[go: up one dir, main page]

CN111931158A - Bidirectional authentication method, terminal and server - Google Patents

Bidirectional authentication method, terminal and server Download PDF

Info

Publication number
CN111931158A
CN111931158A CN202010797811.4A CN202010797811A CN111931158A CN 111931158 A CN111931158 A CN 111931158A CN 202010797811 A CN202010797811 A CN 202010797811A CN 111931158 A CN111931158 A CN 111931158A
Authority
CN
China
Prior art keywords
certificate
public key
module
terminal
signature
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010797811.4A
Other languages
Chinese (zh)
Inventor
胡圣
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Trendit Co ltd
Original Assignee
Shenzhen Trendit Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Trendit Co ltd filed Critical Shenzhen Trendit Co ltd
Priority to CN202010797811.4A priority Critical patent/CN111931158A/en
Publication of CN111931158A publication Critical patent/CN111931158A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication
    • G06F21/445Program or device authentication by mutual authentication, e.g. between devices or programs
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/08Payment architectures
    • G06Q20/20Point-of-sale [POS] network systems
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3823Payment protocols; Details thereof insuring higher security of transaction combining multiple encryption tools for a transaction

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Theoretical Computer Science (AREA)
  • Accounting & Taxation (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Finance (AREA)
  • Strategic Management (AREA)
  • General Business, Economics & Management (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

本发明实施例提供了一种双向认证方法、终端以及服务器,包括终端发送签名证书公钥至服务器,其中,所述签名证书公钥与所述终端预先储存的签名证书私钥相匹配;所述终端接收所述服务器发送的加密证书公钥,其中,所述加密证书公钥与所述服务器预先储存的加密证书私钥相匹配;所述终端根据所述签名证书私钥和所述加密证书公钥对混沌序列处理,得到认证信息;所述终端发送所述认证信息至服务器,所述服务器根据所述签名证书公钥和所述加密证书私钥对所述认证信息进行验证。本申请可以实现双向认证,并且采用国密算法替代国际密码算法,基于国密算法重新实现了双向认证的过程,使安全性能显著提高。

Figure 202010797811

Embodiments of the present invention provide a two-way authentication method, a terminal, and a server, including the terminal sending a public key of a signature certificate to the server, wherein the public key of the signature certificate matches the private key of the signature certificate pre-stored by the terminal; the The terminal receives the encryption certificate public key sent by the server, wherein the encryption certificate public key matches the encryption certificate private key pre-stored by the server; The key pair chaotic sequence is processed to obtain authentication information; the terminal sends the authentication information to the server, and the server verifies the authentication information according to the signature certificate public key and the encryption certificate private key. The application can realize two-way authentication, and adopts the national secret algorithm to replace the international encryption algorithm, and re-implements the process of two-way authentication based on the national secret algorithm, so that the security performance is significantly improved.

Figure 202010797811

Description

一种双向认证方法、终端以及服务器A two-way authentication method, terminal and server

技术领域technical field

本发明涉及认证技术领域,特别是涉及一种双向认证方法、终端以及服务器。The invention relates to the technical field of authentication, in particular to a bidirectional authentication method, a terminal and a server.

背景技术Background technique

POS机在使用过程中经常要用到签到操作,目的是更新工作密钥,使交易过程涉及的银行卡密码等敏感信息得到保护而不被泄露。在签到操作前,机器终端都需要与后台服务器进行双向认证,以确认双方的身份合法。POS machines often use sign-in operations in the process of use, the purpose is to update the work key, so that sensitive information such as bank card passwords involved in the transaction process can be protected from being leaked. Before the sign-in operation, the machine terminal needs to perform two-way authentication with the background server to confirm the legality of the identities of both parties.

现有一种技术,需要通过2轮交互就可以实现双向认证密钥协商的新模式,该模式的第1轮身份认证采用国密算法SM2加解密和签名验签模块实现,第2轮身份认证采用国密算法SM3哈希运算实现。In the existing technology, a new mode of two-way authentication key negotiation can be realized through 2 rounds of interaction. The first round of identity authentication in this mode is implemented by the national secret algorithm SM2 encryption and decryption and signature verification module, and the second round of identity authentication adopts Implementation of the national secret algorithm SM3 hash operation.

POS行业通常用的双向认证实现中,因为实现过程较简单,安全系数低,不能很好的保护隐私。In the two-way authentication implementation commonly used in the POS industry, because the implementation process is relatively simple and the security factor is low, privacy cannot be well protected.

发明内容SUMMARY OF THE INVENTION

鉴于上述问题,提出了本发明实施例以便提供一种克服上述问题或者至少部分地解决上述问题的一种双向认证方法、终端以及服务器。In view of the above problems, the embodiments of the present invention are proposed to provide a bidirectional authentication method, terminal and server that overcome the above problems or at least partially solve the above problems.

为了解决上述问题,本发明实施例公开了一种双向认证方法包括:所述方法应用于POS机终端和后台服务器的双向认证,所述方法包括:In order to solve the above problem, an embodiment of the present invention discloses a two-way authentication method, including: the method is applied to the two-way authentication of a POS terminal and a background server, and the method includes:

终端发送签名证书公钥至服务器,其中,所述签名证书公钥与所述终端预先储存的签名证书私钥相匹配;The terminal sends the public key of the signature certificate to the server, wherein the public key of the signature certificate matches the private key of the signature certificate stored in advance by the terminal;

所述终端接收所述服务器发送的加密证书公钥,其中,所述加密证书公钥与所述服务器预先储存的加密证书私钥相匹配;The terminal receives the encryption certificate public key sent by the server, wherein the encryption certificate public key matches the encryption certificate private key pre-stored by the server;

所述终端根据所述签名证书私钥和所述加密证书公钥对混沌序列处理,得到认证信息;The terminal processes the chaotic sequence according to the private key of the signature certificate and the public key of the encryption certificate to obtain authentication information;

所述终端发送所述认证信息至服务器,所述服务器根据所述签名证书公钥和所述加密证书私钥对所述认证信息进行验证。The terminal sends the authentication information to the server, and the server verifies the authentication information according to the public key of the signature certificate and the private key of the encryption certificate.

优选的,所述终端根据所述签名证书私钥和所述加密证书公钥对混沌序列处理,得到认证信息的步骤之前,还包括:Preferably, before the step of processing the chaotic sequence according to the private key of the signature certificate and the public key of the encrypted certificate to obtain the authentication information, the terminal further includes:

所述终端发送第一随机值至服务器;the terminal sends the first random value to the server;

所述终端接收所述服务器的第二随机值,其中,所述第二随机值由所述服务器根据所述第一随机值生成;receiving, by the terminal, a second random value from the server, wherein the second random value is generated by the server according to the first random value;

所述终端基于所述第二随机值和所述第一随机值确定混沌序列。The terminal determines a chaotic sequence based on the second random value and the first random value.

优选的,所述终端根据所述签名证书私钥和所述加密证书公钥对预设的混沌序列进行处理确定认证信息的步骤,包括:Preferably, the step of the terminal processing a preset chaotic sequence according to the private key of the signature certificate and the public key of the encryption certificate to determine the authentication information includes:

所述终端根据所述签名证书私钥对所述混沌序列进行签名,生成签名信息;The terminal signs the chaotic sequence according to the private key of the signature certificate, and generates signature information;

所述终端根据所述加密证书公钥数据对所述混沌序列进行加密,生成加密文件;The terminal encrypts the chaotic sequence according to the encryption certificate public key data, and generates an encrypted file;

所述认证信息包括签名信息和加密文件。The authentication information includes signature information and encrypted files.

优选的,所述服务器根据所述签名证书公钥和所述加密证书私钥对所述认证信息进行验证的步骤,包括:Preferably, the step of the server verifying the authentication information according to the public key of the signature certificate and the private key of the encrypted certificate includes:

所述服务器根据所述加密证书私钥对所述加密文件进行解密;The server decrypts the encrypted file according to the private key of the encryption certificate;

所述服务器根据所述签名证书公钥对所述签名信息进行验签。The server verifies the signature information according to the public key of the signature certificate.

