Disclosure of Invention
The application aims to provide an identity authentication method, a network distribution device, an electronic device and a storage medium that improve the efficiency and accuracy of identity authentication.
To solve the above technical problem, the present application provides an identity authentication method applied to a network distributor (the mesh provisioner), the method comprising:
during the mesh network distribution (provisioning) process, generating a device key by negotiating with a device that has not yet been provisioned onto the network (hereinafter the unprovisioned device);
receiving a broadcast sent by the unprovisioned device, and establishing a BLE GATT connection with the unprovisioned device according to the broadcast;
and performing identity authentication on the unprovisioned device through the BLE GATT connection by using the device key.
Optionally, performing identity authentication on the unprovisioned device through the BLE GATT connection by using the device key includes:
generating a first random number, and encrypting the first random number with the device key to obtain a first ciphertext;
sending the first ciphertext to the unprovisioned device through the BLE GATT connection, so that the unprovisioned device decrypts the first ciphertext and encrypts the decryption result of the first ciphertext together with a second random number by using the device key to obtain a second ciphertext;
receiving the second ciphertext sent by the unprovisioned device through the BLE GATT connection, and decrypting the second ciphertext with the device key;
and if the decryption result of the second ciphertext includes the first random number, determining that the unprovisioned device has passed identity authentication.
Optionally, after determining that the unprovisioned device has passed identity authentication, the method further includes:
encrypting the second random number obtained by decrypting the second ciphertext with the device key to obtain a ciphertext to be verified;
and sending the ciphertext to be verified to the unprovisioned device through the BLE GATT connection, so that the unprovisioned device decrypts the ciphertext to be verified and, when the decryption result is the second random number, determines that the network distributor is a trusted device.
Optionally, after performing identity authentication on the unprovisioned device through the BLE GATT connection by using the device key, the method further includes:
encrypting service data with a symmetric encryption algorithm whose key is the device key to obtain encrypted service data, and transmitting the encrypted service data to the unprovisioned device.
The application also provides an identity authentication method applied to an unprovisioned device, the method comprising:
during the mesh network distribution process, generating a device key by negotiating with a network distributor;
sending a broadcast to the network distributor, so that the network distributor establishes a BLE GATT connection with the unprovisioned device according to the broadcast;
and performing identity authentication on the network distributor through the BLE GATT connection by using the device key.
Optionally, performing identity authentication on the network distributor through the BLE GATT connection by using the device key includes:
receiving a first ciphertext sent by the network distributor through the BLE GATT connection, wherein the network distributor generates the first ciphertext by generating a first random number and encrypting the first random number with the device key;
decrypting the first ciphertext, generating a second random number, and encrypting the decryption result of the first ciphertext together with the second random number by using the device key to obtain a second ciphertext;
sending the second ciphertext to the network distributor through the BLE GATT connection, so that the network distributor decrypts the second ciphertext with the device key and, after determining that the decryption result includes the first random number, encrypts the second random number obtained from that decryption with the device key to obtain a ciphertext to be verified;
receiving the ciphertext to be verified sent by the network distributor through the BLE GATT connection;
and decrypting the ciphertext to be verified, and determining that the network distributor is a trusted device when the decryption result is the second random number.
Optionally, after performing identity authentication on the network distributor through the BLE GATT connection by using the device key, the method further includes:
receiving encrypted service data transmitted by the network distributor, the encrypted service data having been obtained by the network distributor by encrypting service data with a symmetric encryption algorithm whose key is the device key;
and decrypting the encrypted service data with the device key to obtain the service data in plaintext form.
The present application further provides a network distribution device, including:
a first key generation module, configured to generate a device key by negotiating with an unprovisioned device during the mesh network distribution process;
a communication module, configured to receive a broadcast sent by the unprovisioned device and to establish a BLE GATT connection with the unprovisioned device according to the broadcast;
and a first authentication module, configured to perform identity authentication on the unprovisioned device through the BLE GATT connection by using the device key.
The present application further provides an electronic device, comprising:
a second key generation module, configured to generate a device key by negotiating with a network distributor during the mesh network distribution process;
a broadcasting module, configured to send a broadcast to the network distributor, so that the network distributor establishes a BLE GATT connection with the unprovisioned device according to the broadcast;
and a second authentication module, configured to perform identity authentication on the network distributor through the BLE GATT connection by using the device key.
The application also provides a storage medium on which a computer program is stored, the computer program, when executed, implementing the steps of the above identity authentication method.
The application provides an identity authentication method applied to a network distributor, comprising: during the mesh network distribution process, generating a device key by negotiating with an unprovisioned device; receiving a broadcast sent by the unprovisioned device, and establishing a BLE GATT connection with the unprovisioned device according to the broadcast; and performing identity authentication on the unprovisioned device through the BLE GATT connection by using the device key.
In the present application, the network distributor and the unprovisioned device negotiate the device key during the mesh network distribution process. In the mesh network, only the network distributor and the unprovisioned device hold the device key. After the BLE GATT connection is established between the network distributor and the unprovisioned device, the network distributor authenticates the unprovisioned device through the BLE GATT connection by using the device key. No pairing code has to be exchanged between the network distributor and the unprovisioned device in this process, so the efficiency and accuracy of identity authentication can be improved. The application also provides a network distribution device, an electronic device and a storage medium having the same beneficial effect, which are not described again here.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, fig. 1 is a flowchart of an identity authentication method according to an embodiment of the present disclosure.
The specific steps may include:
S101: during the mesh network distribution process, generating a device key by negotiating with an unprovisioned device;
This embodiment may be applied to a network distributor, which can communicate with other devices over Bluetooth; the network distributor and the unprovisioned device carry out the mesh (wireless mesh network) network distribution operation over this Bluetooth communication.
During the mesh network distribution process, the network distributor can negotiate with the unprovisioned device (for example, a mobile phone, a tablet computer, a Bluetooth door lock, a Bluetooth safe or a Bluetooth toothbrush) to generate a device key (DevKey).
S102: receiving a broadcast sent by the unprovisioned device, and establishing a BLE GATT connection with the unprovisioned device according to the broadcast;
The unprovisioned device can initiate a BLE (Bluetooth Low Energy) broadcast; the network distributor receives the broadcast sent by the unprovisioned device and then establishes a BLE GATT (Generic Attribute Profile) connection with the unprovisioned device according to the broadcast.
S103: performing identity authentication on the unprovisioned device through the BLE GATT connection by using the device key.
Based on the BLE GATT connection established between the network distributor and the unprovisioned device, this step performs identity authentication on the unprovisioned device through the BLE GATT connection by using the device key.
In this embodiment, the network distributor negotiates the device key with the unprovisioned device during the mesh network distribution process. In the mesh network, only the network distributor and the unprovisioned device hold the device key. After the BLE GATT connection is established between the network distributor and the unprovisioned device, the network distributor authenticates the unprovisioned device through the BLE GATT connection by using the device key. No pairing code has to be exchanged between the network distributor and the unprovisioned device in this process, so the efficiency and accuracy of identity authentication can be improved.
As a further description of the embodiment corresponding to fig. 1, after identity authentication of the unprovisioned device through the BLE GATT connection by using the device key, service data may further be encrypted with a symmetric encryption algorithm whose key (also referred to as the secret key) is the device key, and the resulting encrypted service data transmitted to the unprovisioned device. In this way the device key serves as the data encryption key for the GATT communication, so that the data cannot be recovered by a third party and communication security is improved.
As a further description of the embodiment corresponding to fig. 1, identity authentication based on the device key may be performed as follows:
Step A1: generating a first random number, and encrypting the first random number with the device key to obtain a first ciphertext.
Step A2: sending the first ciphertext to the unprovisioned device through the BLE GATT connection, so that the unprovisioned device decrypts the first ciphertext and encrypts the decryption result of the first ciphertext together with a second random number by using the device key to obtain a second ciphertext.
Step A3: receiving the second ciphertext sent by the unprovisioned device through the BLE GATT connection, and decrypting the second ciphertext with the device key.
Step A4: if the decryption result of the second ciphertext includes the first random number, determining that the unprovisioned device has passed identity authentication.
Further, after it is determined that the unprovisioned device has passed identity authentication, the method further includes:
encrypting the second random number obtained by decrypting the second ciphertext with the device key to obtain a ciphertext to be verified; and sending the ciphertext to be verified to the unprovisioned device through the BLE GATT connection, so that the unprovisioned device decrypts the ciphertext to be verified and, when the decryption result is the second random number, determines that the network distributor is a trusted device.
Referring to fig. 2, fig. 2 is a flowchart of another identity authentication method provided in an embodiment of the present application; the specific steps may include:
S201: during the mesh network distribution process, generating a device key by negotiating with a network distributor;
This embodiment may be applied to an unprovisioned device; during the mesh network distribution process, the network distributor negotiates with the unprovisioned device to generate the device key (DevKey).
S202: sending a broadcast to the network distributor, so that the network distributor establishes a BLE GATT connection with the unprovisioned device according to the broadcast;
The unprovisioned device can initiate a BLE (Bluetooth Low Energy) broadcast, and the network distributor can establish the BLE GATT connection after receiving the broadcast sent by the unprovisioned device.
S203: performing identity authentication on the network distributor through the BLE GATT connection by using the device key.
In this embodiment, the network distributor negotiates the device key with the unprovisioned device during the mesh network distribution process. In the mesh network, only the network distributor and the unprovisioned device hold the device key. After the BLE GATT connection is established between the network distributor and the unprovisioned device, identity authentication is carried out through the BLE GATT connection by using the device key. No pairing code has to be exchanged between the network distributor and the unprovisioned device in this process, so the efficiency and accuracy of identity authentication can be improved.
After identity authentication has passed, the network distributor can encrypt service data with a symmetric encryption algorithm whose key is the device key to obtain encrypted service data, and transmit the encrypted service data to the unprovisioned device. After performing identity authentication on the network distributor through the BLE GATT connection by using the device key, the unprovisioned device can receive the encrypted service data transmitted by the network distributor and decrypt it with the device key to obtain the service data in plaintext form. Specifically, this embodiment may decrypt the encrypted service data with the symmetric decryption algorithm whose key is the device key, so as to obtain the service data in plaintext form.
As a further description of the embodiment corresponding to fig. 2, identity authentication based on the device key may be performed as follows:
Step B1: receiving a first ciphertext sent by the network distributor through the BLE GATT connection;
wherein the network distributor generates the first ciphertext by generating a first random number and encrypting the first random number with the device key.
Step B2: decrypting the first ciphertext, generating a second random number, and encrypting the decryption result of the first ciphertext together with the second random number by using the device key to obtain a second ciphertext.
Step B3: sending the second ciphertext to the network distributor through the BLE GATT connection, so that the network distributor decrypts the second ciphertext with the device key and, after determining that the decryption result includes the first random number, encrypts the second random number obtained from that decryption with the device key to obtain a ciphertext to be verified.
Step B4: receiving the ciphertext to be verified sent by the network distributor through the BLE GATT connection.
Step B5: decrypting the ciphertext to be verified, and determining that the network distributor is a trusted device when the decryption result is the second random number.
The flow described in the above embodiments is explained below by means of an embodiment in practical use.
The GATT connection security encryption technology commonly used in the related art generally adopts the scheme recommended by the Bluetooth Core Specification, which secures the Bluetooth communication flow in the following three stages:
Stage one: the Pairing Feature Exchange stage;
Stage two: the Short Term Key (STK) generation stage and the Long Term Key (LTK) generation stage;
Stage three: the key distribution stage (Transport Specific Key Distribution).
In the above process, several rounds of data exchange are required to obtain the key for encrypting the subsequent GATT communication, and authentication requires the user to enter a pairing code, which affects authentication efficiency.
To overcome these deficiencies of the related art, the embodiment of the application provides a new scheme for secure encryption of the Bluetooth GATT connection: it uses the device key generated during the mesh network distribution process to encrypt data, without the pairing-based authentication described above, thereby reducing the complexity of the interaction flow and of the protocol design. In this embodiment the device key is used as the data encryption key of the GATT communication, so that the data cannot be recovered by a third party.
In the mesh network, only the node (the network distributor) and the configuring client (the unprovisioned device) know the device key (DevKey). The device key is mainly used to encrypt information such as network key switching, and can also be used for data transmission between the node and the client. In this embodiment, GATT data transmission between the node and the client is encrypted with the device key.
Referring to fig. 3, fig. 3 is a schematic diagram of the principle of a method for establishing a secure communication link using the device key (devicekey) according to an embodiment of the present application; the specific implementation process is as follows:
Step C1: during the mesh network distribution process, the unprovisioned device obtains the device key (devicekey) distributed by the network distributor.
Step C2: the unprovisioned device initiates a BLE broadcast.
The network distributor can discover the device (i.e., the unprovisioned device) through a BLE scan.
Step C3: the network distributor initiates the establishment of the BLE GATT connection.
Step C4: identity authentication is performed using the devicekey.
Step C5: service communication is completed using the devicekey.
Specifically, a symmetric encryption algorithm keyed with the devicekey is used between the network distributor and the unprovisioned device to encrypt the service data and process the service logic.
Referring to fig. 4, fig. 4 is a schematic diagram of a data transmission process provided in an embodiment of the present application; the embodiment may include the following steps:
Step D1: the network distributor generates a random number A1 and encrypts A1 with a symmetric encryption algorithm (the key being devicekey) to obtain SA1. The network distributor sends SA1 to the unprovisioned device (i.e., the device to be provisioned) over the BLE connection. After receiving the encrypted data SA1, the unprovisioned device decrypts SA1 with the symmetric encryption algorithm (the key being devicekey) and obtains A1.
Step D2: the unprovisioned device generates a random number A2 and encrypts A1 together with A2 with the symmetric encryption algorithm (the key being devicekey) to obtain SA12. The unprovisioned device sends SA12 to the network distributor over the BLE connection. After receiving SA12, the network distributor decrypts SA12 with the symmetric encryption algorithm (the key being devicekey) and obtains A1 and A2. A trust check is then performed on A1: if the decrypted A1 is identical to the A1 that was sent out, the network distributor considers the unprovisioned device to be a trusted device.
Step D3: the network distributor takes the random number A2 obtained in step D2 and encrypts A2 with the symmetric encryption algorithm (the key being devicekey) to obtain SA2. The network distributor sends SA2 to the unprovisioned device over the BLE connection. After receiving the encrypted data SA2, the unprovisioned device decrypts SA2 with the symmetric encryption algorithm (the key being devicekey) and obtains A2. A trust check is then performed on A2: if the decrypted A2 is identical to the A2 that was sent out, the unprovisioned device considers the network distributor to be a trusted device.
After steps D1, D2 and D3 are completed, identity authentication between the network distributor and the unprovisioned device is finished. If a decryption failure or a trust check failure occurs at any point in the process, identity authentication is judged to have failed.
In this embodiment, the device key successfully allocated during BLE mesh network distribution is used as the encryption key for the subsequent GATT communication messages, so that a key generation step is saved in the GATT communication process, the communication flow is simplified, and communication security is ensured.
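The following Go program is an added example, not code from the patent, that runs the mutual challenge-response of steps A1 to A4 and B1 to B5 (equivalently steps D1 to D3) end to end: the network distributor issues SA1, the unprovisioned device replies with SA12, the distributor checks A1 and answers with SA2, and the device checks A2. The page names neither the symmetric algorithm, the length of A1 and A2, nor any message framing, so AES-GCM keyed with the 128-bit DevKey, 16-byte random numbers and a nonce||ciphertext||tag layout are assumptions made here; the type and function names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"errors"
)

const rndLen = 16 // length of A1 and A2; the page fixes none, 16 bytes is assumed

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // the handshake must not proceed without a working CSPRNG
	}
	return b
}

// The page only says "symmetric encryption algorithm (the key is devicekey)"; AES-GCM is
// assumed because its tag turns a wrong key or a tampered message into a decryption failure.
func newAEAD(devKey []byte) cipher.AEAD {
	block, err := aes.NewCipher(devKey)
	if err != nil {
		panic(err) // only a DevKey that is not 128 bits reaches this
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// seal returns nonce || ciphertext || tag; open reverses it, and an error means the blob
// was not produced under this DevKey (wrong key, tampering or truncation).
func seal(aead cipher.AEAD, plaintext []byte) []byte {
	iv := random(aead.NonceSize())
	return aead.Seal(iv, iv, plaintext, nil)
}
func open(aead cipher.AEAD, blob []byte) ([]byte, error) {
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// Provisioner is the network distributor and Device the unprovisioned device; both hold
// the DevKey negotiated during mesh network distribution (steps S101 / S201).
type Provisioner struct{ aead cipher.AEAD; a1, a2 []byte }
type Device struct{ aead cipher.AEAD; a2 []byte }
// Step D1 (A1/A2), provisioner side: generate A1 and send SA1 = Enc(DevKey, A1).
func (p *Provisioner) Challenge() []byte {
	p.a1 = random(rndLen)
	return seal(p.aead, p.a1)
}

// Steps D1/D2 (B1/B2), device side: recover A1, generate A2, reply SA12 = Enc(DevKey, A1||A2).
func (d *Device) Respond(sa1 []byte) ([]byte, error) {
	a1, err := open(d.aead, sa1)
	if err != nil {
		return nil, err
	}
	d.a2 = random(rndLen)
	return seal(d.aead, append(append([]byte{}, a1...), d.a2...)), nil
}

// Step D2 (A3/A4), provisioner side: the recovered A1 must equal the A1 sent out; on success
// SA2 = Enc(DevKey, A2) is returned (step D3) so the device can authenticate the provisioner.
func (p *Provisioner) VerifyDevice(sa12 []byte) ([]byte, error) {
	plain, err := open(p.aead, sa12)
	if err != nil {
		return nil, err
	}
	if len(plain) != 2*rndLen || subtle.ConstantTimeCompare(plain[:rndLen], p.a1) != 1 {
		return nil, errors.New("A1 mismatch: device not trusted")
	}
	p.a2 = plain[rndLen:]
	return seal(p.aead, p.a2), nil
}

// Step D3 (B4/B5), device side: the recovered A2 must equal the A2 sent out.
func (d *Device) VerifyProvisioner(sa2 []byte) error {
	a2, err := open(d.aead, sa2)
	if err == nil && subtle.ConstantTimeCompare(a2, d.a2) != 1 {
		err = errors.New("A2 mismatch: provisioner not trusted")
	}
	return err
}

// Authenticate runs D1-D3 with each side holding its own key copy, so that a key mismatch
// (a device that never completed provisioning) can be exercised; a nil error means mutual trust.
func Authenticate(provKey, devKey []byte) (*Provisioner, *Device, error) {
	p, d := &Provisioner{aead: newAEAD(provKey)}, &Device{aead: newAEAD(devKey)}
	sa12, err := d.Respond(p.Challenge())
	if err != nil {
		return nil, nil, err
	}
	sa2, err := p.VerifyDevice(sa12)
	if err != nil {
		return nil, nil, err
	}
	return p, d, d.VerifyProvisioner(sa2)
}
```

Under these assumptions a missing or mismatched DevKey surfaces as a decryption failure at the first step, and an SA12 that carries a stale A1 fails the A1 comparison, which is the failure rule the text states for steps D1 to D3. Service data (step C5) can then be carried with the same seal and open pair under the same DevKey.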
Referring to fig. 5, fig. 5 is a schematic structural diagram of a mesh network distributor according to an embodiment of the present application; the network distributor includes:
a first key generation module 501, configured to generate a device key by negotiating with an unprovisioned device during the mesh network distribution process;
a communication module 502, configured to receive a broadcast sent by the unprovisioned device and to establish a BLE GATT connection with the unprovisioned device according to the broadcast;
a first authentication module 503, configured to perform identity authentication on the unprovisioned device through the BLE GATT connection by using the device key.
In this embodiment, the network distributor negotiates the device key with the unprovisioned device during the mesh network distribution process. In the mesh network, only the network distributor and the unprovisioned device hold the device key. After the BLE GATT connection is established between the network distributor and the unprovisioned device, the network distributor authenticates the unprovisioned device through the BLE GATT connection by using the device key. No pairing code has to be exchanged between the network distributor and the unprovisioned device in this process, so the efficiency and accuracy of identity authentication can be improved.
Further, the first authentication module 503 is configured to generate a first random number and encrypt it with the device key to obtain a first ciphertext; to send the first ciphertext to the unprovisioned device through the BLE GATT connection, so that the unprovisioned device decrypts the first ciphertext and encrypts the decryption result together with a second random number by using the device key to obtain a second ciphertext; to receive the second ciphertext sent by the unprovisioned device through the BLE GATT connection and decrypt it with the device key; and to determine that the unprovisioned device has passed identity authentication if the decryption result of the second ciphertext includes the first random number.
Further, the network distributor also includes:
a verification module, configured to encrypt the second random number obtained by decrypting the second ciphertext with the device key to obtain a ciphertext to be verified after the unprovisioned device is determined to have passed identity authentication; and to send the ciphertext to be verified to the unprovisioned device through the BLE GATT connection, so that the unprovisioned device decrypts the ciphertext to be verified and determines that the network distributor is a trusted device when the decryption result is the second random number.
Further, the network distributor also includes:
a data encryption module, configured to encrypt service data with a symmetric encryption algorithm whose key is the device key to obtain encrypted service data after identity authentication of the unprovisioned device through the BLE GATT connection by using the device key, and to transmit the encrypted service data to the unprovisioned device.
Referring to fig. 6, fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure; the device may include:
a second key generation module 601, configured to generate a device key by negotiating with a network distributor during the mesh network distribution process;
a broadcasting module 602, configured to send a broadcast to the network distributor, so that the network distributor establishes a BLE GATT connection with the unprovisioned device according to the broadcast;
a second authentication module 603, configured to perform identity authentication on the network distributor through the BLE GATT connection by using the device key.
In this embodiment, the network distributor negotiates the device key with the unprovisioned device during the mesh network distribution process. In the mesh network, only the network distributor and the unprovisioned device hold the device key. After the BLE GATT connection is established between the network distributor and the unprovisioned device, identity authentication is carried out through the BLE GATT connection by using the device key. No pairing code has to be exchanged between the network distributor and the unprovisioned device in this process, so the efficiency and accuracy of identity authentication can be improved.
Further, the second authentication module 603 is configured to receive a first ciphertext sent by the network distributor through the BLE GATT connection, the network distributor having generated the first ciphertext by generating a first random number and encrypting it with the device key; to decrypt the first ciphertext, generate a second random number, and encrypt the decryption result of the first ciphertext together with the second random number by using the device key to obtain a second ciphertext; to send the second ciphertext to the network distributor through the BLE GATT connection, so that the network distributor decrypts the second ciphertext with the device key and, after determining that the decryption result includes the first random number, encrypts the second random number obtained from that decryption with the device key to obtain a ciphertext to be verified; to receive the ciphertext to be verified sent by the network distributor through the BLE GATT connection; and to decrypt the ciphertext to be verified and determine that the network distributor is a trusted device when the decryption result is the second random number.
Further, the electronic device also includes:
a decryption module, configured to receive encrypted service data transmitted by the network distributor after identity authentication of the network distributor through the BLE GATT connection by using the device key, the encrypted service data having been obtained by the network distributor by encrypting service data with a symmetric encryption algorithm whose key is the device key; and further configured to decrypt the encrypted service data with the device key to obtain the service data in plaintext form.
Since the embodiments of the apparatus part correspond to those of the method part, reference is made to the description of the method embodiments for the apparatus embodiments, which is not repeated here.
The present application also provides a storage medium having a computer program stored thereon which, when executed, can implement the steps provided by the above embodiments. The storage medium may include various media capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may be referred to one another. The device disclosed in the embodiments corresponds to the method disclosed in the embodiments, so its description is brief, and reference may be made to the method part for the relevant details. It should be noted that those skilled in the art can make several improvements and modifications to the present application without departing from its principle, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.