CN118632248A - Device authentication method, device, electronic device, storage medium and program product - Google Patents
- Publication number
- CN118632248A
- Authority
- CN
- China
- Prior art keywords
- signature
- key
- target
- public key
- identification
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/041—Key generation or derivation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/60—Context-dependent security
- H04W12/69—Identity-dependent
- H04W12/79—Radio fingerprint
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Collating Specific Patterns (AREA)
Description
Technical Field
The present application relates to the field of communication technology, and in particular to a device authentication method, apparatus, electronic device, storage medium and program product.
Background Art
Currently, when authenticating the identity of a terminal device, the identity can be verified by comparing the identity information sent by the terminal device (e.g., a media access control (MAC) address) with the identity information recorded when the terminal device was registered.
However, when the identity of a terminal device is authenticated by comparing its identity information, that identity information can easily be forged, resulting in low accuracy of terminal device authentication.
Summary of the Invention
The present application provides a device authentication method, apparatus, electronic device, storage medium and program product. They address the technical problem that, when the identity of a terminal device is authenticated by comparing its identity information, the identity information can easily be forged, resulting in low accuracy of terminal device authentication; the accuracy of device authentication is thereby improved.
To achieve the above purpose, the present application adopts the following technical solutions:
In a first aspect, a device authentication method is provided. The method includes: obtaining an identifier of a terminal device, the identifier including a fingerprint feature value of the terminal device; generating a target signature private key based on the identifier, the target signature private key corresponding to a target signature public key; generating a target digital signature based on the target signature private key, the target digital signature being used to authenticate the identity of the terminal device; and sending the identifier and the target digital signature to an identity authentication device, so that the identity authentication device generates the target signature public key based on the identifier and verifies the target digital signature based on the target signature public key.
In a possible implementation, generating the target signature private key based on the identifier includes: generating a first signature private key and a first signature public key based on the identifier; sending the identifier and the first signature public key to a key management device, the key management device being used to generate a second signature public key based on the first signature public key and to generate a second signature private key based on the identifier and the second signature public key; receiving the second signature public key and the second signature private key sent by the key management device; and generating the target signature private key based on the first signature private key and the second signature private key.
In a possible implementation, generating a key corresponding to a device group based on the channel measurement value sent by each device and multiple device fingerprints includes: determining a first baseline value based on the channel measurement value sent by each device, the first baseline value characterizing the difference between the channel measurement values sent by the devices; and, when the first baseline value is less than a preset value, generating the key corresponding to the device group based on the first baseline value and the multiple device fingerprints.
In a possible implementation, sending the identifier and the target digital signature to the identity authentication device includes: sending the identifier, the target digital signature and the second signature public key to the identity authentication device, the identity authentication device being used to authenticate the identity of the terminal device based on the identifier, the target digital signature and the second signature public key.
In a second aspect, a device authentication method is provided. The method includes: receiving an identifier of a terminal device and a target digital signature sent by the terminal device, where the target digital signature is generated based on a signature private key, the target signature private key is generated based on the identifier, the identifier includes a fingerprint feature value of the terminal device, and the target signature private key corresponds to a target signature public key; generating the target signature public key based on the identifier; verifying the target digital signature based on the target signature public key; and, when the target digital signature passes verification, determining that the identity authentication of the terminal device has passed.
In a possible implementation, receiving the identifier of the terminal device and the target digital signature sent by the terminal device includes: receiving the identifier, the target digital signature and a second signature public key sent by the terminal device, the second signature public key being generated based on the identifier. Generating the target signature public key based on the identifier includes: generating the target signature public key based on the identifier, the second signature public key, a random number and the public key of a key management device.
In a third aspect, a device authentication method is provided. The method includes: receiving an identifier of a terminal device and a first signature public key sent by the terminal device, the identifier including a fingerprint feature value of the terminal device and the first signature public key being generated based on the identifier; generating a second signature public key based on the first signature public key; generating a second signature private key based on the identifier and the second signature public key; and sending the second signature public key and the second signature private key to the terminal device, the terminal device being used to perform identity authentication based on the second signature public key and the second signature private key.
In a possible implementation, generating the second signature public key based on the first signature public key includes: generating the second signature public key based on the first signature public key and a random number. Generating the second signature private key based on the identifier and the second signature public key includes: generating the second signature private key based on the identifier, the first signature public key, the random number and the private key of the key management device.
In a fourth aspect, a device authentication apparatus is provided, including a transmission unit and a processing unit. The transmission unit is used to obtain an identifier of a terminal device, the identifier including a fingerprint feature value of the terminal device. The processing unit is used to generate a target signature private key based on the identifier, the target signature private key corresponding to a target signature public key. The processing unit is further used to generate a target digital signature based on the target signature private key, the target digital signature being used to authenticate the identity of the terminal device. The transmission unit is further used to send the identifier and the target digital signature to an identity authentication device, so that the identity authentication device generates the target signature public key based on the identifier and verifies the target digital signature based on the target signature public key.
In a possible implementation, the processing unit is further used to generate a first signature private key and a first signature public key based on the identifier; the transmission unit is further used to send the identifier and the first signature public key to a key management device, the key management device being used to generate a second signature public key based on the first signature public key and to generate a second signature private key based on the identifier and the second signature public key; the transmission unit is further used to receive the second signature public key and the second signature private key sent by the key management device; and the processing unit is further used to generate the target signature private key based on the first signature private key and the second signature private key.
In a possible implementation, the transmission unit is further used to send the identifier, the target digital signature and the second signature public key to the identity authentication device; the identity authentication device is used to authenticate the identity of the terminal device based on the identifier, the target digital signature and the second signature public key.
In a fifth aspect, a device authentication apparatus is provided, including a transmission unit and a processing unit. The transmission unit is used to receive an identifier of a terminal device and a target digital signature sent by the terminal device, where the target digital signature is generated based on a signature private key, the target signature private key is generated based on the identifier, the identifier includes a fingerprint feature value of the terminal device, and the target signature private key corresponds to a target signature public key. The processing unit is used to generate the target signature public key based on the identifier. The processing unit is further used to verify the target digital signature based on the target signature public key, and to determine that the identity authentication of the terminal device has passed when the target digital signature passes verification.
In a possible implementation, the transmission unit is further used to receive the identifier, the target digital signature and a second signature public key sent by the terminal device, the second signature public key being generated based on the identifier; the processing unit is further used to generate the target signature public key based on the identifier, the second signature public key, a random number and the public key of a key management device.
In a sixth aspect, a device authentication apparatus is provided, including a transmission unit and a processing unit. The transmission unit is used to receive an identifier of a terminal device and a first signature public key sent by the terminal device, the identifier including a fingerprint feature value of the terminal device and the first signature public key being generated based on the identifier. The processing unit is used to generate a second signature public key based on the first signature public key, and is further used to generate a second signature private key based on the identifier and the second signature public key. The transmission unit is further used to send the second signature public key and the second signature private key to the terminal device, the terminal device being used to perform identity authentication based on the second signature public key and the second signature private key.
In a possible implementation, the processing unit is further used to generate the second signature public key based on the first signature public key and a random number; the processing unit is further used to generate the second signature private key based on the identifier, the first signature public key, the random number and the private key of the key management device.
In a seventh aspect, an electronic device is provided, including a processor and a memory. The memory is used to store one or more programs, and the one or more programs include computer-executable instructions. When the electronic device is running, the processor executes the computer-executable instructions stored in the memory, so that the electronic device performs the method of the first aspect, the method of the second aspect, or the method of the third aspect.
In an eighth aspect, a computer-readable storage medium storing one or more programs is provided. The one or more programs include instructions which, when executed by a computer, cause the computer to perform the method of the first aspect, the method of the second aspect, or the method of the third aspect.
In a ninth aspect, a computer program product is provided. When the computer instructions run on an electronic device, the electronic device performs the method of the first aspect, the method of the second aspect, or the method of the third aspect.
The present application provides a device authentication method, apparatus, electronic device, storage medium and program product, applied in device authentication scenarios. When the identity of a terminal device needs to be authenticated, the terminal device can obtain its identifier, which includes the fingerprint feature value of the terminal device, generate a target signature private key based on the identifier, generate a target digital signature based on the target signature private key, and send the identifier and the target digital signature to the identity authentication device, so that the identity authentication device generates the target signature public key based on the identifier and verifies the target digital signature based on the target signature public key. That is, an identifier generated from the fingerprint feature value of a terminal device can normally identify that terminal device uniquely, so signing with a signature private key generated from the identifier, in order to verify the identity of the terminal device, uses the digital signature to authenticate the terminal device accurately while further improving the accuracy of identity authentication.
Through the above method, the identity of the terminal device can be authenticated based on the identifier and the digital signature of the terminal device. This solves the technical problem that, when the identity of a terminal device is authenticated by comparing its identity information, the identity information can easily be forged, resulting in low accuracy of terminal device authentication, and it improves the accuracy of device authentication.
Brief Description of the Drawings
FIG. 1 is a schematic structural diagram of a device authentication system provided in an embodiment of the present application;
FIG. 2 is a first flow chart of a device authentication method provided in an embodiment of the present application;
FIG. 3 is a schematic diagram of key generation and use provided in an embodiment of the present application;
FIG. 4 is a second flow chart of a device authentication method provided in an embodiment of the present application;
FIG. 5 is a third flow chart of a device authentication method provided in an embodiment of the present application;
FIG. 6 is a fourth flow chart of a device authentication method provided in an embodiment of the present application;
FIG. 7 is a fifth flow chart of a device authentication method provided in an embodiment of the present application;
FIG. 8 is a sixth flow chart of a device authentication method provided in an embodiment of the present application;
FIG. 9 is a seventh flow chart of a device authentication method provided in an embodiment of the present application;
FIG. 10 is a schematic diagram of a PUF-based certificateless identity-based cryptography application framework provided in an embodiment of the present application;
FIG. 11 is a schematic diagram of terminal-device-based identity authentication provided in an embodiment of the present application;
FIG. 12 is a first schematic structural diagram of a device authentication apparatus provided in an embodiment of the present application;
FIG. 13 is a second schematic structural diagram of a device authentication apparatus provided in an embodiment of the present application;
FIG. 14 is a third schematic structural diagram of a device authentication apparatus provided in an embodiment of the present application;
FIG. 15 is a schematic structural diagram of an electronic device provided in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application are described below with reference to the drawings in the embodiments of the present application.
In the description of the present application, unless otherwise specified, "/" means "or"; for example, A/B can mean A or B. "And/or" herein merely describes an association between associated objects and indicates that three relationships can exist; for example, A and/or B can mean: A alone, both A and B, or B alone. In addition, "at least one" and "multiple" refer to two or more. Words such as "first" and "second" do not limit quantity or execution order, and do not require the items they label to be different.
A physical unclonable function (PUF) (i.e., the fingerprint feature value in the present application) uses the randomly distributed, non-reproducible, unclonable physical characteristics that arise from slight process variations during manufacture of the terminal device's chip to give each chip a chip fingerprint, which serves as a root of trust for chip identity authentication and data encryption and makes the chip more secure. Keys generated from a PUF therefore have the advantages of low cost, volatility, unpredictability and simple structure.
Currently, in the broader Internet of Things field, and especially for "three-low" terminal devices (low power consumption, low storage, low computing power), building strong public-key identity capabilities has weak technical feasibility, and the identity of such terminal devices cannot be authenticated accurately. A method that can accurately authenticate the unique identity of a terminal device is therefore urgently needed.
The present application provides a device authentication method. When the identity of a terminal device needs to be authenticated, the terminal device can obtain its identifier, generated based on the fingerprint feature value of the terminal device and/or the integrated circuit card identification code, generate a target signature private key based on the identifier, generate a target digital signature based on the target signature private key, and send the identifier and the target digital signature to the identity authentication device, so that the identity authentication device authenticates the identity of the terminal device based on the identifier and the target digital signature. That is, an identifier generated from the fingerprint feature value of the terminal device and/or the integrated circuit card identification code can normally identify the terminal device uniquely, so signing with a signature private key generated from the identifier, in order to verify the identity of the terminal device, uses the digital signature to authenticate the terminal device accurately while further improving the accuracy of identity authentication.
Through the above method, the identity of the terminal device can be authenticated based on the identifier and the digital signature of the terminal device. This solves the technical problem that, when the identity of a terminal device is authenticated by comparing its identity information, the identity information can easily be forged, resulting in low accuracy of terminal device authentication, and it improves the accuracy of device authentication.
The device authentication method provided in the embodiments of the present application can be applied to a device authentication system. FIG. 1 shows a schematic structural diagram of a device authentication system. As shown in FIG. 1, the device authentication system 10 includes: a terminal device 11, a key management device (Key Generation Center, KGC) (also called a key management system) 12, and an identity authentication device (also called a secure identity authentication gateway) 13. The terminal device 11, the key management device 12 and the identity authentication device 13 may be connected by wire or wirelessly, which is not limited in the embodiments of the present invention.
The terminal device 11 is used to: generate the identifier of the terminal device based on the fingerprint feature value and/or the integrated circuit card identification code of the terminal device 11; generate a first signature private key (also called terminal private key component 1) and a first signature public key (also called terminal public key component 1) based on the identifier; send the identifier and the first signature public key to the key management device 12; receive the second signature public key and the second signature private key (also called terminal private key component 2) sent by the key management device 12; generate the target signature private key based on the first signature private key and the second signature private key; generate the target digital signature based on the target signature private key; and send the identifier and the target digital signature to the identity authentication device 13.
The key management device 12 is used to: receive the identifier of the terminal device 11 and the first signature public key sent by the terminal device 11; generate a second signature public key (also called terminal public key component 2) based on the first signature public key; generate a second signature private key based on the identifier and the first signature public key; and send the second signature public key and the second signature private key to the terminal device 11.
The identity authentication device 13 is used to: receive the identifier of the terminal device 11 and the target digital signature sent by the terminal device 11; generate the target signature public key based on the identifier; verify the target digital signature based on the target signature public key; and, when the target digital signature passes verification, determine that the identity authentication of the terminal device 11 has passed.
The terminal device 11, the key management device 12 and the identity authentication device 13 may be physical machines, for example a terminal device, an Internet of Things device or a server, or may be a server cluster composed of multiple servers.
A device authentication method provided in an embodiment of the present application is described below with reference to the drawings. As shown in FIG. 2, the device authentication method provided in the embodiment of the present application includes S201-S204:
S201. Obtain the identifier of the terminal device.
The identifier (i.e., user identification, UID) is generated based on the fingerprint feature value of the terminal device and/or the integrated circuit card identity (ICCID).
It can be understood that the terminal device may be based on the identifier of the terminal device.
Optionally, a national-cryptography secure subscriber identification module (SIM) card can be manually embedded in the terminal device. Further, the terminal device can use the SIM secure identity-based cryptography application to XOR the ICCID of the national-cryptography secure SIM card with the fingerprint feature value of the terminal device (i.e., the PUF), generating the identifier of the terminal device (i.e., the unique hardware fingerprint value of the SIM card, ID_A).
It should be noted that the national-cryptography secure SIM card can provide device identity cryptographic services for Internet of Things applications through the 7816 interface.
S202. Generate a target signature private key based on the identifier.
The target signature private key corresponds to the target signature public key.
It can be understood that the terminal device can generate the target signature private key based on the identifier.
Optionally, as shown in FIG. 3, the terminal device can use the SIM secure identity-based cryptography application to generate, based on ID_A, a first signature private key (i.e., d'_A) and a first signature public key (i.e., P'_A), and send ID_A, d'_A and P'_A to the key management device over a secure link. Further, the key management device can generate a random number (i.e., r), add P'_A and r to obtain the second signature public key (i.e., P_A), and, following the key generation algorithm, generate the second signature private key based on ID_A, P_A, r and the public key of the KGC (i.e., the KGC master key, s), that is, d''_A = f(ID_A, P_A, r, s).
Further, as shown in FIG. 3, the KGC can send P_A and d''_A to the terminal device. The terminal device can store d''_A locally in encrypted form and does not need to store P_A. Further, when the identity of the terminal device needs to be authenticated, the terminal device can decrypt d''_A locally and add d''_A and d'_A to obtain the target signature private key (i.e., d_A).
It should be noted that (d'_A, P'_A) is terminal key component 1 and (d''_A, P_A) is terminal key component 2.
S203. Generate a target digital signature based on the target signature private key.
The target digital signature is used to authenticate the identity of the terminal device.
Optionally, as shown in FIG. 3, the terminal device may digitally sign the authentication request with $d_A$ to generate the target digital signature (i.e., $k$).
S204. Send the identifier and the target digital signature to the identity authentication device, so that the identity authentication device generates the target signature public key based on the identifier and verifies the target digital signature based on the target signature public key.
Optionally, as shown in FIG. 3, the terminal device may send $ID_A$, $P_A$, $k$ and the authentication request to the identity authentication device, or $ID_A$ and $P_A$ may be sent to the identity authentication device through the KGC. The identity authentication device may authenticate the identity of the terminal device based on $ID_A$, $P_A$, $k$ and the authentication request.
For example, the authentication request may be a timestamp.
In one design, as shown in FIG. 4, in the device authentication method provided by an embodiment of the present application, step S202 above specifically includes S301-S304:
S301. Generate a first signature private key and a first signature public key based on the identifier.
Optionally, based on the identifier, the terminal device may generate the first signature private key and the first signature public key.
S302. Send the identifier and the first signature public key to the key management device.
The key management device is used to generate a second signature public key based on the first signature public key, and to generate a second signature private key based on the identifier and the second signature public key.
Optionally, the terminal device may send the identifier and the first signature public key to the key management device.
S303. Receive the second signature public key and the second signature private key sent by the key management device.
S304. Generate the target signature private key based on the first signature private key and the second signature private key.
Optionally, the terminal device may receive the second signature public key and the second signature private key sent by the key management device and, when the terminal device needs to be authenticated, generate the target signature private key based on the first signature private key and the second signature private key.
It should be noted that the first signature private key and the second signature private key are both partial private keys of the complete target signature private key, and the first signature public key and the second signature public key are both partial private keys of the complete target signature public key.
In a possible implementation, the public key and private key of the terminal device are managed by the key management device, which can safeguard the security of the terminal device's public key and private key.
In one design, as shown in FIG. 5, in the device authentication method provided by an embodiment of the present application, step S204 above specifically includes S401:
S401. Send the identifier, the target digital signature and the second signature public key to the identity authentication device.
The identity authentication device is used to authenticate the identity of the terminal device based on the identifier, the target digital signature and the second signature public key.
Optionally, the terminal device may send the identifier, the target digital signature and the second signature public key to the identity authentication device.
In a possible implementation, the identity authentication device may generate the target signature public key based on information such as the identifier and the second signature public key, and verify the target digital signature with the target signature public key in order to verify the identity of the terminal device. Generating the target signature public key in real time can safeguard the security of the key.
As shown in FIG. 6, a device authentication method provided by an embodiment of the present application includes S501-S504:
S501. Receive the identifier of the terminal device and the target digital signature sent by the terminal device.
The target digital signature is generated based on the signature private key; the target signature private key is generated based on the identifier; the identifier is generated based on the fingerprint feature value of the terminal device and/or the integrated circuit card identity; the target signature private key corresponds to the target signature public key.
Optionally, the identity authentication device may receive $ID_A$, $P_A$, $k$ and the authentication request sent by the terminal device.
S502. Generate the target signature public key based on the identifier.
Optionally, as shown in FIG. 3, the identity authentication device may obtain the public key of the KGC (i.e., $P_{PUB}$) and, according to the key generation algorithm, calculate the target public key signature based on $ID_A$, $P_A$, $k$ and $P_{PUB}$, that is, $Q_A = g(ID_A, P_A, k, P_{PUB})$.
S503. Verify the target digital signature based on the target signature public key.
Optionally, the identity authentication device may verify the target digital signature based on $Q_A$. Further, the identity authentication device may obtain, based on $Q_A$, the authentication request corresponding to the target digital signature. If the authentication request obtained based on $Q_A$ is consistent with the authentication request sent by the terminal device, the identity authentication device may determine that verification of the target digital signature has passed. If the authentication request obtained based on $Q_A$ is inconsistent with the authentication request sent by the terminal device, the identity authentication device may determine that verification of the target digital signature has failed.
S504. If verification of the target digital signature passes, determine that the identity authentication of the terminal device passes.
Optionally, if verification of the target digital signature passes, the identity authentication device may determine that the identity authentication of the terminal device passes; if verification of the target digital signature fails, the identity authentication device may determine that the identity authentication of the terminal device fails.
In one design, as shown in FIG. 7, in the device authentication method provided by an embodiment of the present application, step S501 above specifically includes S601, and step S502 above specifically includes S602:
S601. Receive the identifier, the target digital signature and the second signature public key sent by the terminal device.
The second signature public key is generated based on the identifier.
S602. Generate the target signature public key based on the identifier, the second signature public key, the random number and the public key of the key management device.
Optionally, the identity authentication device may receive the identifier, the target digital signature and the second signature public key sent by the terminal device. Further, the identity authentication device may generate the target signature public key based on the identifier, the second signature public key, the random number and the public key of the key management device.
In a possible implementation, generating the signature public key from the random number and the public key of the key management device can improve the security of the signature public key.
As shown in FIG. 8, a device authentication method provided by an embodiment of the present application includes S701-S704:
S701. Receive the identifier of the terminal device and the first signature public key sent by the terminal device.
The identifier is generated based on the fingerprint feature value of the terminal device and/or the integrated circuit card identity, and the first signature public key is generated based on the identifier.
Optionally, the KGC may receive $ID_A$ and $P'_A$ sent by the terminal device.
S702. Generate the second signature public key based on the first signature public key.
Optionally, the KGC may randomly generate $r$ and add $P'_A$ and $r$ to obtain $P_A$.
S703. Generate the second signature private key based on the identifier and the second signature public key.
Optionally, the KGC may, according to the key generation algorithm, generate the second signature private key based on $ID_A$, $P_A$, $r$ and $s$, that is, $d''_A = f(ID_A, P_A, r, s)$.
S704. Send the second signature public key and the second signature private key to the terminal device.
The terminal device is used to perform identity authentication based on the second signature public key and the second signature private key.
Optionally, the KGC may send the second signature public key and the second signature private key to the terminal device.
In one design, as shown in FIG. 9, in the device authentication method provided by an embodiment of the present application, step S702 above specifically includes S801, and step S703 above specifically includes S802:
S801. Generate the second signature public key based on the first signature public key and a random number.
S802. Generate the second signature private key based on the identifier, the first signature public key, the random number and the private key of the key management device.
Optionally, the KGC may generate the second signature public key based on the first signature public key and the random number. Further, the KGC may generate the second signature private key based on the identifier, the first signature public key, the random number and the private key of the key management device.
In a possible implementation, generating the signature private key from the random number and the private key of the key management device can improve the security of the signature private key.
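The following Python example, added here and not taken from the patent, runs the key split of S301-S304 and S701-S703, the public-key reconstruction of S502 and the signature check of S503 on the SM2 recommended curve, and shows that a signature stops verifying when the same $P_A$ is presented with an identifier from a different chip. The patent leaves $f$ and $g$ unspecified, so the forms $d''_A = r + H(ID_A, P_A)\cdot s \bmod n$ and $Q_A = P_A + H(ID_A, P_A)\cdot P_{PUB}$ are assumptions of this example, as are reading "add $P'_A$ and $r$" as $P'_A + r\cdot G$, generating $d'_A$ at random, using SHA-256 in place of SM3, omitting SM2's $Z_A$ value, requiring equal-length ICCID and PUF inputs, and all function names and sample values.

```python
import hashlib
import secrets

# SM2 recommended curve (sm2p256v1): base point G of prime order N over GF(P).
P = 2**256 - 2**224 - 2**96 + 2**64 - 1
A = P - 3
N = int("FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123", 16)
G = (int("32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7", 16),
     int("BC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0", 16))

def add(p1, p2):
    """Affine point addition; None is the point at infinity. Not constant-time."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def h(*parts):
    """Hash length-prefixed byte strings to a scalar (SHA-256 stands in for SM3)."""
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def bind(id_a, p_a):
    """H(ID_A, P_A): the scalar that ties the key pair to the identifier."""
    return h(id_a, p_a[0].to_bytes(32, "big"), p_a[1].to_bytes(32, "big"))

def device_id(iccid, puf):
    """S201: ID_A = ICCID xor PUF value (equal lengths assumed)."""
    if len(iccid) != len(puf):
        raise ValueError("ICCID and PUF value must have equal length")
    return bytes(a ^ b for a, b in zip(iccid, puf))

def kgc_issue(s, id_a, p1):
    """S701-S703: the KGC picks r and returns (P_A, d''_A)."""
    r = secrets.randbelow(N - 1) + 1
    p_a = add(p1, mul(r, G))                   # P_A = P'_A + r*G (assumed reading)
    return p_a, (r + bind(id_a, p_a) * s) % N  # assumed f(ID_A, P_A, r, s)

def derive_public(id_a, p_a, p_pub):
    """S502: assumed g, Q_A = P_A + H(ID_A, P_A) * P_PUB."""
    return add(p_a, mul(bind(id_a, p_a), p_pub))

def combine(d1, d2, id_a, p_a, p_pub):
    """S304: d_A = d'_A + d''_A, rejected unless d_A*G equals Q_A."""
    d_a = (d1 + d2) % N
    if mul(d_a, G) != derive_public(id_a, p_a, p_pub):
        raise ValueError("partial key from KGC does not match ID_A and P_A")
    return d_a

def sign(d_a, msg):
    """S203: SM2-style signature; SM2's Z_A user hash is omitted."""
    e = h(msg)
    while True:
        nonce = secrets.randbelow(N - 1) + 1
        sig_r = (e + mul(nonce, G)[0]) % N
        sig_s = pow(1 + d_a, -1, N) * (nonce - sig_r * d_a) % N
        if sig_r and sig_s and sig_r + nonce != N:
            return sig_r, sig_s

def verify(q_a, msg, sig):
    """S503: SM2-style verification against the reconstructed Q_A."""
    sig_r, sig_s = sig
    t = (sig_r + sig_s) % N
    if not (0 < sig_r < N and 0 < sig_s < N) or t == 0 or q_a is None:
        return False
    pt = add(mul(sig_s, G), mul(t, q_a))
    return pt is not None and (h(msg) + pt[0]) % N == sig_r

def run_demo():
    iccid = b"8986" + b"0" * 15 + b"1"       # constructed 20-digit ICCID
    puf = bytes(range(0x40, 0x54))           # constructed 20-byte PUF value
    id_a = device_id(iccid, puf)
    s, d1 = (secrets.randbelow(N - 1) + 1 for _ in range(2))
    p_pub, p1 = mul(s, G), mul(d1, G)        # KGC public key; S301 on the device
    p_a, d2 = kgc_issue(s, id_a, p1)         # S302/S303: only ID_A and P'_A are sent
    d_a = combine(d1, d2, id_a, p_a, p_pub)  # S304
    request = b"1718000000"                  # constructed timestamp (authentication request)
    sig = sign(d_a, request)
    ok = verify(derive_public(id_a, p_a, p_pub), request, sig)
    clone_id = device_id(iccid, bytes(20))   # same SIM, different chip fingerprint
    clone_ok = verify(derive_public(clone_id, p_a, p_pub), request, sig)
    return ok, clone_ok
```

`run_demo()` returns `(True, False)`: the verifier needs only $ID_A$, $P_A$ and $P_{PUB}$ to rebuild $Q_A$, and any change to the identifier yields a different $Q_A$ under which the signature is rejected.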
In a possible implementation, as shown in FIG. 10, an IoT pan-terminal (i.e., the terminal device) may include a Guomi (national cryptographic standard) secure SIM card and an IoT security module. The Guomi secure SIM card includes the SIM security identification cryptographic application. The IoT pan-terminal may obtain, through the SIM security identification cryptographic application, the ICCID and the unique feature value of the Guomi security chip (i.e., the PUF), and XOR the ICCID with the PUF to generate the SIM unique hardware fingerprint value. The SIM unique hardware fingerprint value serves as the device identification number in the certificateless identification key system (i.e., the certificateless identification cryptographic service platform) and is used to generate the corresponding SM2 public-private key pair (i.e., the target signature public key and the target signature private key in this application); the SM2 key pair is used to protect service instructions (i.e., authentication requests) by signing them. The certificateless identification cryptographic service platform verifies the signed data (i.e., the target digital signature in this application) to achieve two-way identity authentication.
Afterwards, the SIM security identification cryptographic application may send attention (AT) commands to the IoT security module and, based on the identifier, carry out service interactions such as key application and key computation with the certificateless identification cryptographic service platform (including the KGC and the IoT cryptographic application service system) through the IoT security module.
The KGC may include a key registration system (KRS), a key service system (KSS), a key distribution system (KDS) and a key generation system (KGS).
In a possible implementation, as shown in FIG. 11, the terminal device may first generate $ID_A$ based on the ICCID and the PUF and send $ID_A$ to the digital security identity authentication platform (which includes an identity management module, a terminal authority management module and the certificateless identification cryptographic service platform). The digital security identity authentication platform registers $ID_A$, configures the terminal authentication policy and the authority control policy, and issues the terminal authentication policy and the authority control policy to the security identity authentication gateway (i.e., the identity authentication device).
Further, the terminal device may generate the first signature private key and the first signature public key, and send $ID_A$, the first signature private key and the first signature public key to the digital security identity authentication platform. Further, the second signature private key and the second signature public key are generated by the digital security identity authentication platform. The terminal device may receive the second signature private key and the second signature public key and, when its identity is to be authenticated, generate the target signature private key based on the first signature private key and the second signature private key.
The terminal device may generate the target digital signature of the authentication request with the target signature private key, and send $ID_A$, the second signature public key, the authentication request and the target digital signature to the digital security identity authentication platform. Further, the digital security identity authentication platform and the security identity authentication gateway synchronize their policies. The security identity authentication gateway may generate the target signature public key based on $ID_A$, the second signature public key, the random number and the public key of the KGC, verify the target digital signature based on the target signature public key, and determine that the identity authentication of the terminal device passes when verification of the target digital signature passes. Further, when its identity authentication passes, the terminal device may access the IoT master station platform through the security identity authentication gateway.
It should be noted that the security identity authentication gateway may also apply for a key from the digital security identity authentication platform in the same way as the terminal device, and use that key for two-way identity authentication with the terminal device.
The present application provides a device authentication method that uses the ICCID of the SIM card as the unique device identifier in a certificateless elliptic curve algorithm (SM2) identification key generation system and combines it with the fingerprint feature value of the PUF chip hardware to generate the actual public key identifier of the device identity. This forms a security mechanism for hardware anti-counterfeiting of IoT terminals, establishes a chip-level public key identification cryptographic security system and a strong secure identity capability for IoT terminals, realizes a cryptographic capability bound to a unique identity, and provides precise secure identity capability.
The above mainly introduces the solution provided by the embodiments of the present application from the perspective of the method. To realize the above functions, it includes hardware structures and/or software modules corresponding to each function. Those skilled in the art will readily appreciate that, in combination with the units and algorithm steps of the examples described in the embodiments disclosed herein, the embodiments of the present application can be implemented in hardware or in a combination of hardware and computer software. Whether a function is executed by hardware or by computer software driving hardware depends on the specific application and design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each specific application, but such implementations should not be considered to go beyond the scope of the present application.
In the embodiments of the present application, a device authentication apparatus may be divided into functional modules according to the above method examples. For example, each functional module may correspond to one function, or two or more functions may be integrated into one processing module. The integrated module may be implemented in hardware or as a software functional module. Optionally, the division of modules in the embodiments of the present application is schematic and is only a division by logical function; other divisions are possible in actual implementation.
FIG. 12 is a schematic structural diagram of a device authentication apparatus provided by an embodiment of the present application. As shown in FIG. 12, a device authentication apparatus 100 is used to improve the accuracy of terminal device authentication, for example to execute the device authentication method shown in FIG. 2. The device authentication apparatus 100 includes a transmission unit 1001 and a processing unit 1002.
The transmission unit 1001 is used to obtain the identifier of the terminal device, where the identifier includes the fingerprint feature value of the terminal device.
The processing unit 1002 is used to generate the target signature private key based on the identifier; the target signature private key corresponds to the target signature public key. The processing unit 1002 is further used to generate the target digital signature based on the target signature private key; the target digital signature is used to authenticate the identity of the terminal device.
The transmission unit 1001 is further used to send the identifier and the target digital signature to the identity authentication device, so that the identity authentication device generates the target signature public key based on the identifier and verifies the target digital signature based on the target signature public key.
In a possible implementation, the processing unit 1002 is further used to generate the first signature private key and the first signature public key based on the identifier; the transmission unit 1001 is further used to send the identifier and the first signature public key to the key management device; the key management device is used to generate the second signature public key based on the first signature public key, and to generate the second signature private key based on the identifier and the second signature public key; the transmission unit 1001 is further used to receive the second signature public key and the second signature private key sent by the key management device; the processing unit 1002 is further used to generate the target signature private key based on the first signature private key and the second signature private key.
In a possible implementation, the transmission unit 1001 is further used to send the identifier, the target digital signature and the second signature public key to the identity authentication device; the identity authentication device is used to authenticate the identity of the terminal device based on the identifier, the target digital signature and the second signature public key.
FIG. 13 is a schematic structural diagram of a device authentication apparatus provided by an embodiment of the present application. As shown in FIG. 13, a device authentication apparatus 110 is used to improve the accuracy of terminal device authentication, for example to execute the device authentication method shown in FIG. 6. The device authentication apparatus 110 includes a transmission unit 1101 and a processing unit 1102.
The transmission unit 1101 is used to receive the identifier of the terminal device and the target digital signature sent by the terminal device; the target digital signature is generated based on the signature private key; the target signature private key is generated based on the identifier; the identifier includes the fingerprint feature value of the terminal device; the target signature private key corresponds to the target signature public key.
The processing unit 1102 is used to generate the target signature public key based on the identifier.
The processing unit 1102 is further used to verify the target digital signature based on the target signature public key.
The processing unit 1102 is further used to determine, when verification of the target digital signature passes, that the identity authentication of the terminal device passes.
In a possible implementation, the transmission unit 1101 is further used to receive the identifier, the target digital signature and the second signature public key sent by the terminal device, where the second signature public key is generated based on the identifier; the processing unit 1102 is further used to generate the target signature public key based on the identifier, the second signature public key, the random number and the public key of the key management device.
FIG. 14 is a schematic structural diagram of a device authentication apparatus provided by an embodiment of the present application. As shown in FIG. 14, a device authentication apparatus 120 is used to improve the accuracy of terminal device authentication, for example to execute the device authentication method shown in FIG. 8. The device authentication apparatus 120 includes a transmission unit 1201 and a processing unit 1202.
The transmission unit 1201 is used to receive the identifier of the terminal device and the first signature public key sent by the terminal device, where the identifier includes the fingerprint feature value of the terminal device and the first signature public key is generated based on the identifier; the processing unit 1202 is used to generate the second signature public key based on the first signature public key.
The processing unit 1202 is further used to generate the second signature private key based on the identifier and the second signature public key.
The transmission unit 1201 is further used to send the second signature public key and the second signature private key to the terminal device; the terminal device is used to perform identity authentication based on the second signature public key and the second signature private key.
In a possible implementation, the processing unit 1202 is further used to generate the second signature public key based on the first signature public key and the random number; the processing unit 1202 is further used to generate the second signature private key based on the identifier, the first signature public key, the random number and the private key of the key management device.
在采用硬件的形式实现上述集成的模块的功能的情况下,本申请实施例提供了上述实施例中所涉及的电子设备的一种可能的结构示意图。如图15所示,一种电子设备130,用于提高终端设备认证的准确度,例如用于执行图2所示的一种设备认证方法。该电子设备130包括处理器1301,存储器1302以及总线1303。处理器1301与存储器1302之间可以通过总线1303连接。In the case of implementing the functions of the above-mentioned integrated modules in the form of hardware, an embodiment of the present application provides a possible structural diagram of the electronic device involved in the above-mentioned embodiment. As shown in Figure 15, an electronic device 130 is used to improve the accuracy of terminal device authentication, for example, for executing a device authentication method shown in Figure 2. The electronic device 130 includes a processor 1301, a memory 1302 and a bus 1303. The processor 1301 and the memory 1302 can be connected via a bus 1303.
处理器1301是通信装置的控制中心,可以是一个处理器,也可以是多个处理元件的统称。例如,处理器1301可以是一个通用中央处理单元(central processing unit,CPU),也可以是其他通用处理器等。其中,通用处理器可以是微处理器或者是任何常规的处理器等。The processor 1301 is the control center of the communication device, which can be a processor or a general term for multiple processing elements. For example, the processor 1301 can be a general-purpose central processing unit (CPU) or other general-purpose processors. Among them, the general-purpose processor can be a microprocessor or any conventional processor.
作为一种实施例,处理器1301可以包括一个或多个CPU,例如图15中所示的CPU 0和CPU 1。As an embodiment, the processor 1301 may include one or more CPUs, such as CPU 0 and CPU 1 shown in FIG. 15 .
The memory 1302 may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these.
As a possible implementation, the memory 1302 may exist independently of the processor 1301 and be connected to the processor 1301 via the bus 1303, to store instructions or program code. When the processor 1301 calls and executes the instructions or program code stored in the memory 1302, the device authentication method provided in the embodiments of the present application can be implemented.
In another possible implementation, the memory 1302 may also be integrated with the processor 1301.
The bus 1303 may be an industry standard architecture (ISA) bus, a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in FIG. 15, but this does not mean that there is only one bus or one type of bus.
It should be noted that the structure shown in FIG. 15 does not constitute a limitation on the electronic device 130. In addition to the components shown in FIG. 15, the electronic device 130 may include more or fewer components than shown, combine certain components, or arrange the components differently.
As an example, with reference to FIG. 12, the functions implemented by the transmission unit 1001 and the processing unit 1002 in the device authentication apparatus 100 are the same as the functions of the processor 1301 in FIG. 15. With reference to FIG. 13, the functions implemented by the transmission unit 1101 and the processing unit 1102 in the device authentication apparatus 110 are the same as the functions of the processor 1301 in FIG. 15. With reference to FIG. 14, the functions implemented by the transmission unit 1201 and the processing unit 1202 in the device authentication apparatus 120 are the same as the functions of the processor 1301 in FIG. 15.
Optionally, as shown in FIG. 15, the electronic device 130 provided in the embodiments of the present application may further include a communication interface 1304.
The communication interface 1304 is used to connect with other devices through a communication network. The communication network may be Ethernet, a radio access network, a wireless local area network (WLAN), or the like. The communication interface 1304 may include a receiving unit for receiving data and a sending unit for sending data.
In one design, in the electronic device provided in the embodiments of the present application, the communication interface may also be integrated into the processor.
From the description of the above implementations, those skilled in the art can clearly understand that, for convenience and brevity of description, only the above division into functional units is used as an example. In practical applications, the above functions may be assigned to different functional units as needed; that is, the internal structure of the apparatus may be divided into different functional units to complete all or part of the functions described above. For the specific working processes of the systems, apparatuses and units described above, refer to the corresponding processes in the foregoing method embodiments; they are not repeated here.
An embodiment of the present application also provides a computer-readable storage medium in which instructions are stored. When a computer executes the instructions, the computer performs each step of the method flow shown in the above method embodiments.
An embodiment of the present application provides a computer program product. When the computer instructions are run on an electronic device, the electronic device executes the device authentication method in the above method embodiments.
The computer-readable storage medium may be, for example but not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus or device, or any combination of the above. More specific examples of computer-readable storage media (a non-exhaustive list) include: an electrical connection with one or more wires, a portable computer disk, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM), a register, an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above, or any other form of computer-readable storage medium well known in the art.
An exemplary storage medium is coupled to a processor so that the processor can read information from the storage medium and write information to it. Of course, the storage medium may also be an integral part of the processor. The processor and the storage medium may be located in an application specific integrated circuit (ASIC).
In the embodiments of the present application, a computer-readable storage medium may be any tangible medium that contains or stores a program, which may be used by or in conjunction with an instruction execution system, apparatus, or device.
Since the electronic device, computer-readable storage medium, and computer program product in the embodiments of the present application can be applied to the above method, the technical effects they can achieve can also be found in the above method embodiments and are not repeated here.
The above are only specific implementations of the present application, but the protection scope of the present application is not limited thereto. Any change or substitution within the technical scope disclosed in the present application shall fall within the protection scope of the present application.
Claims (13)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410725640.2A CN118632248A (en) | 2024-06-05 | 2024-06-05 | Device authentication method, device, electronic device, storage medium and program product |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410725640.2A CN118632248A (en) | 2024-06-05 | 2024-06-05 | Device authentication method, device, electronic device, storage medium and program product |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN118632248A (en) | 2024-09-10 |
Family
ID=92607504
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202410725640.2A Pending CN118632248A (en) | 2024-06-05 | 2024-06-05 | Device authentication method, device, electronic device, storage medium and program product |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN118632248A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN120456022A (en) * | 2025-07-08 | 2025-08-08 | 军工保密资格审查认证中心 | System and method for enhancing device-card binding security by integrating radio frequency fingerprint and PUF |
- 2024
  - 2024-06-05 CN CN202410725640.2A patent/CN118632248A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109714167B (en) | Identity authentication and key agreement method and equipment suitable for mobile application signature | |
| US9246900B2 (en) | Using a single certificate request to generate credentials with multiple ECQV certificates | |
| CN110958209B (en) | Bidirectional authentication method, system and terminal based on shared secret key | |
| CN114499876B (en) | Internet of Things data storage method based on blockchain and NB-IoT chip | |
| CN115021958B (en) | A smart home identity authentication method and system integrating fog computing and blockchain | |
| CN102223420A (en) | Digital content distribution method for multimedia social network | |
| CN111241492A (en) | Product multi-tenant secure credit granting method, system and electronic equipment | |
| CN112733129B (en) | Trusted access method for server out-of-band management | |
| EP3133791B1 (en) | Double authentication system for electronically signed documents | |
| CN107347073B (en) | A kind of resource information processing method | |
| EP2673915B1 (en) | Using a single certificate request to generate credentials with multiple ecqv certificates | |
| CN111600903A (en) | Communication method, system, equipment and readable storage medium | |
| CN119005980A (en) | Block chain account generation method and system | |
| CA3217688A1 (en) | Multi-factor authentication using blockchain | |
| CN113872769A (en) | PUF-based device authentication method and device, computer device and storage medium | |
| CN118632248A (en) | Device authentication method, device, electronic device, storage medium and program product | |
| CN115276998A (en) | IoT authentication method, device and IoT device | |
| CN118432826B (en) | Group device registration and identity authentication method, system, device and storage medium | |
| CN108566274B (en) | Method, equipment and storage equipment for seamless docking between block chain authentication systems | |
| CN112055008B (en) | Identity authentication method and device, computer equipment and storage medium | |
| CN117370952A (en) | Multi-node identity verification method and device based on block chain | |
| CN115514504A (en) | Cross-confederation node authentication method, device, computer equipment and storage medium | |
| CN119232389B (en) | Method, system and computing device for trusted identification of super computing interface | |
| CN115865369B (en) | Identity authentication method and device | |
| CN115396085B (en) | Method and equipment for negotiating and authenticating based on biological characteristics and third secret key |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||