HK1229972B - Method, device and system for authenticating terminal device - Google Patents
- Publication number
- HK1229972B
- Authority
- HK
- Hong Kong
- Prior art keywords
- terminal
- key
- authorization
- decryption
- device identifier
Description
Technical Field
The present application relates to the field of communication information processing, and in particular to a terminal device authentication method, device and system.
Background Art
With the development of the mobile Internet and the Internet of Things, terminal devices including wearable devices (such as smart bracelets and smart watches) are becoming more and more popular and are gradually becoming the development trend of future smart mobile product applications.
Wearable devices often contain a variety of sensitive information, including the user's accounts, identity, communications, and property. If an attacker obtains the permissions of a wearable device through malicious phishing, terminal spoofing, information interception or similar attacks, the user could suffer immeasurable losses. Consequently, the security authorization and authentication of wearable devices is receiving increasing attention. Security application products based on wearable devices are also beginning to emerge. Their solutions mainly consist of the wearable device authorizing and authenticating a smart terminal (such as a mobile smartphone or a smart appliance) based on a signature code of the smart terminal or of a third-party application.
However, the signature code used in existing wearable device authorization and authentication solutions is usually a single, unchanging signature code, and the authentication process usually employs one-way authentication over channels with a lower security level, such as Wi-Fi or Bluetooth. Prior-art authorization and authentication methods can easily lead to the signature code being intercepted or leaked, or to a forged smart terminal being used for spoofing in order to obtain the permissions of the wearable device. The authorization and authentication methods for wearable devices in the prior art therefore still present significant security risks.
Summary of the Invention
The purpose of this application is to provide a terminal device authentication method, device and system that can provide two-way authentication during the authorization process for smart terminal devices including wearable devices, thereby improving the security of terminal device authorization and authentication.
The terminal device authentication method, device and system provided by the present application are implemented as follows:
A terminal device authentication method, the method comprising:
The first terminal sends an authorization activation request message generated by encrypting, with a stored preset key, a generated first key and the first device identifier of the first terminal;
The second terminal obtains the authorization activation request message, decrypts it using the stored preset key, and determines whether to activate device authorization based on the decryption result;
When the decryption result is successful, an authorization activation result message is sent, generated by encrypting the second device identifier of the second terminal using the first key obtained by the decryption;
The first terminal obtains the authorization activation result message and decrypts it using the first key; if the decryption is successful, the device authorization is activated.
A terminal device authentication method, the method comprising:
The first terminal sends an authorization request message generated by encrypting, with the stored first key, a generated second key and the first device identifier of the first terminal;
The second terminal obtains the authorization request message and decrypts it using the stored first key; when the decryption is successful, it determines whether a first authorized device identifier corresponding to the first device identifier obtained by the decryption is stored;
When the judgment result is yes, the second terminal authorizes the first terminal based on the first device identifier, and sends an authorization result message generated by encrypting the second device identifier of the second terminal using the second key obtained by the decryption;
The first terminal obtains the authorization result message and decrypts it using the second key; when the decryption is successful, it determines whether a second authorized device identifier corresponding to the second device identifier obtained by the decryption is stored, and determines whether to authorize the second terminal based on the judgment result.
A terminal device authentication method, the method comprising:
The first terminal sends an authorization request message generated by encrypting, with the stored first key, a generated second key and the first device identifier of the first terminal;
The first terminal obtains the authorization result message sent by the second terminal and decrypts it using the second key;
When the decryption is successful, the first terminal determines whether a second authorized device identifier corresponding to the second device identifier obtained by the decryption is stored, and determines whether to authorize the second terminal based on the judgment result.
A terminal device authentication method, the method comprising:
The second terminal obtains the authorization request message sent by the first terminal and decrypts it using the stored first key;
When the decryption is successful, the second terminal determines whether a first authorized device identifier corresponding to the first device identifier obtained by the decryption is stored;
When the judgment result is yes, the second terminal authorizes the first terminal based on the first device identifier, and sends an authorization result message generated by encrypting the second device identifier of the second terminal using the second key obtained by the decryption.
A terminal device authentication device, the device comprising:
A first storage unit, configured to store the generated first key and the obtained second authorized device identifier of the second terminal;
A first encryption unit, configured to generate a second key, and to encrypt the second key and the obtained first device identifier using the first key to generate an authorization request message;
A first communication module, configured to send the authorization request message and to receive the authorization result message sent by the second terminal;
A first decryption judgment unit, configured to decrypt the authorization result message using the second key and, when the decryption is successful, to judge whether the first storage unit stores a second authorized device identifier corresponding to the second device identifier obtained by the decryption;
A first authorization module, configured to determine whether to authorize the second terminal based on the judgment result of the first decryption judgment unit.
A terminal device authentication device, the device comprising:
A second communication module, configured to receive the authorization request message sent by the first terminal and to send the authorization result message;
A second storage unit, configured to store the obtained first authorized device identifier of the first terminal and the first key;
A second decryption judgment unit, configured to decrypt the authorization request message using the stored first key and, when the decryption is successful, to judge whether the second storage unit stores a first authorized device identifier corresponding to the first device identifier;
A second authorization module, configured to determine, based on the judgment result of the second decryption judgment unit, whether to authorize the first terminal corresponding to the first device identifier;
A second encryption unit, configured to encrypt the second device identifier of the second terminal using the second key to generate the authorization result message when the judgment result of the second decryption judgment unit is yes.
A terminal device authentication system, the system comprising:
A first terminal, configured to send an authorization request message generated by encrypting, with the stored first key, a generated second key and the first device identifier of the first terminal; further configured to obtain the authorization result message sent by the second terminal and decrypt it using the second key; and further configured to determine, when the decryption is successful, whether a second authorized device identifier corresponding to the second device identifier obtained by the decryption is stored, and to determine whether to authorize the second terminal based on the judgment result;
A second terminal, configured to obtain the authorization request message sent by the first terminal and decrypt it using the stored first key; further configured to determine, when the decryption is successful, whether a first authorized device identifier corresponding to the first device identifier obtained by the decryption is stored; and further configured, when the judgment result is yes, to authorize the first terminal based on the first device identifier and to send an authorization result message generated by encrypting the second device identifier of the second terminal using the second key obtained by the decryption.
The terminal device authentication method, device and system provided by the present application can secure both the activation of device authorization and the authentication of device authorization between multiple terminals. The first terminal can use a pre-stored preset key to encrypt the verification key and its device identifier to form an authorization activation request message, so that only a second terminal that also stores the preset key can decrypt it, which completes one side of the authentication of the authorization activation. The verification key obtained by decryption can then be used to encrypt the device identifier of the second terminal, and the result is decrypted by the first terminal. Only when that decryption succeeds is authorization authentication activated for the first terminal, which completes the two-way authentication of the terminal device's authorization activation request. Furthermore, after authorization has been activated and the device identifier of the authorized device has been obtained, the terminal device authentication method provided by the present application can be used to authorize and authenticate permissions for the terminal device or for applications on the device. The device authorization process still uses two-way authentication between the terminals, and the device identifier and the verification key are included in the two-way authentication message exchange. In the preferred embodiment, the verification key can also be dynamically updated, which can greatly improve the authorization authentication of terminal devices such as wearable devices and improve the security of terminal device authorization authentication.
Brief Description of the Drawings
In order to illustrate the technical solutions in the embodiments of the present application or in the prior art more clearly, the drawings used in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only some of the embodiments recorded in this application. A person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
FIG. 1 is a schematic flow chart of one embodiment of a terminal device authentication method of the present application;
FIG. 2 is a schematic flow chart of one embodiment of a terminal device authentication method of the present application;
FIG. 3 is a schematic flow chart of another embodiment of a terminal device authentication method of the present application;
FIG. 4 is a schematic flow chart of another embodiment of a terminal device authentication method of the present application;
FIG. 5 is a schematic diagram of the module structure of one embodiment of a terminal device authentication device of the present application;
FIG. 6 is a schematic diagram of the module structure of another embodiment of a terminal device authentication device of the present application;
FIG. 7 is a schematic diagram of the module structure of another embodiment of a terminal device authentication device of the present application;
FIG. 8 is a schematic diagram of the module structure of one embodiment of a terminal device authentication device of the present application;
FIG. 9 is a schematic diagram of the module structure of another embodiment of a terminal device authentication device of the present application;
FIG. 10 is a schematic diagram of the module structure of another embodiment of a terminal device authentication device of the present application.
Detailed Description
In order to enable those skilled in the art to better understand the technical solutions in this application, the technical solutions in the embodiments of this application are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of this application, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments in this application, without creative effort, fall within the scope of protection of this application.
The terminals described in this application may include, but are not limited to, wearable terminal devices. The authorization and authentication of the terminal device covers, without limitation, application scenarios in which a terminal device on the user side connects to the Internet over Wi-Fi, a cellular mobile network or a similar connection and performs authorization and authentication with a terminal device on the server side, as well as scenarios in which it connects to other smart terminal devices over the Bluetooth transmission protocol, NFC near-field communication, a wired connection or similar means and performs authorization and authentication. Below, this application takes the authorization and authentication between a wearable terminal device and a smart mobile phone as an example to explain the method and device in detail. The wearable devices described in this application include, but are not limited to, wearable items such as watches, glasses, shoes, hats, clothing and jewelry that are equipped with smart processing chips.
Before authorization authentication is performed between terminal devices, it is possible to first verify whether the terminal device requesting authorization authentication is trustworthy. Once that verification passes, authorization authentication can be activated for the requesting terminal device, and the actual authorization can then be performed. This preliminary check of whether to activate authorization authentication for a terminal device can effectively reduce authorization authentication by illegal terminal devices, and blocks authorization authentication communication between wearable devices or other terminal devices and illegal terminals as early as possible. FIG. 1 is a schematic flow chart of one embodiment of a terminal device authentication method described in this application. As shown in FIG. 1, the method may include:
S1: The first terminal sends an authorization activation request message generated by encrypting, with a stored preset key, a generated first key and the first device identifier of the first terminal.
The first terminal encrypts the generated first key key1 and the first device identifier of the first terminal using the stored preset key key0 to form an authorization activation request message MSG_A1, and sends the authorization activation request message MSG_A1.
The first terminal can be the smartphone mentioned above, and in other application scenarios it can be another mobile smart terminal. In this embodiment, the terminal device that sends the authorization activation request message MSG_A1 is treated as the first terminal, and the terminal device that receives the authorization activation request message MSG_A1 is treated as the second terminal. In a specific implementation such as this embodiment, the smartphone can serve as the first terminal and the wearable device as the second terminal. Of course, the first terminal that performs authorization authentication with a second terminal such as a wearable device can also be a dedicated server, a smart terminal device management apparatus, or the like.
A preset key key0 may be stored in the first terminal in advance. The preset key may be an initialization key set at the factory, or a key agreed in advance with the second terminal that can be used to activate device authorization or to perform device authorization authentication. The first terminal may generate a first key key1, which may be used for authorization and authentication with the second terminal, including the wearable device. The first terminal may generate the first key key1 through an application on the terminal or through a preset key generation algorithm. The first key key1 may be a key in a conventional data format such as digits, characters, or symbols.
Then, the preset key key0 can be used to encrypt the generated first key key1 together with the first device identifier app_divice_id of the first terminal, forming the authorization activation request message MSG_A1 of the first terminal. The first device identifier app_divice_id of the first terminal can be identification information that uniquely identifies the first terminal device, for example the IMEI or MAC of a smartphone, or another device identification string.
After forming the authorization activation request message MSG_A1, the first terminal may send it. The message may be broadcast over Wi-Fi or Bluetooth, or sent by other means of communication such as a dedicated channel or network.
In summary, the first terminal may use the stored preset key to encrypt the generated first key and the first device identifier of the first terminal to form the authorization activation request message MSG_A1, and may send it as a broadcast message or point-to-point.
S2: The second terminal obtains the authorization activation request message, decrypts it using the stored preset key, and can determine whether to activate device authorization based on the decryption result.
The second terminal can obtain the authorization activation request message MSG_A1 sent by the first terminal and can decrypt it using the stored preset key key0; the second terminal determines whether to activate device authorization based on the decryption result.
The second terminal can receive the authorization activation message that the first terminal sends by broadcast or point-to-point. The second terminal likewise stores the preset key key0 in advance; for example, wearable devices such as smart bracelets and smart watches store the preset key key0 set at the factory. The preset key in the second terminal can be the same as the preset key stored in the first terminal, such as a smartphone, so that the corresponding encryption or decryption can be completed. Of course, in other implementations the two can also be keys that match each other. In practice, the preset key of the wearable device acting as the second terminal is usually the verification key of the device as shipped from the factory, and the preset key of the first terminal may be downloaded by the first terminal, through an application, from a dedicated server or from the service provider; it may of course also be a key set at the factory.
The second terminal described in this application may include, but is not limited to, wearable devices such as watches, glasses, shoes, hats, clothing, jewelry, bracelets and pendants equipped with smart processing chips.
After the second terminal obtains the authorization request message MSG_A1, it can decrypt it with the stored preset key key0. If the obtained authorization request message MSG_A1 was likewise encrypted with the preset key key0, the second terminal can decrypt it successfully with its own preset key key0. If what the second terminal obtained is an authorization request message sent by an illegal terminal device through forgery, terminal device spoofing or the like, the message was not encrypted with the preset key key0, the second terminal cannot decrypt it successfully, and device authorization authentication need not be activated for it. The second terminal device can thus judge, from whether decryption of the obtained authorization request message succeeded, whether the terminal device corresponding to that message is legal. If it is legal, device authorization is activated for it and authorization authentication with it is allowed; otherwise it can be regarded as an illegal terminal device, and its authorization request can be rejected, blocked, or handled similarly.
In summary, the second terminal can obtain the authorization activation request message MSG_A1, decrypt it, and determine from the decryption result whether to activate device authorization and whether to allow authorization authentication with the device from which the authorization activation request message MSG_A1 was obtained.
S3: When the decryption result is successful, an authorization activation result message is sent, generated by encrypting the second device identifier of the second terminal using the first key obtained by the decryption.
When the decryption result is successful, the second terminal can activate device authorization. The second terminal uses the first key key0 obtained by the decryption to encrypt the second device identifier auth_divice_id of the second terminal, forming an authorization activation result message MSG_B1, and sends the authorization activation result message MSG_B1. If the second terminal successfully decrypts the obtained authorization activation request message MSG_A1 using its own stored preset key key0, the second terminal device can activate the device authorization service and allow authorization authentication information to be exchanged with other terminal devices.
For one-to-many or many-to-many terminal device scenarios, a preferred embodiment of the present application provides an authentication method that distinguishes different terminal devices by device identifier. Specifically, the second terminal activating device authorization when the decryption result is successful may include:
When the decryption result is successful, the second terminal activates device authorization for the first terminal based on the first device identifier obtained by the decryption.
For example, when the second terminal successfully decrypts the authorization activation request message MSG_A1 of the first terminal, it obtains the first device identifier of the first terminal device and can store it in a local application file. When activating device authorization, the second terminal can then be configured to activate the device authorization authentication service, based on that successfully decrypted first device identifier, for the terminal device to which the identifier corresponds, allowing the second terminal and this first terminal to exchange authorization authentication messages. While activating device authorization for the first terminal, the second terminal can still obtain authorization activation request messages MSG_A1 from other terminal devices, but it need not activate device authorization for a terminal device whose authorization request message was not decrypted successfully, nor for terminal devices whose device identifiers the second terminal device has not decrypted or recorded.
After the decryption described above succeeds, the second terminal has completed its authentication of the first terminal's authorization activation request. The second terminal can then go on to register and authenticate itself with the first terminal, so that the first terminal can register and identify the second terminal and activate authorization authentication for it, completing the first terminal's registration of the second terminal, its activation of device authorization authentication, and so on. In this embodiment, the second terminal can use the first key key1 obtained by decrypting the authorization activation request message MSG_A1 to encrypt the second device identifier auth_divice_id of the second terminal, forming the authorization activation result message MSG_B1. The second terminal can likewise broadcast the message over Wi-Fi or Bluetooth, or send the authorization activation result message MSG_B1 by another point-to-point means of communication. Most second terminals that are wearable devices, such as smart bracelets, can be fitted with a module for a short-range network, a mobile communication network or a proprietary data communication network, which enables communication between the first terminal and the second terminal and completes the information exchange.
In summary, when the decryption is successful, the second terminal may use the obtained first key to encrypt the second device identifier and feed the activation result message back to the first terminal.
S4: The first terminal obtains the authorization activation result message and decrypts it using the first key; if the decryption is successful, device authorization is activated.
The first terminal can receive the authorization activation message sent by the second terminal; for example, a smartphone obtains, through Bluetooth scanning, the authorization result message broadcast by the wearable device over Bluetooth. The second terminal can use the generated first key key1 to decrypt the received authorization activation result message MSG_B1. If the decryption succeeds, this indicates that the second terminal device that sent the authorization result message is reliable. The relevant information of the second terminal, such as its second device identifier auth_divice_id, can then be registered, and device authorization can be activated for exchanging authorization authentication messages with the wearable device, completing the authentication of the device authorization activation of the second terminal.
In a preferred embodiment, activating device authorization when decryption at the first terminal succeeds may include: when the first terminal device decrypts successfully, activating device authorization for the second terminal based on the second device identifier auth_divice_id obtained by the decryption.
For example, when the first terminal (a smartphone) successfully decrypts the authorization activation result message MSG_B1 of the second terminal (a wearable device), it can obtain the device identifier of the wearable device. The smartphone can register and store the wearable device's identifier, and can also store the first key key1 at the same time. In this way the smartphone obtains and stores the wearable device's identifier and can activate device authorization only for the stored identifier. This strengthens open device authorization activation into point-to-point device authorization activation, which can effectively prevent illegitimate wearable devices from activating the device authorization authentication service and improves the security of two-way authentication between terminal devices.
After the above message exchange for activating authorization authentication, the first terminal, such as a smartphone, has obtained and stored the second device identifier auth_divice_id of the second terminal, such as a smart bracelet, and can store the generated first key key1. The second terminal likewise can store the device identifier app_divice_id of the first terminal and the first key key1, which completes the two-way authentication of device authorization activation between the first terminal and the second terminal. Compared with traditional one-way authorization authentication, in which only the wearable device authenticates to the smartphone or server, the embodiment of the present application performs two-way authentication of device authorization activation before authorization authentication, which can greatly improve the security of terminal device authentication and authorization.
After the device authorization service/function has been activated in both directions between the first terminal and the second terminal, device authorization authentication can be performed. Figure 2 is a schematic flow chart of one embodiment of the terminal device authentication method described in this application. As shown in Figure 2, the method for performing authorization authentication after the first terminal and the second terminal have activated the authorization authentication function may include:
S1': The first terminal sends an authorization request message generated by using the stored first key to encrypt a generated second key and the first device identifier of the first terminal.
The first terminal may use the stored first key key1 to encrypt the generated second key key2 and the first device identifier app_divice_id of the first terminal to form an authorization request message MSG_A2, and send the authorization request message MSG_A2.
The first terminal can use an application on the first terminal to generate the second key key2. The generated second key key2 may be a verification key generated randomly or according to a predetermined algorithm; for details, refer to the first key key1 generated when the first terminal activated device authorization, which is not repeated here. As described above, the first terminal generated and stored the first key key1 when activating device authorization. Here the first terminal can use the first key to encrypt the generated second key key2 and the first device identifier app_divice_id of the first terminal, forming an authorization request message MSG_A2 addressed to a second terminal such as a wearable device. It can send the authorization request message MSG_A2 over a short-range communication method such as WIFI, Bluetooth or infrared, or over a point-to-point or other dedicated communication method, for the second terminal to receive and process.
S2': The second terminal obtains the authorization request message and decrypts it using the stored first key; when the decryption is successful, it determines whether a first authorized device identifier corresponding to the first device identifier obtained by the decryption is stored.
The second terminal can obtain the authorization request message MSG_A2 and decrypt it using the stored first key key1. When the decryption is successful, the first device identifier app_divice_id obtained by decryption is compared with the stored first authorized device identifier Pre_app_divice_id to determine whether there is a first authorized device identifier Pre_app_divice_id corresponding to the first device identifier app_divice_id. The second terminal can be a wearable device, specifically including but not limited to a watch, glasses, shoes, hat, clothing, jewelry, bracelet or pendant equipped with an intelligent processing chip.
In this embodiment, the second terminal (the wearable device) can authenticate the first terminal (the smartphone). As described above, the second terminal obtained the first key key1 sent by the first terminal while processing the device authorization activation request. The second terminal can receive the authorization request message MSG_A2 sent by the first terminal and then decrypt it using the first key key1. If the decryption fails, the second terminal's device authorization of the first terminal fails.
If the decryption is successful, the first device identifier app_divice_id obtained by decrypting the authorization request message MSG_A2 can be compared with the device identifier obtained and stored when the device authorization service was activated, to determine whether it matches. The second terminal device obtained and stored the first device identifier of the first terminal when activating device authorization; here, that stored first device identifier serves as the first authorized device identifier Pre_app_divice_id and is marked as the identifier of a reliable terminal device. In one-to-many or many-to-many scenarios, the second terminal can store multiple first authorized device identifiers, each corresponding to one first terminal device. The second terminal can compare the first device identifier app_divice_id with the first authorized device identifier Pre_app_divice_id to determine whether a first authorized device identifier Pre_app_divice_id corresponding to the first device identifier app_divice_id is stored.
If the judgment result is no, then even if the authorization message MSG_A2 was decrypted successfully, the second terminal can be set not to authorize the first terminal corresponding to the first device identifier app_divice_id in the authorization message, or the second terminal's authorization authentication of the first terminal fails.
S3': When the judgment result is yes, the second terminal authorizes the first terminal based on the first device identifier, and sends an authorization result message generated by encrypting the second device identifier of the second terminal with the second key obtained by decryption.
When the judgment result is yes, the second terminal authorizes the first terminal based on the first device identifier app_divice_id; the second terminal uses the second key key2 obtained by decryption to encrypt the second device identifier auth_divice_id of the second terminal, forming an authorization result message MSG_B2, and sends the authorization result message MSG_B2.
Specifically, the second terminal can mark the first terminal using the obtained first device identifier app_divice_id and authorize the first terminal. In the embodiment of the present application, after the second terminal has authorized and authenticated the first terminal, the first terminal must also authenticate the second terminal in the reverse direction, which improves the security and reliability of authorization authentication between the smartphone and the wearable device. The second terminal can therefore use the second key key2 obtained by decryption to encrypt its second device identifier auth_divice_id, forming the authorization result message MSG_B2 that is fed back to the first terminal. The second terminal can then send the authorization result message MSG_B2; for the specific message transmission method, refer to the message exchange between the first terminal and the second terminal in other embodiments of the present application, which is not repeated here.
S4': The first terminal obtains the authorization result message and decrypts it using the second key; when the decryption is successful, it determines whether a second authorized device identifier corresponding to the second device identifier obtained by the decryption is stored, and determines based on the judgment result whether to authorize the second terminal.
The first terminal can obtain the authorization result message MSG_B2 and decrypt it using the second key key2. When the decryption is successful, the second device identifier auth_divice_id obtained by decryption is compared with the stored second authorized device identifier Pre_auth_divice_id to determine whether there is a second authorized device identifier Pre_auth_divice_id corresponding to the second device identifier auth_divice_id, and whether to authorize the second terminal is determined based on the judgment result.
The first terminal can obtain the authorization result message MSG_B2 over WIFI or Bluetooth and decrypt it using the generated second key key2. If the decryption is successful, the second device identifier auth_divice_id obtained by decrypting the authorization result message MSG_B2 can be compared with the device identifier obtained and stored when the device authorization service was activated, to determine whether it matches. The first terminal device obtained and stored the second device identifier of the second terminal when activating device authorization; here, that stored second device identifier serves as the second authorized device identifier Pre_auth_divice_id and is marked as the identifier of a reliable terminal device. In one-to-many or many-to-many scenarios, the first terminal can store multiple second authorized device identifiers, each corresponding to one second terminal device, for example the second authorized device identifiers of a smart bracelet and a smart watch. The first terminal can compare the second device identifier auth_divice_id with the second authorized device identifier Pre_auth_divice_id to determine whether a second authorized device identifier Pre_auth_divice_id corresponding to the second device identifier auth_divice_id is stored.
Further, the first terminal can determine whether to authorize the second terminal based on the judgment result. If the judgment result is yes, the first terminal authorizes the second terminal. For example, if the smartphone determines that the obtained second device identifier of the smart bracelet is the same as the second authorized device identifier of the smart bracelet stored when authorization authentication was activated, the smartphone can authorize the smart bracelet based on its second device identifier and complete the authorization authentication of the smart bracelet. The first terminal can then perform the corresponding authorization operation for the second terminal. If the judgment result is that the obtained second device identifier does not match the stored second authorized device identifier, authorization of the second terminal fails.
The terminal device authentication method provided by the present application can authenticate the device authorization activation request before terminal device authentication takes place, excluding terminal devices that do not meet the device authorization activation requirements, which can effectively prevent illegitimate terminals from requesting device authorization in the first place. During device authorization authentication, and in particular between the client on the wearable device and the server side on the smart terminal, the method uses two-way authentication based on a preset key and the generated first key and second key. Compared with the traditional approach in which the wearable device performs only one-way authentication of the server side, this greatly improves the security and reliability of authentication between devices and can effectively protect wearable devices against malicious phishing, terminal spoofing and similar attacks.
In the prior art, the verification signature code used in the authorization authentication process is usually fixed. Once the signature code is stolen, an attacker can use it to obtain the permissions of the terminal device, so security and reliability are poor. The terminal device authentication method described in this application also provides a preferred embodiment in which the terminal devices performing two-way authorization authentication can change the verification key in every authorization authentication, so that the dynamically updated verification key greatly improves the security of terminal device authorization authentication. Figure 3 is a schematic flow chart of another embodiment of the terminal device authentication method of the present application. As shown in Figure 3, the terminal device authentication method may also include:
S5': When the second terminal determines that a first authorized device identifier Pre_app_divice_id corresponding to the first device identifier app_divice_id is stored, the first key key1 is replaced by the second key key2;
When the first terminal determines that a second authorized device identifier Pre_auth_divice_id corresponding to the second device identifier auth_divice_id obtained by decryption is stored, the first key key1 is replaced by the second key key2.
In this preferred embodiment, the first terminal can generate a new second verification key for every new authorization authentication. After each authentication, the first terminal and the second terminal can replace the current first verification key with the new second verification key, which becomes the updated first key. The terminal device authentication method described in the preferred embodiment of the present application thus updates the verification key dynamically, which can improve the security of terminal device authorization authentication.
Conventional terminal device verification, especially between smart terminals (smartphones, tablets, etc.) and wearable devices (smart bracelets, smart watches, etc.), mostly uses WIFI or Bluetooth communication. In modern communication technology, such short-range transmission is a method with a low channel security level: messages are easily intercepted by attackers in transit, and the transmitted information is easily stolen or forged. In another preferred embodiment of the terminal device authentication method described in the present application, additional verification information can be added to the content transmitted between the terminal devices to ensure the reliability of information reception and further improve the security and reliability of information transmission.
Figure 4 is a schematic flow chart of another embodiment of the terminal device authentication method described in the present application. As shown in Figure 4, the terminal device authentication method may further include:
S6': Adding, to the authorization request message sent by the first terminal, additional information that is generated according to a predetermined rule and encrypted with the first key;
Adding, to the authorization result message returned by the second terminal, the additional information encrypted with the second key;
Correspondingly, when the first terminal successfully decrypts the authorization result message, it also determines whether the additional information obtained by decryption is the same as the additional information in the authorization request message it sent, and determines whether to authorize the second terminal based on the judgment result.
The added additional information typically includes, but is not limited to, a challenge code (a string of random numbers that can be used to encrypt messages so that plaintext is not transmitted over the communication link), a digest (the user's login account information, session ID, etc.), and so on. In this embodiment, additional verification information such as a challenge code and digest can be added to the transmitted information. This encrypts the message transmitted over the channel and can effectively prevent an attacker from deceiving the system by resending data packets that the terminal device has already received, which can effectively improve the correctness of authorization authentication for wearable devices.
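The following sketch is an added example, not code from the patent: it walks through steps S1' to S4' with the key replacement of S5' and the challenge check of S6'. The class names, JSON message layout and device IDs are assumptions, and because this section does not say how a successful decryption is detected, `seal`/`unseal` use a standard-library encrypt-then-MAC stand-in (a deployment would use a vetted AEAD such as AES-GCM) and treat a failed MAC check as a failed decryption.

```python
import hashlib
import hmac
import json
import secrets


def _keystream(key, nonce, n):
    # SHA-256 in counter mode; stand-in cipher for the demo only.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key, fields):
    """Encrypt-then-MAC a dict of message fields under `key`."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce = secrets.token_bytes(16)
    pt = json.dumps(fields).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key, msg):
    """Return the fields, or None when the tag fails ("decryption fails")."""
    if len(msg) < 48:
        return None
    nonce, ct, tag = msg[:16], msg[16:-32], msg[-32:]
    mac_key = hashlib.sha256(b"mac" + key).digest()
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    enc_key = hashlib.sha256(b"enc" + key).digest()
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)


class Phone:  # first terminal
    def __init__(self, app_divice_id, key1, pre_auth_divice_ids):
        self.app_divice_id, self.key1 = app_divice_id, key1
        self.pre_auth_divice_ids = set(pre_auth_divice_ids)
        self.pending = None  # (key2, challenge) of the request in flight

    def build_msg_a2(self):  # S1' plus the S6' challenge
        key2, challenge = secrets.token_bytes(32), secrets.token_hex(16)
        self.pending = (key2, challenge)
        return seal(self.key1, {"key2": key2.hex(), "challenge": challenge,
                                "app_divice_id": self.app_divice_id})

    def handle_msg_b2(self, msg):  # S4'
        if self.pending is None:
            return False
        key2, challenge = self.pending
        fields = unseal(key2, msg)
        if fields is None:
            return False  # not produced by a holder of key2
        if fields.get("auth_divice_id") not in self.pre_auth_divice_ids:
            return False  # identifier was never registered at activation
        if fields.get("challenge") != challenge:
            return False  # S6': answer belongs to a different request
        self.key1, self.pending = key2, None  # S5' key replacement
        return True


class Wearable:  # second terminal
    def __init__(self, auth_divice_id, key1, pre_app_divice_ids):
        self.auth_divice_id, self.key1 = auth_divice_id, key1
        self.pre_app_divice_ids = set(pre_app_divice_ids)

    def handle_msg_a2(self, msg):  # S2' and S3'
        fields = unseal(self.key1, msg)
        if fields is None or fields.get("app_divice_id") not in self.pre_app_divice_ids:
            return None
        key2 = bytes.fromhex(fields["key2"])
        reply = seal(key2, {"auth_divice_id": self.auth_divice_id,
                            "challenge": fields["challenge"]})
        self.key1 = key2  # S5' key replacement
        return reply


def run_demo():
    key1 = secrets.token_bytes(32)  # constructed: shared during activation
    phone = Phone("phone-001", key1, {"band-001"})
    band = Wearable("band-001", key1, {"phone-001"})
    a2 = phone.build_msg_a2()
    b2 = band.handle_msg_a2(a2)
    result = {"mutual_auth": phone.handle_msg_b2(b2),
              "keys_in_sync": phone.key1 == band.key1,
              # A captured MSG_A2 no longer decrypts once key1 was replaced.
              "replayed_a2_rejected": band.handle_msg_a2(a2) is None}
    a2_next = phone.build_msg_a2()
    # A captured MSG_B2 from the previous round is under the old key2.
    result["stale_b2_rejected"] = not phone.handle_msg_b2(b2)
    # A device holding the key but not registered at activation is refused.
    rogue = Wearable("band-999", phone.key1, {"phone-001"})
    result["unregistered_id_rejected"] = not phone.handle_msg_b2(rogue.handle_msg_a2(a2_next))
    result["second_round"] = phone.handle_msg_b2(band.handle_msg_a2(a2_next))
    return result


if __name__ == "__main__":
    print(run_demo())
```

In this sketch the wearable replaces key1 as soon as it accepts MSG_A2, as S5' describes, so a lost MSG_B2 leaves the two sides holding different keys; this section of the page describes no recovery step for that case.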
Based on the terminal device authentication method described in this application, this application provides a terminal device authentication device. Figure 5 is a schematic diagram of the module structure of the terminal device authentication device described in this application. As shown in Figure 5, the device may include:
A first storage unit 101, which may be used to store the generated first key and the obtained second authorized device identifier of the second terminal;
A first encryption unit 102, which may be used to generate a second key and to encrypt the second key and the obtained first device identifier using the first key, generating an authorization request message;
A first communication module 103, which may be used to send the authorization request message and to receive the authorization result message sent by the second terminal. In a specific implementation, the communication module can include a WIFI communication module, or a short-range Bluetooth or infrared communication module, and can also include a mobile communication network module for 2G/3G/4G and later communication protocols and a wired communication module.
A first decryption judgment unit 104, which may be used to decrypt the authorization result message using the second key and, when the decryption is successful, to determine whether the first storage unit 101 stores a second authorized device identifier corresponding to the second device identifier obtained by decryption;
A first authorization module 105, which may be used to determine whether to authorize the second terminal based on the judgment result of the first decryption judgment unit 104.
The terminal device authentication device described in this embodiment can be used in terminal devices that authenticate wearable devices, such as smartphones, tablet computers or dedicated servers. It can perform device authorization authentication of wearable devices effectively and securely, improving the security of device authorization authentication.
In another preferred embodiment of the terminal device authentication device described in this application, the first key stored in the storage unit 101 can also be updated dynamically. The key is updated in every device authorization authentication, which can greatly improve the security and reliability of device authorization authentication. Figure 6 is a schematic diagram of the module structure of another embodiment of the terminal device authentication device described in this application. As shown in Figure 6, the terminal device authentication device in the preferred embodiment can also include:
A first key update module 106, which may be used to replace the first key stored in the first storage unit 101 with the second key generated by the first encryption unit 102 when the judgment result of the first decryption judgment unit 104 is yes.
To keep the verification keys of the terminal devices undergoing authorization authentication updated in step, the first key update module 106 described in this embodiment can replace the first key stored in the first storage unit 101 with the second key generated by the first encryption unit 102 when the first decryption judgment unit 104 determines whether the first storage unit 101 stores a second authorized device identifier corresponding to the second device identifier obtained by decryption. If the judgment result is yes, the second terminal that received the authorization request message has passed authorization authentication, and the verification key previously stored in the second terminal, that is, the first key, has also been updated to the second key. This ensures that the two terminal devices use the same key for encryption and decryption in the next authorization authentication.
Another embodiment of the present application further strengthens the security of information transmission over the communication channel between the terminal devices undergoing authorization authentication. Figure 7 is a schematic diagram of the module structure of another embodiment of the terminal device authentication device described in the present application. As shown in Figure 7, the terminal device authentication device may further include:
An additional information module 107, which may be used to add, to the authorization request message, additional information that is generated according to a predetermined rule and encrypted with the first key;
Correspondingly, when the first decryption judgment unit 104 successfully decrypts the authorization result message, it also determines whether the additional information obtained by decryption is the same as the additional information added to the authorization request message, and the first authorization module 105 determines whether to authorize the second terminal based on the judgment result for the additional information.
In one embodiment of the terminal device authentication device described in the present application, the second terminal may be a wearable device. Specifically, the second terminal may include but is not limited to a wearable device such as a watch, glasses, shoes, hat, clothing, jewelry, bracelet or pendant equipped with an intelligent processing chip.
The terminal device authentication device described above can be used in terminal devices that authenticate wearable devices, such as smartphones, tablet computers or dedicated servers. Correspondingly, the present application also provides an authentication device that can be used in terminal devices that are wearable devices, such as smart watches and smart bracelets, to perform authorization authentication of terminal devices such as smartphones and servers. FIG. 8 is a schematic diagram of the module structure of an embodiment of a terminal device authentication device described in the present application. As shown in FIG. 8, the device may include:
The second communication module 201, which may be configured to receive an authorization request message sent by the first terminal and to send an authorization result message;
The second storage unit 202, which may be configured to store the acquired first authorized device identifier and first key of the first terminal;
The second decryption judgment unit 203, which may be configured to decrypt the authorization request message using the stored first key and, when decryption succeeds, determine whether the second storage unit 202 stores a first authorized device identifier corresponding to the first device identifier;
The second authorization module 204, which may determine, based on the judgment result of the second decryption judgment unit 203, whether to authorize the first terminal corresponding to the first device identifier.
The second encryption unit 205, which may be configured to, when the judgment result of the second decryption judgment unit 203 is yes, encrypt the second device identifier of the second terminal using the second key to generate an authorization result message.
The terminal device authentication device provided in this embodiment can, in a terminal that is a wearable device, authenticate a terminal device such as a smartphone that requests authorization, thereby completing two-way authorization authentication of the terminal devices. In this embodiment, the first key obtained during the authorization activation request can be used to decrypt the authorization request message and obtain the first device identifier, which is then compared with the stored first authorized device identifier to determine whether the first terminal requesting authorization is legitimate; whether to authorize the first terminal is decided according to the judgment result. In this way, a wearable terminal device can effectively perform reverse authentication of the smart terminal, server or other device that requests authorization authentication, improving the security of terminal device authorization authentication.
In a preferred embodiment, the terminal device authentication device described above for use in wearable devices can also dynamically update the verification key, improving the security and reliability of terminal device authorization authentication. FIG. 9 is a schematic diagram of the module structure of another embodiment of a terminal device authentication device described in the present application. As shown in FIG. 9, the device may further include:
The second key update module 206, which may be configured to replace the first key stored in the second storage unit 201 with the second key obtained by decryption when the second decryption judgment unit 203 determines that the second storage unit 202 stores a first authorized device identifier corresponding to the first device identifier obtained by decryption.
As described above, after the second terminal decrypts successfully, it can replace the stored first key with the second key obtained when decrypting the authorization request message, thereby dynamically updating the verification key used in terminal device authorization authentication and providing security and reliability for the verification process.
FIG. 10 is a schematic diagram of the module structure of another embodiment of a terminal device authentication device described in the present application. In another preferred embodiment, as shown in FIG. 10, the device may further include:
The additional information processing module 207, which may be configured to add to the authorization result message information obtained by encrypting the additional information obtained by decryption with the second key obtained by decryption.
Adding additional information to the messages transmitted during terminal device authorization authentication can prevent forged messages and further strengthens the security of information transmitted over the communication channel between the terminal devices undergoing authorization authentication.
Based on the terminal device authentication devices described in this application, which can be used in a first terminal device of a wearable device and in a second terminal device of a smartphone, tablet computer or server, the present application provides a terminal device authentication system, which may specifically include:
A first terminal, which may be configured to send an authorization request message generated by encrypting, with a stored first key, a generated second key and the first device identifier of the first terminal; may also be configured to obtain an authorization result message sent by the second terminal and decrypt it with the second key; and may also be configured to, when decryption succeeds, determine whether a second authorized device identifier corresponding to the second device identifier obtained by decryption is stored, and determine based on the judgment result whether to authorize the second terminal;
A second terminal, which may be configured to obtain the authorization request message sent by the first terminal and decrypt it with the stored first key; may also be configured to, when the decryption succeeds, determine whether a first authorized device identifier corresponding to the first device identifier obtained by decryption is stored; and may also be configured to, when the judgment result is yes, authorize the first terminal based on the first device identifier and send an authorization result message generated by encrypting the second device identifier of the second terminal with the second key obtained by decryption.
In a preferred embodiment of the above terminal device authentication system, the system may further include:
Means for the first terminal to replace the first key with the second key when it determines that a second authorized device identifier corresponding to the second device identifier obtained by decryption is stored;
Means for the second terminal to replace the first key with the second key when it determines that there is a first authorized device identifier corresponding to the first device identifier.
The terminal device authentication system described in the above embodiments can implement two-way authorization authentication between terminal devices and provide security for device authorization authentication. The dynamic update of the verification key used in the preferred embodiment can further improve the security and reliability of device authorization authentication.
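The two-way exchange with key update and additional information described above, sketched as an added example (not code from the patent). The names `Terminal`, `seal` and `unseal`, the JSON field layout, and the HMAC-SHA256 encrypt-then-MAC construction standing in for an unspecified authenticated cipher are assumptions, chosen so the example runs with only the Python standard library.

```python
import hashlib, hmac, json, secrets

def _prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Keystream = HMAC-SHA256(key, "enc" || nonce || counter), XORed over data.
    ks = b"".join(_prf(key, b"enc", nonce + i.to_bytes(4, "big"))
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, fields):
    """Encrypt-then-MAC stand-in for an authenticated cipher (assumption)."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, json.dumps(fields).encode())
    return nonce + ct + _prf(key, b"mac", nonce + ct)

def unseal(key, msg):
    """Return the decrypted fields, or None when decryption fails."""
    if msg is None or len(msg) < 48:
        return None
    nonce, ct, tag = msg[:16], msg[16:-32], msg[-32:]
    if not hmac.compare_digest(tag, _prf(key, b"mac", nonce + ct)):
        return None
    return json.loads(_xor_stream(key, nonce, ct))

class Terminal:
    def __init__(self, device_id, peer_id, key):
        self.device_id = device_id
        self.authorized = {peer_id}  # stored authorized device identifiers
        self.key = key               # stored verification key (the "first key")
        self._pending = None         # (second key, additional info) awaiting a result

    def build_request(self):
        """First terminal: seal second key, own identifier and additional info with the first key."""
        self._pending = (secrets.token_bytes(16), secrets.token_hex(8))
        new_key, extra = self._pending
        return seal(self.key, {"key": new_key.hex(), "id": self.device_id, "extra": extra})

    def handle_request(self, msg):
        """Second terminal: decrypt, check the identifier, update the key, build the result."""
        req = unseal(self.key, msg)
        if req is None or req.get("id") not in self.authorized:
            return None                       # no authorization, key unchanged
        self.key = bytes.fromhex(req["key"])  # second key replaces first key
        return seal(self.key, {"id": self.device_id, "extra": req["extra"]})

    def handle_result(self, msg):
        """First terminal: decrypt with the second key, check identifier and additional info."""
        if self._pending is None:
            return False
        (new_key, extra), self._pending = self._pending, None
        res = unseal(new_key, msg)
        if (res is None or res.get("id") not in self.authorized
                or not hmac.compare_digest(str(res.get("extra")), extra)):
            return False
        self.key = new_key                    # second key replaces first key
        return True
```

In this sketch the second terminal replaces its key before the first terminal has checked the result, so a lost or corrupted authorization result message leaves the two stored keys out of step; the description gives no recovery step for that case.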
The present application also provides a terminal device authentication system that can activate device authorization before authorization authentication takes place, which ensures that a terminal device requesting authorization authentication has the authority to perform it. Accordingly, a terminal device authentication system provided by the present application may specifically include:
A first terminal, which may be configured to send an authorization activation request message generated by encrypting, with a stored preset key, a generated first key and the first device identifier of the first terminal; and may also be configured to obtain an authorization activation result message sent by the second terminal and decrypt the authorization activation result message with the first key; if decryption succeeds, device authorization is activated;
A second terminal, which may be configured to obtain the authorization activation request message sent by the first terminal, decrypt it with the stored preset key, and determine according to the decryption result whether to activate device authorization; and may also be configured to, when the decryption result is success, send an authorization activation result message generated by encrypting the second device identifier of the second terminal with the first key obtained by decryption.
In a preferred embodiment, the terminal device authentication system may further include at least one of the following:
Means for the first terminal, when the decryption succeeds, to activate device authorization for the second terminal based on the second device identifier obtained by decryption;
Means for the second terminal, when the decryption result is success, to activate device authorization for the first terminal based on the first device identifier obtained by decryption.
The second terminal in the terminal device authentication system described above may include, but is not limited to, wearable devices equipped with an intelligent processing chip, such as watches, glasses, shoes, hats, clothing, jewelry, bracelets and pendants.
The terminal device authentication method, device and system provided in this application can implement activation of device authorization between multiple terminals and two-way authentication of device authorization, which greatly improves the security of terminal device authentication compared with the one-way authentication of terminal devices, especially wearable devices, in the prior art.
Although this application mentions information exchange based on message transmission over mobile communication networks, WIFI, Bluetooth and the like, the application is not limited to fully standard data transmission protocols. Transmission mechanisms that slightly modify certain protocols can also carry out the solutions of the embodiments of this application. Of course, even if a private protocol is used instead of the general or standard protocols mentioned above, the same application can still be achieved as long as the information exchange and the information judgment and feedback methods of the above embodiments are followed; this is not described further here.
The units or modules described in the above embodiments may be implemented by a computer chip or physical entity, or by a product having a certain function. For convenience of description, the above devices are described as separate modules divided by function. Of course, when implementing this application, the functions of the modules may be implemented in one or more pieces of software and/or hardware, and a module implementing a given function may be implemented by a combination of multiple sub-modules or sub-units.
Those skilled in the art also know that, besides implementing a controller purely as computer-readable program code, the method steps can be logically programmed so that the controller implements the same functions in the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller can therefore be regarded as a hardware component, and the means it contains for implementing the various functions can be regarded as structures within the hardware component. Or the means for implementing the various functions can even be regarded both as software modules implementing the method and as structures within the hardware component.
The present application may be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures, classes and so on that perform particular tasks or implement particular abstract data types. The present application may also be practiced in distributed computing environments in which tasks are performed by remote processing devices connected through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including storage devices.
From the description of the above implementations, those skilled in the art can clearly understand that the present application can be implemented by software plus the necessary general-purpose hardware platform. Based on this understanding, the technical solution of the present application, in essence or in the part that contributes over the prior art, can be embodied in the form of a software product. The computer software product can be stored in a storage medium such as ROM/RAM, a magnetic disk, an optical disc or a smart chip, and includes a number of instructions that cause a computer device (which may be a personal computer, mobile terminal, server, wearable device, network device or the like) to execute the methods described in the embodiments of the present application or in certain parts of the embodiments.
The embodiments in this specification are described progressively. For parts that are the same or similar between embodiments, the embodiments may be referred to one another; each embodiment focuses on its differences from the others. The present application can be used in numerous general-purpose or special-purpose computer systems, or in environments or configurations that include terminals with intelligent processing chips. Examples include personal computers, server computers, handheld or portable devices, tablet devices, multi-processor systems, microprocessor-based systems, programmable electronic devices, network PCs, minicomputers, mainframe computers, wearable devices, and distributed computing environments that include any of the above systems or devices.
Although the present application has been described by way of embodiments, those of ordinary skill in the art know that the application admits many modifications and variations without departing from its spirit, and it is intended that the appended claims cover these modifications and variations without departing from the spirit of the application.
Claims (22)
Publications (3)
| Publication Number | Publication Date |
|---|---|
| HK1229972A1 (en) | 2017-11-24 |
| HK1229972A (en) | 2017-11-24 |
| HK1229972B (en) | 2020-07-31 |