此外,本申请还提供一种双向认证终端,所述终端包括:In addition, the present application also provides a two-way authentication terminal, and the terminal includes:

发送模块:用于发送签名证书公钥,其中,所述签名证书公钥与所述终端预先储存的签名证书私钥相匹配;Sending module: used to send the public key of the signature certificate, wherein the public key of the signature certificate matches the private key of the signature certificate stored in advance by the terminal;

接收模块:用于接收加密证书公钥,其中,所述加密证书公钥为根据所述签名证书公钥确定所得;Receiving module: used to receive an encryption certificate public key, wherein the encryption certificate public key is determined according to the signature certificate public key;

处理模块:用于根据所述签名证书私钥和所述加密证书公钥对混沌序列处理,得到认证信息;Processing module: used to process the chaotic sequence according to the private key of the signature certificate and the public key of the encryption certificate to obtain authentication information;

认证模块:用于发送所述认证信息。Authentication module: used to send the authentication information.

优选的,所述处理模块,还包括:Preferably, the processing module further includes:

第一模块:用于发送第一随机值;The first module: used to send the first random value;

第二模块:用于接收第二随机值,其中,所述第二随机值根据所述第一随机值生成;second module: for receiving a second random value, wherein the second random value is generated according to the first random value;

混沌模块:用于基于所述第二随机值和所述第一随机值确定混沌序列。Chaos module: used to determine a chaotic sequence based on the second random value and the first random value.

优选的,所述处理模块包括:Preferably, the processing module includes:

签名模块:用于根据所述签名证书私钥对所述混沌序列进行签名,生成签名信息;Signature module: used to sign the chaotic sequence according to the private key of the signature certificate, and generate signature information;

加密模块:用于根据所述加密证书公钥数据对所述混沌序列进行加密,生成加密文件;Encryption module: used to encrypt the chaotic sequence according to the public key data of the encryption certificate, and generate an encrypted file;

文件模块:用于所述认证信息包括签名信息和加密文件。File module: used for the authentication information including signature information and encrypted files.

本申请还提供一种双向认证服务器,所述服务器包括:The application also provides a two-way authentication server, the server includes:

签名证书模块:用于接收签名证书公钥,其中,所述签名证书公钥与所签名证书私钥相匹配;Signature certificate module: used to receive the public key of the signature certificate, wherein the public key of the signature certificate matches the private key of the signed certificate;

加密证书模块:用于发送加密证书公钥,其中,所述加密证书公钥与所述服务器预先储存的加密证书私钥相匹配;Encryption certificate module: used to send an encryption certificate public key, wherein the encryption certificate public key matches the encryption certificate private key pre-stored by the server;

信息模块:用于接收认证信息,其中,所述认证信息是根据所述签名证书私钥和所述加密证书公钥所得;Information module: used to receive authentication information, wherein the authentication information is obtained according to the private key of the signature certificate and the public key of the encryption certificate;

验证模块:用于依据所述签名证书公钥和所述加密证书私钥对所述认证信息进行验证。Verification module: used to verify the authentication information according to the public key of the signature certificate and the private key of the encrypted certificate.

本发明还提供电子设备,包括处理器、存储器及存储在所述存储器上并能够在所述处理器上运行的计算机程序,所述计算机程序被所述处理器执行时实现双向认证方法的步骤。The present invention also provides an electronic device comprising a processor, a memory and a computer program stored on the memory and capable of running on the processor, the computer program implementing the steps of the mutual authentication method when executed by the processor.

本发明还提供计算机可读存储介质,所述计算机可读存储介质上存储计算机程序,所述计算机程序被处理器执行时实现双向认证方法的步骤。The present invention also provides a computer-readable storage medium on which a computer program is stored, and when the computer program is executed by the processor, implements the steps of the two-way authentication method.

本发明实施例包括,终端发送签名证书公钥至服务器,其中,所述签名证书公钥与所述终端预先储存的签名证书私钥相匹配;所述终端接收所述服务器发送的加密证书公钥,其中,所述加密证书公钥与所述服务器预先储存的加密证书私钥相匹配;所述终端根据所述签名证书私钥和所述加密证书公钥对混沌序列处理,得到认证信息;所述终端发送所述认证信息至服务器,所述服务器根据所述签名证书公钥和所述加密证书私钥对所述认证信息进行验证。本申请具体包括以下优点,本申请可以实现双向认证,并且采用国密算法替代国际密码算法,基于国密算法重新实现了双向认证的过程,使安全性能显著提高。The embodiment of the present invention includes: the terminal sends the public key of the signed certificate to the server, wherein the public key of the signed certificate matches the private key of the signed certificate pre-stored by the terminal; the terminal receives the public key of the encrypted certificate sent by the server , wherein the encryption certificate public key matches the encryption certificate private key pre-stored by the server; the terminal processes the chaotic sequence according to the signature certificate private key and the encryption certificate public key to obtain authentication information; The terminal sends the authentication information to the server, and the server verifies the authentication information according to the public key of the signature certificate and the private key of the encryption certificate. The application specifically includes the following advantages. The application can realize two-way authentication, and adopts the national secret algorithm to replace the international encryption algorithm. Based on the national secret algorithm, the process of two-way authentication is re-implemented, and the security performance is significantly improved.

附图说明Description of drawings

图1是本发明的一种双向认证方法实施例的步骤流程图;Fig. 1 is a flow chart of steps of a two-way authentication method embodiment of the present invention;

图2是本发明的一种双向认证终端实施例的结构框图;2 is a structural block diagram of a two-way authentication terminal embodiment of the present invention;

图3是本发明实现双向认证方法的电子设备;Fig. 3 is the electronic device that the present invention realizes the two-way authentication method;

图4是现有认证方法实施例的步骤流程图;4 is a flow chart of steps of an embodiment of an existing authentication method;

图5是本发明的一种双向认证的基于国密算法的步骤流程图;Fig. 5 is the step flow chart based on the national secret algorithm of a kind of two-way authentication of the present invention;

图6是本发明的一种双向认证方法实施例的步骤流程图。FIG. 6 is a flow chart of steps in an embodiment of a two-way authentication method according to the present invention.

具体实施方式Detailed ways

为使本发明的上述目的、特征和优点能够更加明显易懂,下面结合附图和具体实施方式对本发明作进一步详细的说明。In order to make the above objects, features and advantages of the present invention more clearly understood, the present invention will be described in further detail below with reference to the accompanying drawings and specific embodiments.

本发明实施例的核心构思之一在于,本申请可以实现双向认证,并且采用国密算法替代国际密码算法,实现了基于国密算法实现了双向认证的过程,使安全性能显著提高。One of the core concepts of the embodiments of the present invention is that the present application can realize two-way authentication, and the national secret algorithm is used instead of the international encryption algorithm to realize the process of realizing the two-way authentication based on the national secret algorithm, so that the security performance is significantly improved.

参照图1,示出了本发明的一种双向认证方法实施例的步骤流程图,具体可以包括如下步骤:Referring to FIG. 1, a flow chart of steps of an embodiment of a two-way authentication method of the present invention is shown, which may specifically include the following steps:

步骤S100,终端发送签名证书公钥至服务器,其中,所述签名证书公钥与所述终端预先储存的签名证书私钥相匹配。Step S100, the terminal sends the public key of the signature certificate to the server, wherein the public key of the signature certificate matches the private key of the signature certificate stored in advance by the terminal.

步骤S200,所述终端接收所述服务器发送的加密证书公钥,其中,所述加密证书公钥与所述服务器预先储存的加密证书私钥相匹配。Step S200, the terminal receives the encryption certificate public key sent by the server, wherein the encryption certificate public key matches the encryption certificate private key pre-stored by the server.

步骤S300,所述终端根据所述签名证书私钥和所述加密证书公钥对混沌序列处理,得到认证信息。Step S300, the terminal processes the chaotic sequence according to the private key of the signature certificate and the public key of the encrypted certificate to obtain authentication information.

步骤S400,所述终端发送所述认证信息至服务器,所述服务器根据所述签名证书公钥和所述加密证书私钥对所述认证信息进行验证。Step S400, the terminal sends the authentication information to the server, and the server verifies the authentication information according to the public key of the signature certificate and the private key of the encrypted certificate.

