CN115277240A - Authentication method and device for Internet of things equipment - Google Patents
- Publication number
- CN115277240A (application number CN202210926720.5A)
- Authority
- CN
- China
- Prior art keywords
- server
- authentication
- mask data
- key parameter
- parameter
- Prior art date
- Legal status
- Granted
Classifications
- H04L63/0869—Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
- H04L9/0877—Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
Abstract
Description
Technical field
The present invention relates to the technical field of information security, and in particular to an authentication method and apparatus for an Internet of Things (IoT) device.
Background
In recent years, both the demand for IoT devices and the range of their applications have grown. At the same time, the security of IoT devices is receiving more and more attention. A range of invasive and non-invasive attacks currently threaten the security of IoT devices; the proliferation of devices connected to a given IoT device, together with the continuous evolution of attack software, unauthorized software and malware, has seriously undermined the security of IoT devices and their ecosystems.
Currently, IoT devices commonly use asymmetric and symmetric keys for device authentication in order to secure the device. However, the encryption and decryption operations performed in the device's software consume a large amount of resources and degrade network performance, which leads to low authentication efficiency for IoT devices.
Summary of the invention
By providing an authentication method and apparatus for an IoT device, the embodiments of the present application solve the technical problem of low authentication efficiency of IoT devices in the prior art. They realize mutual authentication between the IoT device and the server, improve the authentication efficiency of the IoT device and safeguard its security. The mutual authentication process between the IoT device and the server consumes few resources, responds quickly and uses fresh secret material on every run ("one-time pad" style), which effectively prevents physical invasive attacks, among other technical effects.
In a first aspect, an embodiment of the present invention provides an authentication method for an IoT device, applied at the device side, the method comprising:
under the condition that a connection with the server side has been established, and after receiving an authentication request from a user, obtaining a device key parameter and a device number of the device side, and sending the device key parameter and the device number to the server side, so that the server side checks the device number and generates server-side mask data from the device key parameter;
obtaining the server-side mask data and a server-side key parameter sent by the server side, and generating a server-side verification parameter for the server side from the server-side mask data;
determining, from the server-side key parameter and the server-side verification parameter, that the server side has passed authentication;
after determining that the server side has passed authentication, obtaining device-side authentication-passed information sent by the server side, and enabling the application function corresponding to the authentication request.
Preferably, after determining that the server side has passed authentication, the method further comprises:
obtaining device mask data from the server-side key parameter, and sending the device mask data to the server side so that the server side authenticates the device side from the device mask data;
after sending the device mask data to the server side, obtaining device authentication-passed information sent by the server side, and enabling the corresponding application function.
Preferably, obtaining the device key parameter of the device comprises:
obtaining a device challenge parameter, inputting the device challenge parameter into the physical unclonable function of the device side to obtain a device response parameter, and inputting the device challenge parameter into the hash function of the device side to obtain a hash result of the device challenge parameter;
obtaining the device key parameter from the device response parameter and the hash result of the device challenge parameter.
Preferably, after obtaining the device key parameter, the method further comprises:
obtaining a device verification key from the device key parameter;
and generating the server-side verification parameter for the server side from the server-side mask data comprises:
obtaining the server-side verification parameter from the server-side mask data and the device verification key.
Preferably, determining from the server-side key parameter and the server-side verification parameter that the server side has passed authentication comprises:
obtaining a first fuzzy Hamming distance from the server-side key parameter and the server-side verification parameter;
if the first fuzzy Hamming distance is not less than a first set distance threshold, determining that the server side has passed authentication, and outputting information that the device side has authenticated the server side.
Preferably, before receiving the user's authentication request, the method further comprises:
sending a registration signal to the server side;
after sending the registration signal, obtaining a challenge value set sent by the server side and a device code of the device side, and storing the challenge value set and the device code, where the device code is identical to the device number;
obtaining, for each challenge value in the challenge value set, the response value corresponding to that challenge value, and thereby a plurality of challenge-response pairs, where one challenge-response pair comprises one challenge value and the response value corresponding to it;
sending the plurality of challenge-response pairs to the server side so that the server side stores them.
Based on the same inventive concept, in a second aspect the present invention also provides an authentication apparatus for an IoT device, applied at the device side, the apparatus comprising:
an obtaining-and-sending module, configured to, under the condition that a connection with the server side has been established and after receiving an authentication request from a user, obtain the device key parameter and device number of the device side and send them to the server side, so that the server side checks the device number and generates server-side mask data from the device key parameter;
an obtaining-and-generating module, configured to obtain the server-side mask data and server-side key parameter sent by the server side, and to generate the server-side verification parameter for the server side from the server-side mask data;
an authentication module, configured to determine, from the server-side key parameter and the server-side verification parameter, that the server side has passed authentication;
a control module, configured to, after determining that the server side has passed authentication, obtain the device-side authentication-passed information sent by the server side and enable the application function corresponding to the authentication request.
Based on the same inventive concept, in a third aspect an embodiment of the present invention provides an authentication method for an IoT device, applied at the server side, the method comprising:
after establishing a connection with the device side, obtaining the server-side key parameter of the server side, and the device key parameter and device number sent by the device side;
if the device number matches the device code of the device side in the server-side database, generating server-side mask data from the device key parameter, and sending the server-side mask data and the server-side key parameter to the device side;
after sending the server-side mask data and the server-side key parameter to the device side, obtaining device mask data sent by the device side;
determining, from the device mask data, that the device side has passed authentication, and sending device-side authentication-passed information for the device side to the device side.
Preferably, determining from the device mask data that the device side has passed authentication comprises:
generating a device verification parameter for the device side from the device mask data;
obtaining a second fuzzy Hamming distance from the device verification parameter and the device key parameter;
if the second fuzzy Hamming distance is not less than a second set distance threshold, determining that the device side has passed authentication, and sending device-side authentication-passed information for the device side to the device side.
Based on the same inventive concept, in a fourth aspect the present invention also provides an authentication apparatus for an IoT device, applied at the server side, the apparatus comprising:
a first obtaining module, configured to, after establishing a connection with the device side, obtain the server-side key parameter of the server side and the device key parameter and device number sent by the device side;
a judging module, configured to, if the device number matches the device code of the device side in the server-side database, generate server-side mask data from the device key parameter and send the server-side mask data and the server-side key parameter to the device side;
a second obtaining module, configured to obtain the device mask data sent by the device side after the server-side mask data and the server-side key parameter have been sent to the device side;
a determining module, configured to determine, from the device mask data, that the device side has passed authentication, and to send device-side authentication-passed information for the device side to the device side.
One or more technical solutions in the embodiments of the present invention have at least the following technical effects or advantages:
In the embodiments of the present invention, a user's authentication request is triggered when the user uses an application function on the device side. After receiving the user's authentication request, the device side obtains its device key parameter and device number and sends them to the server side, so that the server side checks the device number and generates server-side mask data from the device key parameter. The server side thus not only checks the device number to confirm that the device side is registered with it, but also generates server-side mask data, which effectively prevents related attacks such as machine-learning attacks, replay attacks and man-in-the-middle attacks, improving authentication efficiency and safeguarding the security of the device.
Next, the device side obtains the server-side mask data and server-side key parameter sent by the server side, and generates the server-side verification parameter for the server side from the server-side mask data. It then determines from the server-side key parameter and the server-side verification parameter that the server side has passed authentication, thereby authenticating the server side to the device side, further improving authentication efficiency and safeguarding the security of the device.
Then, after determining that the server side has passed authentication, the device side obtains the device-side authentication-passed information sent by the server side. At this point the device side has authenticated the server side and the server side has authenticated the device side, i.e. the two have mutually authenticated, safeguarding the security of the device. Once mutual authentication has passed, the device side enables the application function corresponding to the authentication request so that the user can use that application function securely.
The IoT device authentication method of the embodiments of the present invention breaks the original direct mapping between challenge and response on the server side and the device side. Throughout the authentication process, every parameter or mask datum used depends on data generated by a true random number generator, and mask data is additionally applied, which greatly improves the authentication efficiency of the device side and safeguards the security of the device. Moreover, the server side achieves "one-time pad" behaviour, effectively preventing machine-learning attacks, replay attacks and man-in-the-middle attacks. The authentication process also makes use of a physical unclonable function, which prevents physical invasive attacks.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be regarded as limiting the invention. Throughout the drawings, the same reference signs denote the same components. In the drawings:
FIG. 1 is a schematic flowchart of the steps of the IoT device authentication method applied at the device side in an embodiment of the present invention;
FIG. 2 is a schematic flowchart of the IoT device authentication method between the device side and the server side in an embodiment of the present invention;
FIG. 3 is a schematic block diagram of the IoT device authentication apparatus applied at the device side in an embodiment of the present invention;
FIG. 4 is a schematic flowchart of the steps of the IoT device authentication method applied at the server side in an embodiment of the present invention;
FIG. 5 is a schematic block diagram of the IoT device authentication apparatus applied at the server side in an embodiment of the present invention.
Detailed description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited by the embodiments set forth herein. Rather, these embodiments are provided so that the present disclosure will be understood more thoroughly and its scope fully conveyed to those skilled in the art.
Embodiment 1
A first embodiment of the present invention provides an authentication method for an IoT device, applied at the device side, which, as shown in FIG. 1, comprises:
S101: under the condition that a connection with the server side has been established, and after receiving an authentication request from a user, obtaining the device key parameter and device number of the device side, and sending them to the server side, so that the server side checks the device number and generates server-side mask data from the device key parameter;
S102: obtaining the server-side mask data and server-side key parameter sent by the server side, and generating the server-side verification parameter for the server side from the server-side mask data;
S103: determining, from the server-side key parameter and the server-side verification parameter, that the server side has passed authentication;
S104: after determining that the server side has passed authentication, obtaining the device-side authentication-passed information sent by the server side, and enabling the application function corresponding to the authentication request.
The IoT device authentication method of this embodiment is applied at the device side, where the device side is an IoT device such as a mobile phone, a tablet computer, an electronic lock or another electronic product. The method is particularly suited to scenarios such as identity verification for mobile payment, access control management, anti-counterfeiting identification and authentication, and device authentication in applications of radio frequency identification (RFID), near field communication (NFC) or other communication technologies.
The specific implementation steps of the IoT device authentication method provided by this embodiment are described in detail below with reference to FIG. 1:
在执行步骤S101之前,设备端与服务端建立连接后,设备端需要向服务端进行注册。设备端向服务端发送注册信号,以使设备端进入注册阶段。在注册阶段,服务端接收到设备端发送的注册信号后,服务端通过自己的真随机数发生器(True Random NumberGenerator,TRNG),随机生成多个激励值(即激励值集)和设备端的设备代号,并向设备端发送该激励值集和设备编号。服务端在得到设备端的设备代号后,将设备代号存储在服务端的数据库中,以通过设备代号对设备端实现索引。Before step S101 is executed, after the connection between the device and the server is established, the device needs to register with the server. The device side sends a registration signal to the server side, so that the device side enters the registration phase. In the registration phase, after the server receives the registration signal sent by the device, the server uses its own True Random Number Generator (TRNG) to randomly generate multiple incentive values (that is, incentive value sets) and device code, and send the incentive value set and device number to the device. After obtaining the device code of the device, the server stores the device code in the database of the server, so as to realize indexing of the device through the device code.
还需要说明的是,服务器端通过其自身的物理不可克隆函数电路,生成n个激励模块,每个激励模块包括NC个激励值。其中,n和NC均为大于1的整数。在注册阶段,服务端接收到设备端发送的注册信号后,服务端通过自己的真随机数发生器(True Random NumberGenerator,TRNG),得到随机数u和k。u为设备端的设备代号,k为第k个激励模块的激励值,即激励值集。It should also be noted that the server generates n incentive modules through its own physical unclonable function circuit, and each incentive module includes N C incentive values. Wherein, both n and N C are integers greater than 1. In the registration phase, after the server receives the registration signal sent by the device, the server obtains random numbers u and k through its own True Random Number Generator (TRNG). u is the device code of the device, and k is the stimulus value of the kth stimulus module, that is, the stimulus value set.
设备端在发送注册信号后,获取服务端发送的激励值集和设备端的设备代号,并存储激励值集和设备代号。其中,设备端收到设备代号后,将设备代号作为设备端的设备编号,即设备代号与设备编号一致。After sending the registration signal, the device obtains the incentive value set sent by the server and the device code of the device, and stores the incentive value set and the device code. Wherein, after the device end receives the device code, it uses the device code as the device number of the device, that is, the device code is consistent with the device number.
并且,在设备端在接收到服务端发送的激励值集后,根据激励值集C中的每个激励值Ci,得到每个激励值Ci对应的响应值Ri和多个激励响应对CRP(Ci,Ri)。其中,一个激励响应对包括一个激励值和该激励值对应的响应值,i表示第i个激励值或响应值的。设备端在得到多个激励响应对后,将多个激励响应对发送至服务端。服务端在接收到多个激励响应对后,服务端存储多个激励响应对。And, after the device receives the incentive value set sent by the server, according to each incentive value C i in the incentive value set C, the response value R i corresponding to each incentive value C i and multiple stimulus-response pairs are obtained CRP(C i , R i ). Wherein, a stimulus-response pair includes a stimulus value and a response value corresponding to the stimulus value, and i represents the ith stimulus value or response value. After obtaining multiple stimulus-response pairs, the device side sends the multiple stimulus-response pairs to the server. After the server receives the multiple stimulus-response pairs, the server stores the multiple stimulus-response pairs.
如图2所示,在设备端与服务端进行认证的过程中,首先执行步骤S101,在与服务端建立连接的条件下,在接收到用户的认证请求后,获取设备端的设备密钥参数和设备编号,并将设备密钥参数和设备编号发送至服务端,以使服务端核对设备编号,并根据设备密钥参数,生成服务端掩码数据。As shown in Figure 2, in the process of authentication between the device and the server, step S101 is first executed to obtain the device key parameters and The device number, and send the device key parameter and the device number to the server, so that the server can check the device number, and generate server mask data according to the device key parameter.
Specifically, with a connection established between the device and the server, when the user wants to use a device-side application function that requires identity authentication, the user taps that application on the device and the device receives the user's authentication request. After receiving the user's authentication request, the device obtains its own device key parameter and device number and sends both to the server. Here, the user's authentication request is the identity authentication request raised when the user uses a certain application function on the device: for example, the identity authentication request raised when the user uses the mobile payment function of a mobile phone, or, on an expressway, the request to verify the vehicle's identity through ETC (Electronic Toll Collection) when the vehicle passes a toll station and the on-board electronic tag installed in the vehicle is recognized by the toll station's ETC system.
The device obtains its own device key parameter a as follows. It first obtains a device challenge parameter, feeds the device challenge parameter into the device-side physically unclonable function to obtain a device response parameter, and feeds the device challenge parameter into the device-side hash function to obtain the hash result of the device challenge parameter. It then derives the device key parameter from the device response parameter and the hash result of the device challenge parameter.
Specifically, the device obtains a device challenge index Id from its true random number generator TRNGd. Because the challenge value corresponding to the index Id output by TRNGd may not match any pre-stored Ci, Id is fed into the device-side linear feedback shift register (LFSR), all of whose output values are bounded between 0 and Nr, where Nr is the number of CRPs the device obtained during the registration phase. Passing Id through the device-side LFSR yields the actual device index LFSR(Id). Using this actual index, the device challenge parameter Cd is looked up in the device-side database DBd.
Next, Cd is fed into the device-side physically unclonable function PUF(k, Cd) to obtain the device response parameter Rd, and the device challenge parameter Cd is fed into the device-side hash function Hash to obtain the hash result Hash(Cd) of the device challenge parameter. The device response parameter Rd and Hash(Cd) are then XORed to obtain the device key parameter a.
After the device key parameter a is obtained, a is fed into the device-side LFSR, and LFSR(a) outputs the device target index Ia. Using the device target index Ia, the device-side verification challenge parameter is looked up in the device-side database DBd, and that parameter is fed into the device-side physically unclonable function PUF to obtain the device verification key Ks.
After receiving the device key parameter and device number sent by the device, the server first checks whether the device number matches the device code of that device stored in the server database. If they match, the device has previously registered with the server and the server already holds the device's challenge-response pairs CRP(Ci, Ri); the server then generates server mask data from the device key parameter and sends the server mask data together with its own server key parameter to the device.
If the device number sent by the device does not match the device code stored in the server database, the device has not registered with the server and cannot authenticate with it; the server then sends the device a message indicating that it is an unregistered device.
The server obtains its server key parameter b as follows. The server obtains a server challenge-response index Is from its true random number generator TRNGs. Is is fed into the server-side linear feedback shift register LFSR, which outputs the actual server index LFSR(Is). Using this actual index, the server challenge-response pair parameter CRP(Cs, Rs) is looked up in the server-side database DBs.
Next, the server challenge parameter Cs of the pair CRP(Cs, Rs) is fed into the server-side hash function Hash to obtain the hash result Hash(Cs) of the server challenge parameter Cs. The server response parameter Rs and Hash(Cs) are XORed to obtain the server key parameter b.
After obtaining the server key parameter b, the server derives the server verification key from b as follows: b is fed into the server-side LFSR, and LFSR(b) outputs the server target index Ib. Using the server target index Ib, the server verification key Kd is looked up in the server-side database DBs.
The server generates the server mask data e from the device key parameter a as follows. The server passes the device key parameter a received from the device through its own LFSR, and LFSR(a) outputs a first index. Using the first index, the first verification key Ks is looked up in the server-side database DBs. The first verification key Ks and the server challenge-response index Is are XORed to obtain the server mask data e. The server sends the server mask data e and the server key parameter b to the device.
Next, step S102 is executed: the device acquires the server mask data and the server key parameter sent by the server, and generates the server verification parameter of the server from the server mask data.
Specifically, after receiving the server mask data e and the server key parameter b from the server, the device derives the server verification parameter from the server mask data e and the device verification key Ks.
The server verification parameter is obtained as follows. The server mask data e and the device verification key Ks are XORed to obtain a second index. The second index is passed through the device-side LFSR to obtain a third index. Using the third index, the first challenge parameter Cs is looked up in the device-side database DBd. Cs is fed into the device-side physically unclonable function PUF(k, Cs) to obtain the first response parameter Rs. The first response parameter Rs and the hash result Hash(Cs) of the first challenge parameter Cs are XORed to obtain the server verification parameter.
After obtaining the server verification parameter, the device executes step S103: based on the server key parameter and the server verification parameter, it determines that the server passes authentication.
Specifically, after obtaining the server verification parameter, the device computes the fuzzy Hamming distance (Fuzzy Hamming Distance, PHD) between the server key parameter b and the server verification parameter, obtaining a first fuzzy Hamming distance, and then evaluates it. If the first fuzzy Hamming distance is not less than a first set distance threshold τ1, the server is determined to have passed authentication, and the device outputs a message that its authentication of the server has succeeded. The first set distance threshold is chosen according to actual requirements. If the first fuzzy Hamming distance is less than the first set distance threshold, the server is determined to have failed authentication, a message that the device's authentication of the server has failed is output to the screens of the server and the device, and the application function corresponding to the authentication request is closed.
In this embodiment, while being used by the user, the device sends its device key parameter and device number to the server so that the server can check the device number and generate the server mask data and server key parameter. From the server mask data and server key parameter it receives, the device authenticates the server and decides whether the server passes, which improves the device's authentication efficiency and protects its security. In addition, the use of server mask data effectively guards against machine learning attacks, replay attacks, man-in-the-middle attacks and the like.
After determining that the server has passed authentication, the device executes step S104: it obtains the device authentication pass message sent by the server and enables the application function corresponding to the authentication request.
Specifically, after determining that the server has passed authentication, the device derives device mask data f from the server key parameter b and sends the device mask data to the server so that the server can authenticate the device from the device mask data.
The device mask data f is obtained as follows. The server key parameter b is passed through the device-side LFSR to obtain a fourth index. Using the fourth index, the second challenge parameter CKd is looked up in the device-side database DBd. CKd is fed into the device-side physically unclonable function PUF(k, CKd) to obtain the second response parameter Kd. Kd and the device challenge index Id are XORed to obtain the device mask data f.
After receiving the device mask data f from the device, the server generates the device verification parameter of the device from f as follows. The server XORs the device mask data f with the server verification key Kd to obtain a fifth index. The fifth index is passed through the server-side LFSR to obtain a sixth index. Using the sixth index, the third challenge parameter Cd and the third response parameter Rd are looked up in the server-side database DBs. The third response parameter Rd and the hash result Hash(Cd) of the third challenge parameter Cd are XORed to obtain the device verification parameter.
After obtaining the device verification parameter, the server computes the fuzzy Hamming distance PHD between the device verification parameter and the device key parameter a, obtaining a second fuzzy Hamming distance, and then evaluates it. If the second fuzzy Hamming distance is not less than a second set distance threshold τ2, the device is determined to have passed authentication, and the server sends the device authentication pass message to the device. The second set distance threshold is chosen according to actual requirements. If the second fuzzy Hamming distance is less than the second set distance threshold, the server's authentication of the device fails, and the server sends the device a message that it has not passed authentication.
After sending the device authentication pass message to the device, the server deletes from its own database the server challenge-response pair CRP(Cs, Rs) that was used in this round of mutual authentication. Each round of mutual authentication between the device and the server therefore consumes one server challenge-response pair CRP(Cs, Rs), that is, each key is used only once, which improves the authentication efficiency of the device and the server, protects the security of the device, reduces wasted resources and speeds up the response.
After sending the device mask data to the server, the device obtains the device authentication pass message sent by the server and enables the corresponding application function so that the user can use it.
In this embodiment, after the device has authenticated the server, the server in turn authenticates the device. The server derives the device verification parameter from the device mask data f sent by the device, and then determines the authentication result for the device from the device verification parameter and the device key parameter a, which improves the device's authentication efficiency and protects its security. In addition, the use of device mask data effectively guards against machine learning attacks, replay attacks, man-in-the-middle attacks and the like.
Throughout the authentication process between the device and the server, both sides use the physically unclonable function PUF, which effectively guards against physical intrusion attacks.
It should also be noted that the device and/or the server in this embodiment may use a circuit in which the process circuit for the true random number generator TRNG and the process circuit for the physically unclonable function PUF are connected in parallel, further reducing the waste of software resources and improving response speed.
One or more technical solutions in the embodiments of the present invention have at least the following technical effects or advantages:
In this embodiment, when the user uses a certain application function on the device, the user's authentication request is triggered. After receiving the user's authentication request, the device obtains its device key parameter and device number and sends them to the server so that the server can check the device number and generate server mask data from the device key parameter. In this way the server not only checks the device number, confirming that the device is registered with the server, but also generates server mask data, which effectively guards against machine learning attacks, replay attacks, man-in-the-middle attacks and related attacks, improves the device's authentication efficiency and protects its security.
Next, the device acquires the server mask data and server key parameter sent by the server and generates the server verification parameter of the server from the server mask data. It then determines, from the server key parameter and the server verification parameter, that the server has passed authentication, thereby realizing the device's authentication of the server and further improving the device's authentication efficiency and security.
Then, after determining that the server has passed authentication, the device obtains the device authentication pass message sent by the server. This means the device has authenticated the server and the server has authenticated the device, that is, the two have mutually authenticated, which protects the security of the device. After mutual authentication succeeds, the device enables the application function corresponding to the authentication request so that the user can use it safely.
The IoT device authentication method of this embodiment breaks the original direct mapping between responses and challenges on the server and the device. Throughout the mutual authentication process, the parameters and mask data used in each round depend on data produced by the true random number generators, and mask data is additionally applied, which greatly improves the device's authentication efficiency and protects its security. Moreover, the server achieves "one-time pad" style key use, each key being used only once, which effectively guards against machine learning attacks, replay attacks and man-in-the-middle attacks. The physically unclonable function used throughout the process also guards against physical intrusion attacks.
Embodiment two
Based on the same inventive concept, a second embodiment of the present invention further provides an authentication apparatus for an IoT device, as shown in Figure 3, applied on the device side, the apparatus comprising:
an acquiring and sending module 201, configured to, under the condition that a connection with the server has been established and after a user's authentication request is received, obtain the device key parameter and device number of the device and send the device key parameter and the device number to the server, so that the server checks the device number and generates server mask data from the device key parameter;
an acquiring and generating module 202, configured to acquire the server mask data and the server key parameter sent by the server, and to generate the server verification parameter of the server from the server mask data;
an authentication module 203, configured to determine, from the server key parameter and the server verification parameter, that the server passes authentication;
a control module 204, configured to, after it is determined that the server passes authentication, obtain the device authentication pass message sent by the server and enable the application function corresponding to the authentication request.
As an optional embodiment, the control module 204 is configured to: after it is determined that the server passes authentication, derive device mask data from the server key parameter and send the device mask data to the server, so that the server authenticates the device from the device mask data;
after sending the device mask data to the server, obtain the device authentication pass message sent by the server and enable the corresponding application function.
As an optional embodiment, the acquiring and sending module 201 being configured to obtain the device key parameter of the device comprises:
obtaining a device challenge parameter, feeding the device challenge parameter into the device-side physically unclonable function to obtain a device response parameter, and feeding the device challenge parameter into the device-side hash function to obtain a hash result of the device challenge parameter;
deriving the device key parameter from the device response parameter and the hash result of the device challenge parameter.
As an optional embodiment, the acquiring and sending module 201 is further configured to, after the device key parameter is obtained:
derive a device verification key from the device key parameter;
and the acquiring and generating module 202 being configured to generate the server verification parameter of the server from the server mask data comprises:
deriving the server verification parameter from the server mask data and the device verification key.
As an optional embodiment, determining that the server passes authentication from the server key parameter and the server verification parameter comprises:
obtaining a first fuzzy Hamming distance from the server key parameter and the server verification parameter;
if the first fuzzy Hamming distance is not less than a first set distance threshold, determining that the server passes authentication and outputting a message that the device's authentication of the server has succeeded.
As an optional embodiment, the acquiring and sending module 201 is configured to: before the user's authentication request is received, send a registration signal to the server;
after sending the registration signal, acquire the challenge value set sent by the server and the device code of the device, and store the challenge value set and the device code, where the device code is consistent with the device number;
from each challenge value in the challenge value set, obtain the response value corresponding to that challenge value and thereby a plurality of challenge-response pairs, where one challenge-response pair comprises one challenge value and the response value corresponding to it;
send the plurality of challenge-response pairs to the server so that the server stores them.
Since the IoT device authentication apparatus described in this embodiment is the apparatus used to implement the IoT device authentication method of Embodiment one of the present application, a person skilled in the art can, from the authentication method described in Embodiment one, understand the specific implementation of the authentication apparatus of this embodiment and its various variations; how this apparatus implements the method of Embodiment one is therefore not described in detail here. Any apparatus used by a person skilled in the art to implement the IoT device authentication method of Embodiment one of the present application falls within the scope of protection sought by the present application.
Embodiment three
Based on the same inventive concept, a third embodiment of the present invention provides an authentication method for an IoT device, as shown in Figure 4, applied on the server side, the method comprising:
S301: after a connection with the device is established, obtaining the server key parameter of the server and the device key parameter and device number sent by the device;
S302: if the device number is consistent with the device code of the device in the server database, generating server mask data from the device key parameter and sending the server mask data and the server key parameter to the device;
S303: after sending the server mask data and the server key parameter to the device, acquiring the device mask data sent by the device;
S304: determining, from the device mask data, that the device passes authentication, and sending the device authentication pass message for the device to the device.
As an optional embodiment, obtaining the server key parameter comprises:
obtaining a server challenge parameter and a server response parameter of the server, where the server challenge parameter corresponds to the server response parameter;
feeding the server challenge parameter into the server-side hash function to obtain a hash result of the server challenge parameter;
deriving the server key parameter from the hash result of the server challenge parameter and the server response parameter.
As an optional embodiment, determining from the device mask data that the device passes authentication comprises:
generating the device verification parameter of the device from the device mask data;
obtaining a second fuzzy Hamming distance from the device verification parameter and the device key parameter;
if the second fuzzy Hamming distance is not less than a second set distance threshold, determining that the device passes authentication and sending the device authentication pass message for the device to the device.
As an optional embodiment, after the device authentication pass message is sent to the device, the server challenge parameter and the server response parameter are deleted from the server database.
As an optional embodiment, after the server key parameter is obtained, the method further comprises:
deriving a server verification key from the server key parameter.
As an optional embodiment, generating the device verification parameter of the device from the device mask data comprises:
deriving the device verification parameter from the device mask data and the server verification key.
As an optional embodiment, before obtaining the server key parameter of the server and the device key parameter and device number sent by the device, the method further comprises:
acquiring a registration signal sent by the device;
after the registration signal is acquired, sending a challenge value set and the device code of the device to the device, so that the device obtains a plurality of challenge-response pairs from the challenge value set, and storing the device code in the server database;
after sending the plurality of challenge parameters to the device, acquiring the plurality of challenge-response pairs sent by the device and storing them.
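As an added illustration of the flow described in Embodiment one (device side, steps S101 to S104) and Embodiment three (server side, steps S301 to S304), the following Python simulation runs the registration phase and one round of mutual authentication with both parties' messages: the device key parameter a, the server mask data e and key parameter b, the device mask data f, and the two fuzzy Hamming distance checks, followed by one-time deletion of the consumed CRP(Cs, Rs). It is constructed for this page and is not code from the patent; it assumes a noise-free keyed SHA-256 in place of the PUF, SHA-256 as the hash, a 16-bit Fibonacci LFSR reduced modulo Nr as the LFSR, and, since the page does not define PHD, the fraction of matching bits as the fuzzy Hamming distance so that the page's "not less than the threshold" acceptance rule applies; the device number, PUF secret, seeds and thresholds are made-up values.

```python
import hashlib
import random

RESP_LEN = 32  # bytes: PUF responses, keys, key parameters, masks and masked indices

def h(*parts: bytes) -> bytes:  # the page's Hash, instantiated as SHA-256 (assumption)
    return hashlib.sha256(b"".join(parts)).digest()

def xor(x: bytes, y: bytes) -> bytes:
    return bytes(i ^ j for i, j in zip(x, y))

def lfsr_index(value: bytes, nr: int) -> int:
    """The page's LFSR, built here as a 16-bit Fibonacci LFSR (taps 16,14,13,11)
    seeded from the value and reduced mod nr, so every output lies in [0, nr)."""
    state = int.from_bytes(h(value)[:2], "big") | 1  # never the stuck all-zero state
    for _ in range(32):
        bit = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
        state = (state >> 1) | (bit << 15)
    return state % nr

def phd(x: bytes, y: bytes) -> float:
    """Fuzzy Hamming distance PHD, taken here (assumption) as the fraction of equal
    bits, so the page's 'pass if not less than the threshold' means 'close enough'."""
    differing = sum(bin(i ^ j).count("1") for i, j in zip(x, y))
    return 1.0 - differing / (8 * len(x))

class Device:
    def __init__(self, number: bytes, puf_secret: bytes, rng: random.Random):
        self.number, self.k, self.rng, self.db = number, puf_secret, rng, []

    def puf(self, c: bytes) -> bytes:  # simulated, noise-free PUF(k, C)
        return h(self.k, c)

    def register(self, challenges):  # keep the challenge set as DB_d, return CRPs (Ci, Ri)
        self.db = list(challenges)
        return [(c, self.puf(c)) for c in self.db]

    def start(self):  # step S101: derive a and K_s, send (device number, a)
        nr = len(self.db)
        self.i_d = self.rng.randrange(nr)  # I_d from TRNG_d
        c_d = self.db[lfsr_index(self.i_d.to_bytes(RESP_LEN, "big"), nr)]  # actual index -> C_d
        self.a = xor(self.puf(c_d), h(c_d))  # a = R_d xor Hash(C_d)
        self.k_s = self.puf(self.db[lfsr_index(self.a, nr)])  # I_a -> device verification key K_s
        return self.number, self.a

    def verify_server(self, e: bytes, b: bytes, tau1: float):  # steps S102/S103: f or None
        nr = len(self.db)
        i_s = xor(e, self.k_s)  # second index: unmask I_s with K_s
        c_s = self.db[lfsr_index(i_s, nr)]  # third index -> first challenge parameter C_s
        b_check = xor(self.puf(c_s), h(c_s))  # server verification parameter
        if phd(b, b_check) < tau1:
            return None  # server rejected: the application function stays closed
        k_d = self.puf(self.db[lfsr_index(b, nr)])  # fourth index -> K_d
        return xor(k_d, self.i_d.to_bytes(RESP_LEN, "big"))  # device mask f = K_d xor I_d

class Server:
    def __init__(self, rng: random.Random):
        self.rng, self.registry, self.pending = rng, {}, {}

    def register(self, device: Device, nr: int):  # send Nr challenges, keep DB_s = {i: (Ci, Ri)}
        challenges = [self.rng.randbytes(16) for _ in range(nr)]
        self.registry[device.number] = (nr, dict(enumerate(device.register(challenges))))

    def respond(self, number: bytes, a: bytes):  # steps S301/S302: (e, b) or None
        try:
            nr, db = self.registry[number]  # the device number must match a registered device code
            i_s = self.rng.randrange(nr)  # I_s from TRNG_s
            idx = lfsr_index(i_s.to_bytes(RESP_LEN, "big"), nr)  # actual index -> CRP(C_s, R_s)
            c_s, r_s = db[idx]
            b = xor(r_s, h(c_s))  # b = R_s xor Hash(C_s)
            k_d = db[lfsr_index(b, nr)][1]  # I_b -> server verification key K_d
            k_s = db[lfsr_index(a, nr)][1]  # first index -> K_s
        except KeyError:
            return None  # unregistered device, or a pair deleted after an earlier session
        self.pending[number] = (a, idx, k_d)
        return xor(k_s, i_s.to_bytes(RESP_LEN, "big")), b  # server mask e = K_s xor I_s

    def verify_device(self, number: bytes, f: bytes, tau2: float) -> bool:  # steps S303/S304
        nr, db = self.registry[number]
        a, idx, k_d = self.pending.pop(number)
        entry = db.get(lfsr_index(xor(f, k_d), nr))  # fifth index -> sixth index -> (C_d, R_d)
        if entry is None or phd(a, xor(entry[1], h(entry[0]))) < tau2:
            return False  # device verification parameter R_d xor Hash(C_d) too far from a
        del db[idx]  # one-time use: the consumed CRP(C_s, R_s) is deleted from DB_s
        return True

def run_session(server: Server, device: Device, tau1=0.9, tau2=0.9) -> str:
    number, a = device.start()
    reply = server.respond(number, a)
    if reply is None:
        return "rejected by server: unregistered device or consumed CRP"
    f = device.verify_server(*reply, tau1)
    if f is None:
        return "rejected by device: server verification parameter too far from b"
    if not server.verify_device(number, f, tau2):
        return "rejected by server: device verification parameter too far from a"
    return "ok: mutual authentication passed, application function enabled"
```

With a real, noisy PUF the two PHD checks are what absorb a few flipped response bits; note that any noise in Ks or Kd would instead corrupt the unmasked index, so a deployment needs stable key bits (error correction) on that path, which the simulation sidesteps by modelling the PUF without noise.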
Embodiment four
Based on the same inventive concept, a fourth embodiment of the present invention further provides an authentication apparatus for an IoT device, as shown in Figure 5, applied on the server side, the apparatus comprising:
a first acquiring module 401, configured to, after a connection with the device is established, obtain the server key parameter of the server and the device key parameter and device number sent by the device;
a judging module 402, configured to, if the device number is consistent with the device code of the device in the server database, generate server mask data from the device key parameter and send the server mask data and the server key parameter to the device;
a second acquiring module 403, configured to, after the server mask data and the server key parameter have been sent to the device, acquire the device mask data sent by the device;
a determining module 404, configured to determine, from the device mask data, that the device passes authentication, and to send the device authentication pass message for the device to the device.
As an optional embodiment, the first acquiring module 401 being configured to obtain the server key parameter comprises:
obtaining a server challenge parameter and a server response parameter of the server, where the server challenge parameter corresponds to the server response parameter;
feeding the server challenge parameter into the server-side hash function to obtain a hash result of the server challenge parameter;
deriving the server key parameter from the hash result of the server challenge parameter and the server response parameter.
As an optional embodiment, determining from the device mask data that the device passes authentication comprises:
generating the device verification parameter of the device from the device mask data;
obtaining a second fuzzy Hamming distance from the device verification parameter and the device key parameter;
if the second fuzzy Hamming distance is not less than a second set distance threshold, determining that the device passes authentication and sending the device authentication pass message for the device to the device.
As an optional embodiment, the determining module 404 is configured to: after the device authentication pass message is sent to the device, delete the server challenge parameter and the server response parameter from the server database.
As an optional embodiment, the first acquiring module 401 is configured to, after the server key parameter is obtained, derive a server verification key from the server key parameter.
As an optional embodiment, the judging module 402 being configured to generate the device verification parameter of the device from the device mask data comprises:
deriving the device verification parameter from the device mask data and the server verification key.
As an optional embodiment, the first acquiring module 401 is configured to: before obtaining the server key parameter of the server and the device key parameter and device number sent by the device, acquire the registration signal sent by the device;
after the registration signal is acquired, send a challenge value set and the device code of the device to the device, so that the device obtains a plurality of challenge-response pairs from the challenge value set, and store the device code in the server database;
after sending the plurality of challenge parameters to the device, acquire the plurality of challenge-response pairs sent by the device and store them.
Since the IoT device authentication apparatus described in this embodiment is the apparatus used to implement the IoT device authentication method of Embodiment three of the present application, a person skilled in the art can, from the authentication method described in Embodiment three, understand the specific implementation of the authentication apparatus of this embodiment and its various variations; how this apparatus implements the method of Embodiment three is therefore not described in detail here. Any apparatus used by a person skilled in the art to implement the IoT device authentication method of Embodiment three of the present application falls within the scope of protection sought by the present application.
Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a system, or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
The present invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing apparatus produce an apparatus for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means, the instruction means implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus, causing a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer-implemented process, such that the instructions executed on the computer or other programmable apparatus provide steps for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art can make further changes and modifications to these embodiments once they learn the basic inventive concept. Therefore, the appended claims are intended to be construed as covering the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and variations to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include them.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210926720.5A CN115277240B (en) | 2022-08-03 | 2022-08-03 | Authentication method and device for Internet of things equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115277240A true CN115277240A (en) | 2022-11-01 |
CN115277240B CN115277240B (en) | 2024-06-25 |
Family
ID=83749465
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210926720.5A Active CN115277240B (en) | 2022-08-03 | 2022-08-03 | Authentication method and device for Internet of things equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115277240B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117879874A (en) * | 2023-12-08 | 2024-04-12 | 天翼云科技有限公司 | Triple security protection method and system for a software-defined WAN (SD-WAN) system |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2019052532A1 (en) * | 2017-09-18 | 2019-03-21 | 阿里巴巴集团控股有限公司 | Information interaction method, apparatus and device for internet of things device |
CN110545543A (en) * | 2019-09-03 | 2019-12-06 | 南瑞集团有限公司 | Authentication method, device and system for wireless equipment |
CN110752919A (en) * | 2019-10-21 | 2020-02-04 | 湖北工业大学 | Two-party authentication and session key exchange method based on BST-PUF |
CN111740965A (en) * | 2020-06-09 | 2020-10-02 | 河海大学常州校区 | IoT device authentication method based on a physical unclonable function |
US20200412556A1 (en) * | 2019-06-28 | 2020-12-31 | Electronics And Telecommunications Research Institute | User device, physical-unclonable-function-based authentication server, and operating method thereof |
CN113099443A (en) * | 2019-12-23 | 2021-07-09 | 阿里巴巴集团控股有限公司 | Equipment authentication method, device, equipment and system |
CN113162768A (en) * | 2021-02-24 | 2021-07-23 | 北京科技大学 | Intelligent Internet of things equipment authentication method and system based on block chain |
CN114039732A (en) * | 2021-11-08 | 2022-02-11 | 中国人民解放军国防科技大学 | Physical layer authentication method, system, equipment and computer readable storage medium |
CN114063651A (en) * | 2021-11-18 | 2022-02-18 | 湖北工业大学 | Method and storage medium for mutual authentication between user and multiple drones |
CN114157451A (en) * | 2021-11-11 | 2022-03-08 | 广东石油化工学院 | Internet of things equipment identity authentication method, device and system and storage medium |
Family timeline:
- 2022-08-03 CN CN202210926720.5A patent/CN115277240B/en Active
Non-Patent Citations (1)
Title |
---|
刘东慧 (Liu Donghui): "Analysis of computer network security based on the Internet of Things", 计算机产品与流通 (Computer Products and Circulation), no. 07 * |
Also Published As
Publication number | Publication date |
---|---|
CN115277240B (en) | 2024-06-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10700861B2 (en) | System and method for generating a recovery key and managing credentials using a smart blockchain contract | |
KR102493744B1 (en) | Security Verification Method Based on Biometric Characteristics, Client Terminal, and Server | |
US10523441B2 (en) | Authentication of access request of a device and protecting confidential information | |
US9887983B2 (en) | Apparatus and method for implementing composite authenticators | |
US10116693B1 (en) | Server using proof-of-work technique for hardening against denial of service attacks | |
CN109714176B (en) | Password authentication method, device and storage medium | |
CN110990827A (en) | Identity information verification method, server and storage medium | |
US20160125180A1 (en) | Near Field Communication Authentication Mechanism | |
CN108199845B (en) | A lightweight authentication device and authentication method based on PUF | |
CN110874494B (en) | Method, device and system for processing password operation and method for constructing measurement trust chain | |
CN106921640A (en) | Identity identifying method, authentication device and Verification System | |
EP3206329B1 (en) | Security check method, device, terminal and server | |
WO2018112482A1 (en) | Method and system for distributing attestation key and certificate in trusted computing | |
CN112241527B (en) | Secret key generation method and system of terminal equipment of Internet of things and electronic equipment | |
EP3133791B1 (en) | Double authentication system for electronically signed documents | |
CN107453871B (en) | Password generation method, password verification method, payment method and payment device | |
KR101253683B1 (en) | Digital Signing System and Method Using Chained Hash | |
CN119005980A (en) | Block chain account generation method and system | |
KR20200016506A (en) | Method for Establishing Anonymous Digital Identity | |
CN114257410B (en) | Identity authentication method and device based on digital certificate and computer equipment | |
CN113508380B (en) | Methods used for end-entity authentication | |
JP7632477B2 (en) | Recovery verification system, collation system, recovery verification method and program | |
CN115277240B (en) | Authentication method and device for Internet of things equipment | |
Pippal et al. | Enhanced time-bound ticket-based mutual authentication scheme for cloud computing | |
CN116866093B (en) | Identity authentication method, identity authentication device, and readable storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |