
WO2018196465A1 - Authentication method, terminal and server - Google Patents

Info

Publication number: WO2018196465A1
Application number: PCT/CN2018/075088
Authority: WO, WIPO (PCT)
Prior art keywords: terminal, key, image data, server, signaling
Legal status: Ceased (Google notes that the listed legal status and the priority date are assumptions, not legal conclusions)
Other languages: English (en), Chinese (zh)
Inventor: 张路
Current assignee: ZTE Corp (Google notes that the listed assignees may be inaccurate)
Original assignee: ZTE Corp
Application filed by ZTE Corp

Classifications

    • H04W 12/062 Pre-authentication (H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W 12/00 Security arrangements; authentication; protecting privacy or anonymity > H04W 12/06 Authentication)
    • H04W 12/069 Authentication using certificates or pre-shared keys (same H04W 12/06 Authentication group)
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/08 ... for authentication of entities)
    • H04L 9/40 Network security protocols (H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols)

Definitions

  • the present invention relates to the field of Internet of Things technologies, and in particular, to an authentication method, a terminal, and a server.
  • Authentication usually takes place in every human-computer interaction. For example, at the access control of a residential community, the user swipes an access card, presents a fingerprint or uses a key to authenticate; on a bus, the user authenticates with a bus card or with the chip inside a mobile phone; at a bank's automatic teller machine (ATM), the ATM reads the bank card and the user enters a password to authenticate.
  • ATM automatic teller machine
  • An embodiment of the present invention provides an authentication method applied to a first terminal. The method includes: acquiring image data of a second terminal; when the radio access bearer is in a released state, sending the image data to the server over an Internet of Things protocol using signaling for transmitting data, where the image data is used to request the server to send a key corresponding to the first terminal; receiving the key sent by the server and sending it to the second terminal; the key is used by the second terminal to authenticate the first terminal.
  • An embodiment of the present invention further provides an authentication method applied to a server. The method includes: receiving image data of a second terminal that a first terminal has sent over an Internet of Things protocol using signaling for transmitting data; searching a preset database with the image data to obtain a key corresponding to the first terminal; and sending the key to the first terminal, where the key is forwarded by the first terminal to the second terminal, which uses it to authenticate the first terminal.
  • the embodiment of the present invention further provides a first terminal, which includes: an acquiring module configured to acquire image data of the second terminal; a first sending module configured to send the image data to a server over the Internet of Things protocol using signaling for transmitting data when the radio access bearer is in a released state, the image data being used to request the server to send a key corresponding to the first terminal, and further configured to send the key to the second terminal, where the key is used by the second terminal to authenticate the first terminal; and a first receiving module configured to receive the key sent by the server.
  • the embodiment of the present invention further provides a computer storage medium, the computer storage medium comprising a set of instructions, when executed, causing at least one processor to perform the above-mentioned authentication method applied to the first terminal.
  • the embodiment of the invention further provides a computer storage medium, the computer storage medium comprising a set of instructions, when executed, causing at least one processor to perform the above-mentioned authentication method applied to the server.
  • FIG. 1 is a schematic diagram of an implementation process of an authentication method according to Embodiment 1 of the present invention.
  • FIG. 2 is a schematic diagram of a protocol structure of an NB-IoT network according to an embodiment of the present invention.
  • FIG. 3 is a schematic diagram of a manner of transmitting image data on a signaling plane according to an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of a manner of transmitting image data on a user plane according to an embodiment of the present invention.
  • FIG. 5 is a schematic diagram of an implementation process of an authentication method according to Embodiment 2 of the present invention.
  • FIG. 6 is a schematic diagram showing the structure of a first terminal according to Embodiment 3 of the present invention.
  • FIG. 7 is a schematic diagram showing the composition of a server according to Embodiment 4 of the present invention.
  • FIG. 8 is a schematic diagram showing the structure of an internal module of a first terminal according to an embodiment of the present invention.
  • FIG. 9 is a schematic diagram of a specific implementation process of an authentication method according to an embodiment of the present invention.
  • FIG. 10 is a schematic diagram of a specific implementation process of entering a new key according to an embodiment of the present invention.
  • FIG. 11 is a schematic diagram of a specific implementation process of changing a key according to an embodiment of the present invention.
  • the Internet of Things is a major trend in the development of current communication technologies.
  • NB-IoT cellular-based Narrow Band Internet of Things
  • eMTC Enhanced Machine Type Communication
  • both are consistently viewed with optimism in the IoT market.
  • NB-IoT and eMTC protocols of the Internet of Things support the transmission of a small amount of user data on the signaling plane.
  • authentication during human-computer interaction is an IoT application scenario, with the characteristics of a small data volume and discontinuous transmission.
  • the first terminal side is taken as an example to describe the authentication method in detail.
  • the method includes the following steps:
  • Step 101: Acquire image data of the second terminal.
  • Step 101 may specifically include: searching for at least one terminal; determining the second terminal from the at least one terminal; and collecting an image of the second terminal to obtain the image data.
  • the first terminal may search for at least one terminal through Bluetooth, and may also search for at least one terminal by using other local area network protocols, such as Wireless Fidelity (WiFi), ZigBee, and the like.
  • the terminal may specifically be an ATM machine, an access security gate, a smart bus or a credit card machine on a subway, and the like.
  • before the search, each of the at least one terminal can be identified by a number.
  • for example, the ATM uses number 001, the access security gate uses number 002, and the smart bus or the card machine on the subway uses number 003.
  • the first terminal may determine the second terminal from the at least one terminal found by the search as follows: the found terminals are presented to the first terminal user through the user interface, a button confirmation or a voice prompt, and the user selects one of them as the second terminal.
  • alternatively, the first terminal presets a rule and determines the second terminal according to the rule.
  • the rule may be that the first terminal measures the distance between itself and each terminal found by the search and selects the terminal closest to it as the second terminal.
  • or the first terminal compares the distances measured according to the preset rule and displays them, and the first terminal user determines the second terminal according to actual needs.
  • the method may further include: when the first terminal is in a locked state, generating a first prompt message that prompts the first terminal user to unlock the first terminal; obtaining an operation performed in response to the first prompt message; performing an unlocking operation on the first terminal in response to that operation; and entering a working state after the unlocking succeeds.
  • in order to reduce power consumption and ensure security, the first terminal cannot always be in the working state or in the state of searching for at least one terminal.
  • the working time of the first terminal can be set according to user requirements. For example, the first terminal enters a locked state after working for 1 minute or 10 minutes.
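The terminal-side selection of the second terminal and the lock/working-state handling described in step 101 can be made concrete with the following added example. It is illustration written for this page, not code from the patent or from ZTE; the terminal numbers 001 to 003 come from the text, while the distances, the `chooser` callback standing in for the UI/button/voice confirmation, and the injectable clock are assumptions made for the example.

```python
import time
from dataclasses import dataclass
from typing import Callable, List, Optional

# Terminal numbers given in the text: ATM 001, access security gate 002,
# smart bus / subway card machine 003.
TERMINAL_NAMES = {"001": "ATM", "002": "access security gate",
                  "003": "bus/subway card machine"}


@dataclass
class FoundTerminal:
    number: str        # identifier number announced by the terminal
    distance_m: float  # distance measured by the first terminal (constructed value)


def select_second_terminal(found: List[FoundTerminal],
                           chooser: Optional[Callable[[List[FoundTerminal]], FoundTerminal]] = None
                           ) -> Optional[FoundTerminal]:
    """Determine the second terminal among the terminals found by the search.

    Preset rule: the terminal closest to the first terminal is chosen.
    If `chooser` is given (hypothetical stand-in for the UI list, button
    confirmation or voice prompt), the candidates are presented in distance
    order and the user's choice is returned instead.
    """
    if not found:
        return None
    candidates = sorted(found, key=lambda t: t.distance_m)
    if chooser is not None:
        return chooser(candidates)
    return candidates[0]


class FirstTerminal:
    """Lock / working-state handling of the first terminal.

    The terminal works for `work_seconds` after a successful unlock (the text
    gives 1 or 10 minutes as examples) and then returns to the locked state;
    while locked it does not search for terminals. `clock` is injectable so the
    timeout can be exercised without waiting.
    """

    def __init__(self, work_seconds: float = 60.0,
                 clock: Callable[[], float] = time.monotonic):
        self.work_seconds = work_seconds
        self.clock = clock
        self.unlocked_at: Optional[float] = None

    def is_working(self) -> bool:
        if self.unlocked_at is None:
            return False
        if self.clock() - self.unlocked_at >= self.work_seconds:
            self.unlocked_at = None   # working time elapsed: back to locked
        return self.unlocked_at is not None

    def first_prompt(self) -> Optional[str]:
        """First prompt message, produced only while the terminal is locked."""
        return None if self.is_working() else "Please unlock the terminal"

    def unlock(self, response_ok: bool) -> bool:
        """Unlocking operation performed in response to the first prompt."""
        if response_ok:
            self.unlocked_at = self.clock()
        return self.is_working()

    def search(self, found_terminals: List[FoundTerminal]) -> List[FoundTerminal]:
        """Search step: the found terminals are returned only in the working state."""
        return list(found_terminals) if self.is_working() else []
```

With no chooser the closest terminal wins; supplying a chooser reproduces the variant in which the sorted list is shown and the user picks. The timeout is checked lazily on every state query, so a terminal that was unlocked and then left idle silently reverts to locked without a background timer.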
  • Step 102: When the radio access bearer is in a released state, send the image data to the server over the Internet of Things protocol using the signaling for transmitting data.
  • the image data is used to request the server to send a key corresponding to the first terminal.
  • the radio access bearer comprises the radio bearer (RB, Radio Bearer) between the user equipment (UE, User Equipment) and the UTRAN (UMTS Terrestrial Radio Access Network), and the Iu bearer between the core network (CN, Core Network) and the UTRAN.
  • RB Radio Bearer
  • the step of sending image data to a server over an IoT protocol using signaling for transmitting data may include: sending the image data to the server through the non-access stratum of the signaling plane, where the non-access stratum is capable of transmitting data between the terminal and the core network.
  • the Internet of Things protocol may be an NB-IoT protocol or an eMTC protocol.
  • step 102 further includes: reading state variable information of the radio access bearer; and determining that the radio access bearer is in a released state when the state variable information is invalid information.
  • a series of variables corresponding to the radio access bearer are stored in the protocol stack memory of the first terminal; reading these variables shows whether the first terminal still holds the radio access bearer.
  • if the variables are empty or their memory has been released, the first terminal does not hold valid state variable information for the radio access bearer between itself and the core network; the state variable information is then invalid information, from which it is determined that the radio access bearer is in the released state.
  • when the radio access bearer is in the released state, only a network whose signaling-plane protocol architecture supports transmitting data through the signaling plane can send the image data to the server through the non-access stratum of the signaling plane; the network protocols meeting this condition specifically include NB-IoT, eMTC, and the like.
  • Figure 2 shows the protocol structure of the NB-IoT network.
  • the protocol structure includes the UE, the base station (E-NodeB), the mobility management entity (MME, Mobility Management Entity), and the serving gateway (SGW, Serving GateWay).
  • the protocol architecture of the NB-IoT network includes a control plane protocol architecture and a user plane protocol architecture.
  • the control plane is also referred to as a signaling plane.
  • the protocol structure of the signaling plane includes: Non-Access Stratum (NAS), Radio Resource Control (RRC), Packet Data Convergence Protocol (PDCP), the Radio Link Control layer, the Media Access Control layer and the Physical layer.
  • RLC Radio Link Control
  • MAC Media Access Control Layer
  • PHY Physical Layer
  • in the signaling-plane protocol architecture, the NAS layer is the layer located on the MME side; the NAS layer supports signaling and data transmission between the terminal and the core network.
  • the RRC layer processes the third layer information of the control plane between the terminal and the base station, and the functions of the RRC include RB control, broadcast, paging, and the like.
  • the PDCP layer is responsible for compressing and decompressing IP headers, transmitting user data, and the like.
  • the RLC layer is responsible for segmentation and concatenation, retransmission handling, and in-sequence delivery of higher-layer data.
  • the MAC layer serves the RLC layer in a logical channel manner.
  • the PHY layer is responsible for coding, modulation, demodulation, multi-antenna mapping, and the like.
  • the protocol structure of the user plane includes: PDCP, RLC, MAC, PHY.
  • sending the image data to the server through the non-access stratum of the signaling plane includes: establishing a signaling radio bearer between the terminal and the core network, generating a non-access stratum signaling message from the image data, and sending the non-access stratum signaling message to the server on the signaling radio bearer.
  • the foregoing steps may include: packing the image data, filling the packed data packet into the data body field of the non-access stratum to generate a non-access stratum signaling message, and transmitting that message to the server on the network side through the non-access stratum.
  • the non-access stratum message is transmitted to the server after passing through the non-access stratum, the RRC layer, the PDCP layer, the RLC layer, and the MAC layer.
  • the data packet packed with the image data passes through the PDCP layer, the RLC layer, and the MAC layer, and the packed data is encapsulated by the physical layer, and then transmitted to the server on the network side in the form of a transport block.
  • Figure 3 shows the transmission of image data on the signaling plane.
  • the transmission of image data between the first terminal and the server on the signaling plane comprises two parts, the first part is data transmission between the first terminal and the base station, and the second part is data transmission between the base station and the core network.
  • the first part, the data transmission between the first terminal and the base station, is specifically: the first terminal packs the acquired image data of the second terminal and fills it into the data body field of the non-access stratum to generate a non-access stratum signaling message.
  • after the non-access stratum signaling message has passed down the stack, the PHY layer transmits it to the base station side as a radio frequency signal.
  • because the non-access stratum signaling message transmitted by the NAS layer of the first terminal can carry data, no data radio bearer needs to be established when the radio access bearer does not exist, that is, when it is in the released state; this also avoids the delay caused by establishing a radio bearer.
  • the second part, the data transmission between the base station and the core network, is specifically: the base station receives the non-access stratum signaling message containing the image data and processes it through the PHY layer, the MAC layer, the RLC layer, the PDCP layer and the RRC layer in turn, after which the message is transmitted to the NAS layer on the MME.
  • the MME may send the non-access stratum signaling message including the image data to a service capa-bility exposure function (SCEF).
  • SCEF service capability exposure function
  • the non-access stratum signaling message including the image data may also be sent to the SGW, forwarded by the SGW to the packet data network gateway (PGW, Packet Data Network Gateway), and then sent by the PGW to the server.
  • PGW Packet Data Network Gateway
  • based on the signaling radio bearer between the first terminal and the core network, when the radio access bearer is in the released state, that is, when there is no data transmission channel between the first terminal and the core network, the first terminal sends the image data of the second terminal to the server over the Internet of Things protocol using signaling for transmitting data, more specifically through the NAS layer of the signaling plane. Because the radio access bearer does not need to be re-established, the delay caused by establishing it is avoided, and the image data of the second terminal can be sent quickly to the server on the network side, which enables fast authentication.
  • step 102 further includes: when the radio access bearer is in an established state, transmitting image data to the server through the user plane.
  • the image data is used to request the server to send a key corresponding to the first terminal.
  • the transmission mode of the image data on the user plane is as shown in FIG. 4.
  • the transmission of image data between the first terminal and the server on the user plane comprises two parts, the first part is data transmission between the first terminal and the base station, and the second part is data transmission between the base station and the core network.
  • the first part, the data transmission between the first terminal and the base station, is specifically: the first terminal packs the acquired image data of the second terminal; the packed data packet passes through the PDCP layer, the RLC layer and the MAC layer in turn and is encapsulated by the PHY layer, which transmits the data packet containing the image data to the PDCP layer on the base station side as a radio frequency signal.
  • the second part, the data transmission between the base station and the core network, is specifically: the base station receives the data packet containing the image data through the PHY layer, the MAC layer, the RLC layer and the PDCP layer in turn and sends it to the SGW; the SGW sends it to the PGW, and the PGW transmits the data packet containing the image data to the server on the network side.
  • when the radio access bearer is in the established state, the first terminal sends the image data of the second terminal to the server on the user plane based on the data radio bearer.
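The bearer-state check of step 102 and the two transport paths (NAS signaling message when the bearer is released, data radio bearer on the user plane when it is established) are shown below as an added example in Python. This is illustration written for this page, not code from the patent or from ZTE. The NAS message layout (one message-type byte, a two-byte body length, then the packed image data) and the `state_vars` dictionary standing in for the bearer state variables in the protocol stack are assumptions made for the example; the real NB-IoT NAS encoding is not on the page.

```python
import struct
from typing import Optional, Tuple

# Hypothetical NAS message layout used by this example only:
#   1 byte  message type   (0x01 = image data carried in the NAS data body)
#   2 bytes body length    (big-endian)
#   N bytes data body      (the packed image data)
NAS_MSG_IMAGE_DATA = 0x01
_HEADER = struct.Struct("!BH")
MAX_BODY = 0xFFFF


def rab_is_released(state_vars: Optional[dict]) -> bool:
    """Read the radio-access-bearer state variables kept by the protocol stack.

    Missing variables, an empty set, or variables whose memory has been
    released (all None) are invalid information, which the text takes to mean
    the bearer is in the released state.
    """
    if not state_vars:
        return True
    return all(v is None for v in state_vars.values())


def choose_plane(state_vars: Optional[dict]) -> str:
    """Released bearer -> signaling plane (NAS); established -> user plane (DRB)."""
    return "signaling" if rab_is_released(state_vars) else "user"


def pack_image_data(image_data: bytes) -> bytes:
    """'Packing' step: prefix the raw image with its own length."""
    return struct.pack("!I", len(image_data)) + image_data


def unpack_image_data(packed: bytes) -> bytes:
    """Inverse of pack_image_data, with a length check."""
    if len(packed) < 4:
        raise ValueError("packed image too short")
    (length,) = struct.unpack_from("!I", packed)
    image = packed[4:]
    if len(image) != length:
        raise ValueError("image length mismatch")
    return image


def build_nas_message(image_data: bytes) -> bytes:
    """Fill the packed image into the data body field of a NAS signaling message."""
    body = pack_image_data(image_data)
    if len(body) > MAX_BODY:
        raise ValueError("image does not fit in one NAS data body")
    return _HEADER.pack(NAS_MSG_IMAGE_DATA, len(body)) + body


def parse_nas_message(msg: bytes) -> bytes:
    """MME-side parse of the NAS signaling message; returns the image data or raises."""
    if len(msg) < _HEADER.size:
        raise ValueError("truncated NAS header")
    msg_type, body_len = _HEADER.unpack_from(msg)
    if msg_type != NAS_MSG_IMAGE_DATA:
        raise ValueError(f"unexpected NAS message type {msg_type:#x}")
    body = msg[_HEADER.size:]
    if len(body) != body_len:
        raise ValueError("NAS body length mismatch")
    return unpack_image_data(body)


def send_image_data(image_data: bytes, state_vars: Optional[dict]) -> Tuple[str, bytes]:
    """First-terminal side of step 102: pick the plane from the bearer state and
    return (plane, PDU) where PDU is what goes down the stack on that plane."""
    plane = choose_plane(state_vars)
    if plane == "signaling":
        return plane, build_nas_message(image_data)
    return plane, pack_image_data(image_data)   # user plane: packed data over the DRB
```

Both length fields are verified on the receiving side, so a truncated or padded message is rejected rather than parsed as a shorter image; the signaling path is also bounded by the two-byte body length, which is the practical reason the text stresses small data volumes for this transport.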
  • Step 103: Receive the key sent by the server, and send the key to the second terminal.
  • the key is used for the second terminal to authenticate the first terminal.
  • step 103 may further include: when it is determined from the acquired image data of the second terminal that the identity of the first terminal user needs to be verified, generating second prompt information that prompts the first terminal user to input verification information; obtaining the verification information input by the first terminal user; verifying the input verification information; and sending the key to the second terminal after the verification succeeds.
  • the second terminal may be a transfer machine, an access card, or another device.
  • when the second terminal is a transfer machine, the identity of the first terminal user needs to be verified before the second terminal authenticates the first terminal; the purpose of the verification is to improve security. When the second terminal is an access card, the identity of the first terminal user does not need to be verified, and the second terminal can authenticate the first terminal directly.
  • the verification information input by the first terminal user may be fingerprint information, a piece of speech, a key, or the like.
  • verifying the input verification information includes: when the verification information is fingerprint information, performing fingerprint image format conversion, image segmentation and enhancement, image filtering, image binarization, image thinning, and feature point extraction and matching on the fingerprint image; when the verification information is a piece of speech, performing pre-emphasis, framing, windowing and Mel filter bank filtering on the speech to obtain Mel frequency cepstrum coefficients (MFCC, Mel Frequency Cepstrum Coefficient), reducing the dimension of the MFCC by principal component analysis (PCA), and then performing pattern matching by vector quantization (VQ, Vector Quantization); when the verification information is a key, comparing the key with a preset key store.
  • MFCC Mel Frequency Cepstrum Coefficient
  • PCA Principal Component Analysis
  • VQ Vector Quantization
  • the method further includes: when the key corresponding to the first terminal is changed or a new key is entered, sending the changed key or the newly entered key to the server, which uses it to update the preset database.
  • the first terminal user can change the key corresponding to the first terminal and send the changed key to the server so that the server updates the preset database.
  • the first terminal user may enter a new key and send it to the server; likewise, when the second terminal is a new device and the preset database on the server does not yet store a key correspondence between the second terminal and the first terminal, the first terminal user enters a new key and sends it to the server.
  • when the radio access bearer is in the released state, the first terminal sends the image data of the second terminal to the server over the Internet of Things protocol using the signaling for transmitting data. Because the radio access bearer does not need to be re-established, the delay caused by establishing it is avoided, and the image data of the second terminal can be sent quickly to the server on the network side, which enables fast authentication.
  • the server sends the key to the first terminal, and the first terminal sends the key to the second terminal, which avoids the key being leaked, so that secure authentication can be implemented.
  • this embodiment uses the server side as an example to describe the authentication method in detail.
  • the method includes the following steps:
  • Step 501: Receive image data of the second terminal sent by the first terminal over the Internet of Things protocol using signaling for transmitting data.
  • receiving the image data of the second terminal that the first terminal sends over the Internet of Things protocol using signaling for transmitting data comprises: receiving, on the signaling radio bearer between the terminal and the core network, the non-access stratum signaling message that the first terminal sent through the non-access stratum of the signaling plane, where the non-access stratum signaling message includes the image data of the second terminal.
  • the signaling radio bearer between the terminal and the core network corresponds to the NAS layer of the MME on the core network side; that is, the image data transmitted on the signaling radio bearer is received by the NAS layer of the MME. The MME then either sends the image data to the SCEF, from which the server receives it, or sends it to the SGW, which forwards it to the PGW, and the server receives the image data from the PGW.
  • Step 502: Search the preset database using the image data, obtain the key corresponding to the first terminal, and send the key to the first terminal.
  • the key is used by the second terminal to authenticate the first terminal after the first terminal has forwarded it to the second terminal.
  • sending the key to the first terminal includes: sending the key to the first terminal over the IoT protocol using signaling for transmitting data.
  • the key may be sent to the first terminal by using an NB-IoT or an eMTC protocol.
  • when the radio access bearer is in the released state, the key is sent to the first terminal through the non-access stratum of the signaling plane; when the radio access bearer is in the established state, the key is sent to the first terminal on the user plane.
  • searching the preset database using the image data comprises: extracting feature information from the image data according to a feature extraction strategy, and searching the preset database according to the extracted feature information.
  • the information stored in the preset database may include: identifier information of the second terminal, and identifier information of the first terminal.
  • the correspondence between the identification information of the second terminal and the identification information of the first terminal is one-to-many.
  • the feature extraction strategy first preprocesses the image data, including grayscale conversion, binarization, and noise suppression (filtering).
  • Feature point extraction is performed based on the pre-processed image to construct a graphical feature, where the feature point may be an imaging point of any portion on the second terminal, such as a point at the edge of the second terminal.
  • Graphic features such as contour features, texture features within the contours, etc., can be formed by feature points.
  • the feature information of the second terminal, such as its identification information, is determined from the graphical features; the identification information may be a number.
  • the method further includes: receiving a changed key or a newly entered key sent by the first terminal, where the changed key or new key corresponds to the second terminal, and updating the preset database according to the changed key or the newly entered key.
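The server-side search of step 502, the one-to-many correspondence in the preset database, the key-update path, and the final check on the second terminal can be walked through with the following added example in Python. It is illustration written for this page, not code from the patent or from ZTE. The captured "image" is a constructed greyscale grid in which the second terminal is assumed to show its identification number as bright and dark rows; only the preprocessing steps the text names (greyscale, binarization, noise suppression) are modelled, and the contour/texture feature extraction is replaced by a row-majority decoder. The database contents and key values are constructed.

```python
import hmac
from typing import Dict, List, Optional

# Constructed stand-in for the captured image of the second terminal: a small
# greyscale grid (0-255). For this example the second terminal is assumed to
# show its identification number as a pattern of bright and dark rows, one bit
# per row, MSB first (hypothetical; the patent's contour/texture features are
# not reproduced).
Image = List[List[int]]

# Preset database: second-terminal identifier -> {first-terminal identifier -> key}
# (one-to-many: one second terminal, many first terminals).
PresetDb = Dict[str, Dict[str, bytes]]


def make_image(number: str, rows: int = 10, width: int = 8) -> Image:
    """Constructed test input: encode `number` as bright (200) / dark (30) rows."""
    value = int(number)
    return [[200 if (value >> (rows - 1 - i)) & 1 else 30 for _ in range(width)]
            for i in range(rows)]


def preprocess(image: Image, threshold: int = 128) -> List[List[int]]:
    """Greyscale -> binarization, then a 3-pixel horizontal majority filter
    as the noise-suppression step."""
    binarized = [[1 if px >= threshold else 0 for px in row] for row in image]
    filtered = []
    for row in binarized:
        out = []
        for i in range(len(row)):
            window = row[max(0, i - 1): i + 2]
            out.append(1 if 2 * sum(window) > len(window) else 0)
        filtered.append(out)
    return filtered


def extract_identifier(image: Image) -> str:
    """Feature-extraction stand-in: the majority value of each row is one bit."""
    bits = "".join("1" if 2 * sum(row) > len(row) else "0"
                   for row in preprocess(image))
    return f"{int(bits, 2):03d}"


def lookup_key(db: PresetDb, image: Image, first_id: str) -> Optional[bytes]:
    """Step 502: identify the second terminal from the image and return the key
    stored for this first terminal, or None if there is no correspondence."""
    second_id = extract_identifier(image)
    return db.get(second_id, {}).get(first_id)


def update_key(db: PresetDb, second_id: str, first_id: str, new_key: bytes) -> None:
    """Changed key or newly entered key sent by the first terminal: update the
    preset database (creates the entry when the second terminal is a new device)."""
    db.setdefault(second_id, {})[first_id] = new_key


def second_terminal_authenticates(own_keys: Dict[str, bytes], first_id: str,
                                  presented_key: bytes) -> bool:
    """Second-terminal side: compare the key forwarded by the first terminal with
    the key it holds for that first terminal, in constant time."""
    expected = own_keys.get(first_id)
    return expected is not None and hmac.compare_digest(expected, presented_key)
```

A missing correspondence (unknown second terminal, or a first terminal that has never entered a key for it) yields `None` rather than a default key, which is the case the text covers with the new-key entry path; the second terminal's comparison uses `hmac.compare_digest` so that the check does not leak how many leading bytes matched.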
  • this embodiment provides a first terminal.
  • the first terminal includes: an obtaining module 61, a first sending module 62, and a first receiving module 63, where:
  • the acquisition module 61 is configured to acquire image data of the second terminal.
  • the first sending module 62 is configured to: when the wireless access bearer is in a released state, send image data to the server by using an IoT protocol for transmitting data, wherein the image data is used to request the server to send a corresponding a key of the first terminal; and transmitting the key to the second terminal, wherein the key is used by the second terminal to authenticate the first terminal.
  • the first receiving module 63 is configured to receive a key transmitted by the server.
  • the obtaining module 61 is further configured to: search for at least one terminal; determine the second terminal from the at least one terminal; and collect an image of the second terminal to obtain the image data.
  • the first terminal may search at least one terminal through Bluetooth, and may also search for at least one terminal by using other local area network protocols, such as WiFi, ZigBee, and the like.
  • the terminal may specifically be an ATM machine, an access security gate, a smart bus or a credit card machine on a subway, and the like.
  • the first sending module 62 is further configured to establish a signaling radio bearer between the terminal and the core network, generate a non-access stratum signaling message from the image data, and send the non-access stratum signaling message to the server on the signaling radio bearer.
  • the first sending module 62 establishes a signaling radio bearer between the first terminal and the core network, generates a non-access stratum signaling message from the image data of the second terminal, and sends the non-access stratum signaling message to the server on the signaling radio bearer.
  • when the radio access bearer is in the released state, only a network whose signaling-plane protocol architecture supports transmitting data through the signaling plane can send the image data to the server through the non-access stratum of the signaling plane; the network protocols meeting this condition specifically include NB-IoT, eMTC, and the like.
  • the first sending module 62 is further configured to: when the radio access bearer is in an established state, send image data to the server based on the data radio bearer on the user plane.
  • the first terminal further includes an unlocking module configured to generate a first prompt message when the first terminal is in a locked state, where the first prompt message prompts the first terminal user to unlock the first terminal; to obtain the operation performed in response to the first prompt message; to unlock the first terminal in response to that operation; and to have the first terminal enter the working state after the unlocking succeeds.
  • in order to reduce power consumption and ensure security, the first terminal cannot always be in the working state and searching for at least one terminal; the working time of the first terminal can be set according to user requirements, for example, the first terminal enters the locked state after working for 1 minute or 10 minutes.
  • the first terminal further includes a determining module configured to read the state of the radio access bearer between the first terminal and the core network saved in the protocol stack; when there is no data transmission channel between the first terminal and the core network, the determining module determines that the radio access bearer is in the released state.
  • the first terminal further includes a verification module configured to generate a second prompt information when it is determined that the identity of the first terminal user needs to be verified according to the acquired image data of the second terminal.
  • the second prompt information is used to prompt the first terminal user to input the verification information, and is further configured to obtain the verification information input by the first terminal user, and is further configured to verify the input verification information.
  • the first sending module 62 is further configured to send the key to the second terminal after the verification succeeds.
  • when the second terminal is a transfer machine, the identity of the first terminal user needs to be verified, and the second terminal authenticates the first terminal only after that verification; the purpose of the verification is to improve security.
  • when the second terminal is an access card reader, the identity of the first terminal user does not need to be verified, and the second terminal can authenticate the first terminal directly.
  • the first terminal further includes an entry module configured to: when the key corresponding to the first terminal is changed or a new key is entered, send the changed key or the entered new key to the server, where the changed key or the entered new key is used by the server to update the preset database.
  • the first receiving module 63 is implemented by a communication interface on the first terminal; the obtaining module 61, the unlocking module, and the determining module may be implemented by a processor located on the first terminal, such as a central processing unit (CPU), a microprocessor (MPU, Micro Processor Unit), a DSP, or a Field Programmable Gate Array (FPGA); the first sending module 62, the verification module, and the entry module are implemented by a processor on the first terminal, such as a CPU, an MPU, a DSP, or an FPGA, in combination with a communication interface.
  • the embodiment also provides a server. The server includes a second receiving module 71 and a second sending module 72, where:
  • the second receiving module 71 is configured to receive image data of the second terminal sent by the first terminal using signaling for transmitting data through the Internet of Things protocol.
  • the second sending module 72 is configured to perform a lookup in the preset database by using the image data, obtain the key corresponding to the first terminal, and send the key to the first terminal, where the key, after being sent by the first terminal to the second terminal, is used by the second terminal to authenticate the first terminal.
  • the second receiving module 71 is further configured to receive the changed key or the entered new key sent by the first terminal, where the changed key and the entered new key correspond to the second terminal.
  • the second receiving module 71 is further configured to receive, on the signaling radio bearer between the first terminal and the core network, the image data sent by the first terminal through the non-access stratum of the signaling plane.
  • the signaling radio bearer between the terminal and the core network corresponds to the NAS layer of the MME on the core network side, that is, the image data transmitted on the signaling radio bearer is received by the NAS layer of the MME.
  • the MME sends the image data to the SCEF, and the server receives the image data sent by the SCEF.
  • alternatively, the MME may send the image data to the SGW, the SGW sends the image data to the PGW, and the server receives the image data sent by the PGW.
  • the second sending module 72 is further configured to extract feature information from the image data based on a feature extraction strategy, and perform the search in the preset database according to the extracted feature information.
  • the second sending module 72 sends the key to the first terminal by using the signaling for transmitting data through the Internet of Things protocol.
  • the key may be sent to the first terminal by using the NB-IoT or eMTC protocol. That is, when the radio access bearer is in the released state, the second sending module 72 sends the key to the first terminal through the NAS layer of the signaling plane; when the radio access bearer is in the established state, the second sending module 72 sends the key to the first terminal through the user plane.
  • the server further includes an update module configured to update the preset database based on the changed key or a new key entered.
  • the update module is implemented by a processor located on the second terminal, such as a CPU, an MPU, a DSP, an FPGA, or the like; the second receiving module 71 and the second sending module 72 may be implemented by a processor located on the second terminal, such as a CPU, an MPU, a DSP, or an FPGA, in combination with a communication interface.
  • FIG. 8 is a schematic diagram of the internal module structure of the first terminal. As shown in FIG. 8, the internal modules of the first terminal include a user interaction module 801, an NB-IoT/eMTC communication module 802, a Bluetooth/WiFi communication module 803, an information collection module 804, and an image acquisition module 805.
  • User interaction module 801: completes the interaction between the first terminal and the user. The interaction mode can be a user interface (UI, User Interface) display, button confirmation, voice prompts, and the like.
  • NB-IoT/eMTC communication module 802: the image data of the second terminal is sent in the uplink, and the downlink carries authentication information such as the key and the personal information requested by the first terminal. When the radio access bearer is established, the user plane is used to transmit the image data; when the radio access bearer is released, the image data is transmitted using the signaling plane.
  • Bluetooth/WiFi communication module 803: used to search for and connect to surrounding hosts (second terminals), such as ATM machines, access control security gates, smart bus/metro card machines, and the like. After the server sends the authentication data, such as the key, to the first terminal, the key is sent to the host through the Bluetooth/WiFi communication module 803, and the host completes the authentication of the first terminal. The search and connection technology can use Bluetooth, and can also be completed by other LAN protocols such as WiFi, ZigBee, and the like.
  • Information collection module 804: used for input and output. The first terminal cannot always be in the working state searching for surrounding hosts; most of the time it is in the standby state, that is, the locked state. In the locked state the first terminal is not available and does not search for nearby hosts. The working time of the first terminal can be set by the first terminal user, for example to 1 minute or 10 minutes. The information collection module 804 is required to unlock the first terminal; during the period after unlocking, the first terminal is in the available and searching state. The information collection module 804 is also used in the processes of adding a key and modifying a key.
  • Image acquisition module 805: in an open environment, the first terminal may continuously find various hosts. For example, there may be an ATM machine at the gate of a residential community, and the first terminal finds multiple hosts. In this case, the first terminal user needs to confirm which host is to be connected as the second terminal. After determining the second terminal, a live view is taken: the user uses the camera of the first terminal (belonging to the image acquisition module) to collect the image, the image is sent to the server through the NB-IoT/eMTC protocol, the server determines that the host is the second terminal, and the key corresponding to the first terminal is then sent to the first terminal.
  • the first terminal can also be equipped with smart glasses or a similar wearable product, so that the first terminal user can automatically upload the image data of the second terminal to the server simply by looking directly at or observing the host to be operated, saving time and manpower.
  • FIG. 9 is a schematic diagram of a specific implementation process of an authentication method according to an embodiment of the present invention. As shown in FIG. 9, the process includes the following steps:
  • Step 901: Determine whether the first terminal is in the working state. If it is determined that the first terminal is in the working state, step 902 is performed. If the first terminal is in the locked state (for example, after the first terminal exceeds the preset working time, it enters the locked state), step 917 is performed.
  • Step 917: Prompt the user to unlock the first terminal, and wait for the user to unlock the first terminal by using a fingerprint or an iris pattern. After the unlocking succeeds, step 902 is performed.
  • Step 902: When it is determined that the first terminal is in the working state, the first terminal enters the state of searching for hosts. When the first terminal finds at least one host (the second terminal), step 903 is performed. If the first terminal does not find a host, return to step 901.
  • Step 903: Prompt the first terminal user, for example through the user interaction module 801, to open the live view authentication, and wait for the user to open the live view authentication.
  • Step 904: The user performs the live view entry. If the live view entry succeeds, step 9041 is performed; if the live view entry fails, the process returns to step 903.
  • Step 9041: The device (the first terminal) is connected to the target host by using a method such as Bluetooth or another local area network, and then step 905 is performed.
  • for the live view entry, the user can take a picture of the host device using the first terminal; the photo can be of the gate of the community that the user is about to enter, a smart door lock, a bank ATM machine, a bus, a private club key cabinet, and so on.
  • Step 905: The first terminal determines whether the radio access bearer exists. If yes, that is, the radio access bearer is in the established state, step 906 is performed; if not, that is, the radio access bearer is in the released state, step 912 is performed.
  • a series of variables corresponding to the radio access bearer is stored in the protocol stack, and reading these variables allows the first terminal to query whether it holds valid state related to the radio access bearer. If the variables are empty or their memory has been released, the first terminal does not hold valid state variable information related to the radio access bearer between the first terminal and the core network, the state variable information is invalid, and the radio access bearer can therefore be determined to be in the released state.
  • when the terminal becomes idle, the bearer and the signaling connection established between the terminal and the core network are released; when the user requests data again, the terminal and the core network first perform service request (SR, Service Request) signaling interaction, establish an RRC bearer, and establish a radio bearer and a radio access bearer, and only then perform data interaction.
  • Step 906: Send the picture data of the host to the server by using the signaling for transmitting data through the IoT protocol.
  • here, the picture data of the host may be sent to the server through the user plane based on the NB-IoT (or eMTC) protocol.
  • the server searches the preset database. If the key corresponding to the first terminal is found, the key is sent to the first terminal by using the NB-IoT/eMTC protocol.
  • Step 907: Determine whether the key sent by the server to the first terminal is received. If the key is received, step 908 is performed; otherwise step 913 is performed.
  • Step 908: Generate a prompt message, for example: "Received the key of host \"xxx\"; send it?"
  • the prompt message is used by the terminal to determine whether to verify the identity of the user; when it is determined that the identity of the first terminal user needs to be verified, step 909 is performed.
  • whether the identity of the user is verified can be determined according to the security level preset by the user.
  • for example, the key authentication of an ATM machine and the identity authentication on a bus can be set to the high security level; only when the user identity is verified and the user presses the confirmation key is the key sent to complete the authentication process. That is, when the host is a transfer machine, the first terminal needs to verify the identity of the user, and sends the key to the host only after the identity of the user is verified.
  • community access control, company gates, and the like can be set to the low security level: without first verifying the user identity or obtaining the user's confirmation, the first terminal sends the key directly to the host (in this case, steps 908-909 are skipped).
  • Step 909: Determine whether the verification information input by the user is received (that is, the user's confirmation is received). If yes, go to step 910; otherwise go back to step 908.
  • Step 910: After the identity of the user is verified successfully, the key is sent to the host by using Bluetooth or the like.
  • Step 911: Determine whether the host authentication is passed. If the host authentication succeeds, step 916 is performed; if the authentication fails, step 915 is performed.
  • Step 912: Send the picture data of the host to the server by using the signaling for transmitting data through the IoT protocol.
  • here, the picture of the host may be sent to the server through the NAS layer of the signaling plane based on the NB-IoT or eMTC protocol.
  • the picture data of the host is packaged, the packed data packet is filled into the data body field of the NAS layer to generate a non-access stratum signaling message, and the non-access stratum signaling message is transmitted to the network-side server through the NAS layer. Specifically, the non-access stratum message including the host picture data is encapsulated by the NAS layer, the RRC layer, the PDCP layer, the RLC layer, the MAC layer, and the PHY layer, and then transmitted to the server over the radio signal.
  • because the radio access bearer does not need to be re-established, the service request and the establishment of the radio bearer and the radio access bearer are omitted, and the data can be sent to the server quickly.
  • Step 913: Prompt the user to take a photo again and return to step 903; or prompt the user that this is a new host device for which a new key needs to be entered, and then perform step 914.
  • Step 914: Enter the new device process.
  • Step 915: The host prompts the first terminal user to perform key modification.
  • Step 915 can also be: the host directly goes to sleep on standby.
  • Step 916: The first terminal chooses to continue searching or to enter the standby mode according to the working time. If the working time exceeds the time preset by the user, the device is locked, and the first terminal is in a low power state after being locked.
  • FIG. 10 is a schematic diagram of a specific implementation process of adding a new device according to an embodiment of the present invention, that is, a specific implementation process of entering a new key. As shown in FIG. 10, the process includes the following steps:
  • Step 1001: Enter the process of entering a new key.
  • Step 1002: Confirm the user information through the information collection module 804, confirm that the first terminal is used by a legitimate user, and make the first terminal enter the working mode.
  • Step 1003: Enter the user information and the new key through the information collection module 804.
  • Step 1004: Send the entered key to the server.
  • when the radio access bearer does not exist (released state), the NAS layer of the signaling plane may be used to send the entered new key corresponding to the first terminal to the server; otherwise (the radio bearer is established), the entered new key corresponding to the first terminal is sent to the server through the user plane.
  • alternatively, the radio access bearer may be established first, and the packetized data packet is then processed by the PDCP layer, the RLC layer, the MAC layer, and the PHY layer and sent in a transport block to the server on the network side.
  • Step 1005: The server updates the preset database, creating the new key information, the correspondence between the new key and the first terminal, and the correspondence between the host (second terminal) and the first terminal.
  • Step 1006: Prompt the user that the new key has been entered successfully.
  • FIG. 11 is a schematic diagram of a specific implementation process of changing a key according to an embodiment of the present invention. As shown in FIG. 11, the process includes the following steps:
  • Step 1101: Enter the change key process.
  • Step 1102: Confirm the user information through the information collection module 804, confirm that the first terminal is used by a legitimate user, and make the first terminal enter the working mode.
  • Step 1103: Enter the changed key through the information collection module 804.
  • Step 1104: Send the changed key to the server.
  • the changed key can be sent to the server based on the NB-IoT/eMTC protocol.
  • when the radio access bearer does not exist (released state), the NAS layer of the signaling plane may be used to send the entered key corresponding to the first terminal to the server; otherwise (the radio bearer has been established), the entered key corresponding to the first terminal is sent to the server through the user plane.
  • alternatively, the radio access bearer may be established first, and the packetized data packet is then processed by the PDCP layer, the RLC layer, the MAC layer, and the physical layer and sent in a transport block to the server on the network side.
  • Step 1105: The server updates the preset database, creating the changed key information, the correspondence between the changed key and the first terminal, and the correspondence between the host and the first terminal.
  • Step 1106: The server prompts the user that the key has been changed successfully.
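The following is an added example, not code from the patent or from ZTE: a small simulation of the FIG. 9 authentication flow (locked/working state, transport chosen from the radio access bearer state, server lookup of the key by host image, security-level gating of the user verification, host-side check) together with the FIG. 10/11 key entry and change flows. All class and function names, the security-level table on the terminal, the SHA-256 stand-in for the feature extraction strategy, and the assumption that the host keeps its own copy of each terminal's key are assumptions made for the example; the image bytes and keys are constructed test data.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def choose_transport(rab_established: bool) -> str:
    """Step 905: established RAB -> user plane (906); released RAB -> NAS signaling (912)."""
    return "user-plane" if rab_established else "nas-signaling"


class Server:
    """Holds the preset database: (host image feature, first terminal id) -> key."""

    def __init__(self) -> None:
        self.db: Dict[Tuple[str, str], str] = {}

    @staticmethod
    def extract_feature(image_data: bytes) -> str:
        # Assumed feature extraction strategy: a SHA-256 digest of the image bytes.
        # A real deployment would use an image feature that tolerates re-photographing.
        return hashlib.sha256(image_data).hexdigest()

    def lookup_key(self, terminal_id: str, image_data: bytes) -> Optional[str]:
        """Steps 906/912 server side: search the database with the host image."""
        return self.db.get((self.extract_feature(image_data), terminal_id))

    def update_key(self, terminal_id: str, image_data: bytes, key: str) -> None:
        """Steps 1005 / 1105: record the new or changed key for this host and terminal."""
        self.db[(self.extract_feature(image_data), terminal_id)] = key


@dataclass
class Host:
    """The second terminal (ATM, gate, door lock); keeps its own copy of each terminal's key."""
    name: str
    image: bytes  # constructed stand-in for a photo of the host
    keys: Dict[str, str] = field(default_factory=dict)

    def authenticate(self, terminal_id: str, key: str) -> bool:
        """Step 911: constant-time comparison against the key registered for this terminal."""
        expected = self.keys.get(terminal_id)
        return expected is not None and hmac.compare_digest(expected, key)


@dataclass
class FirstTerminal:
    terminal_id: str
    working: bool = False          # step 901: locked until unlocked
    rab_established: bool = False  # radio access bearer state read from the protocol stack
    # security level per host, preset by the user (steps 908-909); default is low
    security: Dict[str, str] = field(default_factory=dict)

    def unlock(self, biometric_ok: bool) -> None:
        """Step 917: a successful fingerprint/iris unlock enters the working state."""
        self.working = biometric_ok

    def authenticate_to(self, host: Host, server: Server, user_confirmed: bool) -> dict:
        """Steps 901-911 for one host; returns the outcome and the transport used."""
        if not self.working:
            return {"outcome": "locked"}                              # 901 -> 917
        transport = choose_transport(self.rab_established)            # 905 -> 906 / 912
        key = server.lookup_key(self.terminal_id, host.image)         # 906 / 912
        if key is None:
            return {"outcome": "new-host", "transport": transport}    # 907 -> 913
        if self.security.get(host.name) == "high" and not user_confirmed:
            return {"outcome": "verification-required", "transport": transport}  # 908/909
        ok = host.authenticate(self.terminal_id, key)                 # 910 -> 911
        return {"outcome": "authenticated" if ok else "rejected", "transport": transport}

    def enter_key(self, host: Host, server: Server) -> str:
        """Steps 1003-1005 / 1103-1105: enter or change a key; server and host are updated."""
        key = secrets.token_hex(16)
        server.update_key(self.terminal_id, host.image, key)
        host.keys[self.terminal_id] = key  # assumed provisioning of the host's copy
        return key
```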
  • embodiments of the present invention can be provided as a method, a system, or a computer program product. Accordingly, the present invention can take the form of a hardware embodiment, a software embodiment, or a combination of software and hardware. Moreover, the invention can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage and optical storage) containing computer-usable program code.
  • the computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising an instruction device, where the instruction device implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • these computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • an embodiment of the present invention further provides a computer storage medium, where the computer storage medium includes a set of instructions which, when executed, cause at least one processor to perform the server-side authentication method described above, or to perform the terminal-side authentication method described above.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to an authentication method, a terminal and a server. The method is applied to a first terminal and consists in acquiring image data of a second terminal; when a radio access bearer is in a released state, using, by means of an Internet of Things protocol, signaling to transmit data and sending the image data to a server, the image data being used to request that the server send a key corresponding to the first terminal; and receiving the key sent by the server and sending the key to the second terminal, the key being used for the authentication of the first terminal by the second terminal.
PCT/CN2018/075088 2017-04-28 2018-02-02 Authentication method, terminal and server Ceased WO2018196465A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710296994.XA CN108809898B (zh) 2017-04-28 2017-04-28 An authentication method, terminal and server
CN201710296994.X 2017-04-28

Publications (1)

Publication Number Publication Date
WO2018196465A1 true WO2018196465A1 (fr) 2018-11-01

Family

ID=63919421

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/075088 Ceased WO2018196465A1 (fr) 2017-04-28 2018-02-02 Authentication method, terminal and server

Country Status (2)

Country Link
CN (1) CN108809898B (fr)
WO (1) WO2018196465A1 (fr)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112907791B (zh) * 2021-02-24 2022-03-29 Hualu Zhida Technology Co., Ltd. An intelligent key cabinet system based on RFID precise identification and face recognition technology

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103155615A (zh) * 2010-10-15 2013-06-12 Telefonaktiebolaget LM Ericsson Lightweight data transmission mechanism
WO2016036661A1 (fr) * 2014-09-05 2016-03-10 Utc Fire & Security Corporation Access authentication system and method
CN105874750A (zh) * 2013-11-14 2016-08-17 Qualcomm Incorporated Method and apparatus for identifying physical IoT devices

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
ES2381293B1 (es) * 2009-04-20 2012-11-07 Alter Core, S.L. Personal accreditation system and method using a mobile device.
CN103020818B (zh) * 2013-01-09 2016-04-20 Chongqing Qian'abao Electronic Technology Co., Ltd. Dynamic two-dimensional verification code payment system
CN103489102A (zh) * 2013-09-13 2014-01-01 Huizhou TCL Mobile Communication Co., Ltd. A method and system for preventing fraudulent credit card use via a mobile phone based on a two-dimensional code
CN105871874A (zh) * 2016-04-27 2016-08-17 Wuhan Guoyang Technology Co., Ltd. A mobile internet virtual key authorization system and hardware door lock control method thereof

Also Published As

Publication number Publication date
CN108809898A (zh) 2018-11-13
CN108809898B (zh) 2020-10-20

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18791147

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18791147

Country of ref document: EP

Kind code of ref document: A1