所述终端根据所述签名证书私钥和所述加密证书公钥对混沌序列处理,得到认证信息的步骤之前,还包括:Before the step of processing the chaotic sequence according to the private key of the signature certificate and the public key of the encrypted certificate, the terminal further includes:

所述终端发送第一随机值至服务器。The terminal sends the first random value to the server.

所述终端接收所述服务器的第二随机值,其中,所述第二随机值由所述服务器根据所述第一随机值生成。The terminal receives a second random value from the server, wherein the second random value is generated by the server according to the first random value.

所述终端基于所述第二随机值和所述第一随机值确定混沌序列。The terminal determines a chaotic sequence based on the second random value and the first random value.

所述终端根据所述签名证书私钥和所述加密证书公钥对预设的混沌序列进行处理确定认证信息的步骤,包括:所述终端根据所述签名证书私钥对所述混沌序列进行签名,生成签名信息;所述终端根据所述加密证书公钥数据对所述混沌序列进行加密,生成加密文件;所述认证信息包括签名信息和加密文件。The step that the terminal processes the preset chaotic sequence according to the private key of the signature certificate and the public key of the encryption certificate to determine authentication information includes: the terminal signs the chaotic sequence according to the private key of the signature certificate , and generate signature information; the terminal encrypts the chaotic sequence according to the public key data of the encryption certificate to generate an encrypted file; the authentication information includes signature information and an encrypted file.

所述服务器根据所述签名证书公钥和所述加密证书私钥对所述认证信息进行验证的步骤,包括:The step that the server verifies the authentication information according to the public key of the signature certificate and the private key of the encrypted certificate, includes:

所述服务器根据所述加密证书私钥对所述加密文件进行解密;所述服务器根据所述签名证书公钥对所述签名信息进行验签。The server decrypts the encrypted file according to the private key of the encryption certificate; and the server verifies the signature information according to the public key of the signature certificate.

现有POS机在使用过程中经常需要进行签到操作,目的是更新工作密钥,使交易过程涉及的银行卡密码等敏感信息得到保护而不被泄露。在签到操作前,机器终端都需要与后台服务器进行双向认证,以确认双方的身份合法。The existing POS machine often needs to perform a sign-in operation in the process of use, the purpose is to update the working key, so that the sensitive information such as the bank card password involved in the transaction process can be protected from being leaked. Before the sign-in operation, the machine terminal needs to perform two-way authentication with the background server to confirm the legality of the identities of both parties.

密码算法是保障信息安全的核心技术,尤其是银行行业的核心领域,长期以来都是沿用三重数据加密算法、密码散列函数等国际通用的密码算法体系及相关标准。随着金融安全上升到国家安全高度程度,近年来国家有关机关和监管机构站在国家安全和长远战略的高度提出了推动国密算法应用实施、加强行业安全可控的要求。为摆脱对国外技术和产品的过度依赖,建设行业网络安全环境,增强我国行业信息方法的安全可控能力。Cryptographic algorithms are the core technology to ensure information security, especially in the core areas of the banking industry. For a long time, international common cryptographic algorithm systems and related standards such as triple data encryption algorithms and cryptographic hash functions have been used. As financial security has risen to the level of national security, in recent years, relevant state agencies and regulatory agencies have put forward the requirements of promoting the application and implementation of national secret algorithms and strengthening the security and controllability of the industry from the perspective of national security and long-term strategies. In order to get rid of excessive dependence on foreign technologies and products, build an industry network security environment, and enhance the security and controllability of my country's industry information methods.

POS行业通常用的双向认证实现中,密码算法都是使用国际密码算法,本申请提出一种使用国密密码算法的双向认证实现。In the two-way authentication implementation commonly used in the POS industry, the cryptographic algorithms all use international cryptographic algorithms. This application proposes a two-way authentication implementation using a national cryptographic algorithm.

POS行业通常用的双向认证实现中,会使用随机数和传输密钥进行机器终端和后台服务器的互相验证,但是因为实现过程较简单,安全程度并不高。本文提出一种在使用国密算法的基础上,使用双向随机数和加密、签名证书互相验证的方法,把双向认证的安全程度提高。In the two-way authentication implementation commonly used in the POS industry, random numbers and transmission keys are used for mutual authentication between the machine terminal and the background server, but because the implementation process is simple, the degree of security is not high. This paper proposes a method of mutual verification using two-way random numbers, encryption and signature certificates on the basis of using the national secret algorithm to improve the security of two-way authentication.

参照图2,示出了本发明的一种双向认证终端实施例的结构框图,具体可以包括如下模块:Referring to FIG. 2, it shows a structural block diagram of a two-way authentication terminal embodiment of the present invention, which may specifically include the following modules:

发送模块100:用于终端发送签名证书公钥,其中,所述签名证书公钥与所述终端预先储存的签名证书私钥相匹配。Sending module 100: used for the terminal to send the public key of the signature certificate, wherein the public key of the signature certificate matches the private key of the signature certificate stored in advance by the terminal.

接收模块200:用于所述终端接收加密证书公钥,其中,所述加密证书公钥为根据所述签名证书公钥确定所得。Receiving module 200: used for the terminal to receive an encryption certificate public key, wherein the encryption certificate public key is determined according to the signature certificate public key.

处理模块300:用于所述终端根据所述签名证书私钥和所述加密证书公钥对混沌序列处理,得到认证信息。Processing module 300: used by the terminal to process the chaotic sequence according to the private key of the signature certificate and the public key of the encrypted certificate to obtain authentication information.

认证模块400:用于所述终端发送所述认证信息。Authentication module 400: used for the terminal to send the authentication information.

所述处理模块300,还包括:The processing module 300 further includes:

第一模块:用于终端发送第一随机值。The first module: used for the terminal to send the first random value.

第二模块:用于所述终端接收第二随机值,其中,所述第二随机值根据所述第一随机值生成。The second module: for the terminal to receive a second random value, wherein the second random value is generated according to the first random value.

混沌模块:用于所述终端基于所述第二随机值和所述第一随机值确定混沌序列。Chaos module: used for the terminal to determine a chaotic sequence based on the second random value and the first random value.

所述处理模块300包括:The processing module 300 includes:

签名模块:所述终端根据所述签名证书私钥对所述混沌序列进行签名,生成签名信息。Signature module: the terminal signs the chaotic sequence according to the private key of the signature certificate, and generates signature information.

加密模块:所述终端根据所述加密证书公钥数据对所述混沌序列进行加密,生成加密文件;Encryption module: the terminal encrypts the chaotic sequence according to the public key data of the encryption certificate, and generates an encrypted file;

文件模块:所述认证信息包括签名信息和加密文件。File module: the authentication information includes signature information and encrypted files.

对于终端实施例而言,由于其与方法实施例基本相似,所以描述的比较简单,相关之处参见方法实施例的部分说明即可。As for the terminal embodiment, since it is basically similar to the method embodiment, the description is relatively simple, and for related parts, please refer to the partial description of the method embodiment.

本申请还包括一种双向认证服务器,所述服务器包括:The present application also includes a two-way authentication server, and the server includes:

签名证书模块:服务器接收签名证书公钥,其中,所述签名证书公钥与所签名证书私钥相匹配;Signature certificate module: the server receives the public key of the signature certificate, wherein the public key of the signature certificate matches the private key of the signed certificate;

加密证书模块:所述服务器发送加密证书公钥,其中,所述加密证书公钥与所述服务器预先储存的加密证书私钥相匹配;Encryption certificate module: the server sends an encryption certificate public key, wherein the encryption certificate public key matches the encryption certificate private key pre-stored by the server;

信息模块:所述服务器接收认证信息,其中,所述认证信息是根据所述签名证书私钥和所述加密证书公钥所得;Information module: the server receives authentication information, wherein the authentication information is obtained according to the private key of the signature certificate and the public key of the encryption certificate;

验证模块:所述服务器依据所述签名证书公钥和所述加密证书私钥对所述认证信息进行验证。Verification module: the server verifies the authentication information according to the public key of the signature certificate and the private key of the encryption certificate.

所述信息模块之前,还包括:Before the information module, it also includes:

第一随机值模块:用于所述服务器接收第一随机值;The first random value module: used for the server to receive the first random value;

第二随机值模块:所述服务器根据所述第一随机值生成并发送第二随机值。Second random value module: the server generates and sends a second random value according to the first random value.

