provide a device authentication method, apparatus, device and storage medium, so as to solve the problem that, in the related art, high security and low cost of device authentication are difficult to achieve at the same time.
The technical scheme adopted by the invention is as follows:
According to an aspect of the present invention, a device authentication method includes the following steps: the first device generates a first authentication message for starting device authentication and outputs it, the output prompting the user to move the second device to a first designated area; based on an antenna array deployed in the first device, the second device is located according to a first positioning message sent by the second device, giving a first position of the second device relative to the first device; when that first position lies in the first designated area, the orientation authentication for the first designated area is successful, and orientation authentication for a second designated area is performed for a further device movement by the user; if the orientation authentication for the second designated area is successful, the device authentication is successful.
According to an aspect of the present invention, a device authentication apparatus includes: a message output module, configured to have the first device generate a first authentication message for starting device authentication, output it, and prompt the user through that output to move the second device to a first designated area; a position location module, configured to locate the second device according to a first positioning message sent by the second device, based on an antenna array deployed in the first device, and obtain a first position of the second device relative to the first device; an orientation authentication module, configured to treat the orientation authentication for the first designated area as successful when the first position of the second device relative to the first device lies within the first designated area, and to perform orientation authentication for a second designated area for a further device movement by the user; and a device authentication module, configured to treat the device authentication as successful if the orientation authentication for the second designated area is successful.
In one embodiment, the apparatus as described above further comprises a distance determination module, configured to determine the distance between the first device and the second device when the orientation authentication for the first designated area is successful, and to restart the device authentication if the determined distance does not fall within the specified distance range.
In one embodiment, the orientation authentication module includes: a first message output unit, configured so that, when the orientation authentication for the first designated area is successful, the first device generates a second authentication message for starting orientation authentication for the second designated area, outputs it, and prompts the user through that output to move the second device to the second designated area; a first position location unit, configured to locate the second device according to a second positioning message sent by the second device, based on the antenna array deployed in the first device, and obtain a second position of the second device relative to the first device; and a first orientation authentication unit, configured to treat the orientation authentication for the second designated area as successful when the second position of the second device relative to the first device lies within the second designated area.
In one embodiment, the first message output unit includes: an angle determining subunit, configured to have the first device determine, from the distance between the first device and the second device, the movement angle through which the second device must move to reach the second designated area; and a message generating subunit, configured to generate the second authentication message from the determined movement angle.
In one embodiment, the orientation authentication module includes: a second message output unit, configured so that, when the orientation authentication for the first designated area is successful, the second device generates a third authentication message for starting orientation authentication for the second designated area, outputs it, and prompts the user through that output to move the first device to the second designated area; a second position location unit, configured to locate the first device according to a third positioning message sent by the first device, based on an antenna array deployed in the second device, and obtain the position of the first device relative to the second device; and a second orientation authentication unit, configured to treat the orientation authentication for the second designated area as successful when the position of the first device relative to the second device lies within the second designated area.
In one embodiment, the position location module includes: a field extracting unit, configured to extract a tone extension field from the first positioning message sent by the second device, so that by means of the tone extension field the first device receives the radio frequency signal of the second device through the antenna array; and an arrival angle calculation unit, configured to calculate the angle of arrival of the radio frequency signal of the second device, the angle of arrival indicating the position of the second device relative to the first device.
In one embodiment, the apparatus further comprises: a counter starting module, configured to start a time counter when position location of the second device begins; and a device authentication restarting module, configured to restart the device authentication when the value of the time counter is not less than a specified time threshold and the second device has not been moved to the first designated area.
In one embodiment, the apparatus further comprises: a key exchange module, configured to perform key exchange between the first device and the second device; and the link establishing module is used for establishing an encrypted link between the first equipment and the second equipment according to the exchanged secret key and realizing message transmission between the first equipment and the second equipment through the established encrypted link.
In one embodiment, the apparatus further comprises: and the success prompting module is used for generating an authentication success message and outputting the authentication success message when the authentication is successful, wherein the authentication success message is used for prompting the user that the direction authentication is successful or the equipment authentication is successful.
According to one aspect of the invention, a device comprises a processor and a memory having computer-readable instructions stored thereon which, when executed by the processor, implement a device authentication method as described above.
According to an aspect of the invention, a storage medium has stored thereon a computer program which, when executed by a processor, implements a device authentication method as described above.
In this technical scheme, high-security device authentication is ensured through orientation authentication for different designated areas, and the antenna array needs to be deployed in only the master device or the slave device, so that the cost of device authentication does not become excessive.
Specifically, the first device generates and outputs a first authentication message for starting device authentication, prompting the user through that output to move the second device to a first designated area. It then locates the second device according to a first positioning message sent by the second device, based on an antenna array deployed in the first device, and obtains a first position of the second device relative to the first device. When that first position lies in the first designated area, the orientation authentication for the first designated area is determined to be successful, and orientation authentication for a second designated area is performed for a further device movement by the user. Finally, if the orientation authentication for the second designated area is successful, the device authentication is determined to be successful. Because the slave device must be placed at different positions relative to the master device in which the antenna array is deployed, an attacker cannot pretend to be the slave device, which effectively solves the problem that device authentication in the prior art is difficult to make both highly secure and low cost.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention.
FIG. 1 is a schematic illustration of an implementation environment in accordance with the present invention.
FIG. 2 is a hardware block diagram of an apparatus shown in accordance with an example embodiment.
Fig. 3 is a flow chart illustrating a method of device authentication according to an example embodiment.
Fig. 4 is a schematic diagram of a first designated area according to a corresponding embodiment of fig. 3.
Fig. 5 is a flow chart illustrating another method of device authentication in accordance with an example embodiment.
FIG. 6 is a flow diagram of one embodiment of step 430 in a corresponding embodiment of FIG. 5.
Fig. 7 is a flow chart of step 430 in another embodiment in the corresponding embodiment of fig. 5.
FIG. 8 is a flowchart of one embodiment of step 4311 in the corresponding embodiment of FIG. 7.
FIG. 9 is a flow chart of one embodiment of step 330 of the corresponding embodiment of FIG. 3.
Fig. 10 is a schematic illustration of angles of arrival according to the corresponding embodiment of fig. 9.
Fig. 11 is a flow chart illustrating another method of device authentication in accordance with an example embodiment.
Fig. 12 is a flow chart illustrating a method of device authentication according to an example embodiment.
Fig. 13 is a block diagram illustrating a device authentication apparatus according to an example embodiment.
FIG. 14 is a block diagram illustrating a device according to an example embodiment.
While specific embodiments of the invention have been shown by way of example in the drawings and will be described in detail hereinafter, such drawings and description are not intended to limit the scope of the inventive concepts in any way, but rather to explain the inventive concepts to those skilled in the art by reference to the particular embodiments.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the present invention. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the invention, as detailed in the appended claims.
Fig. 1 is a schematic diagram of an implementation environment related to a device authentication method. The implementation environment includes a first device 110, a second device 130.
The first device 110 and the second device 130 may each be a smart phone, smart printer, smart fax machine, smart camera, smart air conditioner, smart door lock, or another network-connected electronic device with a wireless communication function, such as a human body sensor, door and window sensor, temperature and humidity sensor, water sensor, vision sensor, natural gas alarm, smoke alarm, buzzer alarm, wall switch, wall socket, wireless switch, wireless wall switch, magic cube controller, curtain motor, and the like, without specific limitation here.
Device authentication is performed before the wireless communication connection between the first device 110 and the second device 130 is established. During device authentication, the first device 110 may act as the master device and authenticate a slave device such as the second device 130, or the second device 130 may act as the master device and authenticate a slave device such as the first device 110.
An antenna array is deployed on whichever device acts as the master, so that the master can locate the position of the slave device and, based on the located positions, perform orientation authentication of the slave device for the first designated area and for the second designated area.
When the orientation authentication for the first designated area and the orientation authentication for the second designated area both succeed, the device authentication succeeds. Wireless communication can then be established between the first device 110 and the second device 130, enabling high-security data transmission between them.
Fig. 2 is a block diagram illustrating a hardware configuration of a device according to an example embodiment. Such devices are suitable for use in the first device 110 and the second device 130 of the implementation environment shown in fig. 1.
It should be noted that this device is only an example adapted to the invention and should not be considered as providing any limitation to the scope of use of the invention. Nor should such a device be construed as requiring reliance on, or necessity of, one or more components of the exemplary device 200 shown in fig. 2.
The hardware structure of the device 200 may vary greatly with its configuration or performance. As shown in fig. 2, the device 200 includes a power supply 210, an interface 230, at least one memory 250, and at least one central processing unit (CPU) 270.
Specifically, power supply 210 is used to provide operating voltages for various hardware devices on device 200.
The interface 230 includes at least one wired or wireless network interface for interacting with external devices. For example, data transfer between the first device 110 and the second device 130 in the implementation environment shown in fig. 1 is performed.
Of course, in other examples of the present invention, the interface 230 may further include at least one serial-to-parallel conversion interface 233, at least one input/output interface 235, at least one USB interface 237, etc., as shown in fig. 2, which is not limited herein.
The memory 250 serves as the carrier for resource storage and may be a read-only memory, a random access memory, a magnetic disk, an optical disk, or the like. The resources stored on it include an operating system 251, an application 253, data 255, and so on, stored either transiently or permanently.
The operating system 251 manages and controls the hardware devices and application programs 253 on the device 200, so that the central processing unit 270 can operate on and process the mass data 255 in the memory 250; it may be Windows Server, Mac OS X™, Unix, Linux, FreeBSD™, or the like.
The application 253 is a computer program that performs at least one specific task on top of the operating system 251, and may include at least one module (not shown in FIG. 2), each of which may contain a respective series of computer-readable instructions for the device 200. For example, the device authentication apparatus can be regarded as an application 253 deployed in the device 200.
The data 255 may be a photograph, a picture, etc. stored in the disk, and may also be a first authentication message, a second authentication message, etc. stored in the memory 250.
The central processor 270 may include one or more processors and is configured to communicate with the memory 250 via at least one communication bus to read computer-readable instructions stored in the memory 250, and further to implement operations and processing on the mass data 255 in the memory 250. The device authentication method is accomplished, for example, by central processor 270 reading a series of computer readable instructions stored in memory 250.
Furthermore, the present invention can be implemented by hardware circuits or by a combination of hardware circuits and software, and thus, the implementation of the present invention is not limited to any specific hardware circuits, software, or a combination of both.
Referring to fig. 3, in an exemplary embodiment, a device authentication method is applied to the device in the implementation environment shown in fig. 1, and the structure of the device may be as shown in fig. 2.
The device authentication method may be executed by a device, or may be understood as being executed by an application (i.e., a device authentication apparatus) running in the device. In the following method embodiments, for convenience of description, the main body of execution of each step is described as an apparatus, but the present invention is not limited thereto.
The device authentication method may include the steps of:
Step 310: the first device generates a first authentication message for starting device authentication, outputs it, and prompts the user through that output to move the second device to a first designated area.
In this embodiment, the device authentication includes position authentication with respect to the first designated area, that is, if the user moves the second device to the first designated area as instructed by the first device, it may be determined that the position authentication with respect to the first designated area is successful.
Based thereon, a first authentication message is generated by the first device instructing the user to move the second device to the first designated area.
For example, as shown in fig. 4, the first designated area may be an area 401 directly in front of the first device 400, or a left area 402 or right area 403 of the first device 400. It should be noted that in the present embodiment each area is a circular region of fixed radius, but in other embodiments the area may have another shape; the present invention is not limited in this respect.
Then, when the user receives the first authentication message, the second device can be moved to the first designated area as indicated by the first authentication message.
How the first authentication message is output depends on the output component with which the first device is configured, so the output manner varies with that component. For example, if the output component of the first device is a screen, the first authentication message is displayed on the screen; alternatively, if the output component is an indicator light, the first authentication message is conveyed to the user by the flashing of the indicator light. This embodiment is not limited in this respect.
It should be understood that as the user moves the second device, its position relative to the first device changes. To detect whether the user has moved the second device to the first designated area, the second device therefore needs to be located to obtain its first position relative to the first device, so as to determine whether that first position lies in the first designated area, that is, whether the second device has moved to the first designated area, and thus whether the orientation authentication for the first designated area is successful.
In this embodiment, the position location is implemented based on an angle of arrival (AOA) mode in the bluetooth protocol.
In the AOA method, an antenna array is deployed in the first device, and the radio frequency signal transmitted by the second device is received through the different antennas of the array to determine the direction from which the second device transmits, that is, the first position of the second device relative to the first device.
For its part, the second device sends a first positioning message to the first device, and by sending it enables the first device to receive the second device's radio frequency signal on the deployed antenna array. In other words, the first positioning message is essentially a signal carrying a fixed frequency.
It should be noted that, for the AOA method, the device that deploys the antenna array is regarded as the master device, and the device that sends the positioning message is regarded as the slave device, so that many slave devices with low cost requirements do not need to deploy the antenna array, thereby effectively reducing the cost of the slave device, and further solving the problem that it is difficult to consider both high security and low cost in the device authentication process.
After the first position of the second device relative to the first device is obtained, it can be determined whether the first position of the second device relative to the first device is within the first designated area, and thus whether the second device moves to the first designated area.
If the second device has moved to the first specified area, the position authentication with respect to the first specified area is successful.
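The angle-of-arrival positioning described above, as an added example that is not the patent's own code: a two-element estimator in Python that converts the phase difference between two antennas of the master's array into a bearing. The two-element array, the half-wavelength spacing, the BLE channel frequency and the synthesized tone samples are all assumptions constructed for the example; a product array uses more elements and switches between them while the slave transmits its constant tone.

```python
"""Two-element angle-of-arrival (AoA) estimate from per-antenna IQ samples.

Added example, not code from the patent. The slave transmits a fixed-frequency
tone, the master samples it on two antennas of its array and converts the
phase difference into a bearing. Two elements are an assumption for clarity.
"""
import cmath
import math

SPEED_OF_LIGHT_M_S = 299_792_458.0


def wavelength_m(freq_hz: float) -> float:
    return SPEED_OF_LIGHT_M_S / freq_hz


def phase_difference_rad(iq_ref, iq_other) -> float:
    """Phase of `iq_other` relative to `iq_ref`, averaged over all samples.

    Summing b * conj(a) accumulates a phasor whose angle is angle(b) - angle(a);
    averaging as a phasor (not as raw angles) is robust to the tone's own phase
    rotation from sample to sample. The result lies in (-pi, pi].
    """
    acc = 0j
    for a, b in zip(iq_ref, iq_other):
        acc += b * a.conjugate()
    return cmath.phase(acc)


def angle_of_arrival_deg(delta_phi_rad: float, spacing_m: float, freq_hz: float) -> float:
    """theta = arcsin(delta_phi * lambda / (2 pi d)); 0 deg = broadside (directly in front).

    Sign convention: a positive angle means `iq_other` leads `iq_ref` in phase.
    The bearing is unambiguous only while d <= lambda/2; wider spacing aliases it.
    """
    lam = wavelength_m(freq_hz)
    s = delta_phi_rad * lam / (2 * math.pi * spacing_m)
    s = max(-1.0, min(1.0, s))  # clamp floating-point overshoot at +/-90 deg
    return math.degrees(math.asin(s))


def estimate_aoa_deg(iq_ref, iq_other, spacing_m: float, freq_hz: float) -> float:
    return angle_of_arrival_deg(phase_difference_rad(iq_ref, iq_other), spacing_m, freq_hz)


def synth_tone_samples(true_angle_deg: float, spacing_m: float, freq_hz: float,
                       n: int = 16, tone_step_rad: float = 0.3):
    """Constructed input: the same tone on both antennas, the second shifted by
    the path-difference phase 2 pi d sin(theta) / lambda (no noise, no multipath)."""
    lam = wavelength_m(freq_hz)
    dphi = 2 * math.pi * spacing_m * math.sin(math.radians(true_angle_deg)) / lam
    iq_ref = [cmath.exp(1j * tone_step_rad * k) for k in range(n)]
    iq_other = [a * cmath.exp(1j * dphi) for a in iq_ref]
    return iq_ref, iq_other


if __name__ == "__main__":
    f = 2.402e9                 # assumed carrier: BLE advertising channel 37, Hz
    d = wavelength_m(f) / 2     # half-wavelength spacing, about 6.2 cm
    for truth in (-60.0, 0.0, 30.0):
        est = estimate_aoa_deg(*synth_tone_samples(truth, d, f), d, f)
        print(f"true {truth:6.1f} deg -> estimated {est:6.2f} deg")
```

The clamp and the half-wavelength limit are the two places where a real implementation earns its keep: a reflected (multipath) tone or an antenna spacing wider than half a wavelength produces a confident but wrong bearing, which is why the authentication in this patent does not rely on a single position but on two distinct areas plus a distance check.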
Here the inventors have recognized that if an attacker happens to move the second device to the first designated area, the first device cannot distinguish the attacker from the user holding the second device, and the orientation authentication for the first designated area may be mistakenly treated as successful, which could lead to eavesdropping on the wireless communication.
Therefore, in the present embodiment, after the orientation authentication for the first designated area is successful, distance authentication for the first designated area is performed first.
Specifically, as shown in fig. 5, in an implementation of an embodiment, before performing the position authentication with respect to the second designated area, the method as described above may further include the steps of:
The distance may be determined from the RSSI (received signal strength indication) of the radio frequency signal sent by the second device, or calculated with an HADM (high accuracy distance measurement) algorithm; this is not limited here.
The specified distance range may be adjusted flexibly to the actual requirements of the application scenario and is not limited here.
In other words, even if the attacker happens to move the second device to the first designated area, the probability that the distance between the second device and the first device also happens to fall within the specified distance range is low. An attacker who moves the second device into the first designated area can thus be excluded at this preliminary stage, making a successful impersonation more difficult.
Further, in this embodiment, after the azimuth authentication on the first designated area is successful, the azimuth authentication on the second designated area needs to be performed, so as to sufficiently improve the security of the wireless communication and further prevent the wireless communication from being eavesdropped. The second designated area is different from the first designated area, and for example, as shown in fig. 4, the first designated area is a left area 402, and the second designated area is a right area 403.
Optionally, the positional authentication with respect to the second designated area is still initiated by the first device. At this time, the antenna array is only deployed on the first device, that is, the first device is used as a master device, so that low cost of the slave device in the device authentication process is sufficiently ensured.
As shown in fig. 6, based on the first device deploying the antenna array, step 430 may include the steps of:
step 4311, when the orientation authentication on the first designated area is successful, the first device generates a second authentication message for starting the orientation authentication on the second designated area, outputs the second authentication message, and prompts the user to move the second device to the second designated area through the output of the second authentication message.
That is to say, in the two azimuth authentication processes, the second device moves relative to the first device, so that an attacker cannot pretend to be the second device, and the security of wireless communication between the first device and the second device is ensured.
Optionally, the orientation authentication for the second designated area is initiated by the second device. In this case the second device also needs an antenna array, that is, the second device can also act as a master device. In other words, when both the first device and the second device are equipped with antenna arrays, their master and slave roles may be interchanged, or equivalently the authentication roles of master and slave may be interchanged, which broadens the applicability of the device authentication.
As shown in fig. 7, if an antenna array is also deployed in the second device, step 430 may further include the following steps:
step 4312, when the orientation authentication on the first designated area is successful, the second device generates a third authentication message for starting the orientation authentication on the second designated area, outputs the third authentication message, and prompts the user to move the first device to the second designated area through the output of the third authentication message.
That is, in the second orientation authentication the second device does not move; instead the first device moves to the second designated area as instructed by the second device. Master and slave therefore each move once, which prevents other devices from forging messages. This further improves the security of the wireless communication, meets the needs of application scenarios with stricter security requirements, and further broadens the applicability of the device authentication.
In step 370, if the orientation authentication with respect to the second designated area is successful, the device authentication is successful.
If the first device or the second device has moved to the second designated area as instructed, the location authentication with respect to the second designated area is successful.
Then, after the orientation authentication with respect to the first specified area and the orientation authentication with respect to the second specified area are both successful, it can be preliminarily determined that the device authentication is successful.
Further, as noted earlier, the inventors recognised that if an attacker happened to move the first device or the second device into the second designated area, orientation authentication with respect to the second designated area would wrongly be judged successful, exposing the wireless communication to eavesdropping.
For that reason, in this embodiment, distance authentication with respect to the second designated area may also be performed after its orientation authentication succeeds. Only when that distance authentication passes, i.e. when the distance between the first device and the second device falls within the specified distance range, is the device authentication regarded as successful, which further improves the security of the wireless communication.
Further, in an embodiment, an authentication success message is generated and output whenever an authentication succeeds. The authentication success message prompts the user that orientation authentication, or device authentication as a whole, has succeeded.
Here, the output of the authentication success message is also dependent on the output component of the first device configuration, and for example, the authentication success message may be output to the user by being displayed in a screen, or may be output to the user by flashing an indicator light, which is not limited herein.
Therefore, the user can timely know each step of the whole equipment authentication process based on the output of the authentication success message, and the user experience is further improved.
Through this process, device authentication based on the AOA mode is realised. Orientation authentication against two different designated areas ensures that an attacker cannot masquerade as the slave device, which gives the device authentication high security, while the antenna array need only be present in the master device or the slave device, which keeps the cost of device authentication down. High security and low cost are thus achieved together.
In addition, the AOA mode not only solves the problem of securely authenticating devices that cannot export a key, but also adds a further authentication mode for devices that can, which helps broaden the applicability of device authentication.
Referring to FIG. 8, in an exemplary embodiment, step 4311 may include the steps of:
The inventors realised that if the movement angle is too small and the first device and the second device are close together, an error may arise: orientation authentication with respect to the second designated area may wrongly be judged successful. Conversely, if the movement angle is unsuitable when the first device and the second device are far apart, orientation authentication becomes harder.
Therefore, in this embodiment, the second authentication message is generated on the basis of the movement angle.
Specifically, the angle of movement of the second device to the second designated area is determined according to the distance between the first device and the second device. For example, assuming that the distance between the first device and the second device is 10 meters, the angle of movement of the second device to the second designated area is determined to be 45 °.
Moving the device according to this movement angle therefore preserves the accuracy of the orientation authentication while reducing its difficulty, which helps raise the success rate of the orientation authentication.
Referring to fig. 9, in an exemplary embodiment, step 330 may include the following steps:
step 331, extracting a tone extension field from the first positioning message sent by the second device, and determining, through the tone extension field, that the first device receives the radio frequency signal of the second device through the antenna array.
As mentioned above, the first positioning message is substantially a signal carrying a fixed frequency, so that the first device can receive the radio frequency signal transmitted by the second device through the first positioning message based on the deployed antenna array.
In this embodiment, the first positioning message is formed by appending a Constant Tone Extension (CTE) field to the original broadcast packet, so that the fixed-frequency signal is carried by the Constant Tone Extension field.
Therefore, for the first device, after receiving the first positioning message sent by the second device, the tone extension field can be extracted from the first positioning message, so as to obtain a signal with a fixed frequency carried by the tone extension field, that is, a radio frequency signal sent by the second device.
After the radio frequency signal transmitted by the second device is obtained, the position of the second device relative to the first device can be determined accordingly.
In this embodiment, the position of the second device relative to the first device is obtained by calculating the angle of arrival of the second device's radio frequency signal; that is, the angle of arrival indicates the position of the second device relative to the first device.
The calculation process of the angle of arrival is explained in detail below.
As shown in fig. 10, assume the antenna array deployed in the first device includes at least an antenna 1 (Antenna 1) and an antenna 2 (Antenna 2), separated by a distance d.
The radio frequency signal of the second device received at antenna 1 can be simplified to a parallel ray. Dropping a perpendicular from the position of antenna 2 onto the ray received by antenna 1 gives the path difference l between the signal as received by antenna 2 and by antenna 1, namely l = d cos θ, from which the phase difference ψ follows by formula (1):
ψ = (2π d cos θ) / λ (1)
where d is the distance between antenna 1 and antenna 2, λ is the wavelength of the radio frequency signal, and θ is the angle of arrival of the second device's radio frequency signal.
Hence the angle of arrival is θ = arccos((ψ λ) / (2π d)).
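The two-antenna angle-of-arrival calculation above, together with the two-area orientation check and the distance check it feeds, written out as an added Go example (this is not code from the patent). It assumes a 2.4 GHz carrier (λ ≈ 0.125 m), an antenna spacing of λ/2, and constructed designated areas and distance range; rejecting a phase value that cannot correspond to any angle is an added robustness measure the patent does not spell out.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// ErrInconsistentPhase is returned when a measured phase difference cannot
// have been produced by a plane wave across this antenna spacing (|cos θ| > 1).
var ErrInconsistentPhase = errors.New("phase difference inconsistent with antenna spacing")

// PhaseDifference applies formula (1): ψ = 2πd·cos(θ)/λ.
// d and λ are in metres, θ in degrees, ψ in radians.
func PhaseDifference(thetaDeg, d, lambda float64) float64 {
	return 2 * math.Pi * d * math.Cos(thetaDeg*math.Pi/180) / lambda
}

// AngleOfArrival inverts formula (1): θ = arccos(ψλ / 2πd), in degrees.
// A noisy ψ can push the cosine argument outside [-1, 1]; instead of clamping
// silently, the sample is rejected so it can never count toward a successful
// orientation check. Assumes d <= λ/2 (constructed here), so a phase measured
// modulo 2π maps to exactly one angle.
func AngleOfArrival(psi, d, lambda float64) (float64, error) {
	c := psi * lambda / (2 * math.Pi * d)
	if c > 1 || c < -1 {
		return 0, ErrInconsistentPhase
	}
	return math.Acos(c) * 180 / math.Pi, nil
}

// DesignatedArea is an angular sector [Low, High] in degrees, measured from
// the antenna baseline of the first device.
type DesignatedArea struct{ Low, High float64 }

func (a DesignatedArea) Contains(thetaDeg float64) bool {
	return thetaDeg >= a.Low && thetaDeg <= a.High
}

// Measurement is one positioning result at the first device: the phase
// difference between antenna 1 and antenna 2, and the measured distance to the
// second device in metres (only consulted in the second stage).
type Measurement struct {
	Psi      float64
	Distance float64
}

// Authenticator holds the first device's antenna geometry, the two designated
// areas, and the distance range used by the final distance authentication.
type Authenticator struct {
	AntennaSpacing float64 // d
	Wavelength     float64 // λ
	FirstArea      DesignatedArea
	SecondArea     DesignatedArea
	MinDistance    float64
	MaxDistance    float64
}

// Authenticate runs the two-stage orientation authentication: the second
// device must first be located inside FirstArea, then, after the user is
// prompted to move it, inside SecondArea. The distance check on the second
// stage rejects a device that happens to lie in the right direction but is
// outside the specified distance range. Any failure means a restart.
func (a Authenticator) Authenticate(first, second Measurement) (bool, string) {
	theta1, err := AngleOfArrival(first.Psi, a.AntennaSpacing, a.Wavelength)
	if err != nil || !a.FirstArea.Contains(theta1) {
		return false, "orientation authentication for the first designated area failed; restart"
	}
	theta2, err := AngleOfArrival(second.Psi, a.AntennaSpacing, a.Wavelength)
	if err != nil || !a.SecondArea.Contains(theta2) {
		return false, "orientation authentication for the second designated area failed; restart"
	}
	if second.Distance < a.MinDistance || second.Distance > a.MaxDistance {
		return false, "distance authentication for the second designated area failed; restart"
	}
	return true, "device authentication successful"
}

func main() {
	// Constructed sample values: 2.4 GHz carrier (λ ≈ 0.125 m), antennas λ/2
	// apart; the second device is located at 45°, then moved to 120° at 10 m.
	auth := Authenticator{
		AntennaSpacing: 0.0625, Wavelength: 0.125,
		FirstArea: DesignatedArea{30, 60}, SecondArea: DesignatedArea{100, 140},
		MinDistance: 0.5, MaxDistance: 20,
	}
	first := Measurement{Psi: PhaseDifference(45, 0.0625, 0.125)}
	second := Measurement{Psi: PhaseDifference(120, 0.0625, 0.125), Distance: 10}
	ok, msg := auth.Authenticate(first, second)
	fmt.Println(ok, msg)
}
```

With the antenna spacing at λ/2 the measured phase lies in [-π, π] and maps to a single angle of arrival; a wider spacing would make ψ wrap and the inversion ambiguous, which is why the spacing is pinned in the example.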
Through this process, position location based on the AOA mode is realised and provides the basis for judging whether orientation authentication succeeds, on which the device authentication rests.
Referring to fig. 11, in an exemplary embodiment, the method as described above may include the steps of:
The specified time threshold represents the time allowed for the second device to move and may be adjusted to the needs of the application scenario; it is not specifically limited here. For example, with a specified time threshold of 16 seconds the second device must complete its move within 16 seconds, otherwise the move is deemed to have timed out.
Accordingly, the time counter is started when position location of the second device begins and its value advances as the second device moves. If the counter value exceeds the specified time threshold and the second device has not moved into the first designated area, the move has timed out: orientation authentication with respect to the first designated area is considered to have failed, and device authentication is restarted.
Otherwise, if the second device has moved into the first designated area while the counter value is still within the specified time threshold, the move has not timed out and orientation authentication with respect to the second designated area can proceed.
In this process, the device-movement timeout adds a further condition for a successful orientation authentication, which further secures the wireless communication.
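The movement-timeout logic just described, as an added Go example that is not the patent's own code. It uses the 16-second threshold from the example above, an injected clock so the behaviour can be replayed without waiting, and constructed positioning samples; the assumed tie-break is that a device found inside the area exactly when the threshold is reached still passes.

```go
package main

import (
	"fmt"
	"time"
)

// SpecifiedTimeThreshold is the example value from the description: the
// second device must reach the first designated area within 16 seconds.
const SpecifiedTimeThreshold = 16 * time.Second

// MoveOutcome is the result of checking one positioning sample against the timer.
type MoveOutcome int

const (
	MoveInProgress MoveOutcome = iota // keep locating; time remains
	MoveArrived                       // device is inside the first designated area
	MoveTimedOut                      // threshold reached without arrival: restart authentication
)

func (o MoveOutcome) String() string {
	return [...]string{"in progress", "arrived", "timed out"}[o]
}

// MovementTimer is the time counter started when position location of the
// second device begins. The clock is injectable so the logic can be exercised
// without sleeping; nil selects time.Now.
type MovementTimer struct {
	start     time.Time
	threshold time.Duration
	now       func() time.Time
}

func StartMovementTimer(threshold time.Duration, now func() time.Time) *MovementTimer {
	if now == nil {
		now = time.Now
	}
	return &MovementTimer{start: now(), threshold: threshold, now: now}
}

// Check evaluates one positioning result. Arrival is tested before the
// timeout, so a device located inside the area exactly when the threshold is
// reached still passes; a counter value not less than the threshold without
// arrival means the move timed out and device authentication restarts.
func (m *MovementTimer) Check(inFirstArea bool) MoveOutcome {
	if inFirstArea {
		return MoveArrived
	}
	if m.now().Sub(m.start) >= m.threshold {
		return MoveTimedOut
	}
	return MoveInProgress
}

// Observation is a constructed positioning sample: time since the counter
// started, and whether the located position lies in the first designated area.
type Observation struct {
	Elapsed     time.Duration
	InFirstArea bool
}

// Simulate replays observations against a fake clock and returns the outcome
// of the first decisive sample (arrived or timed out); MoveInProgress means
// the samples ran out before a decision was reached.
func Simulate(obs []Observation, threshold time.Duration) MoveOutcome {
	base := time.Unix(0, 0)
	current := base
	timer := StartMovementTimer(threshold, func() time.Time { return current })
	for _, o := range obs {
		current = base.Add(o.Elapsed)
		if r := timer.Check(o.InFirstArea); r != MoveInProgress {
			return r
		}
	}
	return MoveInProgress
}

func main() {
	late := []Observation{{2 * time.Second, false}, {9 * time.Second, false}, {16 * time.Second, false}, {17 * time.Second, true}}
	fmt.Println("slow user:", Simulate(late, SpecifiedTimeThreshold))
	quick := []Observation{{3 * time.Second, false}, {7 * time.Second, true}}
	fmt.Println("prompt user:", Simulate(quick, SpecifiedTimeThreshold))
}
```

Using a monotonic comparison of the injected clock against the start time, rather than counting positioning samples, keeps the timeout independent of how often the second device sends positioning messages.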
Referring to fig. 12, in an exemplary embodiment, the method as described above may further include the steps of:
The inventors have realized that there is a risk of forgery by other devices when transmitting between a first device and a second device, whether authentication messages or positioning messages.
Therefore, in this embodiment, message transmission between the first device and the second device takes place over an encrypted link. The encrypted link is established from a key exchanged between the first device and the second device; the key exchange may be carried out with the ECDH key exchange protocol, or by way of a two-dimensional code or NFC. For example, the first device may scan a two-dimensional code carried by the second device to obtain the key.
Once the encrypted link is established, messages between the first device and the second device are transmitted over it: the first device encrypts a message with the encryption key and transmits the encrypted message to the second device, which decrypts it with the decryption key.
The encryption key and the decryption key may be the same or may differ, and are generated according to an encryption algorithm, which may be a symmetric or an asymmetric algorithm; examples named here include the message digest algorithm (MD5), the Secure Hash Algorithm (SHA) and the hash-based message authentication code algorithm (HMAC), without limitation.
With the embodiments above combined, transmitting messages between the first device and the second device over the encrypted link prevents other devices from forging messages and ensures that each message originates from the same device, so that the message transmission cannot be attacked by an eavesdropper, laying a solid foundation for securing the wireless communication.
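An added Go example, not from the patent, of establishing the encrypted link with an ECDH key exchange and then passing an authentication message over it. It assumes X25519 for the curve, SHA-256 over the shared secret with an assumed label for key derivation, and AES-256-GCM for the link encryption; the patent specifies none of these, and the sample message is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// linkKeyLabel is an assumed domain-separation label mixed into the key
// derivation; the patent does not specify one.
const linkKeyLabel = "device-auth-link-v1"

// Device is one side of the link, holding an ephemeral X25519 key pair.
type Device struct{ priv *ecdh.PrivateKey }

func NewDevice() (*Device, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

// PublicKey is the value handed to the peer: over the air, printed as a
// two-dimensional code, or passed via NFC.
func (d *Device) PublicKey() []byte { return d.priv.PublicKey().Bytes() }

// DeriveLinkKey performs the ECDH computation with the peer's public key and
// hashes the shared secret into a 256-bit AES key; both sides get the same key.
func (d *Device) DeriveLinkKey(peerPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := d.priv.ECDH(pub) // errors on low-order points (all-zero secret)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write([]byte(linkKeyLabel))
	h.Write(shared)
	return h.Sum(nil), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates one authentication or positioning message
// with AES-256-GCM. A fresh random nonce is prepended, and msgType is bound as
// associated data so a ciphertext cannot be replayed as a different message type.
func Seal(key, plaintext []byte, msgType string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(msgType)), nil
}

// Open reverses Seal. A modified ciphertext, nonce or message type, or a key
// derived by some third device, fails the GCM tag check and yields an error.
func Open(key, sealed []byte, msgType string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(msgType))
}

func main() {
	first, _ := NewDevice()
	second, _ := NewDevice()
	k1, _ := first.DeriveLinkKey(second.PublicKey())
	k2, _ := second.DeriveLinkKey(first.PublicKey())
	// Constructed sample: the first authentication message, sent by the first device.
	sealed, _ := Seal(k1, []byte("move the second device to the first designated area"), "auth")
	plain, err := Open(k2, sealed, "auth")
	fmt.Printf("second device read %q (err=%v)\n", plain, err)
}
```

Exchanging the public keys over the air alone does not tell either device whose key it received, so an active attacker in range could substitute its own; the two-dimensional code and NFC paths the description mentions are what bind the exchanged key to the physical device in front of the user, and this example assumes the public keys arrive that way.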
The following is an embodiment of the apparatus of the present invention, which can be used to execute the device authentication method according to the present invention. For details that are not disclosed in the embodiments of the apparatus of the present invention, refer to the method embodiments of the apparatus authentication method according to the present invention.
Referring to fig. 13, in an exemplary embodiment, a device authentication apparatus 900 includes, but is not limited to: a message output module 910, a position location module 930, a position authentication module 950, and a device authentication module 970.
The message output module 910 is configured to generate a first authentication message for initiating device authentication by the first device, output the first authentication message, and prompt the user to move the second device to the first designated area through output of the first authentication message.
A position locating module 930, configured to perform position locating on the second device according to the first positioning message sent by the second device based on the antenna array deployed in the first device, to obtain a first position of the second device relative to the first device.
A position authentication module 950, configured to perform position authentication on a second designated area for the device movement performed again by the user when the position authentication of the second device with respect to the first designated area is successful when the first position of the second device with respect to the first device is within the first designated area.
A device authentication module 970, configured to, if the location authentication on the second designated area is successful, the device authentication is successful.
It should be noted that, when the device authentication apparatus provided in the foregoing embodiment performs device authentication, only the division of the functional modules is illustrated, and in practical applications, the functions may be distributed to different functional modules according to needs, that is, the internal structure of the device authentication apparatus is divided into different functional modules to complete all or part of the functions described above.
In addition, the device authentication apparatus and the device authentication method provided by the above embodiments belong to the same concept, and the specific manner in which each module performs operations has been described in detail in the method embodiments, and is not described again here.
Referring to fig. 14, in an exemplary embodiment, an apparatus 1000 includes a processor 1001 and a memory 1002.
The memory 1002 stores computer readable instructions.
The computer readable instructions, when executed by the processor 1001, implement the device authentication method in the embodiments described above.
In an exemplary embodiment, a storage medium has a computer program stored thereon, and the computer program realizes the device authentication method in the above embodiments when executed by a processor.
The above-mentioned embodiments are merely preferred examples of the present invention, and are not intended to limit the embodiments of the present invention, and those skilled in the art can easily make various changes and modifications according to the main concept and spirit of the present invention, so that the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (12)
1. A device authentication method, comprising:
the first equipment generates a first authentication message for starting equipment authentication, outputs the first authentication message, and prompts a user to move the second equipment to a first designated area through the output of the first authentication message;
based on an antenna array deployed in the first device, performing position location on the second device according to a first location message sent by the second device, and obtaining a first position of the second device relative to the first device;
when the first position of the second device relative to the first device is located in the first designated area, the position authentication of the first designated area is successful, and the position authentication of the second designated area is performed for the device movement performed again by the user;
the device authentication is successful if the azimuth authentication with respect to the second designated area is successful.
2. The method of claim 1, wherein prior to said performing the azimuth authentication with respect to the second specified area, the method further comprises:
when the position authentication about the first designated area is successful, determining a distance between the first device and the second device;
restarting the device authentication if the determined distance does not conform to the specified distance range.
3. The method of claim 1 or 2, wherein said performing orientation authentication with respect to the second designated area comprises:
when the position authentication about the first designated area is successful, the first equipment generates a second authentication message for starting the position authentication about the second designated area, outputs the second authentication message, and prompts the user to move the second equipment to the second designated area through the output of the second authentication message;
based on an antenna array deployed in the first device, performing position location on the second device according to a second location message sent by the second device, and obtaining a second position of the second device relative to the first device;
and when the second position of the second device relative to the first device is positioned in the second designated area, the position authentication about the second designated area is successful.
4. The method of claim 3, wherein the first device generating a second authentication message for initiating location authentication with respect to the second designated area comprises:
the first device determines a moving angle of the second device to the second designated area according to the distance between the first device and the second device;
and generating the second authentication message according to the determined movement angle.
5. The method of claim 1 or 2, wherein said performing orientation authentication with respect to the second designated area comprises:
when the position authentication about the first designated area is successful, the second device generates a third authentication message for starting the position authentication about the second designated area, outputs the third authentication message, and prompts the user to move the first device to the second designated area through the output of the third authentication message;
based on an antenna array deployed in the second device, performing position location on the first device according to a third positioning message sent by the first device, and obtaining a position of the first device relative to the second device;
and when the position of the first device relative to the second device is positioned in the second designated area, the azimuth authentication about the second designated area is successful.
6. The method of claim 1, wherein the obtaining the position of the second device relative to the first device by performing position location on the second device according to a first positioning message sent by the second device based on an antenna array deployed in the first device comprises:
extracting a tone extension field from a first positioning message sent by the second device, and determining that the first device receives a radio frequency signal of the second device through the antenna array through the tone extension field;
calculating an angle of arrival of radio frequency signals of the second device, the angle of arrival being indicative of a location of the second device relative to the first device.
7. The method of claim 1, wherein the method further comprises:
starting a time counter when the position of the second equipment is positioned;
and when the time value of the time counter is not less than a specified time threshold value and the second device does not move to the first specified area, restarting the device authentication.
8. The method of claim 1, wherein the method further comprises:
performing a key exchange between the first device and the second device;
and establishing an encryption link between the first device and the second device according to the exchanged key, and realizing message transmission between the first device and the second device through the established encryption link.
9. The method of claim 1, wherein the method further comprises:
and when the authentication is successful, generating an authentication success message and outputting the authentication success message, wherein the authentication success message is used for prompting the user that the azimuth authentication is successful or the equipment authentication is successful.
10. An apparatus for authenticating a device, comprising:
the message output module is used for generating a first authentication message for starting equipment authentication by the first equipment, outputting the first authentication message and prompting a user to move the second equipment to a first designated area through the output of the first authentication message;
a position location module, configured to perform position location on the second device according to a first positioning message sent by the second device based on an antenna array deployed in the first device, and obtain a first position of the second device relative to the first device;
a position authentication module, configured to, when the first position of the second device relative to the first device lies within the first designated area and the orientation authentication with respect to the first designated area is therefore successful, perform orientation authentication with respect to a second designated area for the device movement performed again by the user;
and a device authentication module, configured to determine that the device authentication is successful if the orientation authentication with respect to the second designated area is successful.
11. An apparatus, comprising:
a processor; and
a memory having stored thereon computer readable instructions which, when executed by the processor, implement the device authentication method of any one of claims 1 to 9.
12. A storage medium having stored thereon a computer program, characterized in that the computer program, when executed by a processor, implements a device authentication method according to any one of claims 1 to 9.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010098368.1A CN113286305B (en) | 2020-02-18 | 2020-02-18 | Equipment authentication method, device, equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113286305A CN113286305A (en) | 2021-08-20 |
CN113286305B true CN113286305B (en) | 2023-02-24 |
Family
ID=77274850
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010098368.1A Active CN113286305B (en) | 2020-02-18 | 2020-02-18 | Equipment authentication method, device, equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113286305B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101114901A (en) * | 2006-07-26 | 2008-01-30 | Lenovo (Beijing) Co., Ltd. | Safety authentication system, apparatus and method for non-contact type wireless data transmission |
CN101960463A (en) * | 2008-03-04 | 2011-01-26 | Sharp Corporation | Authentication method and input device |
CN102111204A (en) * | 2009-12-29 | 2011-06-29 | ZTE Corporation | Method and system for reporting terminal space angle of arrival |
DE102015121384A1 (en) * | 2015-12-08 | 2017-06-08 | Schneider Electric Industries Sas | Method and device for high-precision positioning of a mobile device and method for localization or positioning of fixed devices |
- 2020-02-18: CN202010098368.1A filed, granted as CN113286305B (active)
Non-Patent Citations (1)
Title |
---|
A location-based anonymous continuous authentication model; Luo Yunfeng et al.; Computer & Digital Engineering; 2015-09-20 (No. 09); pp. 1640-1643 * |
Also Published As
Publication number | Publication date |
---|---|
CN113286305A (en) | 2021-08-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Zhang et al. | Proximity based IoT device authentication | |
US10785040B2 (en) | Secure communications | |
US8285994B2 (en) | Two-way authentication between two communication endpoints using a one-way out-of-band (OOB) channel | |
KR102062162B1 (en) | Security authentication method, configuration method and related devices | |
EP2272271B1 (en) | Method and system for mutual authentication of nodes in a wireless communication network | |
EP3308519B1 (en) | System, apparatus and method for transferring ownership of a device from manufacturer to user using an embedded resource | |
CN113099443B (en) | Equipment authentication method, device, equipment and system | |
US20160360407A1 (en) | Distributed configurator entity | |
CN110678770A (en) | Location information verification | |
KR101762013B1 (en) | Method for registering device and setting secret key using two factor communacation channel | |
EP4068675A1 (en) | Method and device for certificate application | |
US20220369103A1 (en) | Method and apparatus for performing uwb secure ranging | |
CN114449512A (en) | Vehicle-end secure communication method and device | |
CN110740109A (en) | Network device, method for security, and computer-readable storage medium | |
CN113286305B (en) | Equipment authentication method, device, equipment and storage medium | |
CN115868189A (en) | Method, vehicle, terminal and system for establishing vehicle safety communication | |
JP2023527408A (en) | Verification method and device | |
US20230345245A1 (en) | Methods, devices and systems for automatically adding devices to network using wireless positioning techniques | |
CN115801388B (en) | Message transmission method, device and storage medium | |
CN115767541A (en) | Method for establishing wireless connection, electronic device, program product and storage medium | |
CN115767529A (en) | Method for establishing wireless connection, electronic device, program product and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||