所述验证模块包括:The verification module includes:

分解模块:用于将所述认证信息分解为加密文件和签名信息;Decomposition module: used to decompose the authentication information into encrypted files and signature information;

解密模块:用于所述服务器根据所述加密证书私钥对所述加密文件进行解密;Decryption module: used for the server to decrypt the encrypted file according to the private key of the encryption certificate;

验签模块:用于所述服务器根据所述签名证书公钥对所述签名信息进行验签。Signature verification module: used for the server to perform signature verification on the signature information according to the public key of the signature certificate.

参照图4,示出了现有认证方法实施例的步骤流程图,具体如下:机器终端产生随机数并用传输密钥加密,服务器后台有传输密钥对应的私钥,可以进行解密操作。解密出的数据对16个字节做三重数据加密算法计算得到检验值,比较验签值是否一致,一致则双向认证成功,不一致则双向认证失败。但是现有技术实现过程较简单,安全程度不高。Referring to FIG. 4 , a flow chart of steps of an embodiment of an existing authentication method is shown, as follows: the machine terminal generates a random number and encrypts it with a transmission key, and the server has a private key corresponding to the transmission key in the background, which can be decrypted. The decrypted data is calculated by triple data encryption algorithm on 16 bytes to obtain the check value, and the check value is compared to see if the check value is consistent. If they are consistent, the two-way authentication succeeds. However, the implementation process of the prior art is relatively simple, and the degree of security is not high.

参照图5,示出了本发明的一种双向认证的基于国密算法的步骤流程图,具体如下:国密算法用芯片的硬件实现,芯片厂商提供国密算法的软件接口,我们进行重新封装,加强软件接口的可读性,其中国密算法包含以下算法:SM2加密算法、SM2解密算法、SM2签名算法、SM2验签算法、SM3哈希值计算算法、SM4算法。Referring to Fig. 5, a flow chart of steps based on the national secret algorithm of a two-way authentication of the present invention is shown, and the details are as follows: the national secret algorithm is implemented by the hardware of the chip, the chip manufacturer provides the software interface of the national secret algorithm, and we repackage , to enhance the readability of the software interface, its Chinese encryption algorithm includes the following algorithms: SM2 encryption algorithm, SM2 decryption algorithm, SM2 signature algorithm, SM2 signature verification algorithm, SM3 hash value calculation algorithm, SM4 algorithm.

参照图6,示出了本发明一种双向认证方法实施例的步骤流程图,具体步骤如下:Referring to FIG. 6, a flow chart of steps of an embodiment of a two-way authentication method of the present invention is shown, and the specific steps are as follows:

在一个具体实施例中,包括:In a specific embodiment, it includes:

终端发送签名证书公钥至服务器,其中,所述签名证书公钥与所述终端预先储存的签名证书私钥相匹配;The terminal sends the public key of the signature certificate to the server, wherein the public key of the signature certificate matches the private key of the signature certificate stored in advance by the terminal;

所述终端接收所述服务器发送的加密证书公钥,其中,所述加密证书公钥与所述服务器预先储存的加密证书私钥相匹配;The terminal receives the encryption certificate public key sent by the server, wherein the encryption certificate public key matches the encryption certificate private key pre-stored by the server;

在一实施例中,终端产生第一混沌序列,将所述第一混沌序列中的部分值作为第一随机数,发送给服务器;In one embodiment, the terminal generates a first chaotic sequence, and uses part of the values in the first chaotic sequence as a first random number, and sends it to the server;

所述服务器根据所述第一随机数产生第二随机数;generating, by the server, a second random number according to the first random number;

所述终端接收所述第二随机数,将第二随机数和第一混沌序列以及第一随机数相结合,生成混沌序列。The terminal receives the second random number, and combines the second random number with the first chaotic sequence and the first random number to generate a chaotic sequence.

在一实施例中,终端产生48个字节的随机数,优选可以将终端生成48个随机字节的前16个字节作为第一随机数发送给服务器;In one embodiment, the terminal generates a random number of 48 bytes, preferably the first 16 bytes of the 48 random bytes generated by the terminal can be sent to the server as the first random number;

服务器根据第一随机数也就是16个字节产生第二随机数,服务器重新生成的16个字节,将服务器产生的16个字节作为第二随机数发送给终端;The server generates the second random number according to the first random number, that is, 16 bytes, and sends the 16 bytes regenerated by the server to the terminal as the second random number;

终端将第二随机数替换终端产生48个字节随机数的中间16个字节,将重新组合的48个字节作为混沌序列;The terminal replaces the middle 16 bytes of the 48-byte random number generated by the terminal with the second random number, and uses the recombined 48 bytes as the chaotic sequence;

终端读取加密证书的公钥数据,并用国密SM2算法加密48个字节的随机数;The terminal reads the public key data of the encryption certificate, and encrypts a 48-byte random number with the national secret SM2 algorithm;

终端再读取签名证书的私钥数据,用国密SM2算法签名48个字节随机数的哈希结果,所述哈希结果是通过用国密SM3算法计算得到;The terminal reads the private key data of the signature certificate again, and signs the hash result of the 48-byte random number with the national secret SM2 algorithm, and the hash result is obtained by calculating with the national secret SM3 algorithm;

终端发送将加密和签名数据生成认证信息发送给服务器;The terminal sends the encrypted and signed data to generate authentication information to the server;

服务器用解密证书的私钥和验签证书的公钥分别去解密和验签,具体用国密SM2、SM4算法分别去解密和验签;The server uses the private key of the decryption certificate and the public key of the verification certificate to decrypt and verify the signature respectively. Specifically, the national secret SM2 and SM4 algorithms are used to decrypt and verify the signature respectively;

若验签成功则双向认证成功,验签失败则双向认证失败。If the signature verification succeeds, the two-way authentication succeeds, and if the signature verification fails, the two-way authentication fails.

需要说明的是,对于方法实施例,为了简单描述,故将其都表述为一系列的动作组合,但是本领域技术人员应该知悉,本发明实施例并不受所描述的动作顺序的限制,因为依据本发明实施例,某些步骤可以采用其他顺序或者同时进行。其次,本领域技术人员也应该知悉,说明书中所描述的实施例均属于优选实施例,所涉及的动作并不一定是本发明实施例所必须的。It should be noted that, for the sake of simple description, the method embodiments are described as a series of action combinations, but those skilled in the art should know that the embodiments of the present invention are not limited by the described action sequences, because According to embodiments of the present invention, certain steps may be performed in other sequences or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions involved are not necessarily required by the embodiments of the present invention.

参照图3,示出了本发明的一种XX方法的计算机设备,具体可以包括如下:Referring to Fig. 3, a computer device of the XX method of the present invention is shown, which may specifically include the following:

在本发明实施例中,本发明还提供一种计算机设备,上述计算机设备12以通用计算设备的形式表现,计算机设备12的组件可以包括但不限于:一个或者多个处理器或者处理单元16,系统存储器28,连接不同系统组件(包括系统存储器28和处理单元16)的总线18。In an embodiment of the present invention, the present invention also provides a computer device, the above-mentioned computer device 12 is represented in the form of a general-purpose computing device, and the components of the computer device 12 may include but are not limited to: one or more processors or processing units 16, System memory 28, a bus 18 that connects various system components, including system memory 28 and processing unit 16.

总线18表示几类总线18结构中的一种或多种,包括存储器总线18或者存储器控制器,外围总线18,图形加速端口,处理器或者使用多种总线18结构中的任意总线18结构的局域总线18。举例来说,这些体系结构包括但不限于工业标准体系结构(ISA)总线18,微通道体系结构(MAC)总线18,增强型ISA总线18、音视频电子标准协会(VESA)局域总线18以及外围组件互连(PCI)总线18。The bus 18 represents one or more of several types of bus 18 structures, including a memory bus 18 or a memory controller, a peripheral bus 18, a graphics acceleration port, a processor, or an office using any of a variety of bus 18 structures. Domain bus 18. By way of example, these architectures include, but are not limited to, Industry Standard Architecture (ISA) bus 18, Micro Channel Architecture (MAC) bus 18, Enhanced ISA bus 18, Audio Video Electronics Standards Association (VESA) local bus 18, and Peripheral Component Interconnect (PCI) bus 18 .

计算机设备12典型地包括多种计算机系统可读介质。这些介质可以是任何能够被计算机设备12访问的可用介质,包括易失性和非易失性介质,可移动的和不可移动的介质。Computer device 12 typically includes a variety of computer system readable media. These media can be any available media that can be accessed by computer device 12, including both volatile and nonvolatile media, removable and non-removable media.

系统存储器28可以包括易失性存储器形式的计算机系统可读介质,例如随机存取存储器(RAM)31和/或高速缓存存储器32。计算机设备12可以进一步包括其他移动/不可移动的、易失性/非易失性计算机体统存储介质。仅作为举例,存储系统34可以用于读写不可移动的、非易失性磁介质(通常称为“硬盘驱动器”)。尽管图3中未示出,可以提供用于对可移动非易失性磁盘(如“软盘”)读写的磁盘驱动器,以及对可移动非易失性光盘(例如CD~ROM,DVD~ROM或者其他光介质)读写的光盘驱动器。在这些情况下,每个驱动器可以通过一个或者多个数据介质接口与总线18相连。存储器可以包括至少一个程序产品,该程序产品具有一组(例如至少一个)程序模块42,这些程序模块42被配置以执行本发明各实施例的功能。System memory 28 may include computer system readable media in the form of volatile memory, such as random access memory (RAM) 31 and/or cache memory 32 . Computer device 12 may further include other removable/non-removable, volatile/non-volatile computer system storage media. For example only, storage system 34 may be used to read and write to non-removable, non-volatile magnetic media (commonly referred to as "hard drives"). Although not shown in Figure 3, a magnetic disk drive may be provided for reading and writing to removable non-volatile magnetic disks (eg "floppy disks"), and removable non-volatile optical disks (eg CD-ROM, DVD-ROM) or other optical media) to read and write optical drives. In these cases, each drive may be connected to bus 18 through one or more data media interfaces. The memory may include at least one program product having a set (eg, at least one) of program modules 42 configured to perform the functions of various embodiments of the present invention.

具有一组(至少一个)程序模块42的程序/实用工具41,可以存储在例如存储器中,这样的程序模块42包括——但不限于——操作系统、一个或者多个应用程序、其他程序模块42以及程序数据,这些示例中的每一个或某种组合中可能包括网络环境的实现。程序模块42通常执行本发明所描述的实施例中的功能和/或方法。A program/utility 41 having a set (at least one) of program modules 42, which may be stored, for example, in memory, such program modules 42 including, but not limited to, an operating system, one or more application programs, other program modules 42 and program data, each or some combination of these examples may include an implementation of a network environment. Program modules 42 generally perform the functions and/or methods of the described embodiments of the present invention.

计算机设备12也可以与一个或多个外部设备14(例如键盘、指向设备、显示器24、摄像头等)通信,还可与一个或者多个使得用户能与该计算机设备12交互的设备通信,和/或与使得该计算机设备12能与一个或多个其它计算设备进行通信的任何设备(例如网卡,调制解调器等等)通信。这种通信可以通过输入/输出(I/O)接口22进行。并且,计算机设备12还可以通过网络适配器20与一个或者多个网络(例如局域网(LAN)),广域网(WAN)和/或公共网络(例如因特网)通信。如图所示,网络适配器21通过总线18与计算机设备12的其他模块通信。应当明白,尽管图中未示出,可以结合计算机设备12使用其他硬件和/或软件模块,包括但不限于:微代码、设备驱动器、冗余处理单元16、外部磁盘驱动阵列、RAID系统、磁带驱动器以及数据备份存储系统34等。The computer device 12 may also communicate with one or more external devices 14 (eg, a keyboard, pointing device, display 24, camera, etc.), may also communicate with one or more devices that enable a user to interact with the computer device 12, and/or Or with any device (eg, network card, modem, etc.) that enables the computer device 12 to communicate with one or more other computing devices. Such communication may take place through input/output (I/O) interface 22 . Also, the computer device 12 may communicate with one or more networks (eg, a local area network (LAN)), a wide area network (WAN), and/or a public network (eg, the Internet) through a network adapter 20 . As shown, network adapter 21 communicates with other modules of computer device 12 via bus 18 . It should be understood that, although not shown, other hardware and/or software modules may be used in conjunction with computer device 12, including but not limited to: microcode, device drivers, redundant processing units 16, external disk drive arrays, RAID systems, magnetic tapes drives and data backup storage systems 34 and the like.

处理单元16通过运行存储在系统存储器28中的程序,从而执行各种功能应用以及数据处理,例如实现本发明实施例所提供的双向认证方法。The processing unit 16 executes various functional applications and data processing by running the program stored in the system memory 28, for example, to implement the two-way authentication method provided by the embodiment of the present invention.

即上述处理单元16执行上述程序时实现:终端发送签名证书公钥至服务器,其中,所述签名证书公钥与所述终端预先储存的签名证书私钥相匹配;That is, when the above-mentioned processing unit 16 executes the above-mentioned program, it realizes: the terminal sends the public key of the signature certificate to the server, wherein the public key of the signature certificate matches the private key of the signature certificate stored in advance by the terminal;

所述终端接收所述服务器发送的加密证书公钥,其中,所述加密证书公钥与所述服务器预先储存的加密证书私钥相匹配;The terminal receives the encryption certificate public key sent by the server, wherein the encryption certificate public key matches the encryption certificate private key pre-stored by the server;

所述终端根据所述签名证书私钥和所述加密证书公钥对混沌序列处理,得到认证信息;The terminal processes the chaotic sequence according to the private key of the signature certificate and the public key of the encryption certificate to obtain authentication information;

所述终端发送所述认证信息至服务器,所述服务器根据所述签名证书公钥和所述加密证书私钥对所述认证信息进行验证。The terminal sends the authentication information to the server, and the server verifies the authentication information according to the public key of the signature certificate and the private key of the encryption certificate.

在本发明实施例中,本发明还提供一种计算机可读存储介质,其上存储有计算机程序,该程序被处理器执行时实现如本申请所有实施例提供的双向认证的方法。In an embodiment of the present invention, the present invention further provides a computer-readable storage medium on which a computer program is stored, and when the program is executed by a processor, implements the method for mutual authentication provided by all the embodiments of the present application.

也即,给程序被处理器执行时实现:终端发送签名证书公钥至服务器,其中,所述签名证书公钥与所述终端预先储存的签名证书私钥相匹配;That is, when the program is executed by the processor, the terminal sends the public key of the signature certificate to the server, wherein the public key of the signature certificate matches the private key of the signature certificate stored in advance by the terminal;

所述终端接收所述服务器发送的加密证书公钥,其中,所述加密证书公钥与所述服务器预先储存的加密证书私钥相匹配;The terminal receives the encryption certificate public key sent by the server, wherein the encryption certificate public key matches the encryption certificate private key pre-stored by the server;

所述终端根据所述签名证书私钥和所述加密证书公钥对混沌序列处理,得到认证信息;The terminal processes the chaotic sequence according to the private key of the signature certificate and the public key of the encryption certificate to obtain authentication information;

所述终端发送所述认证信息至服务器,所述服务器根据所述签名证书公钥和所述加密证书私钥对所述认证信息进行验证。The terminal sends the authentication information to the server, and the server verifies the authentication information according to the public key of the signature certificate and the private key of the encryption certificate.

可以采用一个或多个计算机可读的介质的任意组合。计算机可读介质可以是计算机克顿信号介质或者计算机可读存储介质。计算机可读存储介质例如可以是——但不限于——电、磁、光、电磁、红外线或半导体的方法、装置或器件,或者任意以上的组合。计算机可读存储介质的更具体的例子(非穷举的列表)包括:具有一个或多个导线的电连接、便携式计算机磁盘、硬盘、随机存取存储器(RAM)、只读存储器(ROM)、可擦可编程只读存储器(EPOM或闪存)、光纤、便携式紧凑磁盘只读存储器(CD~ROM)、光存储器件、磁存储器件或者上述的任意合适的组合。在本文件中,计算机可读存储介质可以是任何包含或存储程序的有形介质,该程序可以被指令执行方法、装置或者器件使用或者与其结合使用。Any combination of one or more computer-readable media may be employed. The computer-readable medium may be a computer-readable signal medium or a computer-readable storage medium. The computer readable storage medium can be, for example, but not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor method, apparatus or device, or a combination of any of the above. More specific examples (a non-exhaustive list) of computer readable storage media include: electrical connections having one or more wires, portable computer disks, hard disks, random access memory (RAM), read only memory (ROM), Erasable Programmable Read Only Memory (EPOM or flash memory), optical fiber, portable compact disk read only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination of the above. In this document, a computer-readable storage medium can be any tangible medium that contains or stores a program that can be used by or in connection with an instruction execution method, apparatus, or device.

计算机可读的信号介质可以包括在基带中或者作为载波一部分传播的数据信号,其中承载了计算机可读的程序代码。这种传播的数据信号可以采用多种形式,包括——但不限于——电磁信号、光信号或上述的任意合适的组合。计算机可读的信号介质还可以是计算机可读存储介质以外的任何计算机可读介质,改计算机可读介质可以发送、传播或者传输用于由指令执行方法、装置或者器件使用或者与其结合使用的程序。A computer-readable signal medium may include a propagated data signal in baseband or as part of a carrier wave, with computer-readable program code embodied thereon. Such propagated data signals may take a variety of forms including, but not limited to, electromagnetic signals, optical signals, or any suitable combination of the foregoing. A computer-readable signal medium can also be any computer-readable medium other than a computer-readable storage medium, which can transmit, propagate, or transmit a program for use by or in conjunction with an instruction execution method, apparatus, or device. .

可以以一种或多种程序设计语言或其组合来编写用于执行本发明操作的计算机程序代码,上述程序设计语言包括面向对象的程序设计语言——诸如Java、Smalltalk、C++,还包括常规的过程式程序设计语言——诸如“C”语言或类似的程序设计语言。程序代码可以完全地在用户计算机上执行、部分地在用户计算机上执行、作为一个独立的软件包执行、部分在用户计算机上部分在远程计算机上执行或者完全在远程计算机或者服务器上执行。在涉及远程计算机的情形中,远程计算机可以通过任意种类的网络——包括局域网(LAN)或广域网(WAN)——连接到用户计算机,或者,可以连接到外部计算机(例如利用因特网服务提供商来通过因特网连接)。Computer program code for carrying out operations of the present invention may be written in one or more programming languages, including object-oriented programming languages such as Java, Smalltalk, C++, and conventional Procedural programming language - such as the "C" language or similar programming language. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computer (eg, using an Internet service provider to via Internet connection).

本说明书中的各个实施例均采用递进的方式描述,每个实施例重点说明的都是与其他实施例的不同之处,各个实施例之间相同相似的部分互相参见即可。The various embodiments in this specification are described in a progressive manner, and each embodiment focuses on the differences from other embodiments, and the same and similar parts between the various embodiments may be referred to each other.

本领域内的技术人员应明白,本发明实施例的实施例可提供为方法、装置、或计算机程序产品。因此,本发明实施例可采用完全硬件实施例、完全软件实施例、或结合软件和硬件方面的实施例的形式。而且,本发明实施例可采用在一个或多个其中包含有计算机可用程序代码的计算机可用存储介质(包括但不限于磁盘存储器、CD-ROM、光学存储器等)上实施的计算机程序产品的形式。It should be understood by those skilled in the art that the embodiments of the embodiments of the present invention may be provided as a method, an apparatus, or a computer program product. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present invention may take the form of a computer program product implemented on one or more computer-usable storage media having computer-usable program code embodied therein, including but not limited to disk storage, CD-ROM, optical storage, and the like.

本发明实施例是参照根据本发明实施例的方法、终端设备(方法)、和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/或方框、以及流程图和/或方框图中的流程和/或方框的结合。可提供这些计算机程序指令到通用计算机、专用计算机、嵌入式处理机或其他可编程数据处理终端设备的处理器以产生一个机器,使得通过计算机或其他可编程数据处理终端设备的处理器执行的指令产生用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的装置。Embodiments of the present invention are described with reference to flowcharts and/or block diagrams of methods, terminal devices (methods), and computer program products according to embodiments of the present invention. It will be understood that each flow and/or block in the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general purpose computer, special purpose computer, embedded processor or other programmable data processing terminal equipment to produce a machine that causes the instructions to be executed by the processor of the computer or other programmable data processing terminal equipment Means are created for implementing the functions specified in the flow or flows of the flowcharts and/or the blocks or blocks of the block diagrams.

这些计算机程序指令也可存储在能引导计算机或其他可编程数据处理终端设备以特定方式工作的计算机可读存储器中,使得存储在该计算机可读存储器中的指令产生包括指令装置的制造品,该指令装置实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能。These computer program instructions may also be stored in a computer readable memory capable of directing a computer or other programmable data processing terminal equipment to operate in a particular manner, such that the instructions stored in the computer readable memory result in an article of manufacture comprising instruction means, the The instruction means implement the functions specified in the flow or flow of the flowcharts and/or the block or blocks of the block diagrams.

这些计算机程序指令也可装载到计算机或其他可编程数据处理终端设备上,使得在计算机或其他可编程终端设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程终端设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。These computer program instructions can also be loaded on a computer or other programmable data processing terminal equipment, so that a series of operational steps are performed on the computer or other programmable terminal equipment to produce a computer-implemented process, thereby executing on the computer or other programmable terminal equipment The instructions executed on the above provide steps for implementing the functions specified in the flowchart or blocks and/or the block or blocks of the block diagrams.

尽管已描述了本发明实施例的优选实施例,但本领域内的技术人员一旦得知了基本创造性概念,则可对这些实施例做出另外的变更和修改。所以,所附权利要求意欲解释为包括优选实施例以及落入本发明实施例范围的所有变更和修改。Although preferred embodiments of the embodiments of the present invention have been described, additional changes and modifications to these embodiments may be made by those skilled in the art once the basic inventive concepts are known. Therefore, the appended claims are intended to be construed to include the preferred embodiments as well as all changes and modifications that fall within the scope of the embodiments of the present invention.

最后,还需要说明的是,在本文中,诸如第一和第二等之类的关系术语仅仅用来将一个实体或者操作与另一个实体或操作区分开来,而不一定要求或者暗示这些实体或操作之间存在任何这种实际的关系或者顺序。而且,术语“包括”、“包含”或者其任何其他变体意在涵盖非排他性的包含,从而使得包括一系列要素的过程、方法、物品或者终端设备不仅包括那些要素,而且还包括没有明确列出的其他要素,或者是还包括为这种过程、方法、物品或者终端设备所固有的要素。在没有更多限制的情况下,由语句“包括一个……”限定的要素,并不排除在包括所述要素的过程、方法、物品或者终端设备中还存在另外的相同要素。Finally, it should also be noted that in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply these entities or that there is any such actual relationship or sequence between operations. Moreover, the terms "comprising", "comprising" or any other variation thereof are intended to encompass non-exclusive inclusion, such that a process, method, article or terminal device comprising a list of elements includes not only those elements, but also a non-exclusive list of elements. other elements, or also include elements inherent to such a process, method, article or terminal equipment. Without further limitation, an element defined by the phrase "comprises a..." does not preclude the presence of additional identical elements in the process, method, article or terminal device comprising said element.

以上对本发明所提供的一种双向认证方法,进行了详细介绍,本文中应用了具体个例对本发明的原理及实施方式进行了阐述,以上实施例的说明只是用于帮助理解本发明的方法及其核心思想;同时,对于本领域的一般技术人员,依据本发明的思想,在具体实施方式及应用范围上均会有改变之处,综上所述,本说明书内容不应理解为对本发明的限制。A two-way authentication method provided by the present invention has been introduced in detail above. The principles and implementations of the present invention are described with specific examples in this paper. Its core idea; at the same time, for those skilled in the art, according to the idea of the present invention, there will be changes in the specific implementation and application scope. limit.

Claims (10)

1. A bidirectional authentication method is applied to bidirectional authentication of a POS machine terminal and a background server, and is characterized by comprising the following steps:
the terminal sends a public key of a signature certificate to the server, wherein the public key of the signature certificate is matched with a private key of the signature certificate stored in the terminal in advance;
the terminal receives an encrypted certificate public key sent by the server, wherein the encrypted certificate public key is matched with an encrypted certificate private key stored in the server in advance;
the terminal processes the chaotic sequence according to the signature certificate private key and the encryption certificate public key to obtain authentication information;
and the terminal sends the authentication information to a server, and the server verifies the authentication information according to the public key of the signature certificate and the private key of the encryption certificate.
2. The mutual authentication method according to claim 1, wherein before the step of processing the chaotic sequence by the terminal according to the private key of the signature certificate and the public key of the encryption certificate to obtain the authentication information, the method further comprises:
the terminal sends a first random value to a server;
the terminal receives a second random value of the server, wherein the second random value is generated by the server according to the first random value;
the terminal determines a chaotic sequence based on the second random value and the first random value.
3. The mutual authentication method according to claim 2, wherein the step of the terminal processing the chaotic sequence according to the private key of the signature certificate and the public key of the encryption certificate to obtain the authentication information comprises:
the terminal signs the chaotic sequence according to the private key of the signature certificate to generate signature information;
the terminal encrypts the chaotic sequence according to the public key data of the encryption certificate to generate an encrypted file;
the authentication information includes the signature information and the encrypted file.
4. The mutual authentication method according to claim 3, wherein the step of verifying the authentication information by the server according to the public key of the signature certificate and the private key of the encryption certificate comprises:
the server decrypts the encrypted file according to the private key of the encrypted certificate;
and the server checks the signature information according to the public key of the signature certificate.
5. A bi-directional authentication terminal, characterized in that the terminal comprises:
a sending module: the terminal is used for sending a public key of a signature certificate, wherein the public key of the signature certificate is matched with a private key of the signature certificate stored in the terminal in advance;
a receiving module: the system comprises a public key module, a public key module and a public key module, wherein the public key module is used for receiving an encrypted certificate public key, and the encrypted certificate public key is determined according to the signature certificate public key;
a processing module: the system is used for processing the chaotic sequence according to the private key of the signature certificate and the public key of the encryption certificate to obtain authentication information;
an authentication module: for sending the authentication information.
6. The mutual authentication terminal as claimed in claim 5, wherein the processing module further comprises:
a first module: for transmitting a first random value;
a second module: for receiving a second random value, wherein the second random value is generated according to the first random value;
a chaotic module: and the chaotic sequence is determined according to the second random value and the first random value.
7. The mutual authentication terminal as claimed in claim 5, wherein the processing module comprises:
a signature module: the private key is used for signing the chaotic sequence according to the private key of the signature certificate to generate signature information;
an encryption module: the encryption device is used for encrypting the chaotic sequence according to the public key data of the encryption certificate to generate an encrypted file;
a file module: the authentication information comprises signature information and an encrypted file.
8. A mutual authentication server, wherein the server comprises:
a signature certificate module: the system comprises a public key module, a public key module and a private key module, wherein the public key module is used for receiving a signature certificate public key, and the signature certificate public key is matched with a signature certificate private key;
an encryption certificate module: the system comprises a public key module, a public key module and a public key module, wherein the public key module is used for sending an encrypted certificate public key, and the encrypted certificate public key is matched with a prestored encrypted certificate private key;
an information module: the system is used for receiving authentication information, wherein the authentication information is obtained according to the private key of the signature certificate and the public key of the encryption certificate;
a verification module: and the authentication information is verified according to the public key of the signature certificate and the private key of the encryption certificate.
9. Electronic device, characterized in that it comprises a processor, a memory and a computer program stored on said memory and capable of running on said processor, said computer program, when executed by said processor, implementing the steps of the mutual authentication method according to any one of claims 1 to 4.
10. Computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when being executed by a processor, carries out the steps of the mutual authentication method according to any one of claims 1 to 4.
CN202010797811.4A 2020-08-10 2020-08-10 Bidirectional authentication method, terminal and server Pending CN111931158A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010797811.4A CN111931158A (en) 2020-08-10 2020-08-10 Bidirectional authentication method, terminal and server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010797811.4A CN111931158A (en) 2020-08-10 2020-08-10 Bidirectional authentication method, terminal and server

Publications (1)

Publication Number Publication Date
CN111931158A true CN111931158A (en) 2020-11-13

Family

ID=73307831

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010797811.4A Pending CN111931158A (en) 2020-08-10 2020-08-10 Bidirectional authentication method, terminal and server

Country Status (1)

Country Link
CN (1) CN111931158A (en)

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112508138A (en) * 2020-11-18 2021-03-16 北京融讯科创技术有限公司 Single board server management method, device, equipment and computer readable storage medium
CN113592484A (en) * 2021-07-16 2021-11-02 支付宝(杭州)信息技术有限公司 Account cubing method, system and device
CN114331456A (en) * 2021-12-29 2022-04-12 中国农业银行股份有限公司 A communication method, apparatus, system and readable storage medium
CN114374522A (en) * 2022-03-22 2022-04-19 杭州美创科技有限公司 Trusted device authentication method and device, computer device and storage medium
CN114398625A (en) * 2021-12-23 2022-04-26 青岛畅索科技有限公司 Terminal authentication method and device, terminal equipment and storage medium
CN114692120A (en) * 2020-12-30 2022-07-01 成都鼎桥通信技术有限公司 State password authentication method, virtual machine, terminal equipment, system and storage medium
CN114785532A (en) * 2022-06-22 2022-07-22 广州万协通信息技术有限公司 Security chip communication method and device based on bidirectional signature authentication
CN115001864A (en) * 2022-07-27 2022-09-02 深圳市西昊智能家具有限公司 Communication authentication method and device for intelligent furniture, computer equipment and storage medium
CN115150158A (en) * 2022-06-30 2022-10-04 深圳前海微众银行股份有限公司 Remote identity authentication method, device, device and storage medium
CN115378998A (en) * 2022-08-22 2022-11-22 中国工商银行股份有限公司 Service calling method, device, system, computer equipment and storage medium
CN115514480A (en) * 2022-09-30 2022-12-23 深圳奇迹智慧网络有限公司 Data interaction method and readable storage medium
CN115706979A (en) * 2021-08-10 2023-02-17 中移(杭州)信息技术有限公司 Signature method, related device and storage medium
CN115913618A (en) * 2022-09-27 2023-04-04 武汉安天信息技术有限责任公司 Method, medium and terminal for ensuring TCP communication security based on hybrid encryption
CN116800487A (en) * 2023-06-14 2023-09-22 启明信息技术股份有限公司 An authentication method based on secure transmission of Internet of Vehicles
CN117521052A (en) * 2024-01-04 2024-02-06 中国电信股份有限公司江西分公司 A server privacy protection authentication method, device, computer equipment and media
CN118400098A (en) * 2024-04-30 2024-07-26 河南省信息化集团有限公司 Secret key safety management method and system based on random number encryption key
CN118984248A (en) * 2024-09-10 2024-11-19 广东省电子商务认证有限公司 WAPI certificate application method, device, equipment and storage medium
CN119182588A (en) * 2024-09-09 2024-12-24 西安热工研究院有限公司 Symmetric encryption transmission method, device, medium and program product based on TCM
CN119449316A (en) * 2024-09-14 2025-02-14 招商银行股份有限公司 Key distribution method, system, device, storage medium and program product

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101662705A (en) * 2009-10-19 2010-03-03 国网信息通信有限公司 Equipment authentication method of Ethernet passive optical network (EPON) and system thereof
CN101771535A (en) * 2008-12-30 2010-07-07 上海茂碧信息科技有限公司 Mutual authentication method between terminal and server
CN104426657A (en) * 2013-08-23 2015-03-18 阿里巴巴集团控股有限公司 Service authentication method and system, server
CN105162760A (en) * 2015-07-28 2015-12-16 郝孟一 Random draw-off method, apparatus and system
CN105872848A (en) * 2016-06-13 2016-08-17 北京可信华泰信息技术有限公司 Credible two-way authentication method applicable to asymmetric resource environment
CN106453330A (en) * 2016-10-18 2017-02-22 深圳市金立通信设备有限公司 Identity authentication method and system
CN106603485A (en) * 2016-10-31 2017-04-26 美的智慧家居科技有限公司 Secret key negotiation method and device
CN106656481A (en) * 2016-10-28 2017-05-10 美的智慧家居科技有限公司 Identity authentication method, apparatus and system
CN107094156A (en) * 2017-06-21 2017-08-25 北京明朝万达科技股份有限公司 A kind of safety communicating method and system based on P2P patterns
WO2018113362A1 (en) * 2016-12-20 2018-06-28 百富计算机技术(深圳)有限公司 Remote key acquisition method, point-of-sale terminal and storage medium
CN108512846A (en) * 2018-03-30 2018-09-07 北京邮电大学 Mutual authentication method and device between a kind of terminal and server
CN109309565A (en) * 2017-07-28 2019-02-05 中国移动通信有限公司研究院 Method and device for security authentication

Patent Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101771535A (en) * 2008-12-30 2010-07-07 上海茂碧信息科技有限公司 Mutual authentication method between terminal and server
CN101662705A (en) * 2009-10-19 2010-03-03 国网信息通信有限公司 Equipment authentication method of Ethernet passive optical network (EPON) and system thereof
CN104426657A (en) * 2013-08-23 2015-03-18 阿里巴巴集团控股有限公司 Service authentication method and system, server
CN105162760A (en) * 2015-07-28 2015-12-16 郝孟一 Random draw-off method, apparatus and system
CN105872848A (en) * 2016-06-13 2016-08-17 北京可信华泰信息技术有限公司 Credible two-way authentication method applicable to asymmetric resource environment
CN106453330A (en) * 2016-10-18 2017-02-22 深圳市金立通信设备有限公司 Identity authentication method and system
CN106656481A (en) * 2016-10-28 2017-05-10 美的智慧家居科技有限公司 Identity authentication method, apparatus and system
CN106603485A (en) * 2016-10-31 2017-04-26 美的智慧家居科技有限公司 Secret key negotiation method and device
WO2018113362A1 (en) * 2016-12-20 2018-06-28 百富计算机技术(深圳)有限公司 Remote key acquisition method, point-of-sale terminal and storage medium
CN107094156A (en) * 2017-06-21 2017-08-25 北京明朝万达科技股份有限公司 A kind of safety communicating method and system based on P2P patterns
CN109309565A (en) * 2017-07-28 2019-02-05 中国移动通信有限公司研究院 Method and device for security authentication
CN108512846A (en) * 2018-03-30 2018-09-07 北京邮电大学 Mutual authentication method and device between a kind of terminal and server

Cited By (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112508138B (en) * 2020-11-18 2024-03-26 北京融讯科创技术有限公司 Single board server management method, device, equipment and computer readable storage medium
CN112508138A (en) * 2020-11-18 2021-03-16 北京融讯科创技术有限公司 Single board server management method, device, equipment and computer readable storage medium
CN114692120A (en) * 2020-12-30 2022-07-01 成都鼎桥通信技术有限公司 State password authentication method, virtual machine, terminal equipment, system and storage medium
CN113592484A (en) * 2021-07-16 2021-11-02 支付宝(杭州)信息技术有限公司 Account cubing method, system and device
CN115706979A (en) * 2021-08-10 2023-02-17 中移(杭州)信息技术有限公司 Signature method, related device and storage medium
CN114398625A (en) * 2021-12-23 2022-04-26 青岛畅索科技有限公司 Terminal authentication method and device, terminal equipment and storage medium
CN114331456A (en) * 2021-12-29 2022-04-12 中国农业银行股份有限公司 A communication method, apparatus, system and readable storage medium
CN114374522A (en) * 2022-03-22 2022-04-19 杭州美创科技有限公司 Trusted device authentication method and device, computer device and storage medium
CN114374522B (en) * 2022-03-22 2022-06-28 杭州美创科技有限公司 Trusted device authentication method and device, computer device and storage medium
CN114785532A (en) * 2022-06-22 2022-07-22 广州万协通信息技术有限公司 Security chip communication method and device based on bidirectional signature authentication
CN115150158A (en) * 2022-06-30 2022-10-04 深圳前海微众银行股份有限公司 Remote identity authentication method, device, device and storage medium
CN115001864A (en) * 2022-07-27 2022-09-02 深圳市西昊智能家具有限公司 Communication authentication method and device for intelligent furniture, computer equipment and storage medium
CN115378998B (en) * 2022-08-22 2024-02-02 中国工商银行股份有限公司 Service calling method, device, system, computer equipment and storage medium
CN115378998A (en) * 2022-08-22 2022-11-22 中国工商银行股份有限公司 Service calling method, device, system, computer equipment and storage medium
CN115913618A (en) * 2022-09-27 2023-04-04 武汉安天信息技术有限责任公司 Method, medium and terminal for ensuring TCP communication security based on hybrid encryption
CN115514480A (en) * 2022-09-30 2022-12-23 深圳奇迹智慧网络有限公司 Data interaction method and readable storage medium
CN116800487A (en) * 2023-06-14 2023-09-22 启明信息技术股份有限公司 An authentication method based on secure transmission of Internet of Vehicles
CN117521052A (en) * 2024-01-04 2024-02-06 中国电信股份有限公司江西分公司 A server privacy protection authentication method, device, computer equipment and media
CN118400098A (en) * 2024-04-30 2024-07-26 河南省信息化集团有限公司 Secret key safety management method and system based on random number encryption key
CN118400098B (en) * 2024-04-30 2025-06-17 河南省信息化集团有限公司 A private key security management method and system based on random number encryption key
CN119182588A (en) * 2024-09-09 2024-12-24 西安热工研究院有限公司 Symmetric encryption transmission method, device, medium and program product based on TCM
CN119182588B (en) * 2024-09-09 2025-10-10 西安热工研究院有限公司 Symmetric encryption transmission method, device, medium and program product based on TCM
CN118984248A (en) * 2024-09-10 2024-11-19 广东省电子商务认证有限公司 WAPI certificate application method, device, equipment and storage medium
CN119449316A (en) * 2024-09-14 2025-02-14 招商银行股份有限公司 Key distribution method, system, device, storage medium and program product
CN119449316B (en) * 2024-09-14 2025-11-14 招商银行股份有限公司 Key distribution methods, systems, devices, storage media, and program products

Similar Documents

Publication Publication Date Title
CN111931158A (en) Bidirectional authentication method, terminal and server
CN110692214B (en) Methods and systems for ownership verification using blockchain
CN108366069B (en) Bidirectional authentication method and system
CN103370688B (en) A system and method for generating multi-factor personalized server strong keys from simple user passwords
US11711213B2 (en) Master key escrow process
CN112232814B (en) Encryption and decryption methods of payment key, payment authentication method and terminal equipment
CN106533665B (en) Mthods, systems and devices for storing website private key plaintext
CN115225268A (en) Using elliptic curve cryptography for personal device security to share secrets
CN107210914A (en) Method for secure credential provisioning
CN105790938A (en) System and method for generating safety unit key based on reliable execution environment
US20250021631A1 (en) Systems and methods for whitebox device binding
CN114270386A (en) Authenticator application for consent framework
CN107908574A (en) The method for security protection of solid-state disk data storage
US20130212391A1 (en) Elliptic curve cryptographic signature
US8769301B2 (en) Product authentication based upon a hyperelliptic curve equation and a curve pairing function
CN110719174B (en) Ukey-based certificate issuing method
CN108418692A (en) The online wiring method of certification certificate
TWI476629B (en) Data security and security systems and methods
CN114048513A (en) A one-time digital certificate application and signature system and method
CN111817856B (en) Identity authentication method and system based on zero-knowledge proof and password technology
CN114297355A (en) Method and system for establishing secure session, solid state disk and terminal equipment
KR102848801B1 (en) Authentication server that can perform public key management using authentication blocks and the operating method thereof
CN118611909A (en) Decryption method, encryption method, device, electronic device and storage medium
CN120752656A (en) System and method for dynamic integration of user-supplied data with one-time password authentication passwords
TWI702820B (en) Secret sharing signature system with hierarchical mechanism and method thereof

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201113

RJ01 Rejection of invention patent application